SUSE-SU-2026:22242-1: important: Security update for google-osconfig-agent
SLE-SECURITY-UPDATES
null at suse.de
Thu Jun 25 12:31:22 UTC 2026
# Security update for google-osconfig-agent
Announcement ID: SUSE-SU-2026:22242-1
Release Date: 2026-06-22T09:17:37Z
Rating: important
References:
* bsc#1210938
* bsc#1236533
* bsc#1239948
* bsc#1244304
* bsc#1244503
* bsc#1251453
* bsc#1251704
* bsc#1260264
* bsc#1262926
* bsc#1264923
* bsc#1265762
* bsc#1266171
* bsc#1266603
Cross-References:
* CVE-2023-45288
* CVE-2024-45339
* CVE-2025-22868
* CVE-2025-47911
* CVE-2025-58190
* CVE-2026-33186
* CVE-2026-33814
* CVE-2026-34986
* CVE-2026-39821
* CVE-2026-39827
* CVE-2026-39828
* CVE-2026-39829
* CVE-2026-39830
* CVE-2026-39831
* CVE-2026-39832
* CVE-2026-39833
* CVE-2026-39834
* CVE-2026-39835
* CVE-2026-41506
* CVE-2026-42508
* CVE-2026-46595
* CVE-2026-46597
* CVE-2026-46598
CVSS scores:
* CVE-2023-45288 ( SUSE ): 6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2023-45288 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-45288 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-45339 ( SUSE ): 6.9
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2024-45339 ( SUSE ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
* CVE-2024-45339 ( NVD ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
* CVE-2025-22868 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-22868 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-22868 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-47911 ( SUSE ): 6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-47911 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-47911 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-58190 ( SUSE ): 6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-58190 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-58190 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-33186 ( SUSE ): 8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-33186 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-33186 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-33814 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-33814 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-34986 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-34986 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-34986 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-39821 ( SUSE ): 9.1
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-39821 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-39821 ( NVD ): 9.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
* CVE-2026-39827 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-39827 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-39827 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-39828 ( SUSE ): 8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-39828 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-39828 ( NVD ): 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
* CVE-2026-39829 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-39829 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-39829 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-39830 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-39830 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-39830 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
* CVE-2026-39831 ( SUSE ): 8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-39831 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-39831 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-39832 ( SUSE ): 6.2
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
* CVE-2026-39832 ( SUSE ): 8.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
* CVE-2026-39832 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-39833 ( SUSE ): 8.5
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-39833 ( SUSE ): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-39833 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-39834 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-39834 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-39834 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
* CVE-2026-39835 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-39835 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-39835 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-41506 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2026-41506 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
* CVE-2026-41506 ( NVD ): 4.7 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
* CVE-2026-41506 ( NVD ): 7.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
* CVE-2026-42508 ( SUSE ): 8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-42508 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-42508 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-46595 ( SUSE ): 8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-46595 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-46595 ( NVD ): 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
* CVE-2026-46597 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-46597 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-46597 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-46598 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-46598 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-46598 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected Products:
* SUSE Linux Micro 6.0
An update that solves 23 vulnerabilities can now be installed.
## Description:
This update for google-osconfig-agent fixes the following issues:
* CVE-2023-45288: golang.org/x/net/http2: close connections when receiving too
many headers (bsc#1236533).
* CVE-2025-47911: golang.org/x/net/html: various algorithms with quadratic
complexity when parsing HTML documents (bsc#1251453).
* CVE-2025-58190: golang.org/x/net/html: excessive memory consumption by
`html.ParseFragment` when processing specially crafted input (bsc#1251704).
* CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper
validation of the HTTP/2 :path pseudo-header (bsc#1260264).
* CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport
when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1265762).
* CVE-2026-34986: github.com/go-jose/go-jose/v4: crafted JWE input with a
missing encrypted key can lead to a denial of service (bsc#1262926).
* CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only
Punycode-encoded labels allows for validation bypass and privilege
escalation (bsc#1266603).
* CVE-2026-39827: golang.org/x/crypto/ssh: memory leak when rejecting channels
can lead to DoS (bsc#1266171).
* CVE-2026-39828: golang.org/x/crypto/ssh: bypass of certificate restrictions
(bsc#1266171).
* CVE-2026-39829: golang.org/x/crypto/ssh: pathological RSA/DSA parameters may
cause DoS (bsc#1266171).
