SUSE-SU-2025:1094-1: important: Security update for warewulf4
SLE-UPDATES
null at suse.de
Wed Apr 2 08:30:16 UTC 2025
# Security update for warewulf4
Announcement ID: SUSE-SU-2025:1094-1
Release Date: 2025-04-02T03:37:41Z
Rating: important
References:
* bsc#1226654
* bsc#1238611
* bsc#1239322
Cross-References:
* CVE-2025-22869
* CVE-2025-22870
CVSS scores:
* CVE-2025-22869 ( SUSE ): 8.2
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-22869 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-22870 ( SUSE ): 4.8
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-22870 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
* CVE-2025-22870 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
Affected Products:
* HPC Module 15-SP6
* openSUSE Leap 15.5
* openSUSE Leap 15.6
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
* SUSE Linux Enterprise Server 15 SP6
An update that solves two vulnerabilities and has one security fix can now be
installed.
## Description:
This update for warewulf4 fixes the following issues:
warewulf4 was updated from version 4.5.8 to 4.6.0:
* Security issues fixed for version 4.6.0:
* CVE-2025-22869: Fixed Denial of Service vulnerability in the Key Exchange of
golang.org/x/crypto/ssh (bsc#1239322)
* CVE-2025-22870: Fixed proxy bypass using IPv6 zone IDs (bsc#1238611)
* User visible changes:
* Default values `nodes.conf`:
* The default values for `kernel command line`, `init parameters` and `root` are now set in the `default` profile and this profileshould be included in every profile. During the installation of an update an upgrade is done to `nodes.conf` which updates the database accordingly.
* Overlay split up:
* The overlays `wwinit` and `runtime` are now split up in different overlays named according to their role. The upgrade process will update the node database and replace the overlays `wwinit` and `runtime` with a list of overlays with same role.
* Site and distribution overlays:
* The overlays in `/var/lib/warewulf/overlays` should not be changed by the user any more. Site specific overlays are now sorted under `/etc/warewulf/overlays`. On upgrade, changed overlays are stored with the `rpmsave` suffix and move to `/etc/warewulf/overlays/$OVERLAYNAME`.
* Other changes and bugs fixed:
* Fixed udev issue with assigning device names (bsc#1226654)
* Implemented new package `warewulf-reference-doc` with the reference
documentation for Warewulf 4 as PDF
* The configuation files nodes.conf and warewulf.conf will be updated on
upgrade and the unmodified configuration files will be saved as
nodes.conf.4.5.x and warewulf.conf.4.5.x
* Summary of upstream changes:
* New configuration upgrade system
* Changes to the default profile
* Renamed containers to (node) images
* New kernel management system
* Parallel overlay builds
* Sprig functions in overlay templates
* Improved network overlays
* Nested profiles
* Arbitrary "resources" data in nodes.conf
* NFS client configuration in nodes.conf
* Emphatically optional syncuser
* Improved network boot observability
* Particularly significant changes, especially those affecting the user
interface, are described in the release notes:
* https://warewulf.org/docs/v4.6.x/release/v4.6.0.html
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.5
zypper in -t patch SUSE-2025-1094=1
* openSUSE Leap 15.6
zypper in -t patch openSUSE-SLE-15.6-2025-1094=1
* HPC Module 15-SP6
zypper in -t patch SUSE-SLE-Module-HPC-15-SP6-2025-1094=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-1094=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-1094=1
## Package List:
* openSUSE Leap 15.5 (aarch64 x86_64)
* warewulf4-4.6.0-150500.6.34.1
* warewulf4-overlay-4.6.0-150500.6.34.1
* openSUSE Leap 15.5 (noarch)
* warewulf4-man-4.6.0-150500.6.34.1
* warewulf4-dracut-4.6.0-150500.6.34.1
* warewulf4-overlay-slurm-4.6.0-150500.6.34.1
* warewulf4-overlay-rke2-4.6.0-150500.6.34.1
* warewulf4-reference-doc-4.6.0-150500.6.34.1
* openSUSE Leap 15.6 (aarch64 x86_64)
* warewulf4-4.6.0-150500.6.34.1
* warewulf4-overlay-4.6.0-150500.6.34.1
* openSUSE Leap 15.6 (noarch)
* warewulf4-overlay-slurm-4.6.0-150500.6.34.1
* warewulf4-dracut-4.6.0-150500.6.34.1
* warewulf4-reference-doc-4.6.0-150500.6.34.1
* warewulf4-man-4.6.0-150500.6.34.1
* HPC Module 15-SP6 (aarch64 x86_64)
* warewulf4-4.6.0-150500.6.34.1
* warewulf4-overlay-4.6.0-150500.6.34.1
* HPC Module 15-SP6 (noarch)
* warewulf4-overlay-slurm-4.6.0-150500.6.34.1
* warewulf4-dracut-4.6.0-150500.6.34.1
* warewulf4-reference-doc-4.6.0-150500.6.34.1
* warewulf4-man-4.6.0-150500.6.34.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64
x86_64)
* warewulf4-4.6.0-150500.6.34.1
* warewulf4-overlay-4.6.0-150500.6.34.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (noarch)
* warewulf4-overlay-slurm-4.6.0-150500.6.34.1
* warewulf4-dracut-4.6.0-150500.6.34.1
* warewulf4-reference-doc-4.6.0-150500.6.34.1
* warewulf4-man-4.6.0-150500.6.34.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (aarch64
x86_64)
* warewulf4-4.6.0-150500.6.34.1
* warewulf4-overlay-4.6.0-150500.6.34.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (noarch)
* warewulf4-overlay-slurm-4.6.0-150500.6.34.1
* warewulf4-dracut-4.6.0-150500.6.34.1
* warewulf4-reference-doc-4.6.0-150500.6.34.1
* warewulf4-man-4.6.0-150500.6.34.1
## References:
* https://www.suse.com/security/cve/CVE-2025-22869.html
* https://www.suse.com/security/cve/CVE-2025-22870.html
* https://bugzilla.suse.com/show_bug.cgi?id=1226654
* https://bugzilla.suse.com/show_bug.cgi?id=1238611
* https://bugzilla.suse.com/show_bug.cgi?id=1239322
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20250402/e52d0df8/attachment.htm>
More information about the sle-updates
mailing list