Detections
Analytics

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : build (SUSE-SU-2025:0857-1)

medium Nessus Plugin ID 232718

Synopsis

The remote SUSE host is missing a security update.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2025:0857-1 advisory.

 - CVE-2024-22038: Fixed DoS attacks, information leaks with crafted Git repositories (bnc#1230469)

 Other fixes:
 - Fixed behaviour when using '--shell' aka 'osc shell' option in a VM build. Startup is faster and permissions stay intact now.

 - fixes for POSIX compatibility for obs-docker-support adn mkbaselibs
 - Add support for apk in docker/podman builds
 - Add support for 'wget' in Docker images
 - Fix debian support for Dockerfile builds
 - Fix preinstallimages in containers
 - mkosi: add back system-packages used by build-recipe directly
 - pbuild: parse the Release files for debian repos

 - mkosi: drop most systemd/build-packages deps and use obs_scm directory as source if present
 - improve source copy handling
 - Introduce --repos-directory and --containers-directory options

 - productcompose: support of building against a baseiso
 - preinstallimage: avoid inclusion of build script generated files
 - preserve timestamps on sources copy-in for kiwi and productcompose
 - alpine package support updates
 - tumbleweed config update

 - debian: Support installation of foreign architecture packages (required for armv7l setups)
 - Parse unknown timezones as UTC
 - Apk (Alpine Linux) format support added
 - Implement default value in parameter expansion
 - Also support supplements that use & as 'and'
 - Add workaround for skopeo's argument parser
 - add cap-htm=off on power9
 - Fixed usage of chown calls
 - Remove leading `go` from `purl` locators

 - container related:
 * Implement support for the new <containers> element in kiwi recipes
 * Fixes for SBOM and dependencies of multi stage container builds
 * obs-docker-support: enable dnf and yum substitutions
 - Arch Linux:
 * fix file path for Arch repo
 * exclude unsupported arch
 * Use root as download user
 - build-vm-qemu: force sv48 satp mode on riscv64
 - mkosi:
 * Create .sha256 files after mkosi builds
 * Always pass --image-version to mkosi
 - General improvements and bugfixes (mkosi, pbuild, appimage/livebuild, obs work detection, documention, SBOM)
 - Support slsa v1 in unpack_slsa_provenance
 - generate_sbom: do not clobber spdx supplier
 - Harden export_debian_orig_from_git (bsc#1230469)

 - SBOM generation:
 - Adding golang introspection support
 - Adding rust binary introspection support
 - Keep track of unknwon licenses and add a 'hasExtractedLicensingInfos' section
 - Also normalize licenses for cyclonedx
 - Make generate_sbom errors fatal
 - general improvements
 - Fix noprep building not working because the buildir is removed
 - kiwi image: also detect a debian build if /var/lib/dpkg/status is present
 - Do not use the Encode module to convert a code point to utf8
 - Fix personality syscall number for riscv
 - add more required recommendations for KVM builds
 - set PACKAGER field in build-recipe-arch
 - fix writing _modulemd.yaml
 - pbuild: support --release and --baselibs option
 - container:
 - copy base container information from the annotation into the containerinfo
 - track base containers over multiple stages
 - always put the base container last in the dependencies

 - providing fileprovides in createdirdeps tool
 - Introduce buildflag nochecks

 - productcompose: support __all__ option
 - config update: tumbleweed using preinstallexpand
 - minor improvements

 - tumbleweed build config update
 - support the %load macro
 - improve container filename generation (docker)
 - fix hanging curl calls during build (docker)
 - productcompose: fix milestone query

 - tumbleweed build config update
 - 15.6 build config fixes
 - sourcerpm & sourcedep handling fixes
 - productcompose:
 - Fix milestone handling
 - Support bcntsynctag
 - Adding debian support to generate_sbom
 - Add syscall for personality switch on loongarch64 kernel
 - vm-build: ext3 & ext4: fix disk space allocation
 - mkosi format updates, not fully working yet
 - pbuild exception fixes
 - Fixes for current fedora and centos distros
 - Don't copy original dsc sources if OBS-DCH-RELEASE set
 - Unbreak parsing of sources/patches
 - Support ForceMultiVersion in the dockerfile parser
 - Support %bcond of rpm 4.17.1

 - Add a hack for systemd 255.3, creating an empty /etc/os-release if missing after preinstall.
 - docker: Fix HEAD request in dummyhttpserver
 - pbuild: Make docker-nobasepackages expand flag the default
 - rpm: Support a couple of builtin rpm macros
 - rpm: Implement argument expansion for define/with/bcond...
 - Fix multiline macro handling
 - Accept -N parameter of %autosetup
 - documentation updates
 - various code cleanup and speedup work.

