CVE-2026-34986 (GCVE-0-2026-34986)
Vulnerability from cvelistv5 – Published: 2026-04-06 16:22 – Updated: 2026-06-30 12:05
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34986",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T14:21:42.477191Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:21:54.041Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:cryostat:4::el9"
],
"defaultStatus": "affected",
"product": "Cryostat 4 on RHEL 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_custom_metrics_autoscaler:2.19::el9"
],
"defaultStatus": "affected",
"product": "Custom Metric Autoscaler 2.19",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:logging:6.0::el9"
],
"defaultStatus": "affected",
"product": "Logging Subsystem for Red Hat OpenShift 6.0",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_globalhub:1.3::el9"
],
"defaultStatus": "affected",
"product": "Multicluster Global Hub 1.3.4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_globalhub:1.4::el9"
],
"defaultStatus": "affected",
"product": "Multicluster Global Hub 1.4.5",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_globalhub:1.5::el9"
],
"defaultStatus": "affected",
"product": "Multicluster Global Hub 1.5.4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_globalhub:1.6::el9"
],
"defaultStatus": "affected",
"product": "Multicluster Global Hub 1.6.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_api_data_protection:1.4::el9"
],
"defaultStatus": "affected",
"product": "OpenShift API for Data Protection 1.4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_api_data_protection:1.5::el9"
],
"defaultStatus": "affected",
"product": "OpenShift API for Data Protection 1.5",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:acm:2.14::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2.14",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:advanced_cluster_security:4.10::el8"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Security for Kubernetes 4.10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:advanced_cluster_security:4.8::el8"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Security for Kubernetes 4.8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:advanced_cluster_security:4.9::el8"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Security for Kubernetes 4.9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:2.25::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI 2.25",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.3::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI 3.3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.17::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.17",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.18::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.18",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.19::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.19",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.20::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.20",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.21::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.21",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.22::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.22",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3.27::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces 3.27",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_gitops:1.18::el8"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift GitOps 1.18",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_pipelines:1.21::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Pipelines 1.21",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_pipelines:1.20::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Pipelines 1.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:2.6::el8"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 2.6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.1::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.2::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.3::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_distributed_tracing:3.9::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift distributed tracing 3.9.3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_data_foundation:4.17::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Openshift Data Foundation 4.17",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_data_foundation:4.18::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Openshift Data Foundation 4.18",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_data_foundation:4.19::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Openshift Data Foundation 4.19",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_data_foundation:4.20::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Openshift Data Foundation 4.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:quay:3.12::el8"
],
"defaultStatus": "affected",
"product": "Red Hat Quay 3.12",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:quay:3.14::el8"
],
"defaultStatus": "affected",
"product": "Red Hat Quay 3.14",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:quay:3.15::el8"
],
"defaultStatus": "affected",
"product": "Red Hat Quay 3.15",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:quay:3.16::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Quay 3.16",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:quay:3.17::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Quay 3.17",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:quay:3.10::el8"
],
"defaultStatus": "affected",
"product": "Red Hat Quay 3.1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:quay:3.9::el8"
],
"defaultStatus": "affected",
"product": "Red Hat Quay 3.9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:trusted_artifact_signer:1.3::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Trusted Artifact Signer 1.3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_engine:2.10::el9"
],
"defaultStatus": "affected",
"product": "multicluster engine for Kubernetes 2.10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_engine:2.11::el9"
],
"defaultStatus": "affected",
"product": "multicluster engine for Kubernetes 2.11",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_engine:2.6::el8"
],
"defaultStatus": "affected",
"product": "multicluster engine for Kubernetes 2.6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_engine:2.7::el9"
],
"defaultStatus": "affected",
"product": "multicluster engine for Kubernetes 2.7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_engine:2.8::el9"
],
"defaultStatus": "affected",
"product": "multicluster engine for Kubernetes 2.8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_engine:2.9::el8"
],
"defaultStatus": "affected",
"product": "multicluster engine for Kubernetes 2.9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:assisted_installer:2"
],
"defaultStatus": "affected",
"product": "Assisted Installer for Red Hat OpenShift Container Platform 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:cert_manager:1"
],
"defaultStatus": "affected",
"product": "cert-manager Operator for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:confidential_compute_attestation:1"
],
"defaultStatus": "affected",
"product": "Confidential Compute Attestation",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:kernel_module_management:2"
],
"defaultStatus": "affected",
"product": "Kernel Module Management Operator for Red Hat Openshift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:logging:5"
],
"defaultStatus": "affected",
"product": "Logging Subsystem for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhmt:1"
],
"defaultStatus": "affected",
"product": "Migration Toolkit for Containers",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:migration_toolkit_virtualization:2"
],
"defaultStatus": "affected",
"product": "Migration Toolkit for Virtualization",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_engine"
],
"defaultStatus": "affected",
"product": "Multicluster Engine for Kubernetes",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_globalhub"
],
"defaultStatus": "affected",
"product": "Multicluster Global Hub",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ocp_tools"
],
"defaultStatus": "affected",
"product": "OpenShift Developer Tools and Services",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_lightspeed"
],
"defaultStatus": "affected",
"product": "OpenShift Lightspeed",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_pipelines:1"
],
"defaultStatus": "affected",
"product": "OpenShift Pipelines",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:serverless:1"
],
"defaultStatus": "affected",
"product": "OpenShift Serverless",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3"
],
"defaultStatus": "affected",
"product": "OpenShift Service Mesh 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:acm:2"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "affected",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:podman_desktop:1"
],
"defaultStatus": "affected",
"product": "Red Hat Build of Podman Desktop",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:podman_desktop:0"
],
"defaultStatus": "affected",
"product": "Red Hat Build of Podman Desktop - Tech Preview",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:connectivity_link:1"
],
"defaultStatus": "affected",
"product": "Red Hat Connectivity Link 1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_cluster_manager_cli:1"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Cluster Manager CLI",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_data_foundation:4"
],
"defaultStatus": "affected",
"product": "Red Hat Openshift Data Foundation 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_gitops:1"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift GitOps",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_service_on_aws:1"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift on AWS",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:quay:3"
],
"defaultStatus": "affected",
"product": "Red Hat Quay 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:trusted_artifact_signer:1"
],
"defaultStatus": "affected",
"product": "Red Hat Trusted Artifact Signer",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_security_profiles_operator:1"
],
"defaultStatus": "affected",
"product": "Security Profiles Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:zero_trust_workload_identity_manager:0"
],
"defaultStatus": "affected",
"product": "Zero Trust Workload Identity Manager - Tech Preview",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:external_secrets_operator:1"
],
"defaultStatus": "unaffected",
"product": "External Secrets Operator for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:lvms:4"
],
"defaultStatus": "unaffected",
"product": "Logical Volume Manager Storage",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:network_observ_optr:1"
],
"defaultStatus": "unaffected",
"product": "Network Observability Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:workload_availability_nhc:0"
],
"defaultStatus": "unaffected",
"product": "Node HealthCheck Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:2"
],
"defaultStatus": "unaffected",
"product": "OpenShift Service Mesh 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_power_monitoring"
],
"defaultStatus": "unaffected",
"product": "Power monitoring for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:advanced_cluster_security:4"
],
"defaultStatus": "unaffected",
"product": "Red Hat Advanced Cluster Security 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:kueue_operator:1"
],
"defaultStatus": "unaffected",
"product": "Red Hat Build of Kueue",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:windows_machine_config"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenShift for Windows Containers",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:container_native_virtualization:4"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenShift Virtualization 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openstack:18.0"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenStack Platform 18.0",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:zero_trust_workload_identity_manager:1"
],
"defaultStatus": "unaffected",
"product": "Zero Trust Workload Identity Manager",
"vendor": "Red Hat"
}
],
"datePublic": "2026-04-06T16:22:45.353Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-131",
"description": "Incorrect Calculation of Buffer Size",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:05:51.082Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-34986"
},
{
"name": "RHBZ#2455470",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455470"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-34986.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:17789"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20569"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19719"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27856"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:17040"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16696"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22937"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19135"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22450"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19017"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25252"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25248"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25250"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:32991"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19721"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20607"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19720"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26054"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:17287"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20609"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:10135"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19186"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23228"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19353"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22714"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19173"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26636"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26585"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22423"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22347"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21769"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23345"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:29854"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26568"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25127"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13829"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:11070"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:11217"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13791"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:24977"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19712"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:17598"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27001"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:17448"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27004"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20041"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27063"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21703"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25194"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:17468"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25187"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21709"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23241"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27044"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20034"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:17474"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25206"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:10175"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20946"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:24484"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21932"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21931"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:11688"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:9448"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:8490"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:9453"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:8491"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:8493"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:9388"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:9385"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:17550"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:17547"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:12279"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:12277"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:11856"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22629"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21017"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:24853"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19375"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22465"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:11916"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22840"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:23361"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:11996"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:10125"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:10130"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:24475"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:24482"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:24479"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:24477"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:24471"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:12116"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19099"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19108"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28198"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:17459"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:17458"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:11512"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:17123"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22258"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:17121"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22260"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30650"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:18584"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:18585"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:17789: Cryostat 4 on RHEL 9"
},
{
"lang": "en",
"value": "RHSA-2026:20569: Red Hat Enterprise Linux AppStream EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:19719: Red Hat Enterprise Linux AppStream EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:27856: Red Hat Enterprise Linux AppStream EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:17040: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:16696: Red Hat Enterprise Linux AppStream EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:22937: Red Hat Enterprise Linux AppStream (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:19135: Red Hat Enterprise Linux AppStream (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:22450: Red Hat Enterprise Linux AppStream (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:19017: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:25252: Red Hat Enterprise Linux AppStream E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:25248: Red Hat Enterprise Linux AppStream E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:25250: Red Hat Enterprise Linux AppStream E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:32991: Red Hat Enterprise Linux AppStream E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:19721: Red Hat Enterprise Linux AppStream EUS (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:20607: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:19720: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:26054: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:17287: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:20609: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:10135: Red Hat Enterprise Linux AppStream (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:19186: Red Hat Enterprise Linux AppStream (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:23228: Red Hat Enterprise Linux AppStream (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:19353: Red Hat Enterprise Linux AppStream (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:22714: Red Hat Enterprise Linux AppStream (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:19173: Red Hat Enterprise Linux AppStream (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:26636: Custom Metric Autoscaler 2.19"
},
{
"lang": "en",
"value": "RHSA-2026:26585: Logging Subsystem for Red Hat OpenShift 6.0"
},
{
"lang": "en",
"value": "RHSA-2026:22423: Multicluster Global Hub 1.3.4"
},
{
"lang": "en",
"value": "RHSA-2026:22347: Multicluster Global Hub 1.4.5"
},
{
"lang": "en",
"value": "RHSA-2026:21769: Multicluster Global Hub 1.5.4"
},
{
"lang": "en",
"value": "RHSA-2026:23345: Multicluster Global Hub 1.6.2"
},
{
"lang": "en",
"value": "RHSA-2026:29854: OpenShift API for Data Protection 1.4"
},
{
"lang": "en",
"value": "RHSA-2026:26568: OpenShift API for Data Protection 1.5"
},
{
"lang": "en",
"value": "RHSA-2026:25127: Red Hat Advanced Cluster Management for Kubernetes 2.14"
},
{
"lang": "en",
"value": "RHSA-2026:13829: Red Hat Advanced Cluster Security for Kubernetes 4.10"
},
{
"lang": "en",
"value": "RHSA-2026:11070: Red Hat Advanced Cluster Security for Kubernetes 4.8"
},
{
"lang": "en",
"value": "RHSA-2026:11217: Red Hat Advanced Cluster Security for Kubernetes 4.8"
},
{
"lang": "en",
"value": "RHSA-2026:13791: Red Hat Advanced Cluster Security for Kubernetes 4.9"
},
{
"lang": "en",
"value": "RHSA-2026:24977: Red Hat OpenShift AI 2.25"
},
{
"lang": "en",
"value": "RHSA-2026:19712: Red Hat OpenShift AI 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:17598: Red Hat OpenShift Container Platform 4.17"
},
{
"lang": "en",
"value": "RHSA-2026:27001: Red Hat OpenShift Container Platform 4.18"
},
{
"lang": "en",
"value": "RHSA-2026:17448: Red Hat OpenShift Container Platform 4.18"
},
{
"lang": "en",
"value": "RHSA-2026:27004: Red Hat OpenShift Container Platform 4.19"
},
{
"lang": "en",
"value": "RHSA-2026:20041: Red Hat OpenShift Container Platform 4.19"
},
{
"lang": "en",
"value": "RHSA-2026:27063: Red Hat OpenShift Container Platform 4.20"
},
{
"lang": "en",
"value": "RHSA-2026:21703: Red Hat OpenShift Container Platform 4.20"
},
{
"lang": "en",
"value": "RHSA-2026:25194: Red Hat OpenShift Container Platform 4.20"
},
{
"lang": "en",
"value": "RHSA-2026:17468: Red Hat OpenShift Container Platform 4.20"
},
{
"lang": "en",
"value": "RHSA-2026:25187: Red Hat OpenShift Container Platform 4.21"
},
{
"lang": "en",
"value": "RHSA-2026:21709: Red Hat OpenShift Container Platform 4.21"
},
{
"lang": "en",
"value": "RHSA-2026:23241: Red Hat OpenShift Container Platform 4.21"
},
{
"lang": "en",
"value": "RHSA-2026:27044: Red Hat OpenShift Container Platform 4.21"
},
{
"lang": "en",
"value": "RHSA-2026:20034: Red Hat OpenShift Container Platform 4.21"
},
{
"lang": "en",
"value": "RHSA-2026:17474: Red Hat OpenShift Container Platform 4.21"
},
{
"lang": "en",
"value": "RHSA-2026:25206: Red Hat OpenShift Container Platform 4.22"
},
{
"lang": "en",
"value": "RHSA-2026:10175: Red Hat OpenShift Dev Spaces 3.27"
},
{
"lang": "en",
"value": "RHSA-2026:20946: Red Hat OpenShift GitOps 1.18"
},
{
"lang": "en",
"value": "RHSA-2026:24484: Red Hat OpenShift Pipelines 1.21"
},
{
"lang": "en",
"value": "RHSA-2026:21932: Red Hat OpenShift Pipelines 1.2"
},
{
"lang": "en",
"value": "RHSA-2026:21931: Red Hat OpenShift Pipelines 1.2"
},
{
"lang": "en",
"value": "RHSA-2026:11688: Red Hat OpenShift Service Mesh 2.6"
},
{
"lang": "en",
"value": "RHSA-2026:9448: Red Hat OpenShift Service Mesh 3.1"
},
{
"lang": "en",
"value": "RHSA-2026:8490: Red Hat OpenShift Service Mesh 3.1"
},
{
"lang": "en",
"value": "RHSA-2026:9453: Red Hat OpenShift Service Mesh 3.2"
},
{
"lang": "en",
"value": "RHSA-2026:8491: Red Hat OpenShift Service Mesh 3.2"
},
{
"lang": "en",
"value": "RHSA-2026:8493: Red Hat OpenShift Service Mesh 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:9388: Red Hat OpenShift distributed tracing 3.9.3"
},
{
"lang": "en",
"value": "RHSA-2026:9385: Red Hat OpenShift distributed tracing 3.9.3"
},
{
"lang": "en",
"value": "RHSA-2026:17550: Red Hat Openshift Data Foundation 4.17"
},
{
"lang": "en",
"value": "RHSA-2026:17547: Red Hat Openshift Data Foundation 4.18"
},
{
"lang": "en",
"value": "RHSA-2026:12279: Red Hat Openshift Data Foundation 4.19"
},
{
"lang": "en",
"value": "RHSA-2026:12277: Red Hat Openshift Data Foundation 4.2"
},
{
"lang": "en",
"value": "RHSA-2026:11856: Red Hat Quay 3.12"
},
{
"lang": "en",
"value": "RHSA-2026:22629: Red Hat Quay 3.12"
},
{
"lang": "en",
"value": "RHSA-2026:21017: Red Hat Quay 3.14"
},
{
"lang": "en",
"value": "RHSA-2026:24853: Red Hat Quay 3.15"
},
{
"lang": "en",
"value": "RHSA-2026:19375: Red Hat Quay 3.16"
},
{
"lang": "en",
"value": "RHSA-2026:22465: Red Hat Quay 3.17"
},
{
"lang": "en",
"value": "RHSA-2026:11916: Red Hat Quay 3.1"
},
{
"lang": "en",
"value": "RHSA-2026:22840: Red Hat Quay 3.1"
},
{
"lang": "en",
"value": "RHSA-2026:23361: Red Hat Quay 3.9"
},
{
"lang": "en",
"value": "RHSA-2026:11996: Red Hat Quay 3.9"
},
{
"lang": "en",
"value": "RHSA-2026:10125: Red Hat Trusted Artifact Signer 1.3"
},
{
"lang": "en",
"value": "RHSA-2026:10130: Red Hat Trusted Artifact Signer 1.3"
},
{
"lang": "en",
"value": "RHSA-2026:24475: Red Hat Trusted Artifact Signer 1.3"
},
{
"lang": "en",
"value": "RHSA-2026:24482: Red Hat Trusted Artifact Signer 1.3"
},
{
"lang": "en",
"value": "RHSA-2026:24479: Red Hat Trusted Artifact Signer 1.3"
},
{
"lang": "en",
"value": "RHSA-2026:24477: Red Hat Trusted Artifact Signer 1.3"
},
{
"lang": "en",
"value": "RHSA-2026:24471: Red Hat Trusted Artifact Signer 1.3"
},
{
"lang": "en",
"value": "RHSA-2026:12116: multicluster engine for Kubernetes 2.10"
},
{
"lang": "en",
"value": "RHSA-2026:19099: multicluster engine for Kubernetes 2.10"
},
{
"lang": "en",
"value": "RHSA-2026:19108: multicluster engine for Kubernetes 2.11"
},
{
"lang": "en",
"value": "RHSA-2026:28198: multicluster engine for Kubernetes 2.6"
},
{
"lang": "en",
"value": "RHSA-2026:17459: multicluster engine for Kubernetes 2.6"
},
{
"lang": "en",
"value": "RHSA-2026:17458: multicluster engine for Kubernetes 2.6"
},
{
"lang": "en",
"value": "RHSA-2026:11512: multicluster engine for Kubernetes 2.7"
},
{
"lang": "en",
"value": "RHSA-2026:17123: multicluster engine for Kubernetes 2.8"
},
{
"lang": "en",
"value": "RHSA-2026:22258: multicluster engine for Kubernetes 2.8"
},
{
"lang": "en",
"value": "RHSA-2026:17121: multicluster engine for Kubernetes 2.8"
},
{
"lang": "en",
"value": "RHSA-2026:22260: multicluster engine for Kubernetes 2.8"
},
{
"lang": "en",
"value": "RHSA-2026:30650: multicluster engine for Kubernetes 2.8"
},
{
"lang": "en",
"value": "RHSA-2026:18584: multicluster engine for Kubernetes 2.9"
},
{
"lang": "en",
"value": "RHSA-2026:18585: multicluster engine for Kubernetes 2.9"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-06T17:01:34.639Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-04-06T16:22:45.353Z",
"value": "Made public."
}
],
"title": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "go-jose",
"vendor": "go-jose",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.1.4"
},
{
"status": "affected",
"version": "\u003c 3.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-248",
"description": "CWE-248: Uncaught Exception",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T16:22:45.353Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"
},
{
"name": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants",
"tags": [
"x_refsource_MISC"
],
"url": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants"
}
],
"source": {
"advisory": "GHSA-78h2-9frx-2jm8",
"discovery": "UNKNOWN"
},
"title": "Go JOSE affected by a panic in JWE decryption"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34986",
"datePublished": "2026-04-06T16:22:45.353Z",
"dateReserved": "2026-03-31T19:38:31.617Z",
"dateUpdated": "2026-06-30T12:05:51.082Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-34986",
"date": "2026-06-30",
"epss": "0.00651",
"percentile": "0.46542"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-34986\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-06T17:17:11.870\",\"lastModified\":\"2026-06-30T03:19:00.233\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. 
