Security update for google-guest-agent

Announcement ID:	SUSE-SU-2026:21319-1
Release Date:	2026-04-22T11:13:19Z
Rating:	important
References:	bsc#1234563 bsc#1236533 bsc#1239763 bsc#1239866 bsc#1243254 bsc#1243505
Cross-References:	CVE-2023-45288 CVE-2024-45337
CVSS scores:	CVE-2023-45288 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2023-45288 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2023-45288 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2024-45337 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2024-45337 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Products:	SUSE Linux Micro 6.0

An update that solves two vulnerabilities and has four fixes can now be installed.

Description:

This update for google-guest-agent fixes the following issues:

Update to version 20250506.01 (bsc#1243254, bsc#1243505).

Security issues fixed:

• CVE-2024-45337: golang.org/x/crypto/ssh: misuse of the ServerConfig.PublicKeyCallback callback can lead to authorization bypass in applications (bsc#1234563).
• CVE-2023-45288: golang.org/x/net/http2: no limit set for number of HTTP/2 CONTINUATION frames that can be read for an HTTP/2 request can lead to excessive CPU consumption and a DoS (bsc#1236533).

Other updates and bugfixes:

• Version 20250506.01:
• Make sure agent added connections are activated by NM (#534)
• Version 20250506.00:
• Wrap NSS cache refresh in a goroutine (#533)
• Version 20250502.01:
• Wicked: Only reload interfaces for which configurations are written or changed. (#524)
• Version 20250502.00:
• Add AuthorizedKeysCompat to windows packaging (#530)
• Remove error messages from gce_workload_cert_refresh and metadata script runner (#527)
• Update guest-logging-go dependency (#526)
• Add 'created-by' metadata, and pass it as option to logging library (#508)
• Revert "oslogin: Correctly handle newlines at the end of modified files (#520)" (#523)
• Re-enable disabled services if the core plugin was enabled (#522)
• Enable guest services on package upgrade (#519)
• oslogin: Correctly handle newlines at the end of modified files (#520)
• Fix core plugin path (#518)
• Fix package build issues (#517)
• Fix dependencies ran go mod tidy -v (#515)
• Fix debian build path (#514)
• Bundle compat metadata script runner binary in package (#513)
• Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)
• Update startup/shutdown services to launch compat manager (#503)
• Bundle new gce metadata script runner binary in agent package (#502)
• Revert "Revert bundling new binaries in the package (#509)" (#511)
• Version 20250418.00:
• Re-enable disabled services if the core plugin was enabled (#521)
• Version 20250414.00:
• Add AuthorizedKeysCompat to windows packaging (#530)
• Remove error messages from gce_workload_cert_refresh and metadata script runner (#527)
• Update guest-logging-go dependency (#526)
• Add 'created-by' metadata, and pass it as option to logging library (#508)
• Revert "oslogin: Correctly handle newlines at the end of modified files (#520)" (#523)
• Re-enable disabled services if the core plugin was enabled (#522)
• Enable guest services on package upgrade (#519)
• oslogin: Correctly handle newlines at the end of modified files (#520)
• Fix core plugin path (#518)
• Fix package build issues (#517)
• Fix dependencies ran go mod tidy -v (#515)
• Fix debian build path (#514)
• Bundle compat metadata script runner binary in package (#513)
• Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)
• Update startup/shutdown services to launch compat manager (#503)
• Bundle new gce metadata script runner binary in agent package (#502)
• Revert "Revert bundling new binaries in the package (#509)" (#511)
• Version 20250327.01 (bsc#1239763, bsc#1239866):
• Remove error messages from gce_workload_cert_refresh and metadata script runner (#527)
• Version 20250327.00:
• Update guest-logging-go dependency (#526)
• Add 'created-by' metadata, and pass it as option to logging library (#508)
• Revert "oslogin: Correctly handle newlines at the end of modified files (#520)" (#523)
• Re-enable disabled services if the core plugin was enabled (#522)
• Enable guest services on package upgrade (#519)
• oslogin: Correctly handle newlines at the end of modified files (#520)
• Fix core plugin path (#518)
• Fix package build issues (#517)
• Fix dependencies ran go mod tidy -v (#515)
• Fix debian build path (#514)
• Bundle compat metadata script runner binary in package (#513)
• Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)
• Update startup/shutdown services to launch compat manager (#503)
• Bundle new gce metadata script runner binary in agent package (#502)
• Revert "Revert bundling new binaries in the package (#509)" (#511)
• Version 20250326.00:
• Re-enable disabled services if the core plugin was enabled (#521)
