SUSE-SU-2025:1094-1: important: Security update for warewulf4

SLE-UPDATES null at suse.de
Wed Apr 2 08:30:16 UTC 2025



# Security update for warewulf4

Announcement ID: SUSE-SU-2025:1094-1  
Release Date: 2025-04-02T03:37:41Z  
Rating: important  
References:

  * bsc#1226654
  * bsc#1238611
  * bsc#1239322

  
Cross-References:

  * CVE-2025-22869
  * CVE-2025-22870

  
CVSS scores:

  * CVE-2025-22869 ( SUSE ):  8.2
    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2025-22869 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2025-22870 ( SUSE ):  4.8
    CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
  * CVE-2025-22870 ( SUSE ):  4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
  * CVE-2025-22870 ( NVD ):  4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

  
Affected Products:

  * HPC Module 15-SP6
  * openSUSE Leap 15.5
  * openSUSE Leap 15.6
  * SUSE Linux Enterprise High Performance Computing 15 SP5
  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
  * SUSE Linux Enterprise Server 15 SP6

  
  
An update that solves two vulnerabilities and has one security fix can now be
installed.

## Description:

This update for warewulf4 fixes the following issues:

warewulf4 was updated from version 4.5.8 to 4.6.0:

  * Security issues fixed for version 4.6.0:

  * CVE-2025-22869: Fixed Denial of Service vulnerability in the Key Exchange of
    golang.org/x/crypto/ssh (bsc#1239322)

  * CVE-2025-22870: Fixed proxy bypass using IPv6 zone IDs (bsc#1238611)

  * User visible changes:

  * Default values `nodes.conf`:

    * The default values for `kernel command line`, `init parameters` and `root` are now set in the `default` profile and this profileshould be included in every profile. During the installation of an update an upgrade is done to `nodes.conf` which updates the database accordingly.
  * Overlay split up:

    * The overlays `wwinit` and `runtime` are now split up in different overlays named according to their role. The upgrade process will update the node database and replace the overlays `wwinit` and `runtime` with a list of overlays with same role.
  * Site and distribution overlays:

    * The overlays in `/var/lib/warewulf/overlays` should not be changed by the user any more. Site specific overlays are now sorted under `/etc/warewulf/overlays`. On upgrade, changed overlays are stored with the `rpmsave` suffix and move to `/etc/warewulf/overlays/$OVERLAYNAME`.
  * Other changes and bugs fixed:

  * Fixed udev issue with assigning device names (bsc#1226654)

  * Implemented new package `warewulf-reference-doc` with the reference
    documentation for Warewulf 4 as PDF
  * The configuation files nodes.conf and warewulf.conf will be updated on
    upgrade and the unmodified configuration files will be saved as
    nodes.conf.4.5.x and warewulf.conf.4.5.x

  * Summary of upstream changes:

  * New configuration upgrade system

  * Changes to the default profile
  * Renamed containers to (node) images
  * New kernel management system
  * Parallel overlay builds
  * Sprig functions in overlay templates
  * Improved network overlays
  * Nested profiles
  * Arbitrary "resources" data in nodes.conf
  * NFS client configuration in nodes.conf
  * Emphatically optional syncuser
  * Improved network boot observability
  * Particularly significant changes, especially those affecting the user
    interface, are described in the release notes:

    * https://warewulf.org/docs/v4.6.x/release/v4.6.0.html

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * openSUSE Leap 15.5  
    zypper in -t patch SUSE-2025-1094=1

  * openSUSE Leap 15.6  
    zypper in -t patch openSUSE-SLE-15.6-2025-1094=1

  * HPC Module 15-SP6  
    zypper in -t patch SUSE-SLE-Module-HPC-15-SP6-2025-1094=1

  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-1094=1

  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-1094=1

## Package List:

  * openSUSE Leap 15.5 (aarch64 x86_64)
    * warewulf4-4.6.0-150500.6.34.1
    * warewulf4-overlay-4.6.0-150500.6.34.1
  * openSUSE Leap 15.5 (noarch)
    * warewulf4-man-4.6.0-150500.6.34.1
    * warewulf4-dracut-4.6.0-150500.6.34.1
    * warewulf4-overlay-slurm-4.6.0-150500.6.34.1
    * warewulf4-overlay-rke2-4.6.0-150500.6.34.1
    * warewulf4-reference-doc-4.6.0-150500.6.34.1
  * openSUSE Leap 15.6 (aarch64 x86_64)
    * warewulf4-4.6.0-150500.6.34.1
    * warewulf4-overlay-4.6.0-150500.6.34.1
  * openSUSE Leap 15.6 (noarch)
    * warewulf4-overlay-slurm-4.6.0-150500.6.34.1
    * warewulf4-dracut-4.6.0-150500.6.34.1
    * warewulf4-reference-doc-4.6.0-150500.6.34.1
    * warewulf4-man-4.6.0-150500.6.34.1
  * HPC Module 15-SP6 (aarch64 x86_64)
    * warewulf4-4.6.0-150500.6.34.1
    * warewulf4-overlay-4.6.0-150500.6.34.1
  * HPC Module 15-SP6 (noarch)
    * warewulf4-overlay-slurm-4.6.0-150500.6.34.1
    * warewulf4-dracut-4.6.0-150500.6.34.1
    * warewulf4-reference-doc-4.6.0-150500.6.34.1
    * warewulf4-man-4.6.0-150500.6.34.1
  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64
    x86_64)
    * warewulf4-4.6.0-150500.6.34.1
    * warewulf4-overlay-4.6.0-150500.6.34.1
  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (noarch)
    * warewulf4-overlay-slurm-4.6.0-150500.6.34.1
    * warewulf4-dracut-4.6.0-150500.6.34.1
    * warewulf4-reference-doc-4.6.0-150500.6.34.1
    * warewulf4-man-4.6.0-150500.6.34.1
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (aarch64
    x86_64)
    * warewulf4-4.6.0-150500.6.34.1
    * warewulf4-overlay-4.6.0-150500.6.34.1
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (noarch)
    * warewulf4-overlay-slurm-4.6.0-150500.6.34.1
    * warewulf4-dracut-4.6.0-150500.6.34.1
    * warewulf4-reference-doc-4.6.0-150500.6.34.1
    * warewulf4-man-4.6.0-150500.6.34.1

## References:

  * https://www.suse.com/security/cve/CVE-2025-22869.html
  * https://www.suse.com/security/cve/CVE-2025-22870.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1226654
  * https://bugzilla.suse.com/show_bug.cgi?id=1238611
  * https://bugzilla.suse.com/show_bug.cgi?id=1239322

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20250402/e52d0df8/attachment.htm>


More information about the sle-updates mailing list