traefik2-2.11.35-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:10143-1 Final 1 1 2026-02-03T00:00:00Z current 2026-02-03T00:00:00Z 2026-02-03T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z traefik2-2.11.35-1.1 on GA media These are all security issues fixed in the traefik2-2.11.35-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2026-10143 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-54386/ SUSE CVE CVE-2025-54386 page https://www.suse.com/security/cve/CVE-2025-58181/ SUSE CVE CVE-2025-58181 page https://www.suse.com/security/cve/CVE-2025-66490/ SUSE CVE CVE-2025-66490 page https://www.suse.com/security/cve/CVE-2026-22045/ SUSE CVE CVE-2026-22045 page openSUSE Tumbleweed traefik2-2.11.35-1.1 traefik2-2.11.35-1.1 as a component of openSUSE Tumbleweed Traefik is an HTTP reverse proxy and load balancer. In versions 2.11.27 and below, 3.0.0 through 3.4.4 and 3.5.0-rc1, a path traversal vulnerability was discovered in WASM Traefik's plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with ../ sequences, an attacker can overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service. This is fixed in versions 2.11.28, 3.4.5 and 3.5.0. CVE-2025-54386 openSUSE Tumbleweed:traefik2-2.11.35-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-54386.html CVE-2025-54386 https://bugzilla.suse.com/1247524 SUSE Bug 1247524 SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. CVE-2025-58181 openSUSE Tumbleweed:traefik2-2.11.35-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-58181.html CVE-2025-58181 https://bugzilla.suse.com/1253784 SUSE Bug 1253784 Traefik is an HTTP reverse proxy and load balancer. For versions prior to 2.11.32 and 2.11.31 through 3.6.2, requests using PathPrefix, Path or PathRegex matchers can bypass path normalization. When Traefik uses path-based routing, requests containing URL-encoded restricted characters (/, \, Null, ;, ?, #) can bypass the middleware chain and reach unintended backends. For example, a request to http://mydomain.example.com/admin%2F could reach service-a without triggering my-security-middleware, bypassing security controls for the /admin/ path. This issue is fixed in versions 2.11.32 and 3.6.3. CVE-2025-66490 openSUSE Tumbleweed:traefik2-2.11.35-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-66490.html CVE-2025-66490 https://bugzilla.suse.com/1254879 SUSE Bug 1254879 Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7. CVE-2026-22045 openSUSE Tumbleweed:traefik2-2.11.35-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2026-22045.html CVE-2026-22045 https://bugzilla.suse.com/1256815 SUSE Bug 1256815