This vulnerability is fixed in 4.1.4 and 3.0.5.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"go-jose\",\"product\":\"go-jose\",\"versions\":[{\"version\":\"\u003e= 4.0.0, \u003c 4.1.4\",\"status\":\"affected\"},{\"version\":\"\u003c 3.0.5\",\"status\":\"affected\"}]}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"affectedData\":[{\"vendor\":\"Red Hat\",\"product\":\"Cryostat 4 on RHEL 9\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:cryostat:4::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream EUS (v. 10.0)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux_eus:10.0\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream (v. 10)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:10.2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream E4S (v.9.2)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_e4s:9.2::appstream\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream E4S (v.9.4)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_e4s:9.4::appstream\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream EUS (v.9.4)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_eus:9.4::appstream\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream EUS (v.9.6)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_eus:9.6::appstream\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream (v. 9)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:enterprise_linux:9::appstream\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 
10.0)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux_eus:10.0\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:10.2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Custom Metric Autoscaler 2.19\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_custom_metrics_autoscaler:2.19::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Logging Subsystem for Red Hat OpenShift 6.0\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:logging:6.0::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Multicluster Global Hub 1.3.4\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:multicluster_globalhub:1.3::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Multicluster Global Hub 1.4.5\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:multicluster_globalhub:1.4::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Multicluster Global Hub 1.5.4\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:multicluster_globalhub:1.5::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Multicluster Global Hub 1.6.2\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:multicluster_globalhub:1.6::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift API for Data Protection 1.4\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_api_data_protection:1.4::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift API for Data Protection 1.5\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_api_data_protection:1.5::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Advanced Cluster Management for Kubernetes 2.14\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:acm:2.14::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Advanced Cluster Security for Kubernetes 
4.10\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:advanced_cluster_security:4.10::el8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Advanced Cluster Security for Kubernetes 4.8\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:advanced_cluster_security:4.8::el8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Advanced Cluster Security for Kubernetes 4.9\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:advanced_cluster_security:4.9::el8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift AI 2.25\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_ai:2.25::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift AI 3.3\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_ai:3.3::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Container Platform 4.17\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift:4.17::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Container Platform 4.18\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift:4.18::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Container Platform 4.19\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift:4.19::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Container Platform 4.20\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift:4.20::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Container Platform 4.21\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift:4.21::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Container Platform 4.22\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift:4.22::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Dev Spaces 3.27\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_devspaces:3.27::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift GitOps 
1.18\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_gitops:1.18::el8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Pipelines 1.21\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_pipelines:1.21::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Pipelines 1.2\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_pipelines:1.20::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Service Mesh 2.6\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:service_mesh:2.6::el8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Service Mesh 3.1\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:service_mesh:3.1::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Service Mesh 3.2\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:service_mesh:3.2::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Service Mesh 3.3\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:service_mesh:3.3::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift distributed tracing 3.9.3\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_distributed_tracing:3.9::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Openshift Data Foundation 4.17\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_data_foundation:4.17::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Openshift Data Foundation 4.18\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_data_foundation:4.18::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Openshift Data Foundation 4.19\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_data_foundation:4.19::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Openshift Data Foundation 4.2\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_data_foundation:4.20::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Quay 
3.12\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:quay:3.12::el8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Quay 3.14\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:quay:3.14::el8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Quay 3.15\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:quay:3.15::el8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Quay 3.16\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:quay:3.16::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Quay 3.17\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:quay:3.17::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Quay 3.1\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:quay:3.10::el8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Quay 3.9\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:quay:3.9::el8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Trusted Artifact Signer 1.3\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:trusted_artifact_signer:1.3::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"multicluster engine for Kubernetes 2.10\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:multicluster_engine:2.10::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"multicluster engine for Kubernetes 2.11\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:multicluster_engine:2.11::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"multicluster engine for Kubernetes 2.6\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:multicluster_engine:2.6::el8\"]},{\"vendor\":\"Red Hat\",\"product\":\"multicluster engine for Kubernetes 2.7\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:multicluster_engine:2.7::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"multicluster engine for Kubernetes 2.8\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:multicluster_engine:2.8::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"multicluster engine for Kubernetes 
2.9\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:multicluster_engine:2.9::el8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Assisted Installer for Red Hat OpenShift Container Platform 2\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:assisted_installer:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"cert-manager Operator for Red Hat OpenShift\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:cert_manager:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Confidential Compute Attestation\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:confidential_compute_attestation:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Kernel Module Management Operator for Red Hat Openshift\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:kernel_module_management:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Logging Subsystem for Red Hat OpenShift\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:logging:5\"]},{\"vendor\":\"Red Hat\",\"product\":\"Migration Toolkit for Containers\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhmt:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Migration Toolkit for Virtualization\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:migration_toolkit_virtualization:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Multicluster Engine for Kubernetes\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:multicluster_engine\"]},{\"vendor\":\"Red Hat\",\"product\":\"Multicluster Global Hub\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:multicluster_globalhub\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Developer Tools and Services\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:ocp_tools\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Lightspeed\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_lightspeed\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift 
Pipelines\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_pipelines:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Serverless\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:serverless:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Service Mesh 3\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:service_mesh:3\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Advanced Cluster Management for Kubernetes 2\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:acm:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Ansible Automation Platform 2\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:ansible_automation_platform:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Build of Podman Desktop\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:podman_desktop:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Build of Podman Desktop - Tech Preview\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:podman_desktop:0\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Connectivity Link 1\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:connectivity_link:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 10\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:10\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 8\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 9\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift AI (RHOAI)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_ai\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Cluster Manager CLI\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_cluster_manager_cli:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Container Platform 
4\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift:4\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Openshift Data Foundation 4\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_data_foundation:4\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Dev Spaces\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_devspaces:3\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift GitOps\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_gitops:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift on AWS\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_service_on_aws:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Quay 3\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:quay:3\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Trusted Artifact Signer\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:trusted_artifact_signer:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Security Profiles Operator\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_security_profiles_operator:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Zero Trust Workload Identity Manager - Tech Preview\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:zero_trust_workload_identity_manager:0\"]},{\"vendor\":\"Red Hat\",\"product\":\"External Secrets Operator for Red Hat OpenShift\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:external_secrets_operator:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Logical Volume Manager Storage\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:lvms:4\"]},{\"vendor\":\"Red Hat\",\"product\":\"Network Observability Operator\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:network_observ_optr:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Node HealthCheck Operator\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:workload_availability_nhc:0\"]},{\"vendor\":\"Red 
Hat\",\"product\":\"OpenShift Service Mesh 2\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:service_mesh:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Power monitoring for Red Hat OpenShift\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:openshift_power_monitoring\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Advanced Cluster Security 4\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:advanced_cluster_security:4\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Build of Kueue\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:kueue_operator:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift for Windows Containers\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:windows_machine_config\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Virtualization 4\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:container_native_virtualization:4\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenStack Platform 18.0\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:openstack:18.0\"]},{\"vendor\":\"Red Hat\",\"product\":\"Zero Trust Workload Identity 
Manager\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:zero_trust_workload_identity_manager:1\"]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-04-07T14:21:42.477191Z\",\"id\":\"CVE-2026-34986\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA 
Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-248\"}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-131\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:go-jose_project:go-jose:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.0.5\",\"matchCriteriaId\":\"C8F16FC9-40BA-4C17-9ABD-614143E86BFE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:go-jose_project:go-jose:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndExcluding\":\"4.1.4\",\"matchCriteriaId\":\"DC2FEC8C-1ECF-40EA-A074-86B4C7688B60\"}]}]}],\"references\":[{\"url\":\"https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Technical 
Description\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:10125\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:10130\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:10135\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:10175\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:11070\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:11217\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:11512\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:11688\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:11856\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:11916\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:11996\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:12116\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:12277\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:12279\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:13791\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:13829\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:16696\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.red
hat.com/errata/RHSA-2026:17040\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:17121\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:17123\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:17287\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:17448\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:17458\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:17459\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:17468\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:17474\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:17547\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:17550\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:17598\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:17789\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:18584\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:18585\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:19017\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:19099\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:19108\",\"source\":\
"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:19135\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:19173\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:19186\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:19353\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:19375\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:19712\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:19719\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:19720\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:19721\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:20034\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:20041\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:20569\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:20607\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:20609\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:20946\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:21017\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:21703\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"u
rl\":\"https://access.redhat.com/errata/RHSA-2026:21709\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:21769\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:21931\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:21932\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:22258\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:22260\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:22347\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:22423\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:22450\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:22465\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:22629\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:22714\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:22840\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:22937\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:23228\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:23241\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:23345\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-
2026:23361\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:24471\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:24475\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:24477\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:24479\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:24482\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:24484\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:24853\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:24977\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:25127\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:25187\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:25194\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:25206\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:25248\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:25250\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:25252\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:26054\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:26568\",\"source\":\"0b0ca135-0b70-47e7-
9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:26585\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:26636\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:27001\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:27004\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:27044\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:27063\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:27856\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:28198\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:29854\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:30650\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:32991\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:8490\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:8491\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:8493\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:9385\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:9388\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:9448\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redh
at.com/errata/RHSA-2026:9453\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2026-34986\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2455470\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-34986.json\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-34986\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-07T14:21:42.477191Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-07T14:21:49.130Z\"}}], \"cna\": {\"title\": \"Go JOSE affect by a panic in JWE decryption\", \"source\": {\"advisory\": \"GHSA-78h2-9frx-2jm8\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"go-jose\", \"product\": \"go-jose\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.0.0, \u003c 4.1.4\"}, {\"status\": \"affected\", \"version\": \"\u003c 3.0.5\"}]}], \"references\": [{\"url\": \"https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8\", \"name\": \"https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants\", \"name\": \"https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web 
Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-248\", \"description\": \"CWE-248: Uncaught Exception\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-06T16:22:45.353Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-34986\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-07T14:21:54.041Z\", \"dateReserved\": \"2026-03-31T19:38:31.617Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-06T16:22:45.353Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
RHSA-2026:9448
Vulnerability from csaf_redhat - Published: 2026-04-21 17:23 - Updated: 2026-06-30 17:36

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected such URLs as invalid.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64 | — |
Workaround
|
A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 `:path` pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed `:path` that omits the mandatory leading slash. This allows the attacker to bypass defined security policies, potentially leading to unauthorized access to services or information disclosure.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64 | — |
Workaround
|
A flaw was found in BuildKit, a toolkit for converting source code to build artifacts. An untrusted BuildKit frontend can be leveraged to craft a malicious API message, allowing files to be written outside of the designated BuildKit state directory. This vulnerability, which is a form of arbitrary file write, could enable an attacker to execute unauthorized code or escalate their privileges on the system. This issue arises when custom BuildKit frontends are used with specific configuration options.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64 | — |
Workaround
|
A flaw was found in BuildKit (tracked as CVE-2026-33748; RHSA-2026:9448 lists it against istio-proxyv2-rhel9). Insufficient validation of Git URL fragment subdirectory components may allow a remote attacker to access files outside the checked-out Git repository root. This access is limited to files on the same mounted filesystem. This vulnerability could lead to unauthorized information disclosure.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64 | — |
Workaround
|
A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects (tracked as CVE-2026-34986; RHSA-2026:9448 lists it against istio-cni-rhel9 and istio-pilot-rhel9). A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64 | — |
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat OpenShift Service Mesh 3.1.7\n\nThis update has a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Service Mesh 3.1.7, which is based on the open source Istio project, addresses a variety of problems in a microservice architecture by creating a centralized point of control in an application.\n\nFixes/Improvements:\n\nSecurity Fix(es):\n\n* istio-rhel9-operator: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)\n\n* istio-cni-rhel9: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)\n\n* istio-pilot-rhel9: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)\n\n* istio-proxyv2-rhel9: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)\n\n* istio-proxyv2-rhel9: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation (CVE-2026-33186)\n\n* istio-proxyv2-rhel9: BuildKit: Arbitrary file write and code execution via untrusted frontend (CVE-2026-33747)\n\n* istio-proxyv2-rhel9: BuildKit: Unauthorized file access via Git URL fragment subdir components (CVE-2026-33748)\n\n* istio-cni-rhel9: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object (CVE-2026-34986)\n\n* istio-pilot-rhel9: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object (CVE-2026-34986)\n\nBug Fix(es):\n\n* OSSM operator metrics reader ClusterRole conflicts with other operators (OSSM-13106)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:9448",
"url": "https://access.redhat.com/errata/RHSA-2026:9448"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-25679",
"url": "https://access.redhat.com/security/cve/CVE-2026-25679"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33186",
"url": "https://access.redhat.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33747",
"url": "https://access.redhat.com/security/cve/CVE-2026-33747"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33748",
"url": "https://access.redhat.com/security/cve/CVE-2026-33748"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-34986",
"url": "https://access.redhat.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/cve-2026-25679",
"url": "https://access.redhat.com/security/cve/cve-2026-25679"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/cve-2026-33186",
"url": "https://access.redhat.com/security/cve/cve-2026-33186"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/cve-2026-33747",
"url": "https://access.redhat.com/security/cve/cve-2026-33747"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/cve-2026-33748",
"url": "https://access.redhat.com/security/cve/cve-2026-33748"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/cve-2026-34986",
"url": "https://access.redhat.com/security/cve/cve-2026-34986"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification",
"url": "https://access.redhat.com/security/updates/classification"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_9448.json"
}
],
"title": "Red Hat Security Advisory: Red Hat OpenShift Service Mesh 3.1.7",
"tracking": {
"current_release_date": "2026-06-30T17:36:40+00:00",
"generator": {
"date": "2026-06-30T17:36:40+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:9448",
"initial_release_date": "2026-04-21T17:23:46+00:00",
"revision_history": [
{
"date": "2026-04-21T17:23:46+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-21T17:23:52+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T17:36:40+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Service Mesh 3.1",
"product": {
"name": "Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:service_mesh:3.1::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Service Mesh"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64",
"product_identification_helper": {
"purl": "pkg:oci/istio-sail-operator-bundle@sha256%3A2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776677125"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64",
"product_identification_helper": {
"purl": "pkg:oci/istio-cni-rhel9@sha256%3A0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776238635"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64",
"product_identification_helper": {
"purl": "pkg:oci/istio-must-gather-rhel9@sha256%3A18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776412783"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64",
"product_identification_helper": {
"purl": "pkg:oci/istio-rhel9-operator@sha256%3A149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776232570"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64",
"product_identification_helper": {
"purl": "pkg:oci/istio-pilot-rhel9@sha256%3Ae496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776256858"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64",
"product_identification_helper": {
"purl": "pkg:oci/istio-proxyv2-rhel9@sha256%3A7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776315466"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64",
"product_identification_helper": {
"purl": "pkg:oci/istio-ztunnel-rhel9@sha256%3A8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh-tech-preview\u0026tag=1776177800"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64",
"product_identification_helper": {
"purl": "pkg:oci/istio-cni-rhel9@sha256%3A65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776238635"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64",
"product_identification_helper": {
"purl": "pkg:oci/istio-must-gather-rhel9@sha256%3A4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776412783"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64",
"product_identification_helper": {
"purl": "pkg:oci/istio-rhel9-operator@sha256%3Abfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776232570"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64",
"product_identification_helper": {
"purl": "pkg:oci/istio-pilot-rhel9@sha256%3A7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776256858"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64",
"product_identification_helper": {
"purl": "pkg:oci/istio-proxyv2-rhel9@sha256%3A7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776315466"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64",
"product_identification_helper": {
"purl": "pkg:oci/istio-ztunnel-rhel9@sha256%3A883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh-tech-preview\u0026tag=1776177800"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/istio-cni-rhel9@sha256%3A2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776238635"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/istio-must-gather-rhel9@sha256%3A5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776412783"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/istio-rhel9-operator@sha256%3A8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776232570"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/istio-pilot-rhel9@sha256%3Aa55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776256858"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/istio-proxyv2-rhel9@sha256%3A321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776315466"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/istio-ztunnel-rhel9@sha256%3A46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh-tech-preview\u0026tag=1776177800"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x",
"product_identification_helper": {
"purl": "pkg:oci/istio-cni-rhel9@sha256%3A3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776238635"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x",
"product_identification_helper": {
"purl": "pkg:oci/istio-must-gather-rhel9@sha256%3A629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776412783"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x",
"product_identification_helper": {
"purl": "pkg:oci/istio-rhel9-operator@sha256%3A2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776232570"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x",
"product_identification_helper": {
"purl": "pkg:oci/istio-pilot-rhel9@sha256%3A702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776256858"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x",
"product_identification_helper": {
"purl": "pkg:oci/istio-proxyv2-rhel9@sha256%3A5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776315466"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x",
"product_identification_helper": {
"purl": "pkg:oci/istio-ztunnel-rhel9@sha256%3A1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh-tech-preview\u0026tag=1776177800"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64 as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64 as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64 as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64 as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64 as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64 as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64 as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64 as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64 as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64 as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64 as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64 as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64 as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-25679",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"discovery_date": "2026-03-06T22:02:11.567841+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2445356"
}
],
"notes": [
{
"category": "description",
"text": "The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "net/url: Incorrect parsing of IPv6 host literals in net/url",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-25679"
},
{
"category": "external",
"summary": "RHBZ#2445356",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445356"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-25679",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-25679"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-25679",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25679"
},
{
"category": "external",
"summary": "https://go.dev/cl/752180",
"url": "https://go.dev/cl/752180"
},
{
"category": "external",
"summary": "https://go.dev/issue/77578",
"url": "https://go.dev/issue/77578"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk",
"url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4601",
"url": "https://pkg.go.dev/vuln/GO-2026-4601"
}
],
"release_date": "2026-03-06T21:28:14.211000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-21T17:23:46+00:00",
"details": "See Red Hat OpenShift Service Mesh 3.1.7 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:9448"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available, or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to a widespread installation base, or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "net/url: Incorrect parsing of IPv6 host literals in net/url"
},
{
"cve": "CVE-2026-33186",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-03-20T23:02:27.802640+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2449833"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 `:path` pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed `:path` that omits the mandatory leading slash. This allows the attacker to bypass defined security policies, potentially leading to unauthorized access to services or information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "RHBZ#2449833",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449833"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33186",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33186"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186"
},
{
"category": "external",
"summary": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3",
"url": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3"
}
],
"release_date": "2026-03-20T22:23:32.147000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-21T17:23:46+00:00",
"details": "See Red Hat OpenShift Service Mesh 3.1.7 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:9448"
},
{
"category": "workaround",
"details": "To mitigate this issue, implement infrastructure-level normalization so that every incoming HTTP/2 `:path` pseudo-header is properly formatted with a leading slash before it reaches the gRPC-Go server. This can be achieved by configuring a reverse proxy or API gateway to validate and normalize the `:path` pseudo-header. Ensure that any such intermediary is properly configured and restarted so that the changes take effect; the restart may temporarily impact service availability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation"
},
{
"cve": "CVE-2026-33747",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-27T02:01:29.921765+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2452076"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in BuildKit, a toolkit for converting source code to build artifacts. An untrusted BuildKit frontend can be leveraged to craft a malicious API message, allowing files to be written outside of the designated BuildKit state directory. This vulnerability, which is a form of arbitrary file write, could enable an attacker to execute unauthorized code or escalate their privileges on the system. This issue arises when custom BuildKit frontends are used with specific configuration options.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "BuildKit: github.com/moby/buildkit: BuildKit: Arbitrary file write and code execution via untrusted frontend",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33747"
},
{
"category": "external",
"summary": "RHBZ#2452076",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452076"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33747",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33747"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33747",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33747"
},
{
"category": "external",
"summary": "https://github.com/moby/buildkit/releases/tag/v0.28.1",
"url": "https://github.com/moby/buildkit/releases/tag/v0.28.1"
},
{
"category": "external",
"summary": "https://github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj",
"url": "https://github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj"
}
],
"release_date": "2026-03-27T00:49:06.165000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-21T17:23:46+00:00",
"details": "See Red Hat OpenShift Service Mesh 3.1.7 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:9448"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, avoid using untrusted BuildKit frontends. Restrict the use of custom BuildKit frontends to only those from verified and trusted sources. Do not specify untrusted frontends via `#syntax` or `--build-arg BUILDKIT_SYNTAX`.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "BuildKit: github.com/moby/buildkit: BuildKit: Arbitrary file write and code execution via untrusted frontend"
},
{
"cve": "CVE-2026-33748",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-27T15:02:00.107493+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2452271"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in BuildKit. Insufficient validation of Git URL fragment subdirectory components may allow a remote attacker to access files outside the checked-out Git repository root. This access is limited to files on the same mounted filesystem. This vulnerability could lead to unauthorized information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/moby/buildkit: BuildKit: Unauthorized file access via Git URL fragment subdir components",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33748"
},
{
"category": "external",
"summary": "RHBZ#2452271",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452271"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33748",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33748"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33748",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33748"
},
{
"category": "external",
"summary": "https://docs.docker.com/build/concepts/context/#url-fragments",
"url": "https://docs.docker.com/build/concepts/context/#url-fragments"
},
{
"category": "external",
"summary": "https://github.com/moby/buildkit/releases/tag/v0.28.1",
"url": "https://github.com/moby/buildkit/releases/tag/v0.28.1"
},
{
"category": "external",
"summary": "https://github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg",
"url": "https://github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg"
}
],
"release_date": "2026-03-27T14:00:21.200000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-21T17:23:46+00:00",
"details": "See Red Hat OpenShift Service Mesh 3.1.7 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:9448"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "github.com/moby/buildkit: BuildKit: Unauthorized file access via Git URL fragment subdir components"
},
{
"cve": "CVE-2026-34986",
"cwe": {
"id": "CWE-131",
"name": "Incorrect Calculation of Buffer Size"
},
"discovery_date": "2026-04-06T17:01:34.639203+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2455470"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "RHBZ#2455470",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455470"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-34986",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34986"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986"
},
{
"category": "external",
"summary": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8",
"url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"
},
{
"category": "external",
"summary": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants",
"url": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants"
}
],
"release_date": "2026-04-06T16:22:45.353000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-21T17:23:46+00:00",
"details": "See Red Hat OpenShift Service Mesh 3.1.7 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:9448"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:1a1a9cf19de45b8920e70d8123da7f1e7b2568fe356d98203dc0053cee541339_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:46f11470d7627e5a74663770efb3e8118910f5e2f84a1191f6b14805efc10c73_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:883910879ec4940cd9221bd64fbfa392d1ca28503f4e63277169441cb0addeae_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:8e5be961ce5b17d43e49ad3a0bd5339af75f19d46d11881423c1e86b8bc45a0c_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:0f0dfc2423b897ec2b43dc9fff794690809d845f065c7ae4635191348f4af1d2_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2040cfbc531f36c1a8387e41911e3e9d26f53a4ef4a24bc712cbe7f33264f356_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:3ba4910ac8b0bed39310344d4cfa21c645922f80cd287b7f66f4b2873871a26a_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:65368e8e6648247d5efe4edb74085384e833d7cac67c93518f3a6efc059fafbd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:18dc040c6df63b00dbb419895f754d4d728122cf8e245d40cfd9d1f625609bfc_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:4d4ba0754e38ed8824e2a4c1c0e9f603b55650366883339acb67efdbcefae8e0_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5aee5dd20238fc15d863e2b700f4b510a758d6fcb696b384bcb7aa0854061428_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:629b6b3147b374e2ee5398b4778ef13d7377bc617391df92e0e7b19a4194a6aa_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:702f60c7aa0927bf2b8a4e2077d972222a0fe13b06a6afd5ce6d3e518cae42a5_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7bc9ffa1c1d9895be132f424d80643bc804a4e99d886762ed16bc8c3d2121c74_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:a55d6fe6d7d1d94134e35aa47f3578348b8f0185b7f2c51a69aecb6b8eb2e976_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:e496840d6cf9f281ba71596f477044f370530f37cc5a694d7d538eb37b4f903a_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:321be87a16bb3b4564223709a86bf2d00c831a249de86d48e03855855776d250_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:5d1dda2038649d6dcae41d9ef83d0391cdb7499bb6ebedf8453d197fb06ce055_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7055e7c41cc056bfb96e5b429a78e27e7a7584d97f26eec6601cad5eca403cc9_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7c918bae6c51890395296e41239ae3101226595d07b880aefd02e765119dbffb_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:149448cd15ef98964551a2527d3287851e3e7726a64e10f94b846a41ed756766_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:2fc0af6b178529161647bc102dd8c762dd850b2598296bf7b045e6b1e31b6606_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:8f18db5e45ba3934b5878c824cd38ffe989fedad1d28c7d1b39e472f4c0fb43a_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:bfd02648a63140c8f810011cbc3f345e0e883a6c3893bb785319fd74871b9ccd_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:2f1655b06910cc596ef10f55ad2d34882b82e30b4c6c1a2456bc25cf6e4928c5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object"
}
]
}
RHSA-2026:9453
Vulnerability from csaf_redhat - Published: 2026-04-21 17:29 - Updated: 2026-06-30 17:36
The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected such URLs as invalid.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64 | — |
Workaround
|
A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 `:path` pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed `:path` that omits the mandatory leading slash. This allows the attacker to bypass defined security policies, potentially leading to unauthorized access to services or information disclosure.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64 | — |
Workaround
|
A flaw was found in BuildKit, a toolkit for converting source code to build artifacts. An untrusted BuildKit frontend can be leveraged to craft a malicious API message, allowing files to be written outside of the designated BuildKit state directory. This vulnerability, which is a form of arbitrary file write, could enable an attacker to execute unauthorized code or escalate their privileges on the system. This issue arises when custom BuildKit frontends are used with specific configuration options.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64 | — |
Workaround
|
A flaw was found in BuildKit. Insufficient validation of Git URL fragment subdirectory components may allow a remote attacker to access files outside the checked-out Git repository root. This access is limited to files on the same mounted filesystem. This vulnerability could lead to unauthorized information disclosure.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64 | — |
Workaround
|
A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64 | — |
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat OpenShift Service Mesh 3.2.4\n\nThis update has a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Service Mesh 3.2.4, which is based on the open source Istio project, addresses a variety of problems in a microservice architecture by creating a centralized point of control in an application.\n\nFixes/Improvements:\n\nSecurity Fix(es):\n\n* istio-rhel9-operator: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)\n\n* istio-cni-rhel9: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)\n\n* istio-pilot-rhel9: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)\n\n* istio-proxyv2-rhel9: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)\n\n* istio-proxyv2-rhel9: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation (CVE-2026-33186)\n\n* istio-proxyv2-rhel9: BuildKit: Arbitrary file write and code execution via untrusted frontend (CVE-2026-33747)\n\n* istio-proxyv2-rhel9: BuildKit: Unauthorized file access via Git URL fragment subdir components (CVE-2026-33748)\n\n* istio-cni-rhel9: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object (CVE-2026-34986)\n\n* istio-pilot-rhel9: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object (CVE-2026-34986)\n\nBug Fix(es):\n\n* Ztunnel default value in operator contains older istio version (OSSM-13103)\n\n* OSSM operator metrics reader ClusterRole conflicts with other operators (OSSM-13106)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:9453",
"url": "https://access.redhat.com/errata/RHSA-2026:9453"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-25679",
"url": "https://access.redhat.com/security/cve/CVE-2026-25679"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33186",
"url": "https://access.redhat.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33747",
"url": "https://access.redhat.com/security/cve/CVE-2026-33747"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33748",
"url": "https://access.redhat.com/security/cve/CVE-2026-33748"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-34986",
"url": "https://access.redhat.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/cve-2026-25679",
"url": "https://access.redhat.com/security/cve/cve-2026-25679"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/cve-2026-33186",
"url": "https://access.redhat.com/security/cve/cve-2026-33186"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/cve-2026-33747",
"url": "https://access.redhat.com/security/cve/cve-2026-33747"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/cve-2026-33748",
"url": "https://access.redhat.com/security/cve/cve-2026-33748"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/cve-2026-34986",
"url": "https://access.redhat.com/security/cve/cve-2026-34986"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification",
"url": "https://access.redhat.com/security/updates/classification"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_9453.json"
}
],
"title": "Red Hat Security Advisory: Red Hat OpenShift Service Mesh 3.2.4",
"tracking": {
"current_release_date": "2026-06-30T17:36:41+00:00",
"generator": {
"date": "2026-06-30T17:36:41+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:9453",
"initial_release_date": "2026-04-21T17:29:36+00:00",
"revision_history": [
{
"date": "2026-04-21T17:29:36+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-21T17:29:40+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T17:36:41+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Service Mesh 3.2",
"product": {
"name": "Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:service_mesh:3.2::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Service Mesh"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64",
"product_identification_helper": {
"purl": "pkg:oci/istio-sail-operator-bundle@sha256%3A615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776677282"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64",
"product_identification_helper": {
"purl": "pkg:oci/istio-cni-rhel9@sha256%3A4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776178280"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64",
"product_identification_helper": {
"purl": "pkg:oci/istio-must-gather-rhel9@sha256%3A284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776238602"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64",
"product_identification_helper": {
"purl": "pkg:oci/istio-rhel9-operator@sha256%3A87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776232405"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64",
"product_identification_helper": {
"purl": "pkg:oci/istio-pilot-rhel9@sha256%3A31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776178059"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64",
"product_identification_helper": {
"purl": "pkg:oci/istio-proxyv2-rhel9@sha256%3Af62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776291540"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64",
"product_identification_helper": {
"purl": "pkg:oci/istio-ztunnel-rhel9@sha256%3Acf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776232170"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64",
"product_identification_helper": {
"purl": "pkg:oci/istio-cni-rhel9@sha256%3A727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776178280"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64",
"product_identification_helper": {
"purl": "pkg:oci/istio-must-gather-rhel9@sha256%3A2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776238602"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64",
"product_identification_helper": {
"purl": "pkg:oci/istio-rhel9-operator@sha256%3Adfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776232405"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64",
"product_identification_helper": {
"purl": "pkg:oci/istio-pilot-rhel9@sha256%3A193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776178059"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64",
"product_identification_helper": {
"purl": "pkg:oci/istio-proxyv2-rhel9@sha256%3A3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776291540"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64",
"product_identification_helper": {
"purl": "pkg:oci/istio-ztunnel-rhel9@sha256%3A56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776232170"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/istio-cni-rhel9@sha256%3A4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776178280"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/istio-must-gather-rhel9@sha256%3A5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776238602"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/istio-rhel9-operator@sha256%3A6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776232405"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/istio-pilot-rhel9@sha256%3A7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776178059"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/istio-proxyv2-rhel9@sha256%3A9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776291540"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/istio-ztunnel-rhel9@sha256%3A62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776232170"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x",
"product_identification_helper": {
"purl": "pkg:oci/istio-cni-rhel9@sha256%3A1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776178280"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x",
"product_identification_helper": {
"purl": "pkg:oci/istio-must-gather-rhel9@sha256%3Ac592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776238602"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x",
"product_identification_helper": {
"purl": "pkg:oci/istio-rhel9-operator@sha256%3A3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776232405"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x",
"product_identification_helper": {
"purl": "pkg:oci/istio-pilot-rhel9@sha256%3A8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776178059"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x",
"product_identification_helper": {
"purl": "pkg:oci/istio-proxyv2-rhel9@sha256%3Aa2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776291540"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x",
"product_identification_helper": {
"purl": "pkg:oci/istio-ztunnel-rhel9@sha256%3A74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1776232170"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-25679",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"discovery_date": "2026-03-06T22:02:11.567841+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2445356"
}
],
"notes": [
{
"category": "description",
"text": "The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected such URLs as invalid.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "net/url: Incorrect parsing of IPv6 host literals in net/url",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-25679"
},
{
"category": "external",
"summary": "RHBZ#2445356",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445356"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-25679",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-25679"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-25679",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25679"
},
{
"category": "external",
"summary": "https://go.dev/cl/752180",
"url": "https://go.dev/cl/752180"
},
{
"category": "external",
"summary": "https://go.dev/issue/77578",
"url": "https://go.dev/issue/77578"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk",
"url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4601",
"url": "https://pkg.go.dev/vuln/GO-2026-4601"
}
],
"release_date": "2026-03-06T21:28:14.211000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-21T17:29:36+00:00",
"details": "See Red Hat OpenShift Service Mesh 3.2.4 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:9453"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "net/url: Incorrect parsing of IPv6 host literals in net/url"
},
{
"cve": "CVE-2026-33186",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-03-20T23:02:27.802640+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2449833"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 `:path` pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed `:path` that omits the mandatory leading slash. Because authorization is evaluated against the path before it has been validated and canonicalized (CWE-551), the attacker can bypass path-based authorization policies, potentially leading to unauthorized access to services or information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "RHBZ#2449833",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449833"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33186",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33186"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186"
},
{
"category": "external",
"summary": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3",
"url": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3"
}
],
"release_date": "2026-03-20T22:23:32.147000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-21T17:29:36+00:00",
"details": "See Red Hat OpenShift Service Mesh 3.2.4 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:9453"
},
{
"category": "workaround",
"details": "To mitigate this issue, implement infrastructure-level normalization to ensure every incoming HTTP/2 `:path` pseudo-header is properly formatted with a leading slash before it reaches the gRPC-Go server. This can be achieved by configuring a reverse proxy or API gateway to validate and normalize the `:path` pseudo-header. Ensure that any such intermediary is properly configured and restarted to apply the changes, which may temporarily impact service availability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation"
},
{
"cve": "CVE-2026-33747",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-27T02:01:29.921765+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2452076"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in BuildKit, a toolkit for converting source code to build artifacts. An untrusted BuildKit frontend can be leveraged to craft a malicious API message, allowing files to be written outside of the designated BuildKit state directory. This vulnerability, which is a form of arbitrary file write, could enable an attacker to execute unauthorized code or escalate their privileges on the system. This issue arises when custom BuildKit frontends are used with specific configuration options.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "BuildKit: github.com/moby/buildkit: BuildKit: Arbitrary file write and code execution via untrusted frontend",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33747"
},
{
"category": "external",
"summary": "RHBZ#2452076",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452076"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33747",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33747"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33747",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33747"
},
{
"category": "external",
"summary": "https://github.com/moby/buildkit/releases/tag/v0.28.1",
"url": "https://github.com/moby/buildkit/releases/tag/v0.28.1"
},
{
"category": "external",
"summary": "https://github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj",
"url": "https://github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj"
}
],
"release_date": "2026-03-27T00:49:06.165000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-21T17:29:36+00:00",
"details": "See Red Hat OpenShift Service Mesh 3.2.4 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:9453"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, avoid using untrusted BuildKit frontends. Restrict the use of custom BuildKit frontends to only those from verified and trusted sources. Do not specify untrusted frontends via `#syntax` or `--build-arg BUILDKIT_SYNTAX`.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "BuildKit: github.com/moby/buildkit: BuildKit: Arbitrary file write and code execution via untrusted frontend"
},
{
"cve": "CVE-2026-33748",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-27T15:02:00.107493+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2452271"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in BuildKit. Insufficient validation of Git URL fragment subdirectory components may allow a remote attacker to access files outside the checked-out Git repository root. This access is limited to files on the same mounted filesystem. This vulnerability could lead to unauthorized information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/moby/buildkit: BuildKit: Unauthorized file access via Git URL fragment subdir components",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33748"
},
{
"category": "external",
"summary": "RHBZ#2452271",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452271"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33748",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33748"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33748",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33748"
},
{
"category": "external",
"summary": "https://docs.docker.com/build/concepts/context/#url-fragments",
"url": "https://docs.docker.com/build/concepts/context/#url-fragments"
},
{
"category": "external",
"summary": "https://github.com/moby/buildkit/releases/tag/v0.28.1",
"url": "https://github.com/moby/buildkit/releases/tag/v0.28.1"
},
{
"category": "external",
"summary": "https://github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg",
"url": "https://github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg"
}
],
"release_date": "2026-03-27T14:00:21.200000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-21T17:29:36+00:00",
"details": "See Red Hat OpenShift Service Mesh 3.2.4 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:9453"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available, or the currently available options do not meet the Red Hat Product Security criteria of ease of use and deployment, applicability to a widespread installation base, or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "github.com/moby/buildkit: BuildKit: Unauthorized file access via Git URL fragment subdir components"
},
{
"cve": "CVE-2026-34986",
"cwe": {
"id": "CWE-131",
"name": "Incorrect Calculation of Buffer Size"
},
"discovery_date": "2026-04-06T17:01:34.639203+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2455470"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "RHBZ#2455470",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455470"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-34986",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34986"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986"
},
{
"category": "external",
"summary": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8",
"url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"
},
{
"category": "external",
"summary": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants",
"url": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants"
}
],
"release_date": "2026-04-06T16:22:45.353000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-21T17:29:36+00:00",
"details": "See Red Hat OpenShift Service Mesh 3.2.4 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:9453"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:1aa2834ce676ef21f5a67e3144fe62677d9bf7b57a9401d74fab7cf569da9911_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4d39ae3b09ef2ee139705831bff3f9070d2590d59887a488bfdbb36b590dec13_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:4f5e7e28f111429e2c9376ac5f42d717f13eea1c3a80357fe001a9caf5c25fba_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:727908a49c6edf57609ac8a75d5aab182a79530e88819ea8a1df8a9610826c02_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:284458d236e45ffa8a865917bf6253764dbe0f6602173ba3f6733b0a40c5a741_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2b6f5aa276fe5848c6f377c51be574045b04ea784374bcb54e496f2a297f02b0_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:5b95c5cfc63958a16f3b30a42f16b9ff26b2f2c9f8e3c539fcec75b721edfb88_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:c592a7d2b6b5997972ed7a2deda29c5e9bb03c2b28e42d1f6f57ae1639629c11_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:193b36cc5bc389b68c6e8080e1d47c3860aab22f7a4ee262c90b864967e23a97_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:31e020f606b687b82712fe32823a392ed1abcc9563845ea81fbfce616b99e6b1_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7e688abcea40cae3f552b2dc5abf0da092e8a0d7a3f04f3cb5d15c5b4fb1a1f2_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:8111afc971379ee93fef9ebddfccf75102309c134d25f9d6d3de46f59e809001_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:3e210dcd0cab9c18bc0629a3a20b27e75bc09c09decbfcc9f6ab69f7c29670e1_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:9d1e9ff2ab9a3f84328cdbe49d4263d34e9ef1ef14d689a32d87534d7631cb0d_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:a2904680a45ff398adce27c1cbc539bf08e7f53aa64fadf0d6db74f1296421ad_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:f62ae2005f3c153975695253d786a00a1a5827b92f96328a0be425fdd4125e69_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:3f1d2206dea7630015fac80f8b8c6f7a6a1e1c17e477d1d54db4690b4453e6a0_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:6015e887371eed1bd162363ebd16ca4f20bd8077df166b455685579e808a9292_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:87953048140227569e7028187ed92cc0960bbc055d62a6755c5a1fdcf10510ec_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-rhel9-operator@sha256:dfb94112b66ce7fe56a642371749bf87e979b0136652328b124cc384818ef6c3_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-sail-operator-bundle@sha256:615f4ab167e82d54f5cd9bea15e0673293ec42bf19cfa0ccc15eb1d20b7db18a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:56140955dffe7c205dc944835637f83f04c5a82ba6f192dcfb034aa9cf800f8f_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:62b18afbdedf572866fd0dca6aa9e2426608d0b1cf011acef9f9044f4fbe4711_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:74b244e23b80d7996138a01814de1cb9d679ce7ed4156b5521fd76efc1bb5db5_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:cf5b5c9c6ba78281d0080d426f71c5b7b3e2b46db3644d153862268c0b4bf538_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object"
}
]
}
SUSE-SU-2026:1935-1
Vulnerability from csaf_suse - Published: 2026-05-18 07:40 - Updated: 2026-05-18 07:40

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Public Cloud 12:google-cloud-sap-agent-3.12-6.63.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Public Cloud 12:google-cloud-sap-agent-3.12-6.63.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Public Cloud 12:google-cloud-sap-agent-3.12-6.63.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Public Cloud 12:google-cloud-sap-agent-3.12-6.63.1.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for google-cloud-sap-agent",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for google-cloud-sap-agent fixes the following issue:\n\n- CVE-2026-34986: github.com/go-jose/go-jose/v4: processing of JWE object with empty `encrypted_key` field but key\n wrapping algorithm set can lead to a denial of service (bsc#1262936).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-1935,SUSE-SLE-Module-Public-Cloud-12-2026-1935",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_1935-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:1935-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20261935-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:1935-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-May/046548.html"
},
{
"category": "self",
"summary": "SUSE Bug 1262936",
"url": "https://bugzilla.suse.com/1262936"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-34986 page",
"url": "https://www.suse.com/security/cve/CVE-2026-34986/"
}
],
"title": "Security update for google-cloud-sap-agent",
"tracking": {
"current_release_date": "2026-05-18T07:40:28Z",
"generator": {
"date": "2026-05-18T07:40:28Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:1935-1",
"initial_release_date": "2026-05-18T07:40:28Z",
"revision_history": [
{
"date": "2026-05-18T07:40:28Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "google-cloud-sap-agent-3.12-6.63.1.aarch64",
"product": {
"name": "google-cloud-sap-agent-3.12-6.63.1.aarch64",
"product_id": "google-cloud-sap-agent-3.12-6.63.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "google-cloud-sap-agent-3.12-6.63.1.i586",
"product": {
"name": "google-cloud-sap-agent-3.12-6.63.1.i586",
"product_id": "google-cloud-sap-agent-3.12-6.63.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "google-cloud-sap-agent-3.12-6.63.1.ppc64le",
"product": {
"name": "google-cloud-sap-agent-3.12-6.63.1.ppc64le",
"product_id": "google-cloud-sap-agent-3.12-6.63.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "google-cloud-sap-agent-3.12-6.63.1.s390x",
"product": {
"name": "google-cloud-sap-agent-3.12-6.63.1.s390x",
"product_id": "google-cloud-sap-agent-3.12-6.63.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "google-cloud-sap-agent-3.12-6.63.1.x86_64",
"product": {
"name": "google-cloud-sap-agent-3.12-6.63.1.x86_64",
"product_id": "google-cloud-sap-agent-3.12-6.63.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Public Cloud 12",
"product": {
"name": "SUSE Linux Enterprise Module for Public Cloud 12",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 12",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-public-cloud:12"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "google-cloud-sap-agent-3.12-6.63.1.aarch64 as component of SUSE Linux Enterprise Module for Public Cloud 12",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 12:google-cloud-sap-agent-3.12-6.63.1.aarch64"
},
"product_reference": "google-cloud-sap-agent-3.12-6.63.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-cloud-sap-agent-3.12-6.63.1.ppc64le as component of SUSE Linux Enterprise Module for Public Cloud 12",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 12:google-cloud-sap-agent-3.12-6.63.1.ppc64le"
},
"product_reference": "google-cloud-sap-agent-3.12-6.63.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-cloud-sap-agent-3.12-6.63.1.s390x as component of SUSE Linux Enterprise Module for Public Cloud 12",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 12:google-cloud-sap-agent-3.12-6.63.1.s390x"
},
"product_reference": "google-cloud-sap-agent-3.12-6.63.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-cloud-sap-agent-3.12-6.63.1.x86_64 as component of SUSE Linux Enterprise Module for Public Cloud 12",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 12:google-cloud-sap-agent-3.12-6.63.1.x86_64"
},
"product_reference": "google-cloud-sap-agent-3.12-6.63.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 12"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-34986",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-34986"
}
],
"notes": [
{
"category": "general",
"text": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Public Cloud 12:google-cloud-sap-agent-3.12-6.63.1.aarch64",
"SUSE Linux Enterprise Module for Public Cloud 12:google-cloud-sap-agent-3.12-6.63.1.ppc64le",
"SUSE Linux Enterprise Module for Public Cloud 12:google-cloud-sap-agent-3.12-6.63.1.s390x",
"SUSE Linux Enterprise Module for Public Cloud 12:google-cloud-sap-agent-3.12-6.63.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-34986",
"url": "https://www.suse.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "SUSE Bug 1262805 for CVE-2026-34986",
"url": "https://bugzilla.suse.com/1262805"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Public Cloud 12:google-cloud-sap-agent-3.12-6.63.1.aarch64",
"SUSE Linux Enterprise Module for Public Cloud 12:google-cloud-sap-agent-3.12-6.63.1.ppc64le",
"SUSE Linux Enterprise Module for Public Cloud 12:google-cloud-sap-agent-3.12-6.63.1.s390x",
"SUSE Linux Enterprise Module for Public Cloud 12:google-cloud-sap-agent-3.12-6.63.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Public Cloud 12:google-cloud-sap-agent-3.12-6.63.1.aarch64",
"SUSE Linux Enterprise Module for Public Cloud 12:google-cloud-sap-agent-3.12-6.63.1.ppc64le",
"SUSE Linux Enterprise Module for Public Cloud 12:google-cloud-sap-agent-3.12-6.63.1.s390x",
"SUSE Linux Enterprise Module for Public Cloud 12:google-cloud-sap-agent-3.12-6.63.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-18T07:40:28Z",
"details": "important"
}
],
"title": "CVE-2026-34986"
}
]
}
SUSE-SU-2026:1938-1
Vulnerability from csaf_suse - Published: 2026-05-18 07:42 - Updated: 2026-05-18 07:42

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Public Cloud 15 SP4:google-cloud-sap-agent-3.12-150100.3.66.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Module for Public Cloud 15 SP4:google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Module for Public Cloud 15 SP4:google-cloud-sap-agent-3.12-150100.3.66.1.s390x | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Module for Public Cloud 15 SP4:google-cloud-sap-agent-3.12-150100.3.66.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Module for Public Cloud 15 SP5:google-cloud-sap-agent-3.12-150100.3.66.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Module for Public Cloud 15 SP5:google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Module for Public Cloud 15 SP5:google-cloud-sap-agent-3.12-150100.3.66.1.s390x | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Module for Public Cloud 15 SP5:google-cloud-sap-agent-3.12-150100.3.66.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Module for Public Cloud 15 SP6:google-cloud-sap-agent-3.12-150100.3.66.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Module for Public Cloud 15 SP6:google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Module for Public Cloud 15 SP6:google-cloud-sap-agent-3.12-150100.3.66.1.s390x | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Module for Public Cloud 15 SP6:google-cloud-sap-agent-3.12-150100.3.66.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Module for Public Cloud 15 SP7:google-cloud-sap-agent-3.12-150100.3.66.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Module for Public Cloud 15 SP7:google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Module for Public Cloud 15 SP7:google-cloud-sap-agent-3.12-150100.3.66.1.s390x | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Module for Public Cloud 15 SP7:google-cloud-sap-agent-3.12-150100.3.66.1.x86_64 | — | Vendor Fix | |

{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for google-cloud-sap-agent",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for google-cloud-sap-agent fixes the following issue:\n\n- CVE-2026-34986: github.com/go-jose/go-jose/v4: processing of JWE object with empty `encrypted_key` field but key\n wrapping algorithm set can lead to a denial of service (bsc#1262936).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-1938,SUSE-SLE-Module-Public-Cloud-15-SP4-2026-1938,SUSE-SLE-Module-Public-Cloud-15-SP5-2026-1938,SUSE-SLE-Module-Public-Cloud-15-SP6-2026-1938,SUSE-SLE-Module-Public-Cloud-15-SP7-2026-1938",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_1938-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:1938-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20261938-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:1938-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-May/046545.html"
},
{
"category": "self",
"summary": "SUSE Bug 1262936",
"url": "https://bugzilla.suse.com/1262936"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-34986 page",
"url": "https://www.suse.com/security/cve/CVE-2026-34986/"
}
],
"title": "Security update for google-cloud-sap-agent",
"tracking": {
"current_release_date": "2026-05-18T07:42:43Z",
"generator": {
"date": "2026-05-18T07:42:43Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:1938-1",
"initial_release_date": "2026-05-18T07:42:43Z",
"revision_history": [
{
"date": "2026-05-18T07:42:43Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "google-cloud-sap-agent-3.12-150100.3.66.1.aarch64",
"product": {
"name": "google-cloud-sap-agent-3.12-150100.3.66.1.aarch64",
"product_id": "google-cloud-sap-agent-3.12-150100.3.66.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "google-cloud-sap-agent-3.12-150100.3.66.1.i586",
"product": {
"name": "google-cloud-sap-agent-3.12-150100.3.66.1.i586",
"product_id": "google-cloud-sap-agent-3.12-150100.3.66.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le",
"product": {
"name": "google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le",
"product_id": "google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "google-cloud-sap-agent-3.12-150100.3.66.1.s390x",
"product": {
"name": "google-cloud-sap-agent-3.12-150100.3.66.1.s390x",
"product_id": "google-cloud-sap-agent-3.12-150100.3.66.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "google-cloud-sap-agent-3.12-150100.3.66.1.x86_64",
"product": {
"name": "google-cloud-sap-agent-3.12-150100.3.66.1.x86_64",
"product_id": "google-cloud-sap-agent-3.12-150100.3.66.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Public Cloud 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Module for Public Cloud 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-public-cloud:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Public Cloud 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Module for Public Cloud 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-public-cloud:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Public Cloud 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Module for Public Cloud 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-public-cloud:15:sp6"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Public Cloud 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for Public Cloud 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-public-cloud:15:sp7"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "google-cloud-sap-agent-3.12-150100.3.66.1.aarch64 as component of SUSE Linux Enterprise Module for Public Cloud 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP4:google-cloud-sap-agent-3.12-150100.3.66.1.aarch64"
},
"product_reference": "google-cloud-sap-agent-3.12-150100.3.66.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le as component of SUSE Linux Enterprise Module for Public Cloud 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP4:google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le"
},
"product_reference": "google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-cloud-sap-agent-3.12-150100.3.66.1.s390x as component of SUSE Linux Enterprise Module for Public Cloud 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP4:google-cloud-sap-agent-3.12-150100.3.66.1.s390x"
},
"product_reference": "google-cloud-sap-agent-3.12-150100.3.66.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-cloud-sap-agent-3.12-150100.3.66.1.x86_64 as component of SUSE Linux Enterprise Module for Public Cloud 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP4:google-cloud-sap-agent-3.12-150100.3.66.1.x86_64"
},
"product_reference": "google-cloud-sap-agent-3.12-150100.3.66.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-cloud-sap-agent-3.12-150100.3.66.1.aarch64 as component of SUSE Linux Enterprise Module for Public Cloud 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP5:google-cloud-sap-agent-3.12-150100.3.66.1.aarch64"
},
"product_reference": "google-cloud-sap-agent-3.12-150100.3.66.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le as component of SUSE Linux Enterprise Module for Public Cloud 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP5:google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le"
},
"product_reference": "google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-cloud-sap-agent-3.12-150100.3.66.1.s390x as component of SUSE Linux Enterprise Module for Public Cloud 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP5:google-cloud-sap-agent-3.12-150100.3.66.1.s390x"
},
"product_reference": "google-cloud-sap-agent-3.12-150100.3.66.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-cloud-sap-agent-3.12-150100.3.66.1.x86_64 as component of SUSE Linux Enterprise Module for Public Cloud 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP5:google-cloud-sap-agent-3.12-150100.3.66.1.x86_64"
},
"product_reference": "google-cloud-sap-agent-3.12-150100.3.66.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-cloud-sap-agent-3.12-150100.3.66.1.aarch64 as component of SUSE Linux Enterprise Module for Public Cloud 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP6:google-cloud-sap-agent-3.12-150100.3.66.1.aarch64"
},
"product_reference": "google-cloud-sap-agent-3.12-150100.3.66.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le as component of SUSE Linux Enterprise Module for Public Cloud 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP6:google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le"
},
"product_reference": "google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-cloud-sap-agent-3.12-150100.3.66.1.s390x as component of SUSE Linux Enterprise Module for Public Cloud 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP6:google-cloud-sap-agent-3.12-150100.3.66.1.s390x"
},
"product_reference": "google-cloud-sap-agent-3.12-150100.3.66.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-cloud-sap-agent-3.12-150100.3.66.1.x86_64 as component of SUSE Linux Enterprise Module for Public Cloud 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP6:google-cloud-sap-agent-3.12-150100.3.66.1.x86_64"
},
"product_reference": "google-cloud-sap-agent-3.12-150100.3.66.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-cloud-sap-agent-3.12-150100.3.66.1.aarch64 as component of SUSE Linux Enterprise Module for Public Cloud 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP7:google-cloud-sap-agent-3.12-150100.3.66.1.aarch64"
},
"product_reference": "google-cloud-sap-agent-3.12-150100.3.66.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le as component of SUSE Linux Enterprise Module for Public Cloud 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP7:google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le"
},
"product_reference": "google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-cloud-sap-agent-3.12-150100.3.66.1.s390x as component of SUSE Linux Enterprise Module for Public Cloud 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP7:google-cloud-sap-agent-3.12-150100.3.66.1.s390x"
},
"product_reference": "google-cloud-sap-agent-3.12-150100.3.66.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-cloud-sap-agent-3.12-150100.3.66.1.x86_64 as component of SUSE Linux Enterprise Module for Public Cloud 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP7:google-cloud-sap-agent-3.12-150100.3.66.1.x86_64"
},
"product_reference": "google-cloud-sap-agent-3.12-150100.3.66.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-34986",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-34986"
}
],
"notes": [
{
"category": "general",
"text": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Public Cloud 15 SP4:google-cloud-sap-agent-3.12-150100.3.66.1.aarch64",
"SUSE Linux Enterprise Module for Public Cloud 15 SP4:google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le",
"SUSE Linux Enterprise Module for Public Cloud 15 SP4:google-cloud-sap-agent-3.12-150100.3.66.1.s390x",
"SUSE Linux Enterprise Module for Public Cloud 15 SP4:google-cloud-sap-agent-3.12-150100.3.66.1.x86_64",
"SUSE Linux Enterprise Module for Public Cloud 15 SP5:google-cloud-sap-agent-3.12-150100.3.66.1.aarch64",
"SUSE Linux Enterprise Module for Public Cloud 15 SP5:google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le",
"SUSE Linux Enterprise Module for Public Cloud 15 SP5:google-cloud-sap-agent-3.12-150100.3.66.1.s390x",
"SUSE Linux Enterprise Module for Public Cloud 15 SP5:google-cloud-sap-agent-3.12-150100.3.66.1.x86_64",
"SUSE Linux Enterprise Module for Public Cloud 15 SP6:google-cloud-sap-agent-3.12-150100.3.66.1.aarch64",
"SUSE Linux Enterprise Module for Public Cloud 15 SP6:google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le",
"SUSE Linux Enterprise Module for Public Cloud 15 SP6:google-cloud-sap-agent-3.12-150100.3.66.1.s390x",
"SUSE Linux Enterprise Module for Public Cloud 15 SP6:google-cloud-sap-agent-3.12-150100.3.66.1.x86_64",
"SUSE Linux Enterprise Module for Public Cloud 15 SP7:google-cloud-sap-agent-3.12-150100.3.66.1.aarch64",
"SUSE Linux Enterprise Module for Public Cloud 15 SP7:google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le",
"SUSE Linux Enterprise Module for Public Cloud 15 SP7:google-cloud-sap-agent-3.12-150100.3.66.1.s390x",
"SUSE Linux Enterprise Module for Public Cloud 15 SP7:google-cloud-sap-agent-3.12-150100.3.66.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-34986",
"url": "https://www.suse.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "SUSE Bug 1262805 for CVE-2026-34986",
"url": "https://bugzilla.suse.com/1262805"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Public Cloud 15 SP4:google-cloud-sap-agent-3.12-150100.3.66.1.aarch64",
"SUSE Linux Enterprise Module for Public Cloud 15 SP4:google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le",
"SUSE Linux Enterprise Module for Public Cloud 15 SP4:google-cloud-sap-agent-3.12-150100.3.66.1.s390x",
"SUSE Linux Enterprise Module for Public Cloud 15 SP4:google-cloud-sap-agent-3.12-150100.3.66.1.x86_64",
"SUSE Linux Enterprise Module for Public Cloud 15 SP5:google-cloud-sap-agent-3.12-150100.3.66.1.aarch64",
"SUSE Linux Enterprise Module for Public Cloud 15 SP5:google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le",
"SUSE Linux Enterprise Module for Public Cloud 15 SP5:google-cloud-sap-agent-3.12-150100.3.66.1.s390x",
"SUSE Linux Enterprise Module for Public Cloud 15 SP5:google-cloud-sap-agent-3.12-150100.3.66.1.x86_64",
"SUSE Linux Enterprise Module for Public Cloud 15 SP6:google-cloud-sap-agent-3.12-150100.3.66.1.aarch64",
"SUSE Linux Enterprise Module for Public Cloud 15 SP6:google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le",
"SUSE Linux Enterprise Module for Public Cloud 15 SP6:google-cloud-sap-agent-3.12-150100.3.66.1.s390x",
"SUSE Linux Enterprise Module for Public Cloud 15 SP6:google-cloud-sap-agent-3.12-150100.3.66.1.x86_64",
"SUSE Linux Enterprise Module for Public Cloud 15 SP7:google-cloud-sap-agent-3.12-150100.3.66.1.aarch64",
"SUSE Linux Enterprise Module for Public Cloud 15 SP7:google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le",
"SUSE Linux Enterprise Module for Public Cloud 15 SP7:google-cloud-sap-agent-3.12-150100.3.66.1.s390x",
"SUSE Linux Enterprise Module for Public Cloud 15 SP7:google-cloud-sap-agent-3.12-150100.3.66.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Public Cloud 15 SP4:google-cloud-sap-agent-3.12-150100.3.66.1.aarch64",
"SUSE Linux Enterprise Module for Public Cloud 15 SP4:google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le",
"SUSE Linux Enterprise Module for Public Cloud 15 SP4:google-cloud-sap-agent-3.12-150100.3.66.1.s390x",
"SUSE Linux Enterprise Module for Public Cloud 15 SP4:google-cloud-sap-agent-3.12-150100.3.66.1.x86_64",
"SUSE Linux Enterprise Module for Public Cloud 15 SP5:google-cloud-sap-agent-3.12-150100.3.66.1.aarch64",
"SUSE Linux Enterprise Module for Public Cloud 15 SP5:google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le",
"SUSE Linux Enterprise Module for Public Cloud 15 SP5:google-cloud-sap-agent-3.12-150100.3.66.1.s390x",
"SUSE Linux Enterprise Module for Public Cloud 15 SP5:google-cloud-sap-agent-3.12-150100.3.66.1.x86_64",
"SUSE Linux Enterprise Module for Public Cloud 15 SP6:google-cloud-sap-agent-3.12-150100.3.66.1.aarch64",
"SUSE Linux Enterprise Module for Public Cloud 15 SP6:google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le",
"SUSE Linux Enterprise Module for Public Cloud 15 SP6:google-cloud-sap-agent-3.12-150100.3.66.1.s390x",
"SUSE Linux Enterprise Module for Public Cloud 15 SP6:google-cloud-sap-agent-3.12-150100.3.66.1.x86_64",
"SUSE Linux Enterprise Module for Public Cloud 15 SP7:google-cloud-sap-agent-3.12-150100.3.66.1.aarch64",
"SUSE Linux Enterprise Module for Public Cloud 15 SP7:google-cloud-sap-agent-3.12-150100.3.66.1.ppc64le",
"SUSE Linux Enterprise Module for Public Cloud 15 SP7:google-cloud-sap-agent-3.12-150100.3.66.1.s390x",
"SUSE Linux Enterprise Module for Public Cloud 15 SP7:google-cloud-sap-agent-3.12-150100.3.66.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-18T07:42:43Z",
"details": "important"
}
],
"title": "CVE-2026-34986"
}
]
}
SUSE-SU-2026:21540-1
Vulnerability from csaf_suse - Published: 2026-05-04 10:09 - Updated: 2026-05-04 10:09

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:google-cloud-sap-agent-3.12-160000.2.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:google-cloud-sap-agent-3.12-160000.2.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:google-cloud-sap-agent-3.12-160000.2.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:google-cloud-sap-agent-3.12-160000.2.1.x86_64 | — | Vendor Fix | |

{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for google-cloud-sap-agent",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for google-cloud-sap-agent fixes the following issue:\n\n- CVE-2026-34986: github.com/go-jose/go-jose/v4: processing of JWE object with empty `encrypted_key` field but key\n wrapping algorithm set can lead to a denial of service (bsc#1262936).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-671",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21540-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21540-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621540-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21540-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/025978.html"
},
{
"category": "self",
"summary": "SUSE Bug 1262936",
"url": "https://bugzilla.suse.com/1262936"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-34986 page",
"url": "https://www.suse.com/security/cve/CVE-2026-34986/"
}
],
"title": "Security update for google-cloud-sap-agent",
"tracking": {
"current_release_date": "2026-05-04T10:09:04Z",
"generator": {
"date": "2026-05-04T10:09:04Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21540-1",
"initial_release_date": "2026-05-04T10:09:04Z",
"revision_history": [
{
"date": "2026-05-04T10:09:04Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "google-cloud-sap-agent-3.12-160000.2.1.aarch64",
"product": {
"name": "google-cloud-sap-agent-3.12-160000.2.1.aarch64",
"product_id": "google-cloud-sap-agent-3.12-160000.2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "google-cloud-sap-agent-3.12-160000.2.1.x86_64",
"product": {
"name": "google-cloud-sap-agent-3.12-160000.2.1.x86_64",
"product_id": "google-cloud-sap-agent-3.12-160000.2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "google-cloud-sap-agent-3.12-160000.2.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:google-cloud-sap-agent-3.12-160000.2.1.aarch64"
},
"product_reference": "google-cloud-sap-agent-3.12-160000.2.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-cloud-sap-agent-3.12-160000.2.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:google-cloud-sap-agent-3.12-160000.2.1.x86_64"
},
"product_reference": "google-cloud-sap-agent-3.12-160000.2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-cloud-sap-agent-3.12-160000.2.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:google-cloud-sap-agent-3.12-160000.2.1.aarch64"
},
"product_reference": "google-cloud-sap-agent-3.12-160000.2.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-cloud-sap-agent-3.12-160000.2.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:google-cloud-sap-agent-3.12-160000.2.1.x86_64"
},
"product_reference": "google-cloud-sap-agent-3.12-160000.2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-34986",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-34986"
}
],
"notes": [
{
"category": "general",
"text": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:google-cloud-sap-agent-3.12-160000.2.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-cloud-sap-agent-3.12-160000.2.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-cloud-sap-agent-3.12-160000.2.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-cloud-sap-agent-3.12-160000.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-34986",
"url": "https://www.suse.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "SUSE Bug 1262805 for CVE-2026-34986",
"url": "https://bugzilla.suse.com/1262805"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:google-cloud-sap-agent-3.12-160000.2.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-cloud-sap-agent-3.12-160000.2.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-cloud-sap-agent-3.12-160000.2.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-cloud-sap-agent-3.12-160000.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:google-cloud-sap-agent-3.12-160000.2.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-cloud-sap-agent-3.12-160000.2.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-cloud-sap-agent-3.12-160000.2.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-cloud-sap-agent-3.12-160000.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-04T10:09:04Z",
"details": "important"
}
],
"title": "CVE-2026-34986"
}
]
}
SUSE-SU-2026:21560-1
Vulnerability from csaf_suse - Published: 2026-05-06 00:44 - Updated: 2026-05-06 00:44

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for distribution",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for distribution fixes the following issues\n\nSecurity issues:\n\n- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 `:path` pseudo-\n header (bsc#1260283).\n- CVE-2026-33540: information disclosure via improper validation of authentication realm URL (bsc#1261793).\n- CVE-2026-34986: github.com/go-jose/go-jose/v4: crafted JWE input with a missing encrypted key can lead to a denial of\n service (bsc#1262951).\n- CVE-2026-35172: information disclosure via stale references after content deletion (bsc#1262096).\n\nNon security issues:\n\n- add distribution-registry.tmpfiles (jsc#PED-14747).\n- distribution builds against go1.24 EOL (bsc#1259718).\n\nChanges for distribution:\n\n- update to 3.1.0\n\n * Adds support for tag pagination\n * Fixes default credentials in Azure storage provider\n * Drops support for go1.23 and go1.24 and updates to go1.25\n * See the full changelog below for the full list of changes.\n * docs: Update to refer to new image tag v3\n * Fix default_credentials in azure storage provider\n * chore: make function comment match function name\n * build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 in\n the go_modules group across 1 directory\n * fix: implement JWK thumbprint for Ed25519 public keys\n * fix: Annotate code block from validation.indexes\n configuration docs\n * feat: extract redis config to separate struct\n * Fix: resolve issue #4478 by using a temporary file for non-\n append writes\n * build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2\n * docs: Add note about `OTEL_TRACES_EXPORTER`\n * fix: set OTEL traces to disabled by default\n * Fix markdown syntax for OTEL traces link in docs\n * Switch UUIDs to UUIDv7\n * refactor: replace map iteration with maps.Copy/Clone\n * s3-aws: fix build for 386\n * docs: Add OpenTelemetry links to quickstart docs\n * Fix S3 driver loglevel param\n * Fixed data race in TestSchedule test\n * Fixes #4683 - uses X/Y 
instead of Gx/Gy for thumbprint of\n ecdsa keys\n * build(deps): bump actions/checkout from 4 to 5\n * Fix broken link to Docker Hub fair use policy\n * fix(registry/handlers/app): redis CAs\n * build(deps): bump actions/labeler from 5 to 6\n * build(deps): bump actions/setup-go from 5 to 6\n * build(deps): bump actions/upload-pages-artifact from 3 to 4\n * build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3\n * build(deps): bump github/codeql-action from 3.26.5 to 4.30.7\n * build(deps): bump github/codeql-action from 4.30.7 to 4.30.8\n * chore: labeler: add area/client mapping for\n internal/client/**\n * client: add Accept headers to Exists() HEAD\n * feat(registry): Make graceful shutdown test robust\n * fix(registry): Correct log formatting for upstream challenge\n * build(deps): bump github/codeql-action from 4.30.8 to 4.30.9\n * build(deps): bump github/codeql-action from 4.30.9 to 4.31.3\n * refactor: remove redundant variable declarations in for loops\n * \"should\" -\u003e \"must\" regarding redis eviction policy\n * build(deps): bump actions/checkout from 5 to 6\n * Incorrect warning hint\n * Add return error when list object\n * build(deps): bump actions/checkout from 5.0.1 to 6.0.0\n * build(deps): bump peter-evans/dockerhub-description from 4 to\n 5\n * fix: Logging regression for manifest HEAD requests\n * Add boolean parsing util\n * Expose `useFIPSEndpoint` for S3\n * Add Cloudfleet Container Registry to adopters\n * fix(ci): Fix broken Azure e2e storage tests\n * BUG: Fix notification filtering to work with actions when\n mediatypes is empty\n * build(deps): bump actions/checkout from 6.0.0 to 6.0.1\n * build(deps): bump actions/upload-artifact from 4.6.2 to 6.0.0\n * build(deps): bump github/codeql-action from 4.31.3 to 4.31.10\n * build(deps): bump github/codeql-action from 4.31.10 to 4.32.2\n * build(deps): bump actions/checkout from 6.0.1 to 6.0.2\n * update golangci-lint to v2.9 and fix linting issues\n * update to go1.25.7, alpine 
3.23, xx v1.9.0\n * vendor: github.com/sirupsen/logrus v1.9.4\n * vendor: update golang.org/x/* dependencies\n * vendor: github.com/docker/docker-credential-helpers v0.9.5\n * vendor: github.com/opencontainers/image-spec v1.1.1\n * vendor: github.com/klauspost/compress v1.18.4\n * fix: prefer otel variables over hard coded service name\n * vendor: github.com/spf13/cobra v1.10.2\n * vendor: github.com/bshuster-repo/logrus-logstash-hook v1.1.0\n * fix: sync parent dir to ensure data is reliably stored\n * modernize code\n * vendor: github.com/docker/go-events 605354379745\n * vendor: github.com/go-jose/go-jose/v4 v4.1.3\n * build(deps): bump github/codeql-action from 4.32.2 to 4.32.5\n * build(deps): bump docker/login-action from 3 to 4\n * build(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0\n * build(deps): bump docker/setup-buildx-action from 3 to 4\n * build(deps): bump docker/bake-action from 6 to 7\n * build(deps): bump docker/metadata-action from 5 to 6\n * fix: nil-check scheduler in `proxyingRegistry.Close()`\n * fix: set MD5 on GCS writer before first `Write` call in\n `putContent`\n * docs: pull through cache will pull from remote multiple times\n * Update s3.md regionendpoint option\n * chore(deps): Bump Go to latest 1.25 in CI workflows and\n go.mod\n * fix: correct Ed25519 JWK thumbprint `kty` from `\"OTP\"` to\n `\"OKP\"`\n * Update vacuum.go\n * Opt: refector tag list pagination support (stage 1)\n * Correctly match environment variables to YAML-inlined structs\n in configuration\n * Enable Redis TLS without client certificates\n * build(deps): bump actions/deploy-pages from 4 to 5\n * build(deps): bump github/codeql-action from 4.32.5 to 4.34.1\n * fix(registry/proxy): use detached context when flushing write\n buffer\n * ci: pin actions and apply zizmor auto-fixes\n * build(deps): bump actions/setup-go from 6.3.0 to 6.4.0\n * build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to\n 4.1.4 in the go_modules group across 1 directory\n * 
chore(app): warn when partial TLS config is used in Redis\n * feat(registry): enhance authentication checks in htpasswd\n implementation\n * Opt: refactor tag list pagination support\n * build(deps): bump codecov/codecov-action from 5.5.4 to 6.0.0\n * build(deps): bump actions/configure-pages from 5.0.0 to 6.0.0\n * fix(vendor): fix broke vendor validation\n * chore(ci): Prep for v3.1 release\n- Update to version 3.1.0:\n * fix(vendor): fix broke vendpor validation\n * fix redis repo-scoped blob descriptor revocation\n * proxy: bind bearer realms to upstream trust boundary\n- restore directory ownership after last change\n- Move config files in systemd tmpfiles dir for immutable mode\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-703",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21560-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21560-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621560-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21560-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-May/046338.html"
},
{
"category": "self",
"summary": "SUSE Bug 1259718",
"url": "https://bugzilla.suse.com/1259718"
},
{
"category": "self",
"summary": "SUSE Bug 1260283",
"url": "https://bugzilla.suse.com/1260283"
},
{
"category": "self",
"summary": "SUSE Bug 1261793",
"url": "https://bugzilla.suse.com/1261793"
},
{
"category": "self",
"summary": "SUSE Bug 1262096",
"url": "https://bugzilla.suse.com/1262096"
},
{
"category": "self",
"summary": "SUSE Bug 1262951",
"url": "https://bugzilla.suse.com/1262951"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33186 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33186/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33540 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33540/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-34986 page",
"url": "https://www.suse.com/security/cve/CVE-2026-34986/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-35172 page",
"url": "https://www.suse.com/security/cve/CVE-2026-35172/"
}
],
"title": "Security update for distribution",
"tracking": {
"current_release_date": "2026-05-06T00:44:14Z",
"generator": {
"date": "2026-05-06T00:44:14Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21560-1",
"initial_release_date": "2026-05-06T00:44:14Z",
"revision_history": [
{
"date": "2026-05-06T00:44:14Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "distribution-registry-3.1.0-160000.1.1.aarch64",
"product": {
"name": "distribution-registry-3.1.0-160000.1.1.aarch64",
"product_id": "distribution-registry-3.1.0-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "distribution-registry-3.1.0-160000.1.1.ppc64le",
"product": {
"name": "distribution-registry-3.1.0-160000.1.1.ppc64le",
"product_id": "distribution-registry-3.1.0-160000.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "distribution-registry-3.1.0-160000.1.1.s390x",
"product": {
"name": "distribution-registry-3.1.0-160000.1.1.s390x",
"product_id": "distribution-registry-3.1.0-160000.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "distribution-registry-3.1.0-160000.1.1.x86_64",
"product": {
"name": "distribution-registry-3.1.0-160000.1.1.x86_64",
"product_id": "distribution-registry-3.1.0-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.s390x as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.s390x as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-33186",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33186"
}
],
"notes": [
{
"category": "general",
"text": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy that contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33186",
"url": "https://www.suse.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "SUSE Bug 1260085 for CVE-2026-33186",
"url": "https://bugzilla.suse.com/1260085"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-06T00:44:14Z",
"details": "important"
}
],
"title": "CVE-2026-33186"
},
{
"cve": "CVE-2026-33540",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33540"
}
],
"notes": [
{
"category": "general",
"text": "Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. This vulnerability is fixed in 3.1.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33540",
"url": "https://www.suse.com/security/cve/CVE-2026-33540"
},
{
"category": "external",
"summary": "SUSE Bug 1261793 for CVE-2026-33540",
"url": "https://bugzilla.suse.com/1261793"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-06T00:44:14Z",
"details": "moderate"
}
],
"title": "CVE-2026-33540"
},
{
"cve": "CVE-2026-34986",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-34986"
}
],
"notes": [
{
"category": "general",
"text": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-34986",
"url": "https://www.suse.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "SUSE Bug 1262805 for CVE-2026-34986",
"url": "https://bugzilla.suse.com/1262805"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-06T00:44:14Z",
"details": "important"
}
],
"title": "CVE-2026-34986"
},
{
"cve": "CVE-2026-35172",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-35172"
}
],
"notes": [
{
"category": "general",
"text": "Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, distribution can restore read access in repo a after an explicit delete when storage.cache.blobdescriptor: redis and storage.delete.enabled: true are both enabled. The delete path clears the shared digest descriptor but leaves stale repo-scoped membership behind, so a later Stat or Get from repo b repopulates the shared descriptor and makes the deleted blob readable from repo a again. This vulnerability is fixed in 3.1.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-35172",
"url": "https://www.suse.com/security/cve/CVE-2026-35172"
},
{
"category": "external",
"summary": "SUSE Bug 1262096 for CVE-2026-35172",
"url": "https://bugzilla.suse.com/1262096"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-06T00:44:14Z",
"details": "important"
}
],
"title": "CVE-2026-35172"
}
]
}
SUSE-SU-2026:21852-1
Vulnerability from csaf_suse - Published: 2026-05-27 09:07 - Updated: 2026-05-27 09:07

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for alloy",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for alloy fixes the following issues\n\n- CVE-2026-34986: github.com/go-jose/go-jose/v4: crafted JWE input with a missing encrypted key can lead to a denial of\n service (bsc#1262955).\n- CVE-2026-41602: github.com/apache/thrift: TFramedTransport frame size headers can lead to a uint32 integer overflow\n (bsc#1263530).\n\nChanges for alloy:\n\n- Update to version 1.16.1\n * Bug Fixes\n logging: Fix startup deadlock when components log before\n logging config is evaluated\n Update to Beyla 3.9.8\n Migrate from Docker to Moby\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-807",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21852-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21852-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621852-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21852-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-June/046922.html"
},
{
"category": "self",
"summary": "SUSE Bug 1262955",
"url": "https://bugzilla.suse.com/1262955"
},
{
"category": "self",
"summary": "SUSE Bug 1263530",
"url": "https://bugzilla.suse.com/1263530"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-34986 page",
"url": "https://www.suse.com/security/cve/CVE-2026-34986/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-41602 page",
"url": "https://www.suse.com/security/cve/CVE-2026-41602/"
}
],
"title": "Security update for alloy",
"tracking": {
"current_release_date": "2026-05-27T09:07:05Z",
"generator": {
"date": "2026-05-27T09:07:05Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21852-1",
"initial_release_date": "2026-05-27T09:07:05Z",
"revision_history": [
{
"date": "2026-05-27T09:07:05Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "alloy-1.16.1-160000.1.1.aarch64",
"product": {
"name": "alloy-1.16.1-160000.1.1.aarch64",
"product_id": "alloy-1.16.1-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "alloy-1.16.1-160000.1.1.ppc64le",
"product": {
"name": "alloy-1.16.1-160000.1.1.ppc64le",
"product_id": "alloy-1.16.1-160000.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "alloy-1.16.1-160000.1.1.s390x",
"product": {
"name": "alloy-1.16.1-160000.1.1.s390x",
"product_id": "alloy-1.16.1-160000.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "alloy-1.16.1-160000.1.1.x86_64",
"product": {
"name": "alloy-1.16.1-160000.1.1.x86_64",
"product_id": "alloy-1.16.1-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.16.1-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.aarch64"
},
"product_reference": "alloy-1.16.1-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.16.1-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.ppc64le"
},
"product_reference": "alloy-1.16.1-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.16.1-160000.1.1.s390x as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.s390x"
},
"product_reference": "alloy-1.16.1-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.16.1-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.x86_64"
},
"product_reference": "alloy-1.16.1-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.16.1-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.aarch64"
},
"product_reference": "alloy-1.16.1-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.16.1-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.ppc64le"
},
"product_reference": "alloy-1.16.1-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.16.1-160000.1.1.s390x as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.s390x"
},
"product_reference": "alloy-1.16.1-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.16.1-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.x86_64"
},
"product_reference": "alloy-1.16.1-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-34986",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-34986"
}
],
"notes": [
{
"category": "general",
"text": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-34986",
"url": "https://www.suse.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "SUSE Bug 1262805 for CVE-2026-34986",
"url": "https://bugzilla.suse.com/1262805"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-27T09:07:05Z",
"details": "important"
}
],
"title": "CVE-2026-34986"
},
{
"cve": "CVE-2026-41602",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-41602"
}
],
"notes": [
{
"category": "general",
"text": "Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation\n\nThis issue affects Apache Thrift: before 0.23.0.\n\nUsers are recommended to upgrade to version 0.23.0, which fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-41602",
"url": "https://www.suse.com/security/cve/CVE-2026-41602"
},
{
"category": "external",
"summary": "SUSE Bug 1263496 for CVE-2026-41602",
"url": "https://bugzilla.suse.com/1263496"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.1-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-27T09:07:05Z",
"details": "important"
}
],
"title": "CVE-2026-41602"
}
]
}
SUSE-SU-2026:21989-1
Vulnerability from csaf_suse - Published: 2026-06-03 12:17 - Updated: 2026-06-03 12:17

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for google-guest-agent",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for google-guest-agent fixes the following issues:\n\nUpdate to version 20260430.00\n\n * Update THIRD_PARTY_LICENSES to be package specific location. (#608)\n * Update dependencies and go version to 1.26.2 (#607)\n (bsc#1265762, CVE-2026-33814)\n * Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 (#604)\n (bsc#1260264, CVE-2026-33186)\n * Backport oslogin changes for sles16 to legacy agent (#603)\n * Bump go.opentelemetry.io/otel/sdk from 1.37.0 to 1.40.0 (#596)\n * Bump google.golang.org/grpc from 1.75.0 to 1.79.3 (#602)\n * Actually finally fix the RPM spec (#601)\n * Correct guest telemetry build target (#600)\n * Add packaging for new telemetry extension (#599)\n * Implement new scheduled job for routes monitor (#598)\n * Add packaging changes for locally bundled extensions feature support (#593)\n * Ensure the uninstall script handles GCE metadata endpoint unavailability. (#591)\n * Disable certificates when security keys are enabled (#588)\n * Move sourcing of per-user configs to the end of sshd_config, fixing 2FA logins. (#590)\n * Source the contents of /var/google-users.d config files. 
