SUSE-SU-2025:20288-1: moderate: Security update for iperf

SLE-UPDATES null at suse.de
Wed Jun 4 07:26:23 UTC 2025



# Security update for iperf

Announcement ID: SUSE-SU-2025:20288-1  
Release Date: 2025-02-03T09:04:33Z  
Rating: moderate  
References:

  * bsc#1224262

  
Cross-References:

  * CVE-2024-26306

  
CVSS scores:

  * CVE-2024-26306 ( SUSE ):  5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  * CVE-2024-26306 ( NVD ):  5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

  
Affected Products:

  * SUSE Linux Micro Extras 6.0

  
  
An update that solves one vulnerability can now be installed.

## Description:

This update for iperf fixes the following issues:

  * update to 3.17.1 (bsc#1224262, CVE-2024-26306):
    * BREAKING CHANGE: iperf3's authentication features, when used with OpenSSL
      prior to 3.2.0, contain a vulnerability to a side-channel timing attack. To
      address this flaw, a change has been made to the padding applied to
      encrypted strings. This change is not backwards compatible with older
      versions of iperf3 (before 3.17). To restore the older (vulnerable)
      behavior, and hence backwards compatibility, use the --use-pkcs1-padding
      flag. The iperf3 team thanks Hubert Kario from Red Hat for reporting this
      issue and providing feedback on the fix. (CVE-2024-26306, PR#1695)
    * iperf3 no longer changes its current working directory in --daemon mode.
      This results in more predictable behavior with relative paths, in particular
      when finding key and credential files for authentication. (PR#1672)
    * A new --json-stream option has been added to enable a streaming output
      format, consisting of a series of JSON objects (for the start of the test,
      each measurement interval, and the end of the test) separated by newlines
      (#444, #923, #1098).
    * UDP tests now work correctly between hosts of different endianness.
    * The --fq-rate parameter now works for --reverse tests.
    * The statistics reporting interval is now available in the --json start test
      object (#1663).
    * A negative time test duration is now properly flagged as an error (IS#1662 /
      PR#1666).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Micro Extras 6.0  
    zypper in -t patch SUSE-SLE-Micro-6.0-92=1
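
After installing the update, the helpers below report which padding behaviour an iperf version has (the change arrived in 3.17, per the description above) and list service or script lines that turn the old padding back on with --use-pkcs1-padding. This is an added example, not part of the SUSE advisory or the iperf project; the function names are hypothetical and the files to scan are whatever you pass on the command line.

```shell
#!/bin/sh
# Added example: audit helpers for the iperf padding change (CVE-2024-26306).
# Function names are hypothetical; nothing here comes from the iperf source.
PADDING_CHANGE_VERSION="3.17"   # first version with the new padding, per the advisory text

# version_ge A B: succeed when dotted version A >= B (relies on sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# classify_version V: print "new-padding" or "old-padding" for an iperf version.
# An RPM release suffix such as "-1.1" is stripped before comparing.
classify_version() {
    v=${1%%-*}
    if version_ge "$v" "$PADDING_CHANGE_VERSION"; then
        echo new-padding
    else
        echo old-padding
    fi
}

# find_pkcs1_fallback FILE...: print "file:line:text" for every non-comment line
# that runs iperf3 with --use-pkcs1-padding, i.e. restores the vulnerable behaviour.
find_pkcs1_fallback() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v f="$f" '
            /^[[:space:]]*#/ { next }
            /iperf3/ && /--use-pkcs1-padding/ { printf "%s:%d:%s\n", f, NR, $0 }
        ' "$f"
    done
}

# When run with file arguments: report the installed package, then scan the files.
if [ "$#" -gt 0 ]; then
    if command -v rpm >/dev/null 2>&1 && ver=$(rpm -q --qf '%{VERSION}' iperf 2>/dev/null); then
        echo "iperf $ver: $(classify_version "$ver")"
    fi
    find_pkcs1_fallback "$@"
fi
```

Any line it prints marks an endpoint that still uses the older padding for compatibility with peers before 3.17; upgrading those peers lets the flag be dropped.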

## Package List:

  * SUSE Linux Micro Extras 6.0 (aarch64 s390x x86_64)
    * libiperf0-debuginfo-3.17.1-1.1
    * iperf-3.17.1-1.1
    * iperf-debugsource-3.17.1-1.1
    * iperf-debuginfo-3.17.1-1.1
    * libiperf0-3.17.1-1.1

## References:

  * https://www.suse.com/security/cve/CVE-2024-26306.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1224262
