Security update for warewulf4

Announcement ID: SUSE-SU-2025:1094-1
Release Date: 2025-04-02T03:37:41Z
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2025-22869 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  • CVE-2025-22869 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2025-22870 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
  • CVE-2025-22870 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
  • CVE-2025-22870 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
Affected Products:
  • HPC Module 15-SP6
  • openSUSE Leap 15.5
  • openSUSE Leap 15.6
  • SUSE Linux Enterprise High Performance Computing 15 SP5
  • SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
  • SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
  • SUSE Linux Enterprise Server 15 SP6

An update that solves two vulnerabilities and has one security fix can now be installed.

Description:

This update for warewulf4 fixes the following issues:

warewulf4 was updated from version 4.5.8 to 4.6.0:

  • Security issues fixed for version 4.6.0:
    • CVE-2025-22869: Fixed Denial of Service vulnerability in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239322)
    • CVE-2025-22870: Fixed proxy bypass using IPv6 zone IDs (bsc#1238611)

  • User visible changes:
    • Default values nodes.conf:
      • The default values for kernel command line, init parameters and root are now set in the default profile, and this profile should be included in every profile. During the installation of an update, nodes.conf is upgraded, which updates the database accordingly.
    • Overlay split up:
      • The overlays wwinit and runtime are now split up into different overlays named according to their role. The upgrade process will update the node database and replace the overlays wwinit and runtime with a list of overlays with the same role.
    • Site and distribution overlays:
      • The overlays in /var/lib/warewulf/overlays should not be changed by the user any more. Site specific overlays are now sorted under /etc/warewulf/overlays. On upgrade, changed overlays are stored with the rpmsave suffix and moved to /etc/warewulf/overlays/$OVERLAYNAME.

  • Other changes and bugs fixed:
    • Fixed udev issue with assigning device names (bsc#1226654)
    • Implemented new package warewulf-reference-doc with the reference documentation for Warewulf 4 as PDF
    • The configuration files nodes.conf and warewulf.conf will be updated on upgrade and the unmodified configuration files will be saved as nodes.conf.4.5.x and warewulf.conf.4.5.x

  • Summary of upstream changes:
    • New configuration upgrade system
    • Changes to the default profile
    • Renamed containers to (node) images
    • New kernel management system
    • Parallel overlay builds
    • Sprig functions in overlay templates
    • Improved network overlays
    • Nested profiles
    • Arbitrary "resources" data in nodes.conf
    • NFS client configuration in nodes.conf
    • Emphatically optional syncuser
    • Improved network boot observability
    • Particularly significant changes, especially those affecting the user interface, are described in the release notes:
      • https://warewulf.org/docs/v4.6.x/release/v4.6.0.html

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.5
    zypper in -t patch SUSE-2025-1094=1
  • openSUSE Leap 15.6
    zypper in -t patch openSUSE-SLE-15.6-2025-1094=1
  • HPC Module 15-SP6
    zypper in -t patch SUSE-SLE-Module-HPC-15-SP6-2025-1094=1
  • SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-1094=1
  • SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-1094=1

Package List:

  • openSUSE Leap 15.5 (aarch64 x86_64)
    • warewulf4-4.6.0-150500.6.34.1
    • warewulf4-overlay-4.6.0-150500.6.34.1
  • openSUSE Leap 15.5 (noarch)
    • warewulf4-man-4.6.0-150500.6.34.1
    • warewulf4-dracut-4.6.0-150500.6.34.1
    • warewulf4-overlay-slurm-4.6.0-150500.6.34.1
    • warewulf4-overlay-rke2-4.6.0-150500.6.34.1
    • warewulf4-reference-doc-4.6.0-150500.6.34.1
  • openSUSE Leap 15.6 (aarch64 x86_64)
    • warewulf4-4.6.0-150500.6.34.1
    • warewulf4-overlay-4.6.0-150500.6.34.1
  • openSUSE Leap 15.6 (noarch)
    • warewulf4-overlay-slurm-4.6.0-150500.6.34.1
    • warewulf4-dracut-4.6.0-150500.6.34.1
    • warewulf4-reference-doc-4.6.0-150500.6.34.1
    • warewulf4-man-4.6.0-150500.6.34.1
  • HPC Module 15-SP6 (aarch64 x86_64)
    • warewulf4-4.6.0-150500.6.34.1
    • warewulf4-overlay-4.6.0-150500.6.34.1
  • HPC Module 15-SP6 (noarch)
    • warewulf4-overlay-slurm-4.6.0-150500.6.34.1
    • warewulf4-dracut-4.6.0-150500.6.34.1
    • warewulf4-reference-doc-4.6.0-150500.6.34.1
    • warewulf4-man-4.6.0-150500.6.34.1
  • SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64 x86_64)
    • warewulf4-4.6.0-150500.6.34.1
    • warewulf4-overlay-4.6.0-150500.6.34.1
  • SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (noarch)
    • warewulf4-overlay-slurm-4.6.0-150500.6.34.1
    • warewulf4-dracut-4.6.0-150500.6.34.1
    • warewulf4-reference-doc-4.6.0-150500.6.34.1
    • warewulf4-man-4.6.0-150500.6.34.1
  • SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (aarch64 x86_64)
    • warewulf4-4.6.0-150500.6.34.1
    • warewulf4-overlay-4.6.0-150500.6.34.1
  • SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (noarch)
    • warewulf4-overlay-slurm-4.6.0-150500.6.34.1
    • warewulf4-dracut-4.6.0-150500.6.34.1
    • warewulf4-reference-doc-4.6.0-150500.6.34.1
    • warewulf4-man-4.6.0-150500.6.34.1
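
To confirm that a host actually carries the fixed build after patching, the installed warewulf4 packages can be compared against the version-release in the package list above. This is an added example, not part of the SUSE advisory; it assumes GNU `sort -V` as an approximation of RPM version ordering, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: flag warewulf4 packages older than the fixed build.
FIXED="4.6.0-150500.6.34.1"   # version-release from the package list above

# ver_ge A B: succeeds when version-release A is >= B.
# Assumption: sort -V ordering matches RPM ordering for these numeric strings.
ver_ge() {
    [ "$1" = "$2" ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# audit_lines: reads "name version-release" pairs on stdin, prints a verdict
# for every warewulf4* package and returns 1 if any is below FIXED.
audit_lines() {
    rc=0
    while read -r name vr; do
        case "$name" in
            warewulf4*) ;;
            *) continue ;;          # ignore unrelated packages
        esac
        if ver_ge "$vr" "$FIXED"; then
            echo "OK       $name $vr"
        else
            echo "OUTDATED $name $vr (need >= $FIXED)"
            rc=1
        fi
    done
    return $rc
}

# audit_installed: the same check against the local RPM database.
audit_installed() {
    rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'warewulf4*' | audit_lines
}

# Constructed sample (not taken from a real host): one stale, one fixed package.
SAMPLE='warewulf4 4.5.8-150500.6.1.1
warewulf4-overlay 4.6.0-150500.6.34.1'
printf '%s\n' "$SAMPLE" | audit_lines || echo "update required"
```

On a real system, call `audit_installed` instead of piping the sample; a non-zero return means at least one package still predates this update.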
