Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

openSUSE-SU-2026:20956-1

Опубликовано: 11 июн. 2026
Источник: suse-cvrf

Описание

Security update for trivy

This update for trivy fixes the following issues

  • CVE-2026-25680,CVE-2026-25681,CVE-2026-27136,CVE-2026-42502,CVE-2026-42506: golang.org/x/net/html: multiple issues when parsing HTML files (bsc#1267047).
  • CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1265648).
  • CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only Punycode-encoded labels allows for validation bypass and privilege escalation (bsc#1266495).
  • CVE-2026-39827: Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh (bsc#1266075).
  • CVE-2026-39828: Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh (bsc#1266075).
  • CVE-2026-39829: Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh (bsc#1266075).
  • CVE-2026-39830: Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh (bsc#1266075).
  • CVE-2026-39831: Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh (bsc#1266075).
  • CVE-2026-39832: Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent (bsc#1266075).
  • CVE-2026-39833: Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent (bsc#1266075).
  • CVE-2026-39834: Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh (bsc#1266075).
  • CVE-2026-39835: Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh (bsc#1266075).
  • CVE-2026-42508: Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts (bsc#1266075).
  • CVE-2026-46595: Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh (bsc#1266075).
  • CVE-2026-46597: Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh (bsc#1266075).
  • CVE-2026-46598: Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent (bsc#1266075).
  • CVE-2026-44740: github.com/go-git/go-billy/v5: improper input handling in many components can lead to DoS via infinite loops, panics or resource consumption (bsc#1267268).

Changes for trivy:

  • Update to version 0.71.0 (bsc#1267268, CVE-2026-44740):
  • release: v0.71.0 [main] (#10638)
  • ci: use only the first line of commit message in release-please workflow (#10766)
  • feat: add WithDriver and WithProvider options to ospkg detector (#10740)
  • chore(deps): bump github.com/google/go-containerregistry to v0.21.6 (#10741)
  • refactor(secret): normalize configPath once in Init (#10702)
  • feat(secret): add Maven rules to detect passwords and passphrases in settings.xml and settings-security.xml files (#10704)
  • chore(deps): bump the common group across 1 directory with 25 updates (#10758)
  • chore: migrate from gomodguard to gomodguard_v2 (#10739)
  • chore(deps): bump the docker group across 1 directory with 2 updates (#10709)
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.302.0 to 1.303.0 in the aws group (#10752)
  • ci: scope GitHub App tokens to minimum required permissions (#10755)
  • chore(deps): upgrade go-redis from v8 to v9 (#10736)
  • fix(misconf): fix rendering of nested values in terraform plan lists (#10746)
  • fix(misconf): skip resources with no after changes (#10352)
  • fix(misconf): reject nil plays during playbook parsing (#10273)
  • fix(nodejs): silently skip subdirectory package.json files with invalid names (#10609)
  • fix(misconf): skip null cty values in AsMapValue to prevent panic (#10723)
  • refactor(misconf): replace custom Helm archive parsing with Helm SDK loaders (#10718)
  • chore(deps): bump github.com/containerd/containerd/v2 to v2.3.1 (#10738)
  • chore(deps): bump github.com/go-git/go-git/v5 from 5.19.0 to 5.19.1 (#10686)
  • fix(report): don't produce trailing comma in gitlab.tpl links array (#10728)
  • fix(cloudformation): propagate AWS::EC2::Instance MetadataOptions (#10731)
  • chore(deps): upgrade github.com/cenkalti/backoff dependency to v5 (#10705)
  • chore: bump golangci-lint to v2.12 (#10726)
  • feat(spdx): add SHA-512 hash algorithm support to SPDX serializer (#10719)
  • feat(sbom): support for CycloneDX 1.7 (#10715)
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.300.0 to 1.302.0 in the aws group (#10708)
  • chore: migrate from helm.sh/helm/v3 to helm.sh/helm/v4 (#10678)
  • fix(image): correctly reconstruct RUN instructions built without BuildKit (#10714)
  • feat(java): support from settings.xml (#10692)
  • fix(java): surface 429 from a remote Maven repository as a fatal error when scanning pom.xml files (#10693)
  • chore: bump go to 1.26.3 (#10683)
  • fix(nodejs): handle legacy license formats in npm lockfile parser (#10684)
  • fix(secret): correctly skip secret-scanner config file from scanning (#10666)
  • feat(ubuntu): detect Ubuntu 26.04 LTS (#10592)
  • refactor(nodejs): deduplicate license traversal across package managers (#10681)
  • fix: overwrite OS packages PURLs after overwrite OS (#10298)
  • feat(secret): add Azure secret detection rules (#10562)
  • fix(misconf): prevent path traversal in Terraform filesystem functions (#10664)
  • feat(secret): add a way to customize skipped folders, files and exts (#10550)
  • ci: migrate PAT tokens to GitHub App (#10628)
  • chore(deps): bump the aws group across 1 directory with 6 updates (#10598)
  • chore(deps): bump the docker group across 1 directory with 3 updates (#10596)
  • chore(deps): bump the github-actions group across 2 directories with 9 updates (#10608)
  • chore(deps): bump github.com/in-toto/in-toto-golang from 0.10.0 to 0.11.0 (#10641)
  • chore(deps): bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0 (#10648)
  • ci: migrate PAT tokens to GITHUB_TOKEN for reusable-release workflow (#10655)
  • feat(seal): add vendor support for language file detection. (#10297)
  • fix(misconf): make identifiers in ignore rules case-insensitive (#10375)
  • fix: pull instead of clone when test repo already exists (#10636)
  • docs: document how to disable check.trivy.dev connections (#10623)
  • docs(misconf): fix typo in misconfiguration config (#10619)
  • ci: remove secrets from run block (#10590)
  • docs: fix typos (#10605)
  • refactor(deps): replace archived go-homedir with os.UserHomeDir (#10484)
  • chore(deps): Bump go-ini and fix the import path. (#10489)
  • chore(deps): bump the github-actions group across 2 directories with 9 updates (#10495)
  • chore(deps): bump github.com/aquasecurity/testdocker (#10543)
  • docs: convert README demonstration videos to mp4 (#10419)
  • chore(deps): upgrade vm scan dependency for bug fix (#10575)
  • docs(nodejs): clarify package.json behavior in image scanning (#10572)
  • chore(deps): replace xeipuuv/gojsonschema and invopop/jsonschema with google/jsonschema-go (#10528)
  • chore(deps): bump github.com/go-git/go-git/v5 from 5.17.2 to 5.18.0 (#10554)
  • chore(deps): bump alpine to 3.23.4 (#10552)
  • ci(helm): bump Trivy version to 0.70.0 for Trivy Helm Chart 0.22.0 (#10547)
  • update x/net to v0.55.0 ( bsc#1266495, CVE-2026-39821 bsc#1267047, CVE-2026-25680, CVE-2026-42502, CVE-2026-27136, CVE-2026-25681, CVE-2026-42506)
  • update x/crypto to 0.52.0 (bsc#1266075, CVE-2026-39827, CVE-2026-39834,CVE-2026-39828,CVE-2026-39829,CVE-2026-39831, CVE-2026-42508,CVE-2026-39833,CVE-2026-39830,CVE-2026-39832, CVE-2026-46597,CVE-2026-46598,CVE-2026-46595,CVE-2026-39835) bsc#1265648, CVE-2026-33814,

