Описание
Security update for warewulf4
This update for warewulf4 fixes the following issues:
Update to version 4.6.4.
Security issues fixed:
- CVE-2025-58058: xz: excessive memory consuption when unpacking a large number of corrupted LZMA archives (bsc#1248906).
Other issues fixed:
-
Convert disk booleans from
wwboolto*boolwhich allows bools in disk to be set to false via command line (bsc#1248768). -
Fix
wwctlupgrade nodes to handle kernel argument lists (bsc#1227686, bsc#1227465). -
Mark
slurmas recommeneded in thewarewulf4-overlay-slurmpackage (bsc#1246082). -
Switch to
dnsmasqas default DHCP and TFTP provider. -
v4.6.4 release updates:
- Update NetworkManager Overlay
- Disable IPv4 in NetworkManager if no address or route is specified
- Fix(
wwctl): create overlay edittempfileintmpdir - Add default for systemd name for warewulf in
warewulf.conf - Atomic overlay file application in
wwclient - Simpler names for overlay methods
- Fix
warewulfdAPI behavior when deleting distribution overlay
- Update NetworkManager Overlay
-
v4.6.3 release updates:
- IPv6 iPXE support
- Fix a race condition in
wwctloverlay edit - Fixed handling of comma-separated mount options in
fstabandignitionoverlays - Move
reexec.Init()to beginning ofwwctl - Added
warewuldconfigure option - Address copilot review from #1945
- Bugfix: cloning a site overlay when parent dir does not exist
- Clone to a site overlay when adding files in
wwapi - Consolidated
createOverlayFileandupdateOverlayFiletoaddOverlayFile - Support for creating and updating overlay file in
wwapi - Only return overlay files that refer to a path within the overlay
- Add overlay file deletion support
DELETE /api/overlays/{id}?force=truecan delete overlays in use- Restore idempotency of
PUT /api/nodes/{id} - Simplify overlay mtime API and add tests
- Add node overlay buildtime
- Improved
netplansupport - Rebuild overlays for discovered nodes
-
v4.6.2 release updates:
- (preview) support for provisioning to local disk
-
incoperated from v4.6.1:
- REST API, which is disabled in the default configuration
Список пакетов
SUSE Linux Enterprise Module for HPC 15 SP6
SUSE Linux Enterprise Module for HPC 15 SP7
openSUSE Leap 15.6
Ссылки
- Link for SUSE-SU-2025:03448-1
- E-Mail link for SUSE-SU-2025:03448-1
- SUSE Security Ratings
- SUSE Bug 1227465
- SUSE Bug 1227686
- SUSE Bug 1246082
- SUSE Bug 1248768
- SUSE Bug 1248906
- SUSE CVE CVE-2025-58058 page
Описание
xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn't include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.
Затронутые продукты
Ссылки
- CVE-2025-58058
- SUSE Bug 1248889