SUSE-SU-2026:21319-1: important: Security update for google-guest-agent
SLE-UPDATES
null at suse.de
Mon Apr 27 08:32:45 UTC 2026
# Security update for google-guest-agent
Announcement ID: SUSE-SU-2026:21319-1
Release Date: 2026-04-22T11:13:19Z
Rating: important
References:
* bsc#1234563
* bsc#1236533
* bsc#1239763
* bsc#1239866
* bsc#1243254
* bsc#1243505
Cross-References:
* CVE-2023-45288
* CVE-2024-45337
CVSS scores:
* CVE-2023-45288 ( SUSE ): 6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2023-45288 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-45288 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-45337 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-45337 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Products:
* SUSE Linux Micro 6.0
An update that solves two vulnerabilities and has four fixes can now be
installed.
## Description:
This update for google-guest-agent fixes the following issues:
Update to version 20250506.01 (bsc#1243254, bsc#1243505).
Security issues fixed:
* CVE-2024-45337: golang.org/x/crypto/ssh: misuse of the
ServerConfig.PublicKeyCallback callback can lead to authorization bypass in
applications (bsc#1234563).
* CVE-2023-45288: golang.org/x/net/http2: no limit set for number of HTTP/2
CONTINUATION frames that can be read for an HTTP/2 request can lead to
excessive CPU consumption and a DoS (bsc#1236533).
Other updates and bugfixes:
* Version 20250506.01:
* Make sure agent added connections are activated by NM (#534)
* Version 20250506.00:
* Wrap NSS cache refresh in a goroutine (#533)
* Version 20250502.01:
* Wicked: Only reload interfaces for which configurations are written or
changed. (#524)
* Version 20250502.00:
* Add AuthorizedKeysCompat to windows packaging (#530)
* Remove error messages from gce_workload_cert_refresh and metadata script
runner (#527)
* Update guest-logging-go dependency (#526)
* Add 'created-by' metadata, and pass it as option to logging library (#508)
* Revert "oslogin: Correctly handle newlines at the end of modified files
(#520)" (#523)
* Re-enable disabled services if the core plugin was enabled (#522)
* Enable guest services on package upgrade (#519)
* oslogin: Correctly handle newlines at the end of modified files (#520)
* Fix core plugin path (#518)
* Fix package build issues (#517)
* Fix dependencies ran go mod tidy -v (#515)
* Fix debian build path (#514)
* Bundle compat metadata script runner binary in package (#513)
* Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)
* Update startup/shutdown services to launch compat manager (#503)
* Bundle new gce metadata script runner binary in agent package (#502)
* Revert "Revert bundling new binaries in the package (#509)" (#511)
* Version 20250418.00:
* Re-enable disabled services if the core plugin was enabled (#521)
* Version 20250414.00:
* Add AuthorizedKeysCompat to windows packaging (#530)
* Remove error messages from gce_workload_cert_refresh and metadata script
runner (#527)
* Update guest-logging-go dependency (#526)
* Add 'created-by' metadata, and pass it as option to logging library (#508)
* Revert "oslogin: Correctly handle newlines at the end of modified files
(#520)" (#523)
* Re-enable disabled services if the core plugin was enabled (#522)
* Enable guest services on package upgrade (#519)
* oslogin: Correctly handle newlines at the end of modified files (#520)
* Fix core plugin path (#518)
* Fix package build issues (#517)
* Fix dependencies ran go mod tidy -v (#515)
* Fix debian build path (#514)
* Bundle compat metadata script runner binary in package (#513)
* Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)
* Update startup/shutdown services to launch compat manager (#503)
* Bundle new gce metadata script runner binary in agent package (#502)
* Revert "Revert bundling new binaries in the package (#509)" (#511)
* Version 20250327.01 (bsc#1239763, bsc#1239866):
* Remove error messages from gce_workload_cert_refresh and metadata script
runner (#527)
* Version 20250327.00:
* Update guest-logging-go dependency (#526)
* Add 'created-by' metadata, and pass it as option to logging library (#508)
* Revert "oslogin: Correctly handle newlines at the end of modified files
(#520)" (#523)
* Re-enable disabled services if the core plugin was enabled (#522)
* Enable guest services on package upgrade (#519)
* oslogin: Correctly handle newlines at the end of modified files (#520)
* Fix core plugin path (#518)
* Fix package build issues (#517)
* Fix dependencies ran go mod tidy -v (#515)
* Fix debian build path (#514)
* Bundle compat metadata script runner binary in package (#513)
* Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)
* Update startup/shutdown services to launch compat manager (#503)
* Bundle new gce metadata script runner binary in agent package (#502)
* Revert "Revert bundling new binaries in the package (#509)" (#511)
* Version 20250326.00:
* Re-enable disabled services if the core plugin was enabled (#521)
