SUSE-SU-2025:3954-1: moderate: Security update for aws-efs-utils

SLE-SECURITY-UPDATES null at suse.de
Wed Nov 5 16:30:16 UTC 2025 


# Security update for aws-efs-utils

Announcement ID: SUSE-SU-2025:3954-1  
Release Date: 2025-11-05T14:06:41Z  
Rating: moderate  
References:

  * bsc#1240044
  * bsc#1248055
  * bsc#1249851

  
Cross-References:

  * CVE-2020-35881
  * CVE-2025-55159

  
CVSS scores:

  * CVE-2020-35881 ( SUSE ):  4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  * CVE-2020-35881 ( NVD ):  9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  * CVE-2025-55159 ( SUSE ):  5.8
    CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
  * CVE-2025-55159 ( SUSE ):  5.8 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H
  * CVE-2025-55159 ( NVD ):  5.1
    CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

  
Affected Products:

  * openSUSE Leap 15.6
  * Public Cloud Module 15-SP6
  * Public Cloud Module 15-SP7
  * SUSE Linux Enterprise Server 15 SP6
  * SUSE Linux Enterprise Server 15 SP7
  * SUSE Linux Enterprise Server for SAP Applications 15 SP6
  * SUSE Linux Enterprise Server for SAP Applications 15 SP7

  
  
An update that solves two vulnerabilities and has one security fix can now be
installed.

## Description:

This update for aws-efs-utils fixes the following issues:

Update to version 2.3.3 (bsc#1240044).

Security issues fixed:

  * CVE-2025-55159: slab: incorrect bounds check in `get_disjoint_mut` function
    can lead to potential crash due to out-of-bounds access (bsc#1248055).
  * CVE-2020-35881: traitobject: log4rs: out-of-bounds write due to fat pointer
    layout assumptions (bsc#1249851).

Other issues fixed:

  * Build and install efs-proxy binary (bsc#1240044).

  * Fixed in version 2.3.3:

  * Add environment variable support for AWS profiles and regions
  * Regenerate Cargo.lock with rust 1.70.0
  * Update circle-ci config
  * Fix AWS Env Variable Test and Code Style Issue
  * Remove CentOS 8 and Ubuntu 16.04 from verified Linux distribution list

  * Fixed in version 2.3.2:

  * Update version in amazon-efs-utils.spec to 2.3.1
  * Fix incorrect package version

  * Fixed in version 2.3.1:

  * Fix backtrace version to resolve ubuntu and rhel build issues
  * Pin Cargo.lock to avoid unexpected error across images

  * Fixed in version 2.3.0:

  * Add support for pod-identity credentials in the credentials chain
  * Enable mounting with IPv6 when using with the 'stunnel' mount option

  * Fixed in version 2.2.1:

  * Update log4rs

  * Fixed in version 2.2.0

  * Use region-specific domain suffixes for dns endpoints where missing
  * Merge PR #211 - Amend Debian control to use binary architecture

  * Fixed in version 2.1.0

  * Add mount option for specifying region
  * Add new ISO regions to config file

  * Fixed in version 2.0.4

  * Add retry logic to and increase timeout for EC2 metadata token retrieval
    requests

  * Fixed in version 2.0.3:

  * Upgrade py version
  * Replace deprecated usage of datetime

  * Fixed in version 2.0.2

  * Check for efs-proxy PIDs when cleaning tunnel state files
  * Add PID to log entries

  * Fxied in version 2.0.1

  * Disable Nagle's algorithm for efs-proxy TLS mounts to improve latencies

  * Fixed in version 2.0.0:

  * Replace stunnel, which provides TLS encryptions for mounts, with efs-proxy,
    a component built in-house at AWS. Efs-proxy lays the foundation for
    upcoming feature launches at EFS.

  * Fixed in version 1.36.0:

  * Support new mount option: crossaccount, conduct cross account mounts via ip
    address. Use client AZ-ID to choose mount target.

  * Fixed in version 1.35.2:

  * Revert "Add warning if using older Version"
  * Support MacOS Sonoma

  * Fixed in version 1.35.1:

  * Revert openssl requirement change
  * Revert "Update EFS Documentation: Clarify Current FIPS Compliance Status"
  * Update EFS Documentation: Clarify Current FIPS Compliance Status
  * test: Change repo urls in eol debian9 build
  * Check private key file size to skip generation
  * test: Fix pytest that failed since commit 3dd89ca
  * Fix should_check_efs_utils_version scope
  * Add warning if using old version
  * Add 'fsap' option as EFS-only option

  * Fixed in version 1.35.0:

  * Add parameters to allow mount fo pod impersonation feature in EFS CSI Driver
  * Updated the README with support of Oracle8 distribution
  * Readme troubleshooting section + table of contents
  * Add efs-utils Support for MacOS Ventura EC2 instances

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * openSUSE Leap 15.6  
    zypper in -t patch openSUSE-SLE-15.6-2025-3954=1 SUSE-2025-3954=1

  * Public Cloud Module 15-SP6  
    zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP6-2025-3954=1

  * Public Cloud Module 15-SP7  
    zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP7-2025-3954=1

## Package List:

  * openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
    * aws-efs-utils-debuginfo-2.3.3-150600.17.6.1
    * aws-efs-utils-2.3.3-150600.17.6.1
  * Public Cloud Module 15-SP6 (aarch64 ppc64le s390x x86_64)
    * aws-efs-utils-2.3.3-150600.17.6.1
  * Public Cloud Module 15-SP7 (aarch64 ppc64le s390x x86_64)
    * aws-efs-utils-2.3.3-150600.17.6.1

## References:

  * https://www.suse.com/security/cve/CVE-2020-35881.html
  * https://www.suse.com/security/cve/CVE-2025-55159.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1240044
  * https://bugzilla.suse.com/show_bug.cgi?id=1248055
  * https://bugzilla.suse.com/show_bug.cgi?id=1249851

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-security-updates/attachments/20251105/96a883ea/attachment.htm>

More information about the sle-security-updates mailing list