(#586)\n * Force remove core plugin configuration for windows (#587)\n * network: force address manager to always consolidate the OS state (#585)\n * Bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#583)\n (bsc#1239334, CVE-2025-22869, bsc#1253889, CVE-2025-58181)\n * Don\u0027t delete the authorized_keys file when an empty key list\n is passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20260424.00\n * Bring topic-stable up to latest point. 
(#606)\n * Bring stable branch up to 822ad49fd52b4d29869604af836a33cb22a667ba (#592)\n * fix start mode for windows on stable release (#584)\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20260423.01\n * Update THIRD_PARTY_LICENSES to be package specific location. (#608)\n- from version 20260423.00\n * Update dependencies and go version to 1.26.2 (#607)\n * Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 (#604)\n * Backport oslogin changes for sles16 to legacy agent (#603)\n * Bump go.opentelemetry.io/otel/sdk from 1.37.0 to 1.40.0 (#596)\n * Bump google.golang.org/grpc from 1.75.0 to 1.79.3 (#602)\n * Actually finally fix the RPM spec (#601)\n * Correct guest telemetry build target (#600)\n * Add packaging for new telemetry extension (#599)\n * Implement new scheduled job for routes monitor (#598)\n * Add packaging changes for locally bundled extensions feature support (#593)\n * Ensure the uninstall script handles GCE metadata endpoint unavailability. (#591)\n * Disable certificates when security keys are enabled (#588)\n * Move sourcing of per-user configs to the end of sshd_config, fixing 2FA logins. (#590)\n * Source the contents of /var/google-users.d config files. 
(#586)\n * Force remove core plugin configuration for windows (#587)\n * network: force address manager to always consolidate the OS state (#585)\n * Bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#583)\n * Don\u0027t delete the authorized_keys file when an empty key\n list is passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20260422.01\n * Bring topic-stable up to latest point. 
(#606)\n * Bring stable branch up to 822ad49fd52b4d29869604af836a33cb22a667ba (#592)\n * fix start mode for windows on stable release (#584)\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20260422.00\n * Update dependencies and go version to 1.26.2 (#607)\n * Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 (#604)\n * Backport oslogin changes for sles16 to legacy agent (#603)\n * Bump go.opentelemetry.io/otel/sdk from 1.37.0 to 1.40.0 (#596)\n * Bump google.golang.org/grpc from 1.75.0 to 1.79.3 (#602)\n * Actually finally fix the RPM spec (#601)\n * Correct guest telemetry build target (#600)\n * Add packaging for new telemetry extension (#599)\n * Implement new scheduled job for routes monitor (#598)\n * Add packaging changes for locally bundled extensions feature support (#593)\n * Ensure the uninstall script handles GCE metadata endpoint unavailability. (#591)\n * Disable certificates when security keys are enabled (#588)\n * Move sourcing of per-user configs to the end of sshd_config, fixing 2FA logins. (#590)\n * Source the contents of /var/google-users.d config files. 
(#586)\n * Force remove core plugin configuration for windows (#587)\n * network: force address manager to always consolidate the OS state (#585)\n * Bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#583)\n * Don\u0027t delete the authorized_keys file when an empty key\n list is passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20260421.00\n * Bring topic-stable up to latest point. 
(#606)\n * Bring stable branch up to 822ad49fd52b4d29869604af836a33cb22a667ba (#592)\n * fix start mode for windows on stable release (#584)\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20260414.00\n * Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 (#604)\n- Bump Go API version to 1.26\n\n- Fix crafted JWE input with a missing encrypted key can lead to a denial\n of service (bsc#1262926, CVE-2026-34986)\n\n- Update to version 20260402.00: (bsc#1257010)\n * Backport oslogin changes for sles16 to legacy agent (#603)\n * Bump go.opentelemetry.io/otel/sdk from 1.37.0 to 1.40.0 (#596)\n * Bump google.golang.org/grpc from 1.75.0 to 1.79.3 (#602)\n * Actually finally fix the RPM spec (#601)\n * Correct guest telemetry build target (#600)\n * Add packaging for new telemetry extension (#599)\n * Implement new scheduled job for routes monitor (#598)\n * Add packaging changes for locally bundled extensions feature support (#593)\n * Ensure the uninstall script handles GCE metadata endpoint unavailability. (#591)\n * Disable certificates when security keys are enabled (#588)\n * Move sourcing of per-user configs to the end of sshd_config, fixing 2FA logins. (#590)\n\n- Update to version 20260108.00\n * Source the contents of /var/google-users.d config files. 
(#586)\n\n- Update to version 20251223.00\n * Force remove core plugin configuration for windows (#587)\n * network: force address manager to always consolidate the OS state (#585)\n * Bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#583)\n * Don\u0027t delete the authorized_keys file when an empty key list\n is passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251218.01\n * fix start mode for windows on stable release (#584)\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251218.00\n * Force remove core 
plugin configuration for windows (#587)\n * network: force address manager to always consolidate the OS state (#585)\n * Bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#583)\n * Don\u0027t delete the authorized_keys file when an empty key list\n is passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251216.00\n * fix start mode for windows on stable release (#584)\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251215.00\n * Force remove core plugin configuration for windows (#587)\n * network: force 
address manager to always consolidate the OS state (#585)\n * Bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#583)\n * Don\u0027t delete the authorized_keys file when an empty key list\n is passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251210.00\n * fix start mode for windows on stable release (#584)\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251209.00\n * Force remove core plugin configuration for windows (#587)\n\n- Update to version 20251208.00\n * network: force address manager to always 
consolidate the OS state (#585)\n * Bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#583)\n * Don\u0027t delete the authorized_keys file when an empty key list is passed\n to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251206.00\n * fix start mode for windows on stable release (#584)\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251205.00\n * network: force address manager to always consolidate the OS state (#585)\n * Bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#583)\n * Don\u0027t delete the 
authorized_keys file when an empty key list\n is passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n\n- Update to version 20251120.01\n * fix start mode for windows on stable release (#584)\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251120.00\n * Don\u0027t delete the authorized_keys file when an empty key list\n is passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n 
* Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251117.00\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251115.00\n * Don\u0027t delete the authorized_keys file when an empty key list is\n passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both 
(#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251108.00\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251107.01\n * Don\u0027t delete the authorized_keys file when an empty key list is\n passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to 
enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251031.00\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251030.02\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251030.01\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add 
adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251030.00\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251011.00\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251009.01\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if 
core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251009.00\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n\n- Update to version 20251007.00\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts 
should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251006.01\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin (#557)\n- from version 20251006.00\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251005.00\n * Update 
go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin (#557)\n- from version 20250930.01\n * Honor core plugin setting on windows package update (#576)\n- from version 20250929.01\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250929.00\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin (#557)\n- from version 20250926.00\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 
(#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250924.02\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin (#557)\n- from version 20250924.01\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL 
packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250924.00\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin (#557)\n\n- Update to version 20250923.01\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250923.00\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 
20250921.00\n * Add extra debug logging around toggling OS Login (#572)\n- from version 20250920.01\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250920.00\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20250918.01\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * 
Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250917.01\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20250917.00\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250916.00\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 
20250915.00\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- Disable missing daemon google_guest_agent_manager referenced by google-startup-scripts.service\n\n- Update to version 20250908.00\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin (#557)\n- from version 20250907.00\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable 
core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250905.01\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin (#557)\n- from version 20250905.00\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250902.00\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin 
(#557)\n- Build and install new gce_workload_cert_refresh binary\n- Fix installation source of google_metadata_script_runner_adapt script\n- Install new systemd service file\n * gce-workload-cert-refresh.service\n\n- Update to version 20250901.00\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250831.03\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin (#557)\n- from version 20250831.02\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets 
and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250831.01\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent\n and disable core plugin (#557)\n- from version 20250831.00\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250830.02\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat 
behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent\n and disable core plugin (#557)\n- from version 20250830.01\n * Update go version to 1.25 (#565)\n- from version 20250830.00\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250828.00\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n- from version 20250826.00\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin (#557)\n- from version 20250821.01\n * Remove routes script from packaging (#566)\n- Update Go API version to 1.25\n\n- Update to version 20250718.00\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for 
RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n\n- Update to version 20250709.02\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20250709.01\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250709.00\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20250702.00\n * Update adapt script to run on startup/shutdown both (#561)\n- from version 20250701.01\n * Update agent_uninstall.ps1 (#558)\n- from version 20250701.00\n * Stop core plugin before removing agent package (#554)\n- from version 20250628.00\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n- from version 20250626.00\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL 
packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n * startup script: wrap compatibility decision into its own scripts (#538)\n * Reapply \"oslogin: Correctly handle newlines at the end of modified files (#520)\" (#523) (#540)\n- from version 20250625.00\n * prepare stable release.\n- Install google_metadata_script_runner_adapt script (bsc#1245759)\n\n- Update to version 20250624.00\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n * startup script: wrap compatibility decision into its own scripts (#538)\n * Reapply \"oslogin: Correctly handle newlines at the end of modified\n files (#520)\" (#523) (#540)\n- from version 20250611.01\n * prepare stable release.\n- from version 20250611.00\n * startup script: wrap compatibility decision into its own scripts (#538)\n * Reapply \"oslogin: Correctly handle newlines at the end of modified\n files (#520)\" (#523) (#540)\n- from version 20250609.00\n * prepare stable release.\n- from version 20250605.00\n * startup script: wrap compatibility decision into its own scripts (#538)\n * Reapply \"oslogin: Correctly handle newlines at the end of modified\n files (#520)\" (#523) (#540)\n * Make sure agent added connections are activated by NM (#534)\n * wrap NSS cache refresh in a goroutine (#533)\n * Wicked: Only reload interfaces for which configurations are\n written or changed. 
(#524)\n * Add AuthorizedKeysCompat to windows packaging (#530)\n * Remove error messages from gce_workload_cert_refresh and metadata\n script runner (#527)\n * Update guest-logging-go dependency (#526)\n * Add \u0027created-by\u0027 metadata, and pass it as option to logging library (#508)\n * Revert \"oslogin: Correctly handle newlines at the end of\n modified files (#520)\" (#523)\n * Re-enable disabled services if the core plugin was enabled (#522)\n * Enable guest services on package upgrade (#519)\n * oslogin: Correctly handle newlines at the end of modified files (#520)\n * Fix core plugin path (#518)\n * Fix package build issues (#517)\n * Fix dependencies ran go mod tidy -v (#515)\n * Fix debian build path (#514)\n * Bundle compat metadata script runner binary in package (#513)\n * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)\n * Update startup/shutdown services to launch compat manager (#503)\n * Bundle new gce metadata script runner binary in agent package (#502)\n * Revert \"Revert bundling new binaries in the package (#509)\" (#511)\n\n- Update to version 20250604.00\n * Preparing stable build.\n- from version 20250602.00\n * Make sure agent added connections are activated by NM (#534)\n * wrap NSS cache refresh in a goroutine (#533)\n * Wicked: Only reload interfaces for which configurations are written or changed. 
(#524)\n * Add AuthorizedKeysCompat to windows packaging (#530)\n * Remove error messages from gce_workload_cert_refresh and metadata script runner (#527)\n * Update guest-logging-go dependency (#526)\n * Add \u0027created-by\u0027 metadata, and pass it as option to logging library (#508)\n * Revert \"oslogin: Correctly handle newlines at the end of modified files (#520)\" (#523)\n * Re-enable disabled services if the core plugin was enabled (#522)\n * Enable guest services on package upgrade (#519)\n * oslogin: Correctly handle newlines at the end of modified files (#520)\n * Fix core plugin path (#518)\n * Fix package build issues (#517)\n * Fix dependencies ran go mod tidy -v (#515)\n * Fix debian build path (#514)\n * Bundle compat metadata script runner binary in package (#513)\n * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)\n * Update startup/shutdown services to launch compat manager (#503)\n * Bundle new gce metadata script runner binary in agent package (#502)\n * Revert \"Revert bundling new binaries in the package (#509)\" (#511)\n- from version 20250521.00\n * Preparing stable build.\n- from version 20250515.00\n * Make sure agent added connections are activated by NM (#534)\n * wrap NSS cache refresh in a goroutine (#533)\n * Wicked: Only reload interfaces for which configurations are written or changed. 
(#524)\n * Add AuthorizedKeysCompat to windows packaging (#530)\n * Remove error messages from gce_workload_cert_refresh and metadata script runner (#527)\n * Update guest-logging-go dependency (#526)\n * Add \u0027created-by\u0027 metadata, and pass it as option to logging library (#508)\n * Revert \"oslogin: Correctly handle newlines at the end of modified files (#520)\" (#523)\n * Re-enable disabled services if the core plugin was enabled (#522)\n * Enable guest services on package upgrade (#519)\n * oslogin: Correctly handle newlines at the end of modified files (#520)\n * Fix core plugin path (#518)\n * Fix package build issues (#517)\n * Fix dependencies ran go mod tidy -v (#515)\n * Fix debian build path (#514)\n * Bundle compat metadata script runner binary in package (#513)\n * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)\n * Update startup/shutdown services to launch compat manager (#503)\n * Bundle new gce metadata script runner binary in agent package (#502)\n * Revert \"Revert bundling new binaries in the package (#509)\" (#511)\n\n- Update to version 20250508.00\n * Preparing stable build.\n\n- from version 20250506.01 (bsc#1243254, bsc#1243505)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLE-Micro-6.0-741",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21989-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21989-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621989-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21989-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-June/047108.html"
},
{
"category": "self",
"summary": "SUSE Bug 1210938",
"url": "https://bugzilla.suse.com/1210938"
},
{
"category": "self",
"summary": "SUSE Bug 1239334",
"url": "https://bugzilla.suse.com/1239334"
},
{
"category": "self",
"summary": "SUSE Bug 1239944",
"url": "https://bugzilla.suse.com/1239944"
},
{
"category": "self",
"summary": "SUSE Bug 1243254",
"url": "https://bugzilla.suse.com/1243254"
},
{
"category": "self",
"summary": "SUSE Bug 1243505",
"url": "https://bugzilla.suse.com/1243505"
},
{
"category": "self",
"summary": "SUSE Bug 1245759",
"url": "https://bugzilla.suse.com/1245759"
},
{
"category": "self",
"summary": "SUSE Bug 1253889",
"url": "https://bugzilla.suse.com/1253889"
},
{
"category": "self",
"summary": "SUSE Bug 1257010",
"url": "https://bugzilla.suse.com/1257010"
},
{
"category": "self",
"summary": "SUSE Bug 1260264",
"url": "https://bugzilla.suse.com/1260264"
},
{
"category": "self",
"summary": "SUSE Bug 1262926",
"url": "https://bugzilla.suse.com/1262926"
},
{
"category": "self",
"summary": "SUSE Bug 1265762",
"url": "https://bugzilla.suse.com/1265762"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22868 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22868/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22869 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22869/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58181 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58181/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33186 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33186/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33814 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33814/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-34986 page",
"url": "https://www.suse.com/security/cve/CVE-2026-34986/"
}
],
"title": "Security update for google-guest-agent",
"tracking": {
"current_release_date": "2026-06-03T12:17:52Z",
"generator": {
"date": "2026-06-03T12:17:52Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21989-1",
"initial_release_date": "2026-06-03T12:17:52Z",
"revision_history": [
{
"date": "2026-06-03T12:17:52Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "google-guest-agent-20260430.00-1.1.aarch64",
"product": {
"name": "google-guest-agent-20260430.00-1.1.aarch64",
"product_id": "google-guest-agent-20260430.00-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "google-guest-agent-20260430.00-1.1.s390x",
"product": {
"name": "google-guest-agent-20260430.00-1.1.s390x",
"product_id": "google-guest-agent-20260430.00-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "google-guest-agent-20260430.00-1.1.x86_64",
"product": {
"name": "google-guest-agent-20260430.00-1.1.x86_64",
"product_id": "google-guest-agent-20260430.00-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.0",
"product": {
"name": "SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sl-micro:6.0"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "google-guest-agent-20260430.00-1.1.aarch64 as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.aarch64"
},
"product_reference": "google-guest-agent-20260430.00-1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-guest-agent-20260430.00-1.1.s390x as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.s390x"
},
"product_reference": "google-guest-agent-20260430.00-1.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-guest-agent-20260430.00-1.1.x86_64 as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.x86_64"
},
"product_reference": "google-guest-agent-20260430.00-1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-22868",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22868"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.aarch64",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.s390x",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22868",
"url": "https://www.suse.com/security/cve/CVE-2025-22868"
},
{
"category": "external",
"summary": "SUSE Bug 1239185 for CVE-2025-22868",
"url": "https://bugzilla.suse.com/1239185"
},
{
"category": "external",
"summary": "SUSE Bug 1239186 for CVE-2025-22868",
"url": "https://bugzilla.suse.com/1239186"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.aarch64",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.s390x",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.aarch64",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.s390x",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-03T12:17:52Z",
"details": "important"
}
],
"title": "CVE-2025-22868"
},
{
"cve": "CVE-2025-22869",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22869"
}
],
"notes": [
{
"category": "general",
"text": "SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.aarch64",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.s390x",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22869",
"url": "https://www.suse.com/security/cve/CVE-2025-22869"
},
{
"category": "external",
"summary": "SUSE Bug 1239322 for CVE-2025-22869",
"url": "https://bugzilla.suse.com/1239322"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.aarch64",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.s390x",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.aarch64",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.s390x",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-03T12:17:52Z",
"details": "important"
}
],
"title": "CVE-2025-22869"
},
{
"cve": "CVE-2025-58181",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58181"
}
],
"notes": [
{
"category": "general",
"text": "SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.aarch64",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.s390x",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58181",
"url": "https://www.suse.com/security/cve/CVE-2025-58181"
},
{
"category": "external",
"summary": "SUSE Bug 1253784 for CVE-2025-58181",
"url": "https://bugzilla.suse.com/1253784"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.aarch64",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.s390x",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.aarch64",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.s390x",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-03T12:17:52Z",
"details": "moderate"
}
],
"title": "CVE-2025-58181"
},
{
"cve": "CVE-2026-33186",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33186"
}
],
"notes": [
{
"category": "general",
"text": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.aarch64",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.s390x",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33186",
"url": "https://www.suse.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "SUSE Bug 1260085 for CVE-2026-33186",
"url": "https://bugzilla.suse.com/1260085"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.aarch64",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.s390x",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.aarch64",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.s390x",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-03T12:17:52Z",
"details": "important"
}
],
"title": "CVE-2026-33186"
},
{
"cve": "CVE-2026-33814",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33814"
}
],
"notes": [
{
"category": "general",
"text": "When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.aarch64",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.s390x",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33814",
"url": "https://www.suse.com/security/cve/CVE-2026-33814"
},
{
"category": "external",
"summary": "SUSE Bug 1264506 for CVE-2026-33814",
"url": "https://bugzilla.suse.com/1264506"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.aarch64",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.s390x",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.aarch64",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.s390x",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-03T12:17:52Z",
"details": "important"
}
],
"title": "CVE-2026-33814"
},
{
"cve": "CVE-2026-34986",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-34986"
}
],
"notes": [
{
"category": "general",
"text": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.aarch64",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.s390x",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-34986",
"url": "https://www.suse.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "SUSE Bug 1262805 for CVE-2026-34986",
"url": "https://bugzilla.suse.com/1262805"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.aarch64",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.s390x",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.aarch64",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.s390x",
"SUSE Linux Micro 6.0:google-guest-agent-20260430.00-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-03T12:17:52Z",
"details": "important"
}
],
"title": "CVE-2026-34986"
}
]
}
SUSE-SU-2026:22128-1
Vulnerability from csaf_suse - Published: 2026-06-15 14:28 - Updated: 2026-06-15 14:28

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for google-guest-agent",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for google-guest-agent fixes the following issues:\n\nChanges in google-guest-agent:\n\nUpdate to version 20260430.00\n\n * Update OWNERS (#609)\n * Update THIRD_PARTY_LICENSES to be package specific location. (#608)\n * Update dependencies and go version to 1.26.2 (#607)\n (bsc#1265762, CVE-2026-33814)\n * Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 (#604)\n (bsc#1260264, CVE-2026-33186)\n * Backport oslogin changes for sles16 to legacy agent (#603)\n * Bump go.opentelemetry.io/otel/sdk from 1.37.0 to 1.40.0 (#596)\n * Bump google.golang.org/grpc from 1.75.0 to 1.79.3 (#602)\n * Actually finally fix the RPM spec (#601)\n * Correct guest telemetry build target (#600)\n * Add packaging for new telemetry extension (#599)\n * Implement new scheduled job for routes monitor (#598)\n * Add packaging changes for locally bundled extensions feature support (#593)\n * Ensure the uninstall script handles GCE metadata endpoint unavailability. (#591)\n * Disable certificates when security keys are enabled (#588)\n * Move sourcing of per-user configs to the end of sshd_config, fixing 2FA logins. (#590)\n * Source the contents of /var/google-users.d config files. 
