A vulnerability (CVE-2026-25679, CVSS 7.5 HIGH) in the `net/url` package of Go, used by the go-rpm-macros build automation tool, involves incorrect parsing of IPv6 host literals. This security update for Red Hat Enterprise Linux 9 addresses the issue by providing patched packages. The specific fixed version for the go-rpm-macros package suite is 3.6.0-14.el9_7, as indicated by the provided RPM file list.
Red Hat Product Errata RHSA-2026:8841 - Security Advisory Issued: 2026-04-20 Updated: 2026-04-20 RHSA-2026:8841 - Security Advisory Overview Updated Packages Synopsis Important: go-rpm-macros security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for go-rpm-macros is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description This package provides build-stage rpm automation to simplify the creation of Go language (golang) packages. It does not need to be included in the default build root: go-srpm-macros will pull it in for Go packages only. Security Fix(es): net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 9 x86_64 Red Hat Enterprise Linux for IBM z Systems 9 s390x Red Hat Enterprise Linux for Power, little endian 9 ppc64le Red Hat Enterprise Linux for ARM 64 9 aarch64 Fixes BZ - 2445356 - CVE-2026-25679 net/url: Incorrect parsing of IPv6 host literals in net/url CVEs CVE-2026-25679 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 9 SRPM go-rpm-macros-3.6.0-14.el9_7.src.rpm SHA-256: 4a490dda96bd162297174ed4417d247e7b38eaefa7cffef256656d149500d915 x86_64 go-filesystem-3.6.0-14.el9_7.x86_64.rpm SHA-256: a4c73dbffd180b4b23b428d9cea5674e54a4bad1533c32be496d7958db93805f go-rpm-macros-3.6.0-14.el9_7.x86_64.rpm SHA-256: 62e6b55dcad4f5ea02ad3afff9c83feecc0c97eff4b048757e81acd6d0cd8258 go-rpm-macros-debuginfo-3.6.0-14.el9_7.x86_64.rpm SHA-256: e434c0e4ffc8db0bea7955783206931c09af99d96bdb943e87ad85792d1d34dd go-rpm-macros-debugsource-3.6.0-14.el9_7.x86_64.rpm SHA-256: b59e55c7f21bf5e9c81f66ba7d0f0df0445b24f86ab6949fa229cbcbcd2c76d3 go-rpm-templates-3.6.0-14.el9_7.noarch.rpm SHA-256: 1ff26f5cdb72f0074efe6787cd5633459516097843824f16baa228422afe7c9e go-srpm-macros-3.6.0-14.el9_7.noarch.rpm SHA-256: 556c49df02b7ae8093ca2e13fc66e82c76b67c55468fae9d982796063dbbdd1d Red Hat Enterprise Linux for IBM z Systems 9 SRPM go-rpm-macros-3.6.0-14.el9_7.src.rpm SHA-256: 4a490dda96bd162297174ed4417d247e7b38eaefa7cffef256656d149500d915 s390x go-filesystem-3.6.0-14.el9_7.s390x.rpm SHA-256: 12f0e29267dd5966028b53db7a5384597d78558a4646d6df8ef90135ba0278a5 go-rpm-macros-3.6.0-14.el9_7.s390x.rpm SHA-256: 6aa5bafc36fb5d1f3144b60651b7b8346aa29e3bf065a0d97fdd3945efe42839 go-rpm-macros-debuginfo-3.6.0-14.el9_7.s390x.rpm SHA-256: 3476c713a02c6fbd8af8b3cf91a0460eec9e56000a8472ed26c6214927869660 go-rpm-macros-debugsource-3.6.0-14.el9_7.s390x.rpm SHA-256: 877f5e1e24127510dfd6edb61cbea8e36a4b71a897b8d102a97e5be30a58522a go-rpm-templates-3.6.0-14.el9_7.noarch.rpm SHA-256: 1ff26f5cdb72f0074efe6787cd5633459516097843824f16baa228422afe7c9e go-srpm-macros-3.6.0-14.el9_7.noarch.rpm SHA-256: 556c49df02b7ae8093ca2e13fc66e82c76b67c55468fae9d982796063dbbdd1d Red Hat Enterprise Linux for Power, little endian 9 SRPM go-rpm-macros-3.6.0-14.el9_7.src.rpm SHA-256: 4a490dda96bd162297174ed4417d247e7b38eaefa7cffef256656d149500d915 ppc64le go-filesystem-3.6.0-14.el9_7.ppc64le.rpm SHA-256: 8b3d71b3e788fab3a71ba0a4f21e0c07e076477747f71e54f88613efcb7c9e32 go-rpm-macros-3.6.0-14.el9_7.ppc64le.rpm SHA-256: 7a9ba67f7de8544098c7f2db8aa0849928579cba38c8a027ccb461c50c32eee6 go-rpm-macros-debuginfo-3.6.0-14.el9_7.ppc64le.rpm SHA-256: 64d542d29d7e672900528566d230aad738c92399f24d10c2f33b515e2fbc62b8 go-rpm-macros-debugsource-3.6.0-14.el9_7.ppc64le.rpm SHA-256: 246e4255ef5d37dcca03f8c31c56249a14665cd86938edbfc5d13aa2c312ad20 go-rpm-templates-3.6.0-14.el9_7.noarch.rpm SHA-256: 1ff26f5cdb72f0074efe6787cd5633459516097843824f16baa228422afe7c9e go-srpm-macros-3.6.0-14.el9_7.noarch.rpm SHA-256: 556c49df02b7ae8093ca2e13fc66e82c76b67c55468fae9d982796063dbbdd1d Red Hat Enterprise Linux for ARM 64 9 SRPM go-rpm-macros-3.6.0-14.el9_7.src.rpm SHA-256: 4a490dda96bd162297174ed4417d247e7b38eaefa7cffef256656d149500d915 aarch64 go-filesystem-3.6.0-14.el9_7.aarch64.rpm SHA-256: 3b74e61375e1fef0d1b69628c4de0aeda5197ed202288a96a140bd249f96428c go-rpm-macros-3.6.0-14.el9_7.aarch64.rpm SHA-256: 60976299eb3cd075141116418975ad4f4d55929814398e018ec38c17f123e889 go-rpm-macros-debuginfo-3.6.0-14.el9_7.aarch64.rpm SHA-256: 8b23b11fa86710a5729b646539d4bffc62fe04e029a4487dec202303ae8a6868 go-rpm-macros-debugsource-3.6.0-14.el9_7.aarch64.rpm SHA-256: 0de9f7e3eed296eb6c8206a20dd6a7ffb4a302452757787b639bddc1391fb929 go-rpm-templates-3.6.0-14.el9_7.noarch.rpm SHA-256: 1ff26f5cdb72f0074efe6787cd5633459516097843824f16baa228422afe7c9e go-srpm-macros-3.6.0-14.el9_7.noarch.rpm SHA-256: 556c49df02b7ae8093ca2e13fc66e82c76b67c55468fae9d982796063dbbdd1d The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .