Security update for warewulf4 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:1094-1 Final 1 1 2025-04-02T03:37:36Z current 2025-04-02T03:37:36Z 2025-04-02T03:37:36Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for warewulf4 This update for warewulf4 fixes the following issues: warewulf4 was updated from version 4.5.8 to 4.6.0: - Security issues fixed for version 4.6.0: * CVE-2025-22869: Fixed Denial of Service vulnerability in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239322) * CVE-2025-22870: Fixed proxy bypass using IPv6 zone IDs (bsc#1238611) - User visible changes: * Default values `nodes.conf`: + The default values for `kernel command line`, `init parameters` and `root` are now set in the `default` profile and this profileshould be included in every profile. During the installation of an update an upgrade is done to `nodes.conf` which updates the database accordingly. * Overlay split up: + The overlays `wwinit` and `runtime` are now split up in different overlays named according to their role. The upgrade process will update the node database and replace the overlays `wwinit` and `runtime` with a list of overlays with same role. * Site and distribution overlays: + The overlays in `/var/lib/warewulf/overlays` should not be changed by the user any more. Site specific overlays are now sorted under `/etc/warewulf/overlays`. On upgrade, changed overlays are stored with the `rpmsave` suffix and move to `/etc/warewulf/overlays/$OVERLAYNAME`. - Other changes and bugs fixed: * Fixed udev issue with assigning device names (bsc#1226654) * Implemented new package `warewulf-reference-doc` with the reference documentation for Warewulf 4 as PDF * The configuation files nodes.conf and warewulf.conf will be updated on upgrade and the unmodified configuration files will be saved as nodes.conf.4.5.x and warewulf.conf.4.5.x - Summary of upstream changes: * New configuration upgrade system * Changes to the default profile * Renamed containers to (node) images * New kernel management system * Parallel overlay builds * Sprig functions in overlay templates * Improved network overlays * Nested profiles * Arbitrary 'resources' data in nodes.conf * NFS client configuration in nodes.conf * Emphatically optional syncuser * Improved network boot observability * Particularly significant changes, especially those affecting the user interface, are described in the release notes: + https://warewulf.org/docs/v4.6.x/release/v4.6.0.html The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-1094,SUSE-SLE-Module-HPC-15-SP6-2025-1094,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-1094,SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-1094,openSUSE-SLE-15.6-2025-1094 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20251094-1/ Link for SUSE-SU-2025:1094-1 https://lists.suse.com/pipermail/sle-updates/2025-April/038880.html E-Mail link for SUSE-SU-2025:1094-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1226654 SUSE Bug 1226654 https://bugzilla.suse.com/1238611 SUSE Bug 1238611 https://bugzilla.suse.com/1239322 SUSE Bug 1239322 https://www.suse.com/security/cve/CVE-2025-22869/ SUSE CVE CVE-2025-22869 page https://www.suse.com/security/cve/CVE-2025-22870/ SUSE CVE CVE-2025-22870 page SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS SUSE Linux Enterprise Module for HPC 15 SP6 openSUSE Leap 15.6 warewulf4-4.6.0-150500.6.34.1 warewulf4-dracut-4.6.0-150500.6.34.1 warewulf4-man-4.6.0-150500.6.34.1 warewulf4-overlay-4.6.0-150500.6.34.1 warewulf4-overlay-rke2-4.6.0-150500.6.34.1 warewulf4-overlay-slurm-4.6.0-150500.6.34.1 warewulf4-reference-doc-4.6.0-150500.6.34.1 warewulf4-4.6.0-150500.6.34.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS warewulf4-dracut-4.6.0-150500.6.34.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS warewulf4-man-4.6.0-150500.6.34.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS warewulf4-overlay-4.6.0-150500.6.34.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS warewulf4-overlay-slurm-4.6.0-150500.6.34.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS warewulf4-reference-doc-4.6.0-150500.6.34.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS warewulf4-4.6.0-150500.6.34.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS warewulf4-dracut-4.6.0-150500.6.34.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS warewulf4-man-4.6.0-150500.6.34.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS warewulf4-overlay-4.6.0-150500.6.34.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS warewulf4-overlay-slurm-4.6.0-150500.6.34.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS warewulf4-reference-doc-4.6.0-150500.6.34.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS warewulf4-4.6.0-150500.6.34.1 as a component of SUSE Linux Enterprise Module for HPC 15 SP6 warewulf4-dracut-4.6.0-150500.6.34.1 as a component of SUSE Linux Enterprise Module for HPC 15 SP6 warewulf4-man-4.6.0-150500.6.34.1 as a component of SUSE Linux Enterprise Module for HPC 15 SP6 warewulf4-overlay-4.6.0-150500.6.34.1 as a component of SUSE Linux Enterprise Module for HPC 15 SP6 warewulf4-overlay-slurm-4.6.0-150500.6.34.1 as a component of SUSE Linux Enterprise Module for HPC 15 SP6 warewulf4-reference-doc-4.6.0-150500.6.34.1 as a component of SUSE Linux Enterprise Module for HPC 15 SP6 warewulf4-4.6.0-150500.6.34.1 as a component of openSUSE Leap 15.6 warewulf4-dracut-4.6.0-150500.6.34.1 as a component of openSUSE Leap 15.6 warewulf4-man-4.6.0-150500.6.34.1 as a component of openSUSE Leap 15.6 warewulf4-overlay-4.6.0-150500.6.34.1 as a component of openSUSE Leap 15.6 warewulf4-overlay-slurm-4.6.0-150500.6.34.1 as a component of openSUSE Leap 15.6 warewulf4-reference-doc-4.6.0-150500.6.34.1 as a component of openSUSE Leap 15.6 SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted. CVE-2025-22869 SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:warewulf4-4.6.0-150500.6.34.1 SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:warewulf4-dracut-4.6.0-150500.6.34.1 SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:warewulf4-man-4.6.0-150500.6.34.1 SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:warewulf4-overlay-4.6.0-150500.6.34.1 SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:warewulf4-overlay-slurm-4.6.0-150500.6.34.1 SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:warewulf4-reference-doc-4.6.0-150500.6.34.1 SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:warewulf4-4.6.0-150500.6.34.1 SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:warewulf4-dracut-4.6.0-150500.6.34.1 SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:warewulf4-man-4.6.0-150500.6.34.1 SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:warewulf4-overlay-4.6.0-150500.6.34.1 SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:warewulf4-overlay-slurm-4.6.0-150500.6.34.1 SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:warewulf4-reference-doc-4.6.0-150500.6.34.1 SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-4.6.0-150500.6.34.1 SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-dracut-4.6.0-150500.6.34.1 SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-man-4.6.0-150500.6.34.1 SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-overlay-4.6.0-150500.6.34.1 SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-overlay-slurm-4.6.0-150500.6.34.1 SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-reference-doc-4.6.0-150500.6.34.1 openSUSE Leap 15.6:warewulf4-4.6.0-150500.6.34.1 openSUSE Leap 15.6:warewulf4-dracut-4.6.0-150500.6.34.1 openSUSE Leap 15.6:warewulf4-man-4.6.0-150500.6.34.1 openSUSE Leap 15.6:warewulf4-overlay-4.6.0-150500.6.34.1 openSUSE Leap 15.6:warewulf4-overlay-slurm-4.6.0-150500.6.34.1 openSUSE Leap 15.6:warewulf4-reference-doc-4.6.0-150500.6.34.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251094-1/ https://www.suse.com/security/cve/CVE-2025-22869.html CVE-2025-22869 https://bugzilla.suse.com/1239322 SUSE Bug 1239322 Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied. CVE-2025-22870 SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:warewulf4-4.6.0-150500.6.34.1 SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:warewulf4-dracut-4.6.0-150500.6.34.1 SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:warewulf4-man-4.6.0-150500.6.34.1 SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:warewulf4-overlay-4.6.0-150500.6.34.1 SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:warewulf4-overlay-slurm-4.6.0-150500.6.34.1 SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:warewulf4-reference-doc-4.6.0-150500.6.34.1 SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:warewulf4-4.6.0-150500.6.34.1 SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:warewulf4-dracut-4.6.0-150500.6.34.1 SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:warewulf4-man-4.6.0-150500.6.34.1 SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:warewulf4-overlay-4.6.0-150500.6.34.1 SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:warewulf4-overlay-slurm-4.6.0-150500.6.34.1 SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:warewulf4-reference-doc-4.6.0-150500.6.34.1 SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-4.6.0-150500.6.34.1 SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-dracut-4.6.0-150500.6.34.1 SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-man-4.6.0-150500.6.34.1 SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-overlay-4.6.0-150500.6.34.1 SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-overlay-slurm-4.6.0-150500.6.34.1 SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-reference-doc-4.6.0-150500.6.34.1 openSUSE Leap 15.6:warewulf4-4.6.0-150500.6.34.1 openSUSE Leap 15.6:warewulf4-dracut-4.6.0-150500.6.34.1 openSUSE Leap 15.6:warewulf4-man-4.6.0-150500.6.34.1 openSUSE Leap 15.6:warewulf4-overlay-4.6.0-150500.6.34.1 openSUSE Leap 15.6:warewulf4-overlay-slurm-4.6.0-150500.6.34.1 openSUSE Leap 15.6:warewulf4-reference-doc-4.6.0-150500.6.34.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251094-1/ https://www.suse.com/security/cve/CVE-2025-22870.html CVE-2025-22870 https://bugzilla.suse.com/1238572 SUSE Bug 1238572 https://bugzilla.suse.com/1238611 SUSE Bug 1238611