<div class="container">
<h1>Security update for iperf</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2025:20288-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2025-02-03T09:04:33Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1224262">bsc#1224262</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2024-26306.html">CVE-2024-26306</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-26306</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.9</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-26306</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.9</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Micro Extras 6.0</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves one vulnerability can now be installed.</p>
<h2>Description:</h2>
<p>This update for iperf fixes the following issues:</p>
<ul>
<li>update to 3.17.1 (bsc#1224262, CVE-2024-26306):</li>
<li>BREAKING CHANGE: iperf3's authentication features, when used
with OpenSSL prior to 3.2.0, contain a vulnerability to a
side-channel timing attack. To address this flaw, a change
has been made to the padding applied to encrypted strings.
This change is not backwards compatible with older versions of
iperf3 (before 3.17). To restore
the older (vulnerable) behavior, and hence
backwards-compatibility, use the --use-pkcs1-padding flag. The
iperf3 team thanks Hubert Kario from RedHat for reporting this
issue and providing feedback on the fix. (CVE-2024-26306)(PR#1695)</li>
<li>iperf3 no longer changes its current working directory in --daemon
mode. This results in more predictable behavior with relative
paths, in particular finding key and credential files for
authentication. (PR#1672)</li>
<li>A new --json-stream option has been added to enable a streaming
output format, consisting of a series of JSON objects (for the
start of the test, each measurement interval, and the end of the
test) separated by newlines (#444, #923, #1098).</li>
<li>UDP tests now work correctly between different endian hosts</li>
<li>The --fq-rate parameter now works for --reverse tests</li>
<li>The statistics reporting interval is now available in the --json
start test object (#1663).</li>
<li>A negative time test duration is now properly flagged as an error
(IS#1662 / PR#1666).</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Micro Extras 6.0
<br/>
<code>zypper in -t patch SUSE-SLE-Micro-6.0-92=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Micro Extras 6.0 (aarch64 s390x x86_64)
<ul>
<li>libiperf0-debuginfo-3.17.1-1.1</li>
<li>iperf-3.17.1-1.1</li>
<li>iperf-debugsource-3.17.1-1.1</li>
<li>iperf-debuginfo-3.17.1-1.1</li>
<li>libiperf0-3.17.1-1.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2024-26306.html">https://www.suse.com/security/cve/CVE-2024-26306.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1224262">https://bugzilla.suse.com/show_bug.cgi?id=1224262</a>
</li>
</ul>
</div>