# Security update for warewulf4 Announcement ID: SUSE-SU-2025:1094-1 Release Date: 2025-04-02T03:37:41Z Rating: important References: * bsc#1226654 * bsc#1238611 * bsc#1239322 Cross-References: * CVE-2025-22869 * CVE-2025-22870 CVSS scores: * CVE-2025-22869 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2025-22869 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2025-22870 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N * CVE-2025-22870 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L * CVE-2025-22870 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L Affected Products: * HPC Module 15-SP6 * openSUSE Leap 15.5 * openSUSE Leap 15.6 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 * SUSE Linux Enterprise Server 15 SP6 An update that solves two vulnerabilities and has one security fix can now be installed. ## Description: This update for warewulf4 fixes the following issues: warewulf4 was updated from version 4.5.8 to 4.6.0: * Security issues fixed for version 4.6.0: * CVE-2025-22869: Fixed Denial of Service vulnerability in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239322) * CVE-2025-22870: Fixed proxy bypass using IPv6 zone IDs (bsc#1238611) * User visible changes: * Default values `nodes.conf`: * The default values for `kernel command line`, `init parameters` and `root` are now set in the `default` profile and this profileshould be included in every profile. During the installation of an update an upgrade is done to `nodes.conf` which updates the database accordingly. * Overlay split up: * The overlays `wwinit` and `runtime` are now split up in different overlays named according to their role. The upgrade process will update the node database and replace the overlays `wwinit` and `runtime` with a list of overlays with same role. * Site and distribution overlays: * The overlays in `/var/lib/warewulf/overlays` should not be changed by the user any more. Site specific overlays are now sorted under `/etc/warewulf/overlays`. On upgrade, changed overlays are stored with the `rpmsave` suffix and move to `/etc/warewulf/overlays/$OVERLAYNAME`. * Other changes and bugs fixed: * Fixed udev issue with assigning device names (bsc#1226654) * Implemented new package `warewulf-reference-doc` with the reference documentation for Warewulf 4 as PDF * The configuation files nodes.conf and warewulf.conf will be updated on upgrade and the unmodified configuration files will be saved as nodes.conf.4.5.x and warewulf.conf.4.5.x * Summary of upstream changes: * New configuration upgrade system * Changes to the default profile * Renamed containers to (node) images * New kernel management system * Parallel overlay builds * Sprig functions in overlay templates * Improved network overlays * Nested profiles * Arbitrary "resources" data in nodes.conf * NFS client configuration in nodes.conf * Emphatically optional syncuser * Improved network boot observability * Particularly significant changes, especially those affecting the user interface, are described in the release notes: * https://warewulf.org/docs/v4.6.x/release/v4.6.0.html ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.5 zypper in -t patch SUSE-2025-1094=1 * openSUSE Leap 15.6 zypper in -t patch openSUSE-SLE-15.6-2025-1094=1 * HPC Module 15-SP6 zypper in -t patch SUSE-SLE-Module-HPC-15-SP6-2025-1094=1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-1094=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-1094=1 ## Package List: * openSUSE Leap 15.5 (aarch64 x86_64) * warewulf4-4.6.0-150500.6.34.1 * warewulf4-overlay-4.6.0-150500.6.34.1 * openSUSE Leap 15.5 (noarch) * warewulf4-man-4.6.0-150500.6.34.1 * warewulf4-dracut-4.6.0-150500.6.34.1 * warewulf4-overlay-slurm-4.6.0-150500.6.34.1 * warewulf4-overlay-rke2-4.6.0-150500.6.34.1 * warewulf4-reference-doc-4.6.0-150500.6.34.1 * openSUSE Leap 15.6 (aarch64 x86_64) * warewulf4-4.6.0-150500.6.34.1 * warewulf4-overlay-4.6.0-150500.6.34.1 * openSUSE Leap 15.6 (noarch) * warewulf4-overlay-slurm-4.6.0-150500.6.34.1 * warewulf4-dracut-4.6.0-150500.6.34.1 * warewulf4-reference-doc-4.6.0-150500.6.34.1 * warewulf4-man-4.6.0-150500.6.34.1 * HPC Module 15-SP6 (aarch64 x86_64) * warewulf4-4.6.0-150500.6.34.1 * warewulf4-overlay-4.6.0-150500.6.34.1 * HPC Module 15-SP6 (noarch) * warewulf4-overlay-slurm-4.6.0-150500.6.34.1 * warewulf4-dracut-4.6.0-150500.6.34.1 * warewulf4-reference-doc-4.6.0-150500.6.34.1 * warewulf4-man-4.6.0-150500.6.34.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64 x86_64) * warewulf4-4.6.0-150500.6.34.1 * warewulf4-overlay-4.6.0-150500.6.34.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (noarch) * warewulf4-overlay-slurm-4.6.0-150500.6.34.1 * warewulf4-dracut-4.6.0-150500.6.34.1 * warewulf4-reference-doc-4.6.0-150500.6.34.1 * warewulf4-man-4.6.0-150500.6.34.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (aarch64 x86_64) * warewulf4-4.6.0-150500.6.34.1 * warewulf4-overlay-4.6.0-150500.6.34.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (noarch) * warewulf4-overlay-slurm-4.6.0-150500.6.34.1 * warewulf4-dracut-4.6.0-150500.6.34.1 * warewulf4-reference-doc-4.6.0-150500.6.34.1 * warewulf4-man-4.6.0-150500.6.34.1 ## References: * https://www.suse.com/security/cve/CVE-2025-22869.html * https://www.suse.com/security/cve/CVE-2025-22870.html * https://bugzilla.suse.com/show_bug.cgi?id=1226654 * https://bugzilla.suse.com/show_bug.cgi?id=1238611 * https://bugzilla.suse.com/show_bug.cgi?id=1239322