Issued:

2026-01-28

Updated:

2026-01-28

RHSA-2026:1485 - Important: RHUI 4.11.3 security update - python-urllib3

Synopsis

Important: RHUI 4.11.3 security update - python-urllib3

Type/Severity

Security Advisory Important

Topic

An updated version of Red Hat Update Infrastructure (RHUI) is now available. RHUI 4.11.3 resolves several security vulnerabilities.

Description

Red Hat Update Infrastructure (RHUI) provides a highly scalable and redundant framework for managing repositories and content. It also allows cloud providers to deliver content and updates to Red Hat Enterprise Linux (RHEL) instances.

Security Fixes:

Python-urllib3: Unbounded decompression chain leads to resource exhaustion (CVE-2025-66418) Python-urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (CVE-2026-21441) Python-urllib3: urllib3 Streaming API improperly handles highly compressed data (CVE-2025-66471)

This update addresses several vulnerabilities within the urllib3 library pertaining to the handling of compressed content (e.g., gzip, deflate, br, or zstd). A remote attacker could potentially provide specially crafted content that, when processed, leads to excessive CPU utilization and significant memory allocation during decompression, potentially resulting in a denial-of-service (DoS) condition.

Deployment Notes:

• RHUA nodes: The updated python3-urllib3 package provided in this errata is intended specifically for Red Hat Update Appliance (RHUA) nodes.

• CDS nodes: Content Delivery Server (CDS) nodes should receive the corresponding update directly from the standard Red Hat Enterprise Linux (RHEL) distribution channels.

Impact Assessment:

Under standard operating conditions, a properly secured RHUI environment is not expected to be impacted by these vulnerabilities, as the RHUA typically communicates only with trusted endpoints. However, as a matter of security best practice, all RHUI administrators are strongly advised to apply this update to mitigate potential risks.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

1. Apply the update

This update is delivered via a package update, not a new installer. To apply the fix, update the necessary package:

dnf -y update python3.11-urllib3

(Alternatively, rerunning the current rhui-installer will also install this package update automatically.)

2. Restart RHUI services

Execute the following command for the update to take effect:

rhui-services-restart

(Alternatively, if you have rerun the installer, this command is not needed because rerunning the installer restarts RHUI services automatically.)

Affected Products

Updated Packages

• python-urllib3-2.6.3-1.el8ui.src.rpm
• python3.11-urllib3-2.6.3-1.el8ui.noarch.rpm

Fixes

• This content is not included.BZ - 2419455
• This content is not included.BZ - 2419467
• This content is not included.BZ - 2427726

CVEs

• CVE-2025-66418
• CVE-2025-66471
• CVE-2026-21441

References

• https://access.redhat.com/security/updates/classification/#important

Additional information

• The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
• Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.