Test ID: | 1.3.6.1.4.1.25623.1.1.18.2.2025.1094.1 |
Category: | openSUSE Local Security Checks |
Title: | openSUSE Security Advisory (SUSE-SU-2025:1094-1) |
Summary: | The remote host is missing an update for the 'warewulf4' package(s) announced via the SUSE-SU-2025:1094-1 advisory. |
Description: | Summary: The remote host is missing an update for the 'warewulf4' package(s) announced via the SUSE-SU-2025:1094-1 advisory.

Vulnerability Insight: This update for warewulf4 fixes the following issues:

warewulf4 was updated from version 4.5.8 to 4.6.0:

- Security issues fixed for version 4.6.0:
  * CVE-2025-22869: Fixed Denial of Service vulnerability in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239322)
  * CVE-2025-22870: Fixed proxy bypass using IPv6 zone IDs (bsc#1238611)
- User visible changes:
  * Default values `nodes.conf`:
    + The default values for `kernel command line`, `init parameters` and `root` are now set in the `default` profile and this profile should be included in every profile. During the installation of an update an upgrade is done to `nodes.conf` which updates the database accordingly.
  * Overlay split up:
    + The overlays `wwinit` and `runtime` are now split up in different overlays named according to their role. The upgrade process will update the node database and replace the overlays `wwinit` and `runtime` with a list of overlays with the same role.
  * Site and distribution overlays:
    + The overlays in `/var/lib/warewulf/overlays` should not be changed by the user any more. Site specific overlays are now sorted under `/etc/warewulf/overlays`. On upgrade, changed overlays are stored with the `rpmsave` suffix and moved to `/etc/warewulf/overlays/$OVERLAYNAME`.
- Other changes and bugs fixed:
  * Fixed udev issue with assigning device names (bsc#1226654)
  * Implemented new package `warewulf-reference-doc` with the reference documentation for Warewulf 4 as PDF
  * The configuration files nodes.conf and warewulf.conf will be updated on upgrade and the unmodified configuration files will be saved as nodes.conf.4.5.x and warewulf.conf.4.5.x
- Summary of upstream changes:
  * New configuration upgrade system
  * Changes to the default profile
  * Renamed containers to (node) images
  * New kernel management system
  * Parallel overlay builds
  * Sprig functions in overlay templates
  * Improved network overlays
  * Nested profiles
  * Arbitrary 'resources' data in nodes.conf
  * NFS client configuration in nodes.conf
  * Emphatically optional syncuser
  * Improved network boot observability
  * Particularly significant changes, especially those affecting the user interface, are described in the release notes:
    + [link moved to references]

Affected Software/OS: 'warewulf4' package(s) on openSUSE Leap 15.6.

Solution: Please install the updated package(s).

CVSS Score: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N |
Cross-Ref: |
Common Vulnerability Exposure (CVE) ID: CVE-2025-22869
Common Vulnerability Exposure (CVE) ID: CVE-2025-22870 |
Copyright | Copyright (C) 2025 Greenbone AG |