* CVE-2026-39830: golang.org/x/crypto/ssh: client can cause server deadlock on
unexpected responses (bsc#1266171).
* CVE-2026-39831: golang.org/x/crypto/ssh: bypass of FIDO/U2F security keys
physical interaction (bsc#1266171).
* CVE-2026-39832: golang.org/x/crypto/ssh/agent: agent constraints dropped when
forwarding keys (bsc#1266171).
* CVE-2026-39833: golang.org/x/crypto/ssh/agent: key constraints not enforced
(bsc#1266171).
* CVE-2026-39834: golang.org/x/crypto/ssh: infinite loop on large channel
writes (bsc#1266171).
* CVE-2026-39835: golang.org/x/crypto/ssh: server panic during
CheckHostKey/Authenticate (bsc#1266171).
* CVE-2026-42508: golang.org/x/crypto/ssh/knownhosts: auth bypass via
unenforced @revoked status (bsc#1266171).
* CVE-2026-46595: golang.org/x/crypto/ssh: VerifiedPublicKeyCallback
permissions skip enforcement (bsc#1266171).
* CVE-2026-46597: golang.org/x/crypto/ssh: byte arithmetic causes underflow and
panic (bsc#1266171).
* CVE-2026-46598: golang.org/x/crypto/ssh/agent: pathological inputs can lead
to client panic (bsc#1266171).
* CVE-2026-41506: github.com/go-git/go-git/v5: HTTP authentication credential
leak when following redirects during smart-HTTP clone and fetch operations
(bsc#1264923).
Changes for google-osconfig-agent:
* Update to version 20260615.01
* Upgrade golang.org/x/crypto & golang.org/x/net (#1006)
* from version 20260615.00
* Add unit tests for ospatch_apt_upgrade.go (#938)
* Update to version 20260611.00
* Add unit tests for policies/policies.go PART 5 (#998)
* from version 20260610.00
* Add unit tests for policies/policies.go PART 4 (#997)
* from version 20260609.02
* squash commits (#936)
* from version 20260609.01
* Add unit tests for policies/policies.go PART 3 (#996)
* from version 20260609.00
* Add unit tests for policies/policies.go PART 2 (#991)
* from version 20260602.01
* Align format of dates and timestamp collected across Windows packages (#973)
* from version 20260602.00
* Add unit tests for config/config.go (#979)
* from version 20260528.00
* Bump github.com/containerd/containerd (#990)
* from version 20260521.00
* Cover agentconfig functionality by unit tests (#925)
* from version 20260520.04
* Add unit tests for policies/googet.go (#961)
* Bump github.com/go-git/go-git/v5 (#987)
* from version 20260520.02
* Add unit tests for policies/yum.go (#952)
* Add unit tests for policies/apt.go PART 3 (#951)
* from version 20260520.00
* Add unit tests for policies/zypper.go (#953)
* from version 20260519.00
* Add unit tests for policies/policies.go PART 1 (#949)
* from version 20260513.01
* Bump github.com/go-git/go-git/v5 (#981), this also updates golang.org/x/net
to v0.53.0 (bsc#1265762, CVE-2026-33814)
* from version 20260513.00
* upgrade a few packages (#980)
* from version 20260512.02
* Add/improve unit tests for agentendpoint/exec_task.go (#933)
* from version 20260512.01
* Cover google_update.go by unit tests (#941)
* from version 20260512.00
* Change zone for arm64 builds because of stockout (#978)
* Update to version 20260511.00
* switch to t2a-standard-2 on ARM package build (#977)
* from version 20260505.03
* Cover zypper_patch by unit tests (#958)
* from version 20260505.02
* Remove unused functions DisableAutoUpdates (#970)
* from version 20260505.01
* Bump
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
(#966)
* from version 20260505.00
* Upgrade a few dependencies across the repo (#968)
* github.com/go-git/go-git/v5 5.16.2->5.18.0 (bsc#1264923, CVE-2026-41506)
* github.com/go-jose/go-jose/v4 4.1.3->4.1.4 (bsc#1262926, CVE-2026-34986)
* github.com/go-viper/mapstructure/v2 2.3.0->2.4.0
* go.opentelemetry.io/otel 1.40.0->1.41.0
* go.opentelemetry.io/otel/sdk 1.39.0->1.43.0
* from version 20260504.01
