Issued: 2026-02-26
Updated: 2026-02-26

RHSA-2026:3459 - Red Hat OpenShift distributed tracing platform Tempo - 3.9.0 release


Synopsis

Red Hat OpenShift distributed tracing platform (Tempo) 3.9.0 release

Type/Severity

Security Advisory Important

Topic

Red Hat OpenShift distributed tracing platform (Tempo) 3.9.0 has been released

Description

This release of the Red Hat OpenShift distributed tracing platform (Tempo) provides new features, security improvements, and bug fixes.

Breaking changes:

  • Nothing

Deprecations:

  • Nothing

Technology Preview features:

  • Nothing

Enhancements:

  • This release upgrades Tempo components to version 2.10.0, which improves TraceQL performance. Jira issue: https://issues.redhat.com/browse/TRACING-5944.

  • This update extends the TempoStack Custom Resource Definition (CRD) with a network policy option that enables the Operator to reconcile network policies among all components. This option is enabled by default. Jira issue: https://issues.redhat.com/browse/TRACING-5807.

  • This update adds support for overriding the Operator configuration by using environment variables. You can configure Operator settings through the Subscription custom resource of the Operator Lifecycle Manager (OLM) without modifying ConfigMaps. The --config flag remains available for custom configuration files if needed. Jira issue: https://issues.redhat.com/browse/TRACING-5745.

  • This update introduces the size field for TempoStack deployments, which provides predefined t-shirt size configurations. Instead of manually calculating CPU, memory, and storage for each component, you can select a size that matches your workload scale. The following sizes are available: 1x.demo, 1x.pico, 1x.extra-small, 1x.small, and 1x.medium. This field is optional and existing configurations using resources.total or per-component overrides continue to work unchanged. Jira issue: https://issues.redhat.com/browse/TRACING-5376.

  • This update improves TempoMonolithic memory usage. The Operator now automatically sets the GOMEMLIMIT soft memory limit for the Go garbage collector to 80% of the container memory limit for all Tempo components. This reduces the likelihood of out-of-memory terminations. Jira issue: https://issues.redhat.com/browse/TRACING-4554.

  • This update requires tenant configuration and an enabled gateway for TempoStack and TempoMonolithic instances. If you do not enable the gateway, the Operator displays a warning. For a TempoStack instance, enable the gateway by setting .spec.template.gateway.enabled to true. For a TempoMonolithic instance, the gateway is enabled automatically when any tenant is configured. TempoStack and TempoMonolithic instances without an enabled gateway are not supported. Jira issue: https://issues.redhat.com/browse/TRACING-5750.

  • This release upgrades the Red Hat Universal Base Image (UBI) to version 9.

Bug fixes:

  • Fixed network policies for managed OpenShift services. Before this update, the Operator network policies used a hard-coded port 6443 for the API server. As a consequence, the Operator failed to connect to managed OpenShift services that expose the API on port 443. With this update, the Operator dynamically retrieves the control plane address from service endpoints. As a result, network policies work correctly on all OpenShift environments. Jira issue: https://issues.redhat.com/browse/TRACING-5974.

  • CVE-2025-61726: Before this update, a flaw existed in the net/url package in the Go standard library. As a consequence, an HTTP request with a massive number of query parameters could cause the application to consume an excessive amount of memory and eventually become unresponsive, resulting in a denial of service. This release eliminates this flaw. For more information, see https://access.redhat.com/security/cve/cve-2025-61726.

  • CVE-2025-61729: Before this update, the HostnameError.Error() function in the Go crypto/x509 package used string concatenation in a loop without limiting the number of printed hostnames. As a consequence, processing a malicious certificate with many hostnames could cause excessive CPU and memory consumption, leading to a denial-of-service condition. This release includes the fix for this flaw. For more information, see https://access.redhat.com/security/cve/CVE-2025-61729.

  • CVE-2025-68121: Before this update, a flaw existed in the crypto/tls package in the Go standard library. As a consequence, during TLS session resumption, unauthorized clients or servers could bypass certificate validation if CA pools were mutated between handshakes. This release includes the fix for this flaw. For more information, see https://access.redhat.com/security/cve/CVE-2025-68121.
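A defense-in-depth check for the CVE-2025-61726 failure mode described above, as an added example that is not part of the advisory or of Tempo's code: a Go net/http middleware that counts query parameters from the raw query string and rejects oversized requests before any handler parses them. The cap of 1000, the /api/search path, and all function names are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxQueryParams is an assumed cap for this example, not a value from the advisory.
const maxQueryParams = 1000

// countQueryParams counts "&"-separated segments in a raw query string without
// building a map. Empty segments are counted too, so the result never
// undercounts what the parser would have to process.
func countQueryParams(rawQuery string) int {
	if rawQuery == "" {
		return 0
	}
	return strings.Count(rawQuery, "&") + 1
}

// limitQueryParams rejects requests with more than max query parameters
// before any downstream handler calls r.URL.Query() or r.ParseForm().
func limitQueryParams(max int, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if countQueryParams(r.URL.RawQuery) > max {
			http.Error(w, "too many query parameters", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends a constructed request with n query parameters through the
// middleware and returns the HTTP status code of the response.
func probe(n int) int {
	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "parsed %d keys", len(r.URL.Query()))
	})
	q := strings.TrimSuffix(strings.Repeat("k=v&", n), "&")
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/api/search?"+q, nil) // constructed path
	limitQueryParams(maxQueryParams, inner).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(probe(10), probe(maxQueryParams), probe(maxQueryParams+1))
}
```

The middleware inspects only the URL query string; form parameters carried in a request body need a separate size bound such as http.MaxBytesReader.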

Known issues:

  • Gateway fails to forward OTLP HTTP traffic when receiver TLS is enabled. When Tempo Monolithic is configured with multitenancy.enabled: true and ingestion.otlp.http.tls.enabled: true, the gateway forwards OTLP HTTP traffic to the Tempo receiver using plain HTTP instead of HTTPS. As a consequence, the connection fails with a connection reset by peer error because the receiver expects TLS connections. OTLP gRPC ingestion through the gateway is not affected. Jira issue: https://issues.redhat.com/browse/TRACING-5973.

Solution

For details on how to apply this update, refer to:

https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/operators/administrator-tasks#olm-upgrading-operators

Affected Products

Product                                 Version   Arch
Red Hat OpenShift distributed tracing   3.9.0     x86_64

Fixes

(none)

CVEs

(none)