(#586)\n * Force remove core plugin configuration for windows (#587)\n * network: force address manager to always consolidate the OS state (#585)\n * Bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#583)\n (bsc#1239334, CVE-2025-22869, bsc#1253889, CVE-2025-58181)\n * Don\u0027t delete the authorized_keys file when an empty key list\n is passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20260424.00\n * Bring topic-stable up to latest point. 
(#606)\n * Bring stable branch up to 822ad49fd52b4d29869604af836a33cb22a667ba (#592)\n * fix start mode for windows on stable release (#584)\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20260423.01\n * Update THIRD_PARTY_LICENSES to be package specific location. (#608)\n- from version 20260423.00\n * Update dependencies and go version to 1.26.2 (#607)\n * Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 (#604)\n * Backport oslogin changes for sles16 to legacy agent (#603)\n * Bump go.opentelemetry.io/otel/sdk from 1.37.0 to 1.40.0 (#596)\n * Bump google.golang.org/grpc from 1.75.0 to 1.79.3 (#602)\n * Actually finally fix the RPM spec (#601)\n * Correct guest telemetry build target (#600)\n * Add packaging for new telemetry extension (#599)\n * Implement new scheduled job for routes monitor (#598)\n * Add packaging changes for locally bundled extensions feature support (#593)\n * Ensure the uninstall script handles GCE metadata endpoint unavailability. (#591)\n * Disable certificates when security keys are enabled (#588)\n * Move sourcing of per-user configs to the end of sshd_config, fixing 2FA logins. (#590)\n * Source the contents of /var/google-users.d config files. 
(#586)\n * Force remove core plugin configuration for windows (#587)\n * network: force address manager to always consolidate the OS state (#585)\n * Bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#583)\n * Don\u0027t delete the authorized_keys file when an empty key\n list is passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20260422.01\n * Bring topic-stable up to latest point. 
(#606)\n * Bring stable branch up to 822ad49fd52b4d29869604af836a33cb22a667ba (#592)\n * fix start mode for windows on stable release (#584)\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20260422.00\n * Update dependencies and go version to 1.26.2 (#607)\n * Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 (#604)\n * Backport oslogin changes for sles16 to legacy agent (#603)\n * Bump go.opentelemetry.io/otel/sdk from 1.37.0 to 1.40.0 (#596)\n * Bump google.golang.org/grpc from 1.75.0 to 1.79.3 (#602)\n * Actually finally fix the RPM spec (#601)\n * Correct guest telemetry build target (#600)\n * Add packaging for new telemetry extension (#599)\n * Implement new scheduled job for routes monitor (#598)\n * Add packaging changes for locally bundled extensions feature support (#593)\n * Ensure the uninstall script handles GCE metadata endpoint unavailability. (#591)\n * Disable certificates when security keys are enabled (#588)\n * Move sourcing of per-user configs to the end of sshd_config, fixing 2FA logins. (#590)\n * Source the contents of /var/google-users.d config files. 
(#586)\n * Force remove core plugin configuration for windows (#587)\n * network: force address manager to always consolidate the OS state (#585)\n * Bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#583)\n * Don\u0027t delete the authorized_keys file when an empty key\n list is passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20260421.00\n * Bring topic-stable up to latest point. 
(#606)\n * Bring stable branch up to 822ad49fd52b4d29869604af836a33cb22a667ba (#592)\n * fix start mode for windows on stable release (#584)\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20260414.00\n * Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 (#604)\n- Bump Go API version to 1.26\n\n- Fix crafted JWE input with a missing encrypted\n key can lead to a denial of service (bsc#1262926, CVE-2026-34986)\n\n- Update to version 20260402.00: (bsc#1257010)\n * Backport oslogin changes for sles16 to legacy agent (#603)\n * Bump go.opentelemetry.io/otel/sdk from 1.37.0 to 1.40.0 (#596)\n * Bump google.golang.org/grpc from 1.75.0 to 1.79.3 (#602)\n * Actually finally fix the RPM spec (#601)\n * Correct guest telemetry build target (#600)\n * Add packaging for new telemetry extension (#599)\n * Implement new scheduled job for routes monitor (#598)\n * Add packaging changes for locally bundled extensions feature support (#593)\n * Ensure the uninstall script handles GCE metadata endpoint unavailability. (#591)\n * Disable certificates when security keys are enabled (#588)\n * Move sourcing of per-user configs to the end of sshd_config, fixing 2FA logins. (#590)\n\n- Update to version 20260108.00\n * Source the contents of /var/google-users.d config files. 
(#586)\n\n- Update to version 20251223.00\n * Force remove core plugin configuration for windows (#587)\n * network: force address manager to always consolidate the OS state (#585)\n * Bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#583)\n * Don\u0027t delete the authorized_keys file when an empty key list\n is passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251218.01\n * fix start mode for windows on stable release (#584)\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251218.00\n * Force remove core 
plugin configuration for windows (#587)\n * network: force address manager to always consolidate the OS state (#585)\n * Bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#583)\n * Don\u0027t delete the authorized_keys file when an empty key list\n is passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251216.00\n * fix start mode for windows on stable release (#584)\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251215.00\n * Force remove core plugin configuration for windows (#587)\n * network: force 
address manager to always consolidate the OS state (#585)\n * Bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#583)\n * Don\u0027t delete the authorized_keys file when an empty key list\n is passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251210.00\n * fix start mode for windows on stable release (#584)\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251209.00\n * Force remove core plugin configuration for windows (#587)\n\n- Update to version 20251208.00\n * network: force address manager to always 
consolidate the OS state (#585)\n * Bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#583)\n * Don\u0027t delete the authorized_keys file when an empty key list is passed\n to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251206.00\n * fix start mode for windows on stable release (#584)\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251205.00\n * network: force address manager to always consolidate the OS state (#585)\n * Bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#583)\n * Don\u0027t delete the 
authorized_keys file when an empty key list\n is passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n\n- Update to version 20251120.01\n * fix start mode for windows on stable release (#584)\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251120.00\n * Don\u0027t delete the authorized_keys file when an empty key list\n is passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n 
* Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251117.00\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251115.00\n * Don\u0027t delete the authorized_keys file when an empty key list is\n passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both 
(#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251108.00\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251107.01\n * Don\u0027t delete the authorized_keys file when an empty key list is\n passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to 
enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251031.00\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251030.02\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251030.01\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add 
adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251030.00\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251011.00\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251009.01\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if 
core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251009.00\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n\n- Update to version 20251007.00\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts 
should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251006.01\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin (#557)\n- from version 20251006.00\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251005.00\n * Update 
go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin (#557)\n- from version 20250930.01\n * Honor core plugin setting on windows package update (#576)\n- from version 20250929.01\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250929.00\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin (#557)\n- from version 20250926.00\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 
(#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250924.02\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin (#557)\n- from version 20250924.01\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL 
packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250924.00\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin (#557)\n\n- Update to version 20250923.01\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250923.00\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 
20250921.00\n * Add extra debug logging around toggling OS Login (#572)\n- from version 20250920.01\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250920.00\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20250918.01\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * 
Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250917.01\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20250917.00\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250916.00\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 
20250915.00\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- Disable missing daemon google_guest_agent_manager referenced by google-startup-scripts.service\n\n- Update to version 20250908.00\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin (#557)\n- from version 20250907.00\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable 
core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250905.01\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin (#557)\n- from version 20250905.00\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250902.00\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin 
(#557)\n- Build and install new gce_workload_cert_refresh binary\n- Fix installation source of google_metadata_script_runner_adapt script\n- Install new systemd service file\n * gce-workload-cert-refresh.service\n\n- Update to version 20250901.00\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250831.03\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin (#557)\n- from version 20250831.02\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets 
and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250831.01\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent\n and disable core plugin (#557)\n- from version 20250831.00\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250830.02\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat 
behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent\n and disable core plugin (#557)\n- from version 20250830.01\n * Update go version to 1.25 (#565)\n- from version 20250830.00\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250828.00\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n- from version 20250826.00\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin (#557)\n- from version 20250821.01\n * Remove routes script from packaging (#566)\n\n- Update to version 20250718.00\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup 
(#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n\n- Update to version 20250709.02\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20250709.01\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250709.00\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20250702.00\n * Update adapt script to run on startup/shutdown both (#561)\n- from version 20250701.01\n * Update agent_uninstall.ps1 (#558)\n- from version 20250701.00\n * Stop core plugin before removing agent package (#554)\n- from version 20250628.00\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n- from version 20250626.00\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n 
* Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n * startup script: wrap compatibility decision into its own scripts (#538)\n * Reapply \"oslogin: Correctly handle newlines at the end of modified files (#520)\" (#523) (#540)\n- from version 20250625.00\n * prepare stable release.\n- Install google_metadata_script_runner_adapt script (bsc#1245759)\n\n- Update to version 20250624.00\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n * startup script: wrap compatibility decision into its own scripts (#538)\n * Reapply \"oslogin: Correctly handle newlines at the end of modified\n files (#520)\" (#523) (#540)\n- from version 20250611.01\n * prepare stable release.\n- from version 20250611.00\n * startup script: wrap compatibility decision into its own scripts (#538)\n * Reapply \"oslogin: Correctly handle newlines at the end of modified\n files (#520)\" (#523) (#540)\n- from version 20250609.00\n * prepare stable release.\n- from version 20250605.00\n * startup script: wrap compatibility decision into its own scripts (#538)\n * Reapply \"oslogin: Correctly handle newlines at the end of modified\n files (#520)\" (#523) (#540)\n * Make sure agent added connections are activated by NM (#534)\n * wrap NSS cache refresh in a goroutine (#533)\n * Wicked: Only reload interfaces for which configurations are\n written or changed. 
(#524)\n * Add AuthorizedKeysCompat to windows packaging (#530)\n * Remove error messages from gce_workload_cert_refresh and metadata\n script runner (#527)\n * Update guest-logging-go dependency (#526)\n * Add \u0027created-by\u0027 metadata, and pass it as option to logging library (#508)\n * Revert \"oslogin: Correctly handle newlines at the end of\n modified files (#520)\" (#523)\n * Re-enable disabled services if the core plugin was enabled (#522)\n * Enable guest services on package upgrade (#519)\n * oslogin: Correctly handle newlines at the end of modified files (#520)\n * Fix core plugin path (#518)\n * Fix package build issues (#517)\n * Fix dependencies ran go mod tidy -v (#515)\n * Fix debian build path (#514)\n * Bundle compat metadata script runner binary in package (#513)\n * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)\n * Update startup/shutdown services to launch compat manager (#503)\n * Bundle new gce metadata script runner binary in agent package (#502)\n * Revert \"Revert bundling new binaries in the package (#509)\" (#511)\n\n- Update to version 20250604.00\n * Preparing stable build.\n- from version 20250602.00\n * Make sure agent added connections are activated by NM (#534)\n * wrap NSS cache refresh in a goroutine (#533)\n * Wicked: Only reload interfaces for which configurations are written or changed. 
(#524)\n * Add AuthorizedKeysCompat to windows packaging (#530)\n * Remove error messages from gce_workload_cert_refresh and metadata script runner (#527)\n * Update guest-logging-go dependency (#526)\n * Add \u0027created-by\u0027 metadata, and pass it as option to logging library (#508)\n * Revert \"oslogin: Correctly handle newlines at the end of modified files (#520)\" (#523)\n * Re-enable disabled services if the core plugin was enabled (#522)\n * Enable guest services on package upgrade (#519)\n * oslogin: Correctly handle newlines at the end of modified files (#520)\n * Fix core plugin path (#518)\n * Fix package build issues (#517)\n * Fix dependencies ran go mod tidy -v (#515)\n * Fix debian build path (#514)\n * Bundle compat metadata script runner binary in package (#513)\n * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)\n * Update startup/shutdown services to launch compat manager (#503)\n * Bundle new gce metadata script runner binary in agent package (#502)\n * Revert \"Revert bundling new binaries in the package (#509)\" (#511)\n- from version 20250521.00\n * Preparing stable build.\n- from version 20250515.00\n * Make sure agent added connections are activated by NM (#534)\n * wrap NSS cache refresh in a goroutine (#533)\n * Wicked: Only reload interfaces for which configurations are written or changed. 
(#524)\n * Add AuthorizedKeysCompat to windows packaging (#530)\n * Remove error messages from gce_workload_cert_refresh and metadata script runner (#527)\n * Update guest-logging-go dependency (#526)\n * Add \u0027created-by\u0027 metadata, and pass it as option to logging library (#508)\n * Revert \"oslogin: Correctly handle newlines at the end of modified files (#520)\" (#523)\n * Re-enable disabled services if the core plugin was enabled (#522)\n * Enable guest services on package upgrade (#519)\n * oslogin: Correctly handle newlines at the end of modified files (#520)\n * Fix core plugin path (#518)\n * Fix package build issues (#517)\n * Fix dependencies ran go mod tidy -v (#515)\n * Fix debian build path (#514)\n * Bundle compat metadata script runner binary in package (#513)\n * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)\n * Update startup/shutdown services to launch compat manager (#503)\n * Bundle new gce metadata script runner binary in agent package (#502)\n * Revert \"Revert bundling new binaries in the package (#509)\" (#511)\n\n- Update to version 20250508.00\n\n * Preparing stable build.\n\n- from version 20250506.01 (bsc#1243254, bsc#1243505)\n\n- Update to version 20250411.00\n\n * Re-enable disabled services if the core plugin was enabled (#521)\n- Add -buildmode=pie to go build command line (bsc#1239944)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-934",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_22128-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:22128-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202622128-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:22128-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-June/047345.html"
},
{
"category": "self",
"summary": "SUSE Bug 1210938",
"url": "https://bugzilla.suse.com/1210938"
},
{
"category": "self",
"summary": "SUSE Bug 1239334",
"url": "https://bugzilla.suse.com/1239334"
},
{
"category": "self",
"summary": "SUSE Bug 1239944",
"url": "https://bugzilla.suse.com/1239944"
},
{
"category": "self",
"summary": "SUSE Bug 1243254",
"url": "https://bugzilla.suse.com/1243254"
},
{
"category": "self",
"summary": "SUSE Bug 1243505",
"url": "https://bugzilla.suse.com/1243505"
},
{
"category": "self",
"summary": "SUSE Bug 1245759",
"url": "https://bugzilla.suse.com/1245759"
},
{
"category": "self",
"summary": "SUSE Bug 1253889",
"url": "https://bugzilla.suse.com/1253889"
},
{
"category": "self",
"summary": "SUSE Bug 1257010",
"url": "https://bugzilla.suse.com/1257010"
},
{
"category": "self",
"summary": "SUSE Bug 1260264",
"url": "https://bugzilla.suse.com/1260264"
},
{
"category": "self",
"summary": "SUSE Bug 1262926",
"url": "https://bugzilla.suse.com/1262926"
},
{
"category": "self",
"summary": "SUSE Bug 1265762",
"url": "https://bugzilla.suse.com/1265762"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22868 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22868/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22869 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22869/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58181 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58181/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33186 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33186/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33814 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33814/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-34986 page",
"url": "https://www.suse.com/security/cve/CVE-2026-34986/"
}
],
"title": "Security update for google-guest-agent",
"tracking": {
"current_release_date": "2026-06-15T14:28:51Z",
"generator": {
"date": "2026-06-15T14:28:51Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:22128-1",
"initial_release_date": "2026-06-15T14:28:51Z",
"revision_history": [
{
"date": "2026-06-15T14:28:51Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "google-guest-agent-20260430.00-160000.1.1.aarch64",
"product": {
"name": "google-guest-agent-20260430.00-160000.1.1.aarch64",
"product_id": "google-guest-agent-20260430.00-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "google-guest-agent-20260430.00-160000.1.1.x86_64",
"product": {
"name": "google-guest-agent-20260430.00-160000.1.1.x86_64",
"product_id": "google-guest-agent-20260430.00-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "google-guest-agent-20260430.00-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64"
},
"product_reference": "google-guest-agent-20260430.00-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-guest-agent-20260430.00-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64"
},
"product_reference": "google-guest-agent-20260430.00-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-guest-agent-20260430.00-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64"
},
"product_reference": "google-guest-agent-20260430.00-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-guest-agent-20260430.00-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64"
},
"product_reference": "google-guest-agent-20260430.00-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-22868",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22868"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22868",
"url": "https://www.suse.com/security/cve/CVE-2025-22868"
},
{
"category": "external",
"summary": "SUSE Bug 1239185 for CVE-2025-22868",
"url": "https://bugzilla.suse.com/1239185"
},
{
"category": "external",
"summary": "SUSE Bug 1239186 for CVE-2025-22868",
"url": "https://bugzilla.suse.com/1239186"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-15T14:28:51Z",
"details": "important"
}
],
"title": "CVE-2025-22868"
},
{
"cve": "CVE-2025-22869",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22869"
}
],
"notes": [
{
"category": "general",
"text": "SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22869",
"url": "https://www.suse.com/security/cve/CVE-2025-22869"
},
{
"category": "external",
"summary": "SUSE Bug 1239322 for CVE-2025-22869",
"url": "https://bugzilla.suse.com/1239322"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-15T14:28:51Z",
"details": "important"
}
],
"title": "CVE-2025-22869"
},
{
"cve": "CVE-2025-58181",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58181"
}
],
"notes": [
{
"category": "general",
"text": "SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58181",
"url": "https://www.suse.com/security/cve/CVE-2025-58181"
},
{
"category": "external",
"summary": "SUSE Bug 1253784 for CVE-2025-58181",
"url": "https://bugzilla.suse.com/1253784"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-15T14:28:51Z",
"details": "moderate"
}
],
"title": "CVE-2025-58181"
},
{
"cve": "CVE-2026-33186",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33186"
}
],
"notes": [
{
"category": "general",
"text": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy that contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33186",
"url": "https://www.suse.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "SUSE Bug 1260085 for CVE-2026-33186",
"url": "https://bugzilla.suse.com/1260085"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-15T14:28:51Z",
"details": "important"
}
],
"title": "CVE-2026-33186"
},
{
"cve": "CVE-2026-33814",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33814"
}
],
"notes": [
{
"category": "general",
"text": "When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33814",
"url": "https://www.suse.com/security/cve/CVE-2026-33814"
},
{
"category": "external",
"summary": "SUSE Bug 1264506 for CVE-2026-33814",
"url": "https://bugzilla.suse.com/1264506"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-15T14:28:51Z",
"details": "important"
}
],
"title": "CVE-2026-33814"
},
{
"cve": "CVE-2026-34986",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-34986"
}
],
"notes": [
{
"category": "general",
"text": "Go JOSE provides an implementation of the JavaScript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-34986",
"url": "https://www.suse.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "SUSE Bug 1262805 for CVE-2026-34986",
"url": "https://bugzilla.suse.com/1262805"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20260430.00-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-15T14:28:51Z",
"details": "important"
}
],
"title": "CVE-2026-34986"
}
]
}
SUSE-SU-2026:22133-1
Vulnerability from csaf_suse - Published: 2026-06-12 08:44 - Updated: 2026-06-12 08:44

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64 | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.s390x | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64 | | — | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64 | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.s390x | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64 | | — | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64 | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.s390x | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64 | | — | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64 | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.s390x | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64 | | — | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64 | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.s390x | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64 | | — | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64 | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.s390x | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64 | | — | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for google-guest-agent",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for google-guest-agent fixes the following issues:\n\nUpdate to version 20260430.00:\n\n * Update dependencies and go version to 1.26.2 (#607)\n (bsc#1265762, CVE-2026-33814)\n * Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 (#604)\n (bsc#1260264, CVE-2026-33186)\n * Backport oslogin changes for sles16 to legacy agent (#603)\n * Bump go.opentelemetry.io/otel/sdk from 1.37.0 to 1.40.0 (#596)\n * Bump google.golang.org/grpc from 1.75.0 to 1.79.3 (#602)\n * Actually finally fix the RPM spec (#601)\n * Correct guest telemetry build target (#600)\n * Add packaging for new telemetry extension (#599)\n * Implement new scheduled job for routes monitor (#598)\n * Add packaging changes for locally bundled extensions feature support (#593)\n * Ensure the uninstall script handles GCE metadata endpoint unavailability. (#591)\n * Disable certificates when security keys are enabled (#588)\n * Move sourcing of per-user configs to the end of sshd_config, fixing 2FA logins. (#590)\n * Source the contents of /var/google-users.d config files. 
