Description
Security update for ignition
This update for ignition fixes the following issues:
- CVE-2025-22870: golang.org/x/net/http/httpproxy: proxy bypass using IPv6 zone IDs (bsc#1238681).
- CVE-2025-22868: golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2 (bsc#1239192).
Package list
SUSE Linux Enterprise Module for HPC 15 SP6
ignition-2.14.0-150400.9.9.1
ignition-dracut-grub2-2.14.0-150400.9.9.1
SUSE Linux Enterprise Module for HPC 15 SP7
ignition-2.14.0-150400.9.9.1
ignition-dracut-grub2-2.14.0-150400.9.9.1
openSUSE Leap 15.6
ignition-2.14.0-150400.9.9.1
ignition-dracut-grub2-2.14.0-150400.9.9.1
References
- Link for SUSE-SU-2025:02014-1
- E-Mail link for SUSE-SU-2025:02014-1
- SUSE Security Ratings
- SUSE Bug 1238681
- SUSE Bug 1239192
- SUSE CVE CVE-2025-22868 page
- SUSE CVE CVE-2025-22870 page
Description
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
Affected products
SUSE Linux Enterprise Module for HPC 15 SP6:ignition-2.14.0-150400.9.9.1
SUSE Linux Enterprise Module for HPC 15 SP6:ignition-dracut-grub2-2.14.0-150400.9.9.1
SUSE Linux Enterprise Module for HPC 15 SP7:ignition-2.14.0-150400.9.9.1
SUSE Linux Enterprise Module for HPC 15 SP7:ignition-dracut-grub2-2.14.0-150400.9.9.1
References
- CVE-2025-22868
- SUSE Bug 1239186
Description
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
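The mismatch described above, as an added example that is not the golang.org/x/net code: a simplified suffix matcher beside a zone-aware one, run on the advisory's own host string. The function names `hostOf`, `naiveBypass` and `zoneAwareBypass` are hypothetical, and only lowercase wildcard domain patterns of the form "*.example.com" are handled.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// hostOf returns the host part of "host:port", keeping any IPv6 zone ID.
func hostOf(addr string) string {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return addr
	}
	return host
}

// naiveBypass (hypothetical, simplified) treats the whole host string,
// zone ID included, as a DNS name and suffix-matches it against the pattern.
func naiveBypass(addr, pattern string) bool {
	suffix := strings.TrimPrefix(pattern, "*") // "*.example.com" -> ".example.com"
	return strings.HasSuffix(strings.ToLower(hostOf(addr)), suffix)
}

// zoneAwareBypass (hypothetical) drops the zone ID first and never applies
// a domain pattern to an IP literal.
func zoneAwareBypass(addr, pattern string) bool {
	host := hostOf(addr)
	if i := strings.IndexByte(host, '%'); i >= 0 {
		host = host[:i] // "::1%25.example.com" -> "::1"
	}
	if _, err := netip.ParseAddr(host); err == nil {
		return false // IP literals cannot match a domain suffix
	}
	suffix := strings.TrimPrefix(pattern, "*")
	return strings.HasSuffix(strings.ToLower(host), suffix)
}

func main() {
	for _, addr := range []string{"[::1%25.example.com]:80", "www.example.com:80", "[::1]:80"} {
		fmt.Printf("%-26s naive=%v zoneAware=%v\n", addr,
			naiveBypass(addr, "*.example.com"), zoneAwareBypass(addr, "*.example.com"))
	}
}
```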
Affected products
SUSE Linux Enterprise Module for HPC 15 SP6:ignition-2.14.0-150400.9.9.1
SUSE Linux Enterprise Module for HPC 15 SP6:ignition-dracut-grub2-2.14.0-150400.9.9.1
SUSE Linux Enterprise Module for HPC 15 SP7:ignition-2.14.0-150400.9.9.1
SUSE Linux Enterprise Module for HPC 15 SP7:ignition-dracut-grub2-2.14.0-150400.9.9.1
References
- CVE-2025-22870
- SUSE Bug 1238572
- SUSE Bug 1238611