Description
Security update for warewulf4
This update for warewulf4 fixes the following issues:
warewulf4 was updated from version 4.5.8 to 4.6.0:
- Security issues fixed for version 4.6.0:
  - CVE-2025-22869: Fixed Denial of Service vulnerability in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239322)
  - CVE-2025-22870: Fixed proxy bypass using IPv6 zone IDs (bsc#1238611)
- User visible changes:
  - Default values nodes.conf:
    - The default values for kernel command line, init parameters and root are now set in the default profile and this profile should be included in every profile. During the installation of an update an upgrade is done to nodes.conf which updates the database accordingly.
  - Overlay split up:
    - The overlays wwinit and runtime are now split up in different overlays named according to their role. The upgrade process will update the node database and replace the overlays wwinit and runtime with a list of overlays with the same role.
  - Site and distribution overlays:
    - The overlays in /var/lib/warewulf/overlays should not be changed by the user any more. Site specific overlays are now sorted under /etc/warewulf/overlays. On upgrade, changed overlays are stored with the rpmsave suffix and moved to /etc/warewulf/overlays/$OVERLAYNAME.
- Other changes and bugs fixed:
  - Fixed udev issue with assigning device names (bsc#1226654)
  - Implemented new package warewulf-reference-doc with the reference documentation for Warewulf 4 as PDF
  - The configuration files nodes.conf and warewulf.conf will be updated on upgrade and the unmodified configuration files will be saved as nodes.conf.4.5.x and warewulf.conf.4.5.x
- Summary of upstream changes:
  - New configuration upgrade system
  - Changes to the default profile
  - Renamed containers to (node) images
  - New kernel management system
  - Parallel overlay builds
  - Sprig functions in overlay templates
  - Improved network overlays
  - Nested profiles
  - Arbitrary 'resources' data in nodes.conf
  - NFS client configuration in nodes.conf
  - Emphatically optional syncuser
  - Improved network boot observability
  - Particularly significant changes, especially those affecting the user interface, are described in the release notes:
Package list
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS
SUSE Linux Enterprise Module for HPC 15 SP6
openSUSE Leap 15.6
References
- Link for SUSE-SU-2025:1094-1
- E-Mail link for SUSE-SU-2025:1094-1
- SUSE Security Ratings
- SUSE Bug 1226654
- SUSE Bug 1238611
- SUSE Bug 1239322
- SUSE CVE CVE-2025-22869 page
- SUSE CVE CVE-2025-22870 page
Description
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
Affected products
References
- CVE-2025-22869
- SUSE Bug 1239322
Description
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
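The matching flaw described above, shown next to one way to guard against it. This is an added illustration, not code from golang.org/x/net, warewulf4 or the advisory. The function names `hostOf`, `naiveBypass` and `hardenedBypass` are hypothetical, and the hardened variant is one possible check rather than the upstream fix.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// hostOf strips brackets and port from a URL authority such as "[::1]:80".
func hostOf(hostport string) string {
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		return h
	}
	return strings.Trim(hostport, "[]")
}

// naiveBypass reproduces the flaw: the whole host string, zone ID included,
// is suffix-matched against a NO_PROXY pattern like "*.example.com".
func naiveBypass(hostport, pattern string) bool {
	return strings.HasSuffix(hostOf(hostport), strings.TrimPrefix(pattern, "*"))
}

// hardenedBypass classifies the host before matching. IP literals, with or
// without a zone ID, are never compared against a domain pattern.
func hardenedBypass(hostport, pattern string) bool {
	host := hostOf(hostport)
	if _, err := netip.ParseAddr(host); err == nil {
		return false // IP literal: a domain pattern cannot apply
	}
	if strings.ContainsAny(host, "%[]:") {
		return false // not a plain hostname: keep the request on the proxy
	}
	return strings.HasSuffix(host, strings.TrimPrefix(pattern, "*"))
}

func main() {
	// Constructed sample hosts; the second is the example from the CVE text.
	for _, h := range []string{"www.example.com:80", "[::1%25.example.com]:80", "[::1]:80"} {
		fmt.Printf("%-26s naive=%-5v hardened=%v\n", h,
			naiveBypass(h, "*.example.com"), hardenedBypass(h, "*.example.com"))
	}
}
```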
Affected products
References
- CVE-2025-22870
- SUSE Bug 1238572
- SUSE Bug 1238611