* Version 20250324.00:
* Enable guest services on package upgrade (#519)
* oslogin: Correctly handle newlines at the end of modified files (#520)
* Fix core plugin path (#518)
* Fix package build issues (#517)
* Fix dependencies ran go mod tidy -v (#515)
* Fix debian build path (#514)
* Bundle compat metadata script runner binary in package (#513)
* Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)
* Update startup/shutdown services to launch compat manager (#503)
* Bundle new gce metadata script runner binary in agent package (#502)
* Revert "Revert bundling new binaries in the package (#509)" (#511)
* Revert bundling new binaries in the package (#509)
* Fix typo in windows build script (#501)
* Include core plugin binary for all packages (#500)
* Start packaging compat manager (#498)
* Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)
* scripts: introduce a wrapper to locally build deb package (#490)
* Introduce compat-manager systemd unit (#497)
* Version 20250317.00:
* Revert "Revert bundling new binaries in the package (#509)" (#511)
* Revert bundling new binaries in the package (#509)
* Fix typo in windows build script (#501)
* Include core plugin binary for all packages (#500)
* Start packaging compat manager (#498)
* Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)
* scripts: introduce a wrapper to locally build deb package (#490)
* Introduce compat-manager systemd unit (#497)
* Version 20250312.00:
* Revert bundling new binaries in the package (#509)
* Fix typo in windows build script (#501)
* Include core plugin binary for all packages (#500)
* Start packaging compat manager (#498)
* Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)
* scripts: introduce a wrapper to locally build deb package (#490)
* Introduce compat-manager systemd unit (#497)
* Version 20250305.00:
* Revert bundling new binaries in the package (#509)
* Fix typo in windows build script (#501)
* Include core plugin binary for all packages (#500)
* Start packaging compat manager (#498)
* Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)
* scripts: introduce a wrapper to locally build deb package (#490)
* Introduce compat-manager systemd unit (#497)
* Version 20250304.01:
* Fix typo in windows build script (#501)
* Version 20250214.01:
* Include core plugin binary for all packages (#500)
* Version 20250212.00:
* Start packaging compat manager (#498)
* Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)
* Version 20250211.00:
* scripts: introduce a wrapper to locally build deb package (#490)
* Introduce compat-manager systemd unit (#497)
* Version 20250207.00:
* vlan: toggle vlan configuration in debian packaging (#495)
* vlan: move config out of unstable section (#494)
* Add clarification to comments regarding invalid NICs and the `invalid` tag.
(#493)
* Include interfaces in lists even if it has an invalid MAC. (#489)
* Fix windows package build failures (#491)
* vlan: don't index based on the vlan ID (#486)
* Revert PR #482 (#488)
* Remove Amy and Zach from OWNERS (#487)
* Skip interfaces in interfaceNames() instead of erroring if there is an
(#482)
* Fix Debian packaging if guest agent manager is not checked out (#485)
* Version 20250204.02:
* force concourse to move version forward.
* Version 20250204.01:
* vlan: toggle vlan configuration in debian packaging (#495)
* Version 20250204.00:
* vlan: move config out of unstable section (#494)
* Add clarification to comments regarding invalid NICs and the `invalid` tag.
(#493)
* Version 20250203.01:
* Include interfaces in lists even if it has an invalid MAC. (#489)
* Version 20250203.00:
* Fix windows package build failures (#491)
* vlan: don't index based on the vlan ID (#486)
* Revert PR #482 (#488)
* Remove Amy and Zach from OWNERS (#487)
* Skip interfaces in interfaceNames() instead of erroring if there is an
(#482)
* Fix Debian packaging if guest agent manager is not checked out (#485)
* Version 20250122.00:
* networkd(vlan): remove the interface in addition to config (#468)
* Implement support for vlan dynamic removal, update dhclient to remove only
if configured (#465)
* Update logging library (#479)
* Remove Pat from owners file. (#478)
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Micro 6.0
zypper in -t patch SUSE-SLE-Micro-6.0-682=1
## Package List:
* SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
* google-guest-agent-20250506.01-1.1
## References:
* https://www.suse.com/security/cve/CVE-2023-45288.html
* https://www.suse.com/security/cve/CVE-2024-45337.html
* https://bugzilla.suse.com/show_bug.cgi?id=1234563
* https://bugzilla.suse.com/show_bug.cgi?id=1236533
* https://bugzilla.suse.com/show_bug.cgi?id=1239763
* https://bugzilla.suse.com/show_bug.cgi?id=1239866
* https://bugzilla.suse.com/show_bug.cgi?id=1243254
* https://bugzilla.suse.com/show_bug.cgi?id=1243505
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20260427/2dc21630/attachment.htm>
More information about the sle-updates
mailing list