Security update for amazon-ssm-agent SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:0191-1 Final 1 1 2025-01-20T06:49:21Z current 2025-01-20T06:49:21Z 2025-01-20T06:49:21Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for amazon-ssm-agent This update for amazon-ssm-agent fixes the following issues: Update to version 3.3.1611.0: - CVE-2025-21613: Fixed argument injection via the URL field in github.com/go-git/go-git/v5 (bsc#1235575) Full changelog: https://github.com/aws/amazon-ssm-agent/compare/3.1.1260.0...3.3.1611.0 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES12-SP5-EC2-BYOS-2025-191,Image SLES12-SP5-EC2-ECS-On-Demand-2025-191,Image SLES12-SP5-EC2-On-Demand-2025-191,Image SLES12-SP5-EC2-SAP-BYOS-2025-191,Image SLES12-SP5-EC2-SAP-On-Demand-2025-191,SUSE-2025-191,SUSE-SLE-Module-Public-Cloud-12-2025-191 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20250191-1/ Link for SUSE-SU-2025:0191-1 https://lists.suse.com/pipermail/sle-security-updates/2025-January/020175.html E-Mail link for SUSE-SU-2025:0191-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1235575 SUSE Bug 1235575 https://www.suse.com/security/cve/CVE-2025-21613/ SUSE CVE CVE-2025-21613 page Image SLES12-SP5-EC2-BYOS Image SLES12-SP5-EC2-ECS-On-Demand Image SLES12-SP5-EC2-On-Demand Image SLES12-SP5-EC2-SAP-BYOS Image SLES12-SP5-EC2-SAP-On-Demand SUSE Linux Enterprise Module for Public Cloud 12 amazon-ssm-agent-3.3.1611.0-4.36.1 amazon-ssm-agent-3.3.1611.0-4.36.1 as a component of Image SLES12-SP5-EC2-BYOS amazon-ssm-agent-3.3.1611.0-4.36.1 as a component of Image SLES12-SP5-EC2-ECS-On-Demand amazon-ssm-agent-3.3.1611.0-4.36.1 as a component of Image SLES12-SP5-EC2-On-Demand amazon-ssm-agent-3.3.1611.0-4.36.1 as a component of Image SLES12-SP5-EC2-SAP-BYOS amazon-ssm-agent-3.3.1611.0-4.36.1 as a component of Image SLES12-SP5-EC2-SAP-On-Demand amazon-ssm-agent-3.3.1611.0-4.36.1 as a component of SUSE Linux Enterprise Module for Public Cloud 12 go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0. CVE-2025-21613 Image SLES12-SP5-EC2-BYOS:amazon-ssm-agent-3.3.1611.0-4.36.1 Image SLES12-SP5-EC2-ECS-On-Demand:amazon-ssm-agent-3.3.1611.0-4.36.1 Image SLES12-SP5-EC2-On-Demand:amazon-ssm-agent-3.3.1611.0-4.36.1 Image SLES12-SP5-EC2-SAP-BYOS:amazon-ssm-agent-3.3.1611.0-4.36.1 Image SLES12-SP5-EC2-SAP-On-Demand:amazon-ssm-agent-3.3.1611.0-4.36.1 SUSE Linux Enterprise Module for Public Cloud 12:amazon-ssm-agent-3.3.1611.0-4.36.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250191-1/ https://www.suse.com/security/cve/CVE-2025-21613.html CVE-2025-21613 https://bugzilla.suse.com/1235572 SUSE Bug 1235572