* bump github.com/docker/cli to 29.2.0 (#962)
* from version 20260504.00
* Bump github.com/opencontainers/selinux (#960)
* Update to version 20260428.00
* Add/improve unit tests for agentendpoint/agentendpoint.go (#930)
* from version 20260427.03
* Cover config/file.go by unit tests (#935)
* from version 20260422.01
* Cover patch_linux.go by unit tests (#932)
* from version 20260422.00
* upgrade grpc package in main package and e2e tests (#959) (bsc#1260264,
CVE-2026-33186)
* from version 20260417.04
* Bump OSV-Scalibr version to v0.4.3 (#956)
* from version 20260417.03
* Add unit tests for updates_linux.go (#937)
* from version 20260417.02
* Add zone to CreateDisk step (#955)
* from version 20260417.01
* Change disk type for deb11 (#954)
* from version 20260417.00
* Add unit tests for policies/apt.go PART 1 (#950)
* from version 20260410.02
* Add unit tests for packages/pty_linux.go (#943)
* from version 20260410.01
* fix disk type for arm workflows (#948)
* from version 20260410.00
* Change machine type for arm based workflows (#946)
* Update to version 20260330.00
* bump timeouts for all workflows (#940)
* from version 20260326.00
* Cover exec_resource.go by unit tests (#934)
* from version 20260318.00
* Integrate OSConfig agent with ReportVmInventory (#923)
* from version 20260313.02
* remove cacheonly flag from yum upgrade (#924)
* from version 20260313.01
* conditions python version override (#927)
* from version 20260313.00
* Fix presubmits by explicitly set python version for rpm based systems (#926)
* from version 20260311.00
* Bump osconfig version (#922)
* from version 20260309.02
* Extend OSV scalibr extractor (#921)
* from version 20260309.01
* upgrade golang.org/x/crypto and its transitive deps (#918)
* from version 20260309.00
* Add purl to pkg info (#920)
* from version 20260306.00
* Add 'Type' field to PkgInfo (#919)
* from version 20260303.01
* Upgrade go.opentelemetry.io/otel/sdk (#913)
* from version 20260303.00
* Bump github.com/vbatts/tar-split from 0.11.5 to 0.12.2 (#908)
* from version 20260302.00
* Bump github.com/spdx/tools-golang from 0.5.3 to 0.5.7 (#906)
* from version 20260126.00
* Bump go.opentelemetry.io/otel/sdk from 1.38.0 to 1.39.0 (#905)
* Bump github.com/sirupsen/logrus (#894)
* Update to version 20260119.00
* Bump cloud.google.com/go/storage from 1.56.0 to 1.58.0 (#899)
* Update to version 20251230.00
* chore: Migrate gsutil usage to gcloud storage (#904)
* from version 20251223.00
* fix e2e tests for report inventory (#903)
* from version 20251222.01
* Revert "Bump cloud.google.com/go/longrunning from 0.6.3 to 0.7.0 (#882)"
(#902)
* from version 20251222.00
* Bump golang to the new version (#900)
* from version 20251218.00
* add new CODEOWNERS (#901)
* from version 20251217.00
* Bump cloud.google.com/go/longrunning from 0.6.3 to 0.7.0 (#882)
* Bump the golang compiler version to 1.24.5
* Update to version 20251202.00
* Revert "Bump github.com/spdx/tools-golang from 0.5.3 to 0.5.5 (#887)" (#893)
* Update to version 20251201.00
* Revert "Bump github.com/containerd/containerd (#890)" (#892)
* Update to version 20251126.00
* Bump github.com/containerd/containerd (#890)
* Bump github.com/spdx/tools-golang from 0.5.3 to 0.5.5 (#887)
* Update to version 20251028.00
* Bump go.opentelemetry.io/otel/sdk/metric from 1.35.0 to 1.38.0 (#886)
* Bump github.com/tidwall/pretty from 1.2.0 to 1.2.1 (#880)
* from version 20251023.02
* Create multiple_os.yaml (#883)
* from version 20251023.00
* Bump github.com/docker/go-connections from 0.4.0 to 0.6.0 (#877)
* Add test runner for e2e tests (#876)
* Update to version 20250925.00
* Bump cloud.google.com/go/auth/oauth2adapt from 0.2.7 to 0.2.8 (#870)
* Bump google.golang.org/protobuf from 1.36.6 to 1.36.9 (#874)