 - ProductCompose: multiple improvements
 - Add buildflags:define_specfile support
 - Fix copy-in of git subdirectory sources
 - pbuild: Speed up XML parsing
 - pubild: product compose support
 - generate_sbom: add help option
 - podman: enforce runtime=runc
 - Implement direct conflicts from the distro config
 - changelog2spec: fix time zone handling
 - Do not unmount /proc/sys/fs/binfmt_misc before runnint the check scripts
 - spec file cleanup
 - documentation updates

 - productcompose:
 - support schema 0.1
 - support milestones
 - Leap 15.6 config
 - SLE 15 SP6 config

 - productcompose: follow incompatible flavor syntax change
 - pbuild: support for zstd

 - fixed handling for cmdline parameters via kernel packages

 - productcompose:
 * BREAKING: support new schema
 * adapt flavor architecture parsing

 - productcompose:
 * support filtered package lists
 * support default architecture listing
 * fix copy in binaries in VM builds^

 - obsproduct build type got renamed to productcompose

 - Support zstd compressed rpm-md meta data (bsc#1217269)
 - Added Debian 12 configuration
 - First ObsProduct build format support

 - fix SLE 15 SP5 build configuration
 - Improve user agent handling for obs repositories

 - Docker:
 - Support flavor specific build descriptions via Dockerfile.$flavor
 - support 'PlusRecommended' hint to also provide recommended packages
 - use the name/version as filename if both are known
 - Produce docker format containers by default
 - pbuild: Support for signature authentification of OBS resources
 - Fix wiping build root for --vm-type podman
 - Put BUILD_RELEASE and BUILD_CHANGELOG_TIMESTAMP in the /.buildenv
 - build-vm-kvm: use -cpu host on riscv64
 - small fixes and cleanups

 - Added parser for BcntSyncTag in sources

 - pbuild:
 * fix dependency expansion for build types other than spec
 * Reworked cycle handling code
 * add --extra-packs option
 * add debugflags option
 - Pass-through --buildtool-opt
 - Parse Patch and Source lines more accurately
 - fix tunefs functionality
 - minor bugfixes

 - --vm-type=podman added (supports also root-less builds)
 - Also support build constraints in the Dockerfile
 - minor fixes

 - Add SUSE ALP build config

 - BREAKING: Record errors when parsing the project config former behaviour was undefined
 - container: Support compression format configuration option
 - Don't setup ccache with --no-init
 - improved loongarch64 support
 - sbom: SPDX supplier tag added
 - kiwi: support different versions per profile
 - preinstallimage: fail when recompression fails
 - Add support for recommends and supplements dependencies
 - Support the 'keepfilerequires' expand flag
 - add '--buildtool-opt=OPTIONS' to pass options to the used build tool
 - distro config updates
 * ArchLinux
 * Tumbleweed
 - documentation updates

 - openSUSE Tumbleweed: sync config and move to suse_version 1699.

 - universal post-build hook, just place a file in /usr/lib/build/post_build.d/
 - mkbaselibs/hwcaps, fix pattern name once again (x86_64_v3)
 - KiwiProduct: add --use-newest-package hint if the option is set

 - Dockerfile support:
 * export multibuild flavor as argument
 * allow parameters in FROM .. scratch lines
 * include OS name in build result if != linux
 - Workaround directory->symlink usrmerge problems for cross arch sysroot
 - multiple fixes for SBOM support

 - KIWI VM image SBOM support added

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1217269

https://bugzilla.suse.com/1230469

http://www.nessus.org/u?8b990fb9

https://www.suse.com/security/cve/CVE-2024-22038

Plugin Details

Severity: Medium

ID: 232718

File Name: suse_SU-2025-0857-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 3/14/2025

Updated: 3/14/2025

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:C/A:C

CVSS Score Source: CVE-2024-22038

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.4

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.8

Threat Score: 4.4

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:build, p-cpe:/a:novell:suse_linux:build-mkbaselibs, cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 3/13/2025

Vulnerability Publication Date: 11/28/2024

Reference Information

CVE: CVE-2024-22038

SuSE: SUSE-SU-2025:0857-1