SUSE-SU-2026:22141-1: important: Security update for elemental-system-agent
SLE-SECURITY-UPDATES
null at suse.de
Wed Jun 17 16:30:26 UTC 2026
# Security update for elemental-system-agent
Announcement ID: SUSE-SU-2026:22141-1
Release Date: 2026-06-11T09:43:01Z
Rating: important
References:
* bsc#1260277
Cross-References:
* CVE-2026-33186
CVSS scores:
* CVE-2026-33186 ( SUSE ): 8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-33186 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-33186 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Products:
* SUSE Linux Micro 6.1
An update that solves one vulnerability can now be installed.
## Description:
This update for elemental-system-agent fixes the following issue
* CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper
validation of the HTTP/2 :path pseudo- header (bsc#1260277).
Changes for elemental-system-agent:
* Update to version 0.3.16:
* setup for immutable releases (#274)
* align system-agent image publishing for signed releases (#270)
* Bumo github.com/docker/cli to v29.2.0 and go.opentelemetry.io/otel to
v1.43.0
* run go mod tidy in /test folder
* Bump google.golang.org/grpc from 1.75.0 to 1.79.3 (bsc#1260277
CVE-2026-33186)
* Bump github.com/docker/cli in /test
* export CATTLE_NODE_NAME if SYSTEM_UPGRADE_NODE_NAME is set
* use correct prefix for system-agent binary (#273)
* checksum validation (#271)
* Add `validate` subcommand for configuration validation (#250)
* Update CODEOWNERS
* Pin GH Actions to commit sha
* chore: bump sles to 15.7
* Extend remote plan e2e tests
* Fix agent restart issue and introduce constants
* chore: bump go to v1.25
* Setup e2e test infrastructure
* chores(deps): Bump k8s dependencies
* Define linter rules
* Fix CI failures
* Introduce an extended Makefile
* Switch workflows to use name makefile
* Replace dapper with multi stage builds
* Remove dapper scripts
* Add multiple improvements for ignore files
* fix: remove umask command from the system-agent unit-file
* fix-system-agent-umask
* [1.34] bumped dependencies for 1.34 support (#242)
* Bump K8s patch level to 1.33.5 and Go patch level to 1.24.6
* fix: properly handle traps after unsuccessful SUC job execution
* fix: do not unconditionally reset failure-counts
* fix: remove resetFailureCountOnStartup, always reset failure counts on first
start
* un-rc wrangler and lasso
* drop windows 2019 when running PR CI
* Update to version 0.3.13:
* Bumped dependencies for k8s v1.33
* Add delete for plan.File
* fix dispatch
* fix: add retry logic for one time instruction
* Get UID/GID for current user in write file_test.go
* Update secrets for dispatch
* fix golangci
* support k8s 1.32.2
* Add GitHub App token generation and dispatch job for System Agent Upgrade
workflow.
* Add ResetFailureCountOnServiceRestart, if true reset plan failure count
after each restart of the system-agent
* Bump wharfie to v0.6.7
* Add tests and update CI
* Windows updates
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Micro 6.1
zypper in -t patch SUSE-SLE-Micro-6.1-574=1
## Package List:
* SUSE Linux Micro 6.1 (aarch64 x86_64)
* elemental-system-agent-0.3.16-slfo.1.1_1.1
## References:
* https://www.suse.com/security/cve/CVE-2026-33186.html
* https://bugzilla.suse.com/show_bug.cgi?id=1260277
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-security-updates/attachments/20260617/b9384061/attachment.htm>
More information about the sle-security-updates
mailing list