* Bump go.opentelemetry.io/otel from 1.35.0 to 1.38.0 (#872)
* Bump github.com/golang/glog from 1.2.4 to 1.2.5 (#830)
* Update to version 20250902.01
* Bump github.com/googleapis/enterprise-certificate-proxy (#829)
* from version 20250902.00
* update github.com/go-jose/go-jose/v4 (#869)
* Upgrade scalibr and other deps (#866)
* from version 20250901.00
* Fix possibility of path traversal for zip and tar archival (#868)
* from version 20250825.00
* set CODEOWNERS file as required by org (#863)
* from version 20250819.00
* Fix/rhel10 build centos image (#860)
* from version 20250814.00
* Fix/rhel10 build image (#859)
* from version 20250813.00
* Fix: Add RHEL 10 support to RPM startup script (#858)
* from version 20250811.00
* Remove old/sles-15-sp4-sap as image is deprecated (#857)
* Update to version 20250806.00
* Fixed JSON identifier for the universe domain (#855)
* from version 20250729.00
* Bump github.com/google/s2a-go from 0.1.8 to 0.1.9 (#828)
* from version 20250725.02
* Update utils.go (#854)
* Upgrade golang.org/x/oauth2 package to the latest. (#853)
* Bump golang.org/x/time from 0.9.0 to 0.12.0 (#839)
* from version 20250725.01
* Bump golang.org/x/oauth2 (#848)
* Port fix for debian 11 to goo package manager. (#852)
* from version 20250725.00
* Update Golang version in common.sh and skip backports repo for debian 11
(#850)
* from version 20250723.01
* Add workflows to build package for el10 (#849)
* from version 20250721.00
* Make OS Config agent TPC aware (#846)
* from version 20250718.00
* Create workflows for new Debian 13. (#847)
* Update to version 20250703.00
* Fix sles images (#844)
* from version 20250702.00
* Remove rhel-sap 8-4 add rhel-sap 8-10 (#843)
* from version 20250701.00
* Bump the go_modules group across 1 directory with 2 updates (#840)
* Update to version 20250606.00
* Change base docker images Google's official base images. (#838)
* Update to version 20250523.01
* Add a simple no-op OS policy for user testing (#837)
* from version 20250523.00
* Introduce scalibr inventory extractor for dpkg/rpm/cos os/filesystem
extractors (linux) (#834)
* Trace GetInstalledPackages memory levels (#835)
* from version 20250520.00
* Update to version 20250513.00
* Fix rpm extractor, handle (none) value correctly. (#833)
* from version 20250512.01
* Bump github.com/envoyproxy/go-control-plane from 0.13.1 to 0.13.4 (#816)
* from version 20250512.00
* Bump golang.org/x/net from 0.39.0 to 0.40.0 (#819)
* from version 20250508.01
* cosmetic refactoring to osinfo package (#826)
* from version 20250508.00
* Refactor /inventory with dependency injection (#825)
* Add debian, ubuntu (InstalledDebPackages) snapshots (#821)
* cover packages_linux.go file with tests (#824)
* Add debian (10,11,12) GetPackageUpdates output snapshots (#822)
* from version 20250507.00
* Add InstalledRPMPackages snapshot tests (#823)
* from version 20250506.02
* Yum tests: simplify initialization of exit errors (#820)
* from version 20250506.01
* Improve test coverage for gem package manager (#818)
* from version 20250506.00
* after go/x/crypto update 0.32.0 -> 0.37.0 (#817)
* from version 20250505.01
* Improve packages package coverage (#814)
* Bump golang.org/x/net from 0.34.0 to 0.39.0 (#807)
* from version 20250505.00
* Bump golang.org/x/crypto from 0.32.0 to 0.37.0 (#806)
* from version 20250430.00
* Snapshot YumUpdates (GetPackageUpdates) output (#813)
* from version 20250428.00
* Snapshot ZypperPatches, ZypperUpdates (GetPackageUpdates) output for sles
12, 15 testdata (#812)
* from version 20250423.00
* Introduce MatchSnapshot large test results matcher function, snapshot
apt-deb GetPackageUpdates (#811)
* from version 20250416.02
