Description
Security update for google-guest-agent
This update for google-guest-agent fixes the following issues:
- CVE-2026-39827: Update golang.org/x/crypto dependency (bsc#1266171).
- CVE-2026-39828: Update golang.org/x/crypto dependency (bsc#1266171).
- CVE-2026-39829: Update golang.org/x/crypto dependency (bsc#1266171).
- CVE-2026-39830: Update golang.org/x/crypto dependency (bsc#1266171).
- CVE-2026-39831: Update golang.org/x/crypto dependency (bsc#1266171).
- CVE-2026-39832: Update golang.org/x/crypto dependency (bsc#1266171).
- CVE-2026-39833: Update golang.org/x/crypto dependency (bsc#1266171).
- CVE-2026-39834: Update golang.org/x/crypto dependency (bsc#1266171).
- CVE-2026-39835: Update golang.org/x/crypto dependency (bsc#1266171).
- CVE-2026-42508: Update golang.org/x/crypto dependency (bsc#1266171).
- CVE-2026-46595: Update golang.org/x/crypto dependency (bsc#1266171).
- CVE-2026-46597: Update golang.org/x/crypto dependency (bsc#1266171).
- CVE-2026-46598: Update golang.org/x/crypto dependency (bsc#1266171).
- CVE-2024-45337: Update golang.org/x/crypto/ssh dependency (bsc#1234563).
- CVE-2026-39821: Update golang.org/x/net dependency (bsc#1266603).
- CVE-2023-45288: Update golang.org/x/net/http2 dependency (bsc#1236533).
- CVE-2025-22869: Update golang.org/x/crypto dependency (bsc#1239334).
- CVE-2025-22869: Update golang.org/x/crypto dependency (bsc#1253889).
- CVE-2026-33814: Update golang.org/x/net/http2 dependency (bsc#1265762).
- CVE-2026-33186: Update google.golang.org/grpc dependency (bsc#1260264).
- CVE-2026-34986: Fix a denial of service caused by crafted JWE input with a missing encrypted key (bsc#1262926).
Bug fixes:
- Update to version 20260402.00 (bsc#1257010).
- Update to version 20250506.01 (bsc#1243254, bsc#1243505).
- Install google_metadata_script_runner_adapt script (bsc#1245759).
- Add -buildmode=pie to go build command line (bsc#1239944).
- Re-enable binary stripping and debuginfo (bsc#1210938).
Package list
SUSE Linux Enterprise Module for Public Cloud 12
References
- Link for SUSE-SU-2026:2581-1
- E-Mail link for SUSE-SU-2026:2581-1
- SUSE Security Ratings
- SUSE Bug 1210938
- SUSE Bug 1234563
- SUSE Bug 1236533
- SUSE Bug 1239334
- SUSE Bug 1239944
- SUSE Bug 1243254
- SUSE Bug 1243505
- SUSE Bug 1245759
- SUSE Bug 1253889
- SUSE Bug 1257010
- SUSE Bug 1260264
- SUSE Bug 1262926
- SUSE Bug 1265762
- SUSE Bug 1266171
- SUSE Bug 1266603
- SUSE CVE CVE-2023-45288 page
- SUSE CVE CVE-2024-45337 page
Description
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
Affected products
References
- CVE-2023-45288
- SUSE Bug 1221400
Description
Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. 
Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.
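The query-then-sign sequence from the description, as a constructed Go model added here (not x/crypto/ssh code): the Permissions type, callback signature and handshake loop are local stand-ins for ssh.Permissions, ServerConfig.PublicKeyCallback and the pre-v0.31.0 server behaviour, and the fingerprints "A" and "B" are constructed sample values.

```go
package main

import "fmt"

// Constructed model of the key-query sequence behind CVE-2024-45337 (not x/crypto/ssh
// code): a client may offer several keys, each invoking PublicKeyCallback, but only
// the key it finally signs with authenticates.

type Permissions struct{ Extensions map[string]string } // shape of ssh.Permissions

type PublicKeyCallback func(user, fingerprint string) (*Permissions, error)

// handshake models the pre-v0.31.0 server: the callback runs once per offered key,
// and only the Permissions returned for the signing key become ServerConn.Permissions.
func handshake(cb PublicKeyCallback, user string, offered []string, signedWith string) (*Permissions, error) {
	var conn *Permissions
	for _, fp := range offered {
		if perms, err := cb(user, fp); err == nil && fp == signedWith {
			conn = perms
		}
	}
	if conn == nil {
		return nil, fmt.Errorf("public key authentication failed for %s", user)
	}
	return conn, nil
}

// lastOffered is the misuse: state outside the callback ends up holding the
// last key queried, not the key that signed.
var lastOffered string

// recordingCallback records the key both ways so the two can be compared.
func recordingCallback(user, fp string) (*Permissions, error) {
	lastOffered = fp
	return &Permissions{Extensions: map[string]string{"pubkey-fp": fp}}, nil
}

// demo plays the scenario from the description: keys A and B are offered and
// the client signs with A. External state sees B (never proven); Extensions sees A.
func demo() (externalState, fromPermissions string) {
	perms, err := handshake(recordingCallback, "alice", []string{"A", "B"}, "A")
	if err != nil {
		panic(err)
	}
	return lastOffered, perms.Extensions["pubkey-fp"]
}

func main() {
	ext, ok := demo()
	fmt.Printf("external state authorizes %q, Permissions.Extensions authorizes %q\n", ext, ok)
}
```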
Affected products
References
- CVE-2024-45337
- SUSE Bug 1234482
Description
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
Affected products
References
- CVE-2025-22868
- SUSE Bug 1239185
- SUSE Bug 1239186
Description
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
Affected products
References
- CVE-2025-22869
- SUSE Bug 1239322
Description
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
Affected products
References
- CVE-2025-58181
- SUSE Bug 1253784
Description
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy that contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.
Affected products
References
- CVE-2026-33186
- SUSE Bug 1260085
- SUSE Bug 1268676
Description
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
Affected products
References
- CVE-2026-33814
- SUSE Bug 1264506
- SUSE Bug 1268758
Description
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.
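An added example (not go-jose's own code) of the RFC 3394 AES key unwrap that cipher.KeyUnwrap implements, with the length guard that turns an empty or too-short encrypted_key into an error instead of a panic; the keyUnwrap and errKeyUnwrap names are this example's own, and the key material is the RFC 3394 section 4.1 test vector.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Added example, not go-jose's code: RFC 3394 AES key unwrap with the length
// guard the fix adds. Without it n = len(wrapped)/8-1 is zero or negative for
// inputs shorter than 16 bytes and make([]byte, n*8) panics instead of erroring.
var errKeyUnwrap = errors.New("key unwrap: wrapped key must be >= 16 bytes and a multiple of 8")

func keyUnwrap(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 16 || len(wrapped)%8 != 0 {
		return nil, errKeyUnwrap // an empty JWE encrypted_key lands here, no panic
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	a := binary.BigEndian.Uint64(wrapped[:8]) // A = C[0]
	r := make([]byte, n*8)                   // R[1..n] = C[1..n]
	copy(r, wrapped[8:])
	buf := make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n; i >= 1; i-- {
			binary.BigEndian.PutUint64(buf[:8], a^uint64(n*j+i)) // (A ^ t), t = n*j+i
			copy(buf[8:], r[(i-1)*8:i*8])                          // | R[i]
			block.Decrypt(buf, buf)                                // B = AES-1(K, ...)
			a = binary.BigEndian.Uint64(buf[:8])                   // A = MSB(64, B)
			copy(r[(i-1)*8:i*8], buf[8:])                          // R[i] = LSB(64, B)
		}
	}
	if a != 0xA6A6A6A6A6A6A6A6 { // default IV from RFC 3394 section 2.2.3.1
		return nil, errors.New("key unwrap: integrity check failed")
	}
	return r, nil
}

func main() {
	// RFC 3394 section 4.1 vector: 128-bit KEK wrapping 128-bit key data.
	kek, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	wrapped, _ := hex.DecodeString("1fa68b0a8112b447aef34bd8fb5a7b829d3e862371d2cfe5")
	key, err := keyUnwrap(kek, wrapped)
	fmt.Printf("key=%x err=%v\n", key, err)
}
```

Checking the length before any allocation is the whole fix; the JWE parse functions still need to reject KW algorithms whose encrypted_key segment is absent so that the call never reaches the unwrap with an empty slice.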
Affected products
References
- CVE-2026-34986
- SUSE Bug 1262805
Description
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permit access to the Unicode name "example.com".
Affected products
References
- CVE-2026-39821
- SUSE Bug 1266474
Description
An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.
Affected products
References
- CVE-2026-39827
- SUSE Bug 1266049
Description
When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.
Affected products
References
- CVE-2026-39828
- SUSE Bug 1266049
Description
The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.
Affected products
References
- CVE-2026-39829
- SUSE Bug 1266049
Description
A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.
Affected products
References
- CVE-2026-39830
- SUSE Bug 1266049
Description
The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.
Affected products
References
- CVE-2026-39831
- SUSE Bug 1266049
Description
When adding a key to a remote agent, constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.
Affected products
References
- CVE-2026-39832
- SUSE Bug 1266049
Description
The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.
Affected products
References
- CVE-2026-39833
- SUSE Bug 1266049
Description
When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.
Affected products
References
- CVE-2026-39834
- SUSE Bug 1266049
Description
SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.
Affected products
References
- CVE-2026-39835
- SUSE Bug 1266049
Description
Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.
Affected products
References
- CVE-2026-42508
- SUSE Bug 1266049
Description
Previously, CVE-2024-45337 fixed an authorization bypass for misused SSH server configurations; if any callback type other than public key was used, the source-address validation would be skipped.
Affected products
References
- CVE-2026-46595
- SUSE Bug 1266049
Description
An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.
Affected products
References
- CVE-2026-46597
- SUSE Bug 1266049
Description
For certain crafted inputs, an 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.
Affected products
References
- CVE-2026-46598
- SUSE Bug 1266049