Описание
Security update for elemental-system-agent
This update for elemental-system-agent fixes the following issue
- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo- header (bsc#1260277).
Changes:
- Update to version 0.3.16:
- setup for immutable releases (#274)
- align system-agent image publishing for signed releases (#270)
- Bumo github.com/docker/cli to v29.2.0 and go.opentelemetry.io/otel to v1.43.0
- run go mod tidy in /test folder
- Bump google.golang.org/grpc from 1.75.0 to 1.79.3 (bsc#1260277 CVE-2026-33186)
- Bump github.com/docker/cli in /test
- export CATTLE_NODE_NAME if SYSTEM_UPGRADE_NODE_NAME is set
- use correct prefix for system-agent binary (#273)
- checksum validation (#271)
- Add
validatesubcommand for configuration validation (#250) - Update CODEOWNERS
- Pin GH Actions to commit sha
- chore: bump sles to 15.7
- Extend remote plan e2e tests
- Fix agent restart issue and introduce constants
- chore: bump go to v1.25
- Setup e2e test infrastructure
- chores(deps): Bump k8s dependencies
- Define linter rules
- Fix CI failures
- Introduce an extended Makefile
- Switch workflows to use name makefile
- Replace dapper with multi stage builds
- Remove dapper scripts
- Add multiple improvements for ignore files
- fix: remove umask command from the system-agent unit-file
- fix-system-agent-umask
- [1.34] bumped dependencies for 1.34 support (#242)
- Bump K8s patch level to 1.33.5 and Go patch level to 1.24.6
- fix: properly handle traps after unsuccessful SUC job execution
- fix: do not unconditionally reset failure-counts
- fix: remove resetFailureCountOnStartup, always reset failure counts on first start
- un-rc wrangler and lasso
- drop windows 2019 when running PR CI
Список пакетов
openSUSE Leap 16.0
Ссылки
- SUSE Security Ratings
- SUSE Bug 1260277
- SUSE CVE CVE-2026-33186 page
Описание
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.
Затронутые продукты
Ссылки
- CVE-2026-33186
- SUSE Bug 1260085