• Version 20250324.00:
• Enable guest services on package upgrade (#519)
• oslogin: Correctly handle newlines at the end of modified files (#520)
• Fix core plugin path (#518)
• Fix package build issues (#517)
• Fix dependencies ran go mod tidy -v (#515)
• Fix debian build path (#514)
• Bundle compat metadata script runner binary in package (#513)
• Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)
• Update startup/shutdown services to launch compat manager (#503)
• Bundle new gce metadata script runner binary in agent package (#502)
• Revert "Revert bundling new binaries in the package (#509)" (#511)
• Revert bundling new binaries in the package (#509)
• Fix typo in windows build script (#501)
• Include core plugin binary for all packages (#500)
• Start packaging compat manager (#498)
• Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)
• scripts: introduce a wrapper to locally build deb package (#490)
• Introduce compat-manager systemd unit (#497)
• Version 20250317.00:
• Revert "Revert bundling new binaries in the package (#509)" (#511)
• Revert bundling new binaries in the package (#509)
• Fix typo in windows build script (#501)
• Include core plugin binary for all packages (#500)
• Start packaging compat manager (#498)
• Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)
• scripts: introduce a wrapper to locally build deb package (#490)
• Introduce compat-manager systemd unit (#497)
• Version 20250312.00:
• Revert bundling new binaries in the package (#509)
• Fix typo in windows build script (#501)
• Include core plugin binary for all packages (#500)
• Start packaging compat manager (#498)
• Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)
• scripts: introduce a wrapper to locally build deb package (#490)
• Introduce compat-manager systemd unit (#497)
• Version 20250305.00:
• Revert bundling new binaries in the package (#509)
• Fix typo in windows build script (#501)
• Include core plugin binary for all packages (#500)
• Start packaging compat manager (#498)
• Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)
• scripts: introduce a wrapper to locally build deb package (#490)
• Introduce compat-manager systemd unit (#497)
• Version 20250304.01:
• Fix typo in windows build script (#501)
• Version 20250214.01:
• Include core plugin binary for all packages (#500)
• Version 20250212.00:
• Start packaging compat manager (#498)
• Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)
• Version 20250211.00:
• scripts: introduce a wrapper to locally build deb package (#490)
• Introduce compat-manager systemd unit (#497)
• Version 20250207.00:
• vlan: toggle vlan configuration in debian packaging (#495)
• vlan: move config out of unstable section (#494)
• Add clarification to comments regarding invalid NICs and the invalid tag. (#493)
• Include interfaces in lists even if it has an invalid MAC. (#489)
• Fix windows package build failures (#491)
• vlan: don't index based on the vlan ID (#486)
• Revert PR #482 (#488)
• Remove Amy and Zach from OWNERS (#487)
• Skip interfaces in interfaceNames() instead of erroring if there is an (#482)
• Fix Debian packaging if guest agent manager is not checked out (#485)
• Version 20250204.02:
• force concourse to move version forward.
• Version 20250204.01:
• vlan: toggle vlan configuration in debian packaging (#495)
• Version 20250204.00:
• vlan: move config out of unstable section (#494)
• Add clarification to comments regarding invalid NICs and the invalid tag. (#493)
• Version 20250203.01:
• Include interfaces in lists even if it has an invalid MAC. (#489)
• Version 20250203.00:
• Fix windows package build failures (#491)
• vlan: don't index based on the vlan ID (#486)
• Revert PR #482 (#488)
• Remove Amy and Zach from OWNERS (#487)
• Skip interfaces in interfaceNames() instead of erroring if there is an (#482)
• Fix Debian packaging if guest agent manager is not checked out (#485)
• Version 20250122.00:
• networkd(vlan): remove the interface in addition to config (#468)
• Implement support for vlan dynamic removal, update dhclient to remove only if configured (#465)
• Update logging library (#479)
• Remove Pat from owners file. (#478)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Micro 6.0
  zypper in -t patch SUSE-SLE-Micro-6.0-682=1

Package List:

• SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
  • google-guest-agent-20250506.01-1.1

References:

• https://www.suse.com/security/cve/CVE-2023-45288.html
• https://www.suse.com/security/cve/CVE-2024-45337.html
• https://bugzilla.suse.com/show_bug.cgi?id=1234563
• https://bugzilla.suse.com/show_bug.cgi?id=1236533
• https://bugzilla.suse.com/show_bug.cgi?id=1239763
• https://bugzilla.suse.com/show_bug.cgi?id=1239866
• https://bugzilla.suse.com/show_bug.cgi?id=1243254
• https://bugzilla.suse.com/show_bug.cgi?id=1243505