Список пакетов

openSUSE Leap 16.0
trivy-0.71.0-160000.1.1

Описание

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.


Затронутые продукты
openSUSE Leap 16.0:trivy-0.71.0-160000.1.1

Ссылки

Описание

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.


Затронутые продукты
openSUSE Leap 16.0:trivy-0.71.0-160000.1.1

Ссылки

Описание

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.


Затронутые продукты
openSUSE Leap 16.0:trivy-0.71.0-160000.1.1

Ссылки

Описание

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.


Затронутые продукты
openSUSE Leap 16.0:trivy-0.71.0-160000.1.1

Ссылки

Описание

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".


Затронутые продукты
openSUSE Leap 16.0:trivy-0.71.0-160000.1.1

Ссылки

Описание

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.


Затронутые продукты
openSUSE Leap 16.0:trivy-0.71.0-160000.1.1

Ссылки

Описание

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.


Затронутые продукты
openSUSE Leap 16.0:trivy-0.71.0-160000.1.1

Ссылки

Описание

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.


Затронутые продукты
openSUSE Leap 16.0:trivy-0.71.0-160000.1.1

Ссылки

Описание

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.


Затронутые продукты
openSUSE Leap 16.0:trivy-0.71.0-160000.1.1

Ссылки

Описание

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.


Затронутые продукты
openSUSE Leap 16.0:trivy-0.71.0-160000.1.1

Ссылки

Описание

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.


Затронутые продукты
openSUSE Leap 16.0:trivy-0.71.0-160000.1.1

Ссылки

Описание

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.


Затронутые продукты
openSUSE Leap 16.0:trivy-0.71.0-160000.1.1

Ссылки

Описание

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.


Затронутые продукты
openSUSE Leap 16.0:trivy-0.71.0-160000.1.1

Ссылки

Описание

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.


Затронутые продукты
openSUSE Leap 16.0:trivy-0.71.0-160000.1.1

Ссылки

Описание

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.


Затронутые продукты
openSUSE Leap 16.0:trivy-0.71.0-160000.1.1

Ссылки

Описание

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.


Затронутые продукты
openSUSE Leap 16.0:trivy-0.71.0-160000.1.1

Ссылки

Описание

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.


Затронутые продукты
openSUSE Leap 16.0:trivy-0.71.0-160000.1.1

Ссылки

Описание

Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures. This issue has been patched in versions 5.9.0 and 6.0.0-alpha.1.


Затронутые продукты
openSUSE Leap 16.0:trivy-0.71.0-160000.1.1

Ссылки

Описание

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.


Затронутые продукты
openSUSE Leap 16.0:trivy-0.71.0-160000.1.1

Ссылки

Описание

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.


Затронутые продукты
openSUSE Leap 16.0:trivy-0.71.0-160000.1.1

Ссылки

Описание

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.


Затронутые продукты
openSUSE Leap 16.0:trivy-0.71.0-160000.1.1

Ссылки
Уязвимость openSUSE-SU-2026:20956-1