Security update for cadvisor SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:0103-1 Final 1 1 2025-03-24T17:01:45Z current 2025-03-24T17:01:45Z 2025-03-24T17:01:45Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for cadvisor This update for cadvisor fixes the following issues: - update to 0.52.1: * Make resctrl optional/pluggable - update to 0.52.0: * bump containerd related deps: api v1.8.0; errdefs v1.0.0; ttrpc v1.2.6 * chore: Update Prometheus libraries * bump runc to v1.2.4 * Add Pressure Stall Information Metrics * Switch to opencontainers/cgroups repository (includes update from golang 1.22 to 1.24) * Bump to newer opencontainers/image-spec @ v1.1.1 - update to 0.49.2: * Cp fix test * Revert 'reduce_logs_for_kubelet_use_crio' - CVE-2025-22868: golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2 (boo#1239291) - Update to version 0.49.1: * build docker - add --provenance=false flag * Remove s390x support * Disable libipmctl in build * Ugrade base image to 1.22 and alpine 3.18 * fix type of C.malloc in cgo * Bump runc to v1.1.12 * Bump to bullseye * Remove section about canary image * Add note about WebUI auth * Remove mentions of accelerator from the docs * reduce_logs_for_kubelet_use_crio * upgrade actions/checkout and actions/setup-go and actions/upload-artifact * build(deps): bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /cmd * add cadvisor and crio upstream changes * Avoid using container/podman in manager.go * container: skip checking for files in non-existent directories. * Adjust the log level of Initialize Plugins * add ignored device * fix: variable naming * build(deps): bump golang.org/x/net from 0.10.0 to 0.17.0 in /cmd * manager: require higher verbosity level for container info misses * Information should be logged on increased verbosity only * Running do mod tidy * Running go mod tidy * Running go mod tidy * container/libcontainer: Improve limits file parsing perf * container/libcontainer: Add limit parsing benchmark * build(deps): bump github.com/cyphar/filepath-securejoin in /cmd * build(deps): bump github.com/cyphar/filepath-securejoin * Set verbosity after flag definition * fix: error message typo * vendor: bump runc to 1.1.9 * Switch to use busybox from registry.k8s.io * Bump golang ci lint to v1.54.1 * Bump github.com/docker/docker in /cmd * Bump github.com/docker/docker * Bump github.com/docker/distribution in /cmd * Bump github.com/docker/distribution * Update genproto dependency to isolated submodule * remove the check for the existence of NFS files, which will cause unnecessary requests. * reduce inotify watch * fix performance degradation of NFS * fix: fix type issue * fix: fix cgo memory leak * ft: export memory kernel usage * sysinfo: Ignore 'hidden' sysfs device entries * Increasing required verbosity level * Patch to fix issue 2341 * podman support: Enable Podman support. * podman support: Create Podman handler. * podman support: Changes in Docker handler. * unit test: machine_swap_bytes * Add documentation for machine_swap_bytes metric * Add a machine_swap_bytes metric * fix: add space trimming for label allowlist * Upgrade to blang/semver/v4 v4.0.0 * docs(deploy/k8s): remote build for kustomize * Update dependencies * Change filepaths to detect online CPUs * Update actions/checkout to v3 * Fix flags typo * Updating location of kubernetes/pause image * Using t.TempDir() in tests * Unit test: MachineInfo Clone() method * Bugfix: MachineInfo Clone() - clone SwapCapacity * Optimize network metrics collection * Removing calls to deprecates io/ioutil package * Updating minimum Go version to 1.19 * Request the pid of another container if current pid is not longer valid * Restructure * Add CRI-O client timeout setting * Set containerd grpc.MaxCallRecvMsgSize to 16MB * Fix asset build * feat(logging): add verbosity to non-NUMA node warning * add nerdctl to ignoredDevices * nvm: Change the 'no NVM devices' log. * nvm: Fix typo. * Fix CVE-2022-27664 (#3248) * resctrl: Reduce size and mode files check (#3264) * readme: Update Creatone contributor info. (#3265) * Fix comment to refer to correct client * build: bump golang to 1.20 * ci: Update golang ci-lint to v1.51.2 * build: Update shebang to python3 * Revert 'dockerfile: Fix typo in go build tags.' * Decreasing verbosity level for 'Cannot read vendor id correctly, set empty' * dockerfile: Fix typo in go build tags. * deps: Move from cloud.google.com/go/compute -> cloud.google.com/go * use memory.min for reservation memory instead of high * Mark GOPATH as git safe.directory to fix CI build * switch to gomodule/redigo from garyburd/redigo * update go.mod/sum both in root and cmd/ * Drop accelerator metrics and nvidia integration * Add s390x support for docker image * typo in MachineInfo spec for SwapCapacity * add support for swap in machine/info The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2025-103 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4JTZ2DTLVURMW7SOEALLXE6GW75RG2MM/ E-Mail link for openSUSE-SU-2025:0103-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1222192 SUSE Bug 1222192 https://bugzilla.suse.com/1239291 SUSE Bug 1239291 https://www.suse.com/security/cve/CVE-2022-27664/ SUSE CVE CVE-2022-27664 page https://www.suse.com/security/cve/CVE-2025-22868/ SUSE CVE CVE-2025-22868 page SUSE Package Hub 15 SP6 openSUSE Leap 15.6 cadvisor-0.52.1-bp156.3.3.1 cadvisor-0.52.1-bp156.3.3.1 as a component of SUSE Package Hub 15 SP6 cadvisor-0.52.1-bp156.3.3.1 as a component of openSUSE Leap 15.6 In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. CVE-2022-27664 SUSE Package Hub 15 SP6:cadvisor-0.52.1-bp156.3.3.1 openSUSE Leap 15.6:cadvisor-0.52.1-bp156.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4JTZ2DTLVURMW7SOEALLXE6GW75RG2MM/ https://www.suse.com/security/cve/CVE-2022-27664.html CVE-2022-27664 https://bugzilla.suse.com/1203185 SUSE Bug 1203185 https://bugzilla.suse.com/1203293 SUSE Bug 1203293 An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. CVE-2025-22868 SUSE Package Hub 15 SP6:cadvisor-0.52.1-bp156.3.3.1 openSUSE Leap 15.6:cadvisor-0.52.1-bp156.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4JTZ2DTLVURMW7SOEALLXE6GW75RG2MM/ https://www.suse.com/security/cve/CVE-2025-22868.html CVE-2025-22868 https://bugzilla.suse.com/1239186 SUSE Bug 1239186