* defaultSleeper: tolerate 10% difference to reduce test flakiness (#810)
* Add output of some packagemanagers to the testdata (#808)
* from version 20250416.01
* Refactor OS Info package (#809)
* from version 20250416.00
* Report RPM inventory as YUM instead of empty SoftwarePackage when neither
Zypper nor YUM are installed. (#805)
* from version 20250414.00
* Update hash computation algorithm (#799)
* Update to version 20250320.00
* Bump github.com/envoyproxy/protoc-gen-validate from 1.1.0 to 1.2.1 (#797)
* from version 20250318.00
* Bump go.opentelemetry.io/otel/sdk/metric from 1.32.0 to 1.35.0 (#793)
* from version 20250317.02
* Bump cel.dev/expr from 0.18.0 to 0.22.0 (#792)
* Bump github.com/golang/glog from 1.2.3 to 1.2.4 in the go_modules group
(#785)
* from version 20250317.01
* Bump cloud.google.com/go/logging from 1.12.0 to 1.13.0 (#774)
* from version 20250317.00
* Add tests for retryutil package. (#795)
* from version 20250306.00
* Update OWNERS (#794)
* from version 20250206.01
* Use separate counters for pre- and post-patch reboots. (#788)
* from version 20250206.00
* Update owners (#789)
* from version 20250203.00
* Fix the vet errors for constants in logging (#786)
* from version 20250122.00
* change available package check (#783)
* from version 20250121.00
* Fix Inventory reporting e2e tests. (#782)
* from version 20250120.00
* fix e2e tests (#781)
* Add -buildmode=pie to go build command line (bsc#1239948)
* from version 20240501.00 (bsc#1236533, CVE-2023-45288)
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Micro 6.0
zypper in -t patch SUSE-SLE-Micro-6.0-764=1
## Package List:
* SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
* google-osconfig-agent-20260615.01-1.1
* google-osconfig-agent-debuginfo-20260615.01-1.1
## References:
* https://www.suse.com/security/cve/CVE-2023-45288.html
* https://www.suse.com/security/cve/CVE-2024-45339.html
* https://www.suse.com/security/cve/CVE-2025-22868.html
* https://www.suse.com/security/cve/CVE-2025-47911.html
* https://www.suse.com/security/cve/CVE-2025-58190.html
* https://www.suse.com/security/cve/CVE-2026-33186.html
* https://www.suse.com/security/cve/CVE-2026-33814.html
* https://www.suse.com/security/cve/CVE-2026-34986.html
* https://www.suse.com/security/cve/CVE-2026-39821.html
* https://www.suse.com/security/cve/CVE-2026-39827.html
* https://www.suse.com/security/cve/CVE-2026-39828.html
* https://www.suse.com/security/cve/CVE-2026-39829.html
* https://www.suse.com/security/cve/CVE-2026-39830.html
* https://www.suse.com/security/cve/CVE-2026-39831.html
* https://www.suse.com/security/cve/CVE-2026-39832.html
* https://www.suse.com/security/cve/CVE-2026-39833.html
* https://www.suse.com/security/cve/CVE-2026-39834.html
* https://www.suse.com/security/cve/CVE-2026-39835.html
* https://www.suse.com/security/cve/CVE-2026-41506.html
* https://www.suse.com/security/cve/CVE-2026-42508.html
* https://www.suse.com/security/cve/CVE-2026-46595.html
* https://www.suse.com/security/cve/CVE-2026-46597.html
* https://www.suse.com/security/cve/CVE-2026-46598.html
* https://bugzilla.suse.com/show_bug.cgi?id=1210938
* https://bugzilla.suse.com/show_bug.cgi?id=1236533
* https://bugzilla.suse.com/show_bug.cgi?id=1239948
* https://bugzilla.suse.com/show_bug.cgi?id=1244304
* https://bugzilla.suse.com/show_bug.cgi?id=1244503
* https://bugzilla.suse.com/show_bug.cgi?id=1251453
* https://bugzilla.suse.com/show_bug.cgi?id=1251704
* https://bugzilla.suse.com/show_bug.cgi?id=1260264
* https://bugzilla.suse.com/show_bug.cgi?id=1262926
* https://bugzilla.suse.com/show_bug.cgi?id=1264923
* https://bugzilla.suse.com/show_bug.cgi?id=1265762
* https://bugzilla.suse.com/show_bug.cgi?id=1266171
* https://bugzilla.suse.com/show_bug.cgi?id=1266603