rekor-1.5.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:10127-1 Final 1 1 2026-01-30T00:00:00Z current 2026-01-30T00:00:00Z 2026-01-30T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z rekor-1.5.0-1.1 on GA media These are all security issues fixed in the rekor-1.5.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2026-10127 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-58181/ SUSE CVE CVE-2025-58181 page https://www.suse.com/security/cve/CVE-2026-23831/ SUSE CVE CVE-2026-23831 page https://www.suse.com/security/cve/CVE-2026-24117/ SUSE CVE CVE-2026-24117 page openSUSE Tumbleweed rekor-1.5.0-1.1 rekor-1.5.0-1.1 as a component of openSUSE Tumbleweed SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. CVE-2025-58181 openSUSE Tumbleweed:rekor-1.5.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-58181.html CVE-2025-58181 https://bugzilla.suse.com/1253784 SUSE Bug 1253784 Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing nil Pointer Dereference. Function validate() returns nil (success) when message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload. A malformed proposed entry of the cose/v0.0.1 type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal. This issue has been fixed in version 1.5.0. CVE-2026-23831 openSUSE Tumbleweed:rekor-1.5.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2026-23831.html CVE-2026-23831 https://bugzilla.suse.com/1257132 SUSE Bug 1257132 Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. The issue has been fixed in version 1.5.0. To workaround this issue, disable the search endpoint with --enable_retrieve_api=false. CVE-2026-24117 openSUSE Tumbleweed:rekor-1.5.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2026-24117.html CVE-2026-24117 https://bugzilla.suse.com/1257135 SUSE Bug 1257135