(#586)\n * Force remove core plugin configuration for windows (#587)\n * network: force address manager to always consolidate the OS state (#585)\n * Bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#583)\n (bsc#1239334, CVE-2025-22869, bsc#1253889, CVE-2025-58181)\n * Don\u0027t delete the authorized_keys file when an empty key list\n is passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20260424.00\n * Bring topic-stable up to latest point. 
(#606)\n * Bring stable branch up to 822ad49fd52b4d29869604af836a33cb22a667ba (#592)\n * fix start mode for windows on stable release (#584)\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20260423.01\n * Update THIRD_PARTY_LICENSES to be package specific location. (#608)\n- from version 20260423.00\n * Update dependencies and go version to 1.26.2 (#607)\n * Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 (#604)\n * Backport oslogin changes for sles16 to legacy agent (#603)\n * Bump go.opentelemetry.io/otel/sdk from 1.37.0 to 1.40.0 (#596)\n * Bump google.golang.org/grpc from 1.75.0 to 1.79.3 (#602)\n * Actually finally fix the RPM spec (#601)\n * Correct guest telemetry build target (#600)\n * Add packaging for new telemetry extension (#599)\n * Implement new scheduled job for routes monitor (#598)\n * Add packaging changes for locally bundled extensions feature support (#593)\n * Ensure the uninstall script handles GCE metadata endpoint unavailability. (#591)\n * Disable certificates when security keys are enabled (#588)\n * Move sourcing of per-user configs to the end of sshd_config, fixing 2FA logins. (#590)\n * Source the contents of /var/google-users.d config files. 
(#586)\n * Force remove core plugin configuration for windows (#587)\n * network: force address manager to always consolidate the OS state (#585)\n * Bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#583)\n * Don\u0027t delete the authorized_keys file when an empty key\n list is passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20260422.01\n * Bring topic-stable up to latest point. 
(#606)\n * Bring stable branch up to 822ad49fd52b4d29869604af836a33cb22a667ba (#592)\n * fix start mode for windows on stable release (#584)\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20260422.00\n * Update dependencies and go version to 1.26.2 (#607)\n * Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 (#604)\n * Backport oslogin changes for sles16 to legacy agent (#603)\n * Bump go.opentelemetry.io/otel/sdk from 1.37.0 to 1.40.0 (#596)\n * Bump google.golang.org/grpc from 1.75.0 to 1.79.3 (#602)\n * Actually finally fix the RPM spec (#601)\n * Correct guest telemetry build target (#600)\n * Add packaging for new telemetry extension (#599)\n * Implement new scheduled job for routes monitor (#598)\n * Add packaging changes for locally bundled extensions feature support (#593)\n * Ensure the uninstall script handles GCE metadata endpoint unavailability. (#591)\n * Disable certificates when security keys are enabled (#588)\n * Move sourcing of per-user configs to the end of sshd_config, fixing 2FA logins. (#590)\n * Source the contents of /var/google-users.d config files. 
(#586)\n * Force remove core plugin configuration for windows (#587)\n * network: force address manager to always consolidate the OS state (#585)\n * Bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#583)\n * Don\u0027t delete the authorized_keys file when an empty key\n list is passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20260421.00\n * Bring topic-stable up to latest point. 
(#606)\n * Bring stable branch up to 822ad49fd52b4d29869604af836a33cb22a667ba (#592)\n * fix start mode for windows on stable release (#584)\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20260414.00\n * Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 (#604)\n- Bump Go API version to 1.26\n\n- CVE-2026-34986: Fixed crafted JWE input with a missing encrypted\n key can lead to a denial of service (bsc#1262926)\n\n- Update to version 20260402.00: (bsc#1257010)\n\n * Backport oslogin changes for sles16 to legacy agent (#603)\n * Bump go.opentelemetry.io/otel/sdk from 1.37.0 to 1.40.0 (#596)\n * Bump google.golang.org/grpc from 1.75.0 to 1.79.3 (#602)\n * Actually finally fix the RPM spec (#601)\n * Correct guest telemetry build target (#600)\n * Add packaging for new telemetry extension (#599)\n * Implement new scheduled job for routes monitor (#598)\n * Add packaging changes for locally bundled extensions feature support (#593)\n * Ensure the uninstall script handles GCE metadata endpoint unavailability. (#591)\n * Disable certificates when security keys are enabled (#588)\n * Move sourcing of per-user configs to the end of sshd_config, fixing 2FA logins. (#590)\n\n- Update to version 20260108.00\n * Source the contents of /var/google-users.d config files. 
(#586)\n\n- Update to version 20251223.00\n * Force remove core plugin configuration for windows (#587)\n * network: force address manager to always consolidate the OS state (#585)\n * Bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#583)\n * Don\u0027t delete the authorized_keys file when an empty key list\n is passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251218.01\n * fix start mode for windows on stable release (#584)\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251218.00\n * Force remove core 
plugin configuration for windows (#587)\n * network: force address manager to always consolidate the OS state (#585)\n * Bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#583)\n * Don\u0027t delete the authorized_keys file when an empty key list\n is passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251216.00\n * fix start mode for windows on stable release (#584)\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251215.00\n * Force remove core plugin configuration for windows (#587)\n * network: force 
address manager to always consolidate the OS state (#585)\n * Bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#583)\n * Don\u0027t delete the authorized_keys file when an empty key list\n is passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251210.00\n * fix start mode for windows on stable release (#584)\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251209.00\n * Force remove core plugin configuration for windows (#587)\n\n- Update to version 20251208.00\n * network: force address manager to always 
consolidate the OS state (#585)\n * Bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#583)\n * Don\u0027t delete the authorized_keys file when an empty key list is passed\n to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251206.00\n * fix start mode for windows on stable release (#584)\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251205.00\n * network: force address manager to always consolidate the OS state (#585)\n * Bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#583)\n * Don\u0027t delete the 
authorized_keys file when an empty key list\n is passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n\n- Update to version 20251120.01\n * fix start mode for windows on stable release (#584)\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251120.00\n * Don\u0027t delete the authorized_keys file when an empty key list\n is passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n 
* Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251117.00\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251115.00\n * Don\u0027t delete the authorized_keys file when an empty key list is\n passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both 
(#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251108.00\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251107.01\n * Don\u0027t delete the authorized_keys file when an empty key list is\n passed to updateAuthorizedKeysFile (#582)\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to 
enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251031.00\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251030.02\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251030.01\n * Update agent_uninstall.ps1 (#558) (#580)\n * Update go version for stable branch to 1.25 (#571)\n * Add 
adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251030.00\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251011.00\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20251009.01\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if 
core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251009.00\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n\n- Update to version 20251007.00\n * Add Tyler, Saswat, Hank to OWNERS (#577)\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts 
should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251006.01\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin (#557)\n- from version 20251006.00\n * Honor core plugin setting on windows package update (#576)\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20251005.00\n * Update 
go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin (#557)\n- from version 20250930.01\n * Honor core plugin setting on windows package update (#576)\n- from version 20250929.01\n * Restart agent if core plugin is disabled (#575)\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250929.00\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin (#557)\n- from version 20250926.00\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 
(#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250924.02\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin (#557)\n- from version 20250924.01\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL 
packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250924.00\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin (#557)\n\n- Update to version 20250923.01\n * Add extra debug logging around toggling OS Login (#572)\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250923.00\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 
20250921.00\n * Add extra debug logging around toggling OS Login (#572)\n- from version 20250920.01\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250920.00\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20250918.01\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * 
Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250917.01\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20250917.00\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250916.00\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 
20250915.00\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- Disable missing daemon google_guest_agent_manager referenced by google-startup-scripts.service\n\n- Update to version 20250908.00\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin (#557)\n- from version 20250907.00\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable 
core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250905.01\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin (#557)\n- from version 20250905.00\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250902.00\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin 
(#557)\n- Build and install new gce_workload_cert_refresh binary\n- Fix installation source of google_metadata_script_runner_adapt script\n- Install new systemd service file\n * gce-workload-cert-refresh.service\n\n- Update to version 20250901.00\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250831.03\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin (#557)\n- from version 20250831.02\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets 
and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250831.01\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent\n and disable core plugin (#557)\n- from version 20250831.00\n * Update go version to 1.25 (#565)\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250830.02\n * Update go version for stable branch to 1.25 (#571)\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat 
behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent\n and disable core plugin (#557)\n- from version 20250830.01\n * Update go version to 1.25 (#565)\n- from version 20250830.00\n * Add compat adapt script to windows in agent sysprep (#569)\n * Fix adapt to use more portable shebang line (#567)\n * Remove routes script from packaging (#566)\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250828.00\n * Add adapt script in stable branch as per #569 (#570)\n * Backport fix from #567 to stable branch (#568)\n- from version 20250826.00\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and\n disable core plugin (#557)\n- from version 20250821.01\n * Remove routes script from packaging (#566)\n- Update Go API version to 1.25\n\n- Update to version 20250718.00\n\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for 
RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n\n- Update to version 20250709.02\n\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n\n- from version 20250709.01\n\n * Update adapt script to run on startup/shutdown both (#561)\n * Update agent_uninstall.ps1 (#558)\n * Stop core plugin before removing agent package (#554)\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n- from version 20250709.00\n * Revert compat behavior and call known binary directly (#560)\n * Revert compat behavior and call known binary directly (#559)\n * Build rollforward package to re-enable original agent and disable core plugin (#557)\n- from version 20250702.00\n * Update adapt script to run on startup/shutdown both (#561)\n- from version 20250701.01\n * Update agent_uninstall.ps1 (#558)\n- from version 20250701.00\n * Stop core plugin before removing agent package (#554)\n- from version 20250628.00\n * Startup scripts should start after agent manager instead (#553)\n * Update presets and install dependencies on systemd units (#552)\n * Ensure agent service is disabled (#551)\n- from version 20250626.00\n * Disable legacy agent to enable core plugin (#550)\n * Final fix for 
RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n * startup script: wrap compatibility decision into its own scripts (#538)\n * Reapply \"oslogin: Correctly handle newlines at the end of modified files (#520)\" (#523) (#540)\n- from version 20250625.00\n * prepare stable release.\n- Install google_metadata_script_runner_adapt script (bsc#1245759)\n\n- Update to version 20250624.00\n * Final fix for RHEL packaging for routes setup (#549)\n * Fix RHEL packaging for routes scripts (#548)\n * Packaging changes to include routes script installation (#542)\n * Update CLI name in packaging (#543)\n * systemd should manage only the main process (#544)\n * startup script: wrap compatibility decision into its own scripts (#538)\n * Reapply \"oslogin: Correctly handle newlines at the end of modified\n files (#520)\" (#523) (#540)\n- from version 20250611.01\n * prepare stable release.\n- from version 20250611.00\n * startup script: wrap compatibility decision into its own scripts (#538)\n * Reapply \"oslogin: Correctly handle newlines at the end of modified\n files (#520)\" (#523) (#540)\n- from version 20250609.00\n * prepare stable release.\n- from version 20250605.00\n * startup script: wrap compatibility decision into its own scripts (#538)\n * Reapply \"oslogin: Correctly handle newlines at the end of modified\n files (#520)\" (#523) (#540)\n * Make sure agent added connections are activated by NM (#534)\n * wrap NSS cache refresh in a goroutine (#533)\n * Wicked: Only reload interfaces for which configurations are\n written or changed. 
(#524)\n * Add AuthorizedKeysCompat to windows packaging (#530)\n * Remove error messages from gce_workload_cert_refresh and metadata\n script runner (#527)\n * Update guest-logging-go dependency (#526)\n * Add \u0027created-by\u0027 metadata, and pass it as option to logging library (#508)\n * Revert \"oslogin: Correctly handle newlines at the end of\n modified files (#520)\" (#523)\n * Re-enable disabled services if the core plugin was enabled (#522)\n * Enable guest services on package upgrade (#519)\n * oslogin: Correctly handle newlines at the end of modified files (#520)\n * Fix core plugin path (#518)\n * Fix package build issues (#517)\n * Fix dependencies ran go mod tidy -v (#515)\n * Fix debian build path (#514)\n * Bundle compat metadata script runner binary in package (#513)\n * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)\n * Update startup/shutdown services to launch compat manager (#503)\n * Bundle new gce metadata script runner binary in agent package (#502)\n * Revert \"Revert bundling new binaries in the package (#509)\" (#511)\n\n- Update to version 20250604.00\n * Preparing stable build.\n- from version 20250602.00\n * Make sure agent added connections are activated by NM (#534)\n * wrap NSS cache refresh in a goroutine (#533)\n * Wicked: Only reload interfaces for which configurations are written or changed. 
(#524)\n * Add AuthorizedKeysCompat to windows packaging (#530)\n * Remove error messages from gce_workload_cert_refresh and metadata script runner (#527)\n * Update guest-logging-go dependency (#526)\n * Add \u0027created-by\u0027 metadata, and pass it as option to logging library (#508)\n * Revert \"oslogin: Correctly handle newlines at the end of modified files (#520)\" (#523)\n * Re-enable disabled services if the core plugin was enabled (#522)\n * Enable guest services on package upgrade (#519)\n * oslogin: Correctly handle newlines at the end of modified files (#520)\n * Fix core plugin path (#518)\n * Fix package build issues (#517)\n * Fix dependencies ran go mod tidy -v (#515)\n * Fix debian build path (#514)\n * Bundle compat metadata script runner binary in package (#513)\n * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)\n * Update startup/shutdown services to launch compat manager (#503)\n * Bundle new gce metadata script runner binary in agent package (#502)\n * Revert \"Revert bundling new binaries in the package (#509)\" (#511)\n- from version 20250521.00\n * Preparing stable build.\n- from version 20250515.00\n * Make sure agent added connections are activated by NM (#534)\n * wrap NSS cache refresh in a goroutine (#533)\n * Wicked: Only reload interfaces for which configurations are written or changed. 
(#524)\n * Add AuthorizedKeysCompat to windows packaging (#530)\n * Remove error messages from gce_workload_cert_refresh and metadata script runner (#527)\n * Update guest-logging-go dependency (#526)\n * Add \u0027created-by\u0027 metadata, and pass it as option to logging library (#508)\n * Revert \"oslogin: Correctly handle newlines at the end of modified files (#520)\" (#523)\n * Re-enable disabled services if the core plugin was enabled (#522)\n * Enable guest services on package upgrade (#519)\n * oslogin: Correctly handle newlines at the end of modified files (#520)\n * Fix core plugin path (#518)\n * Fix package build issues (#517)\n * Fix dependencies ran go mod tidy -v (#515)\n * Fix debian build path (#514)\n * Bundle compat metadata script runner binary in package (#513)\n * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)\n * Update startup/shutdown services to launch compat manager (#503)\n * Bundle new gce metadata script runner binary in agent package (#502)\n * Revert \"Revert bundling new binaries in the package (#509)\" (#511)\n\n- Update to version 20250508.00\n * Preparing stable build.\n\n- from version 20250506.01 (bsc#1243254, bsc#1243505)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLE-Micro-6.1-577",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_22133-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:22133-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202622133-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:22133-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-June/026810.html"
},
{
"category": "self",
"summary": "SUSE Bug 1210938",
"url": "https://bugzilla.suse.com/1210938"
},
{
"category": "self",
"summary": "SUSE Bug 1239334",
"url": "https://bugzilla.suse.com/1239334"
},
{
"category": "self",
"summary": "SUSE Bug 1239944",
"url": "https://bugzilla.suse.com/1239944"
},
{
"category": "self",
"summary": "SUSE Bug 1243254",
"url": "https://bugzilla.suse.com/1243254"
},
{
"category": "self",
"summary": "SUSE Bug 1243505",
"url": "https://bugzilla.suse.com/1243505"
},
{
"category": "self",
"summary": "SUSE Bug 1245759",
"url": "https://bugzilla.suse.com/1245759"
},
{
"category": "self",
"summary": "SUSE Bug 1253889",
"url": "https://bugzilla.suse.com/1253889"
},
{
"category": "self",
"summary": "SUSE Bug 1257010",
"url": "https://bugzilla.suse.com/1257010"
},
{
"category": "self",
"summary": "SUSE Bug 1260264",
"url": "https://bugzilla.suse.com/1260264"
},
{
"category": "self",
"summary": "SUSE Bug 1262926",
"url": "https://bugzilla.suse.com/1262926"
},
{
"category": "self",
"summary": "SUSE Bug 1265762",
"url": "https://bugzilla.suse.com/1265762"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22868 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22868/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22869 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22869/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58181 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58181/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33186 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33186/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33814 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33814/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-34986 page",
"url": "https://www.suse.com/security/cve/CVE-2026-34986/"
}
],
"title": "Security update for google-guest-agent",
"tracking": {
"current_release_date": "2026-06-12T08:44:33Z",
"generator": {
"date": "2026-06-12T08:44:33Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:22133-1",
"initial_release_date": "2026-06-12T08:44:33Z",
"revision_history": [
{
"date": "2026-06-12T08:44:33Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64",
"product": {
"name": "google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64",
"product_id": "google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le",
"product": {
"name": "google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le",
"product_id": "google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "google-guest-agent-20260430.00-slfo.1.1_1.1.s390x",
"product": {
"name": "google-guest-agent-20260430.00-slfo.1.1_1.1.s390x",
"product_id": "google-guest-agent-20260430.00-slfo.1.1_1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64",
"product": {
"name": "google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64",
"product_id": "google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.1",
"product": {
"name": "SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sl-micro:6.1"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64 as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64"
},
"product_reference": "google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le"
},
"product_reference": "google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-guest-agent-20260430.00-slfo.1.1_1.1.s390x as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.s390x"
},
"product_reference": "google-guest-agent-20260430.00-slfo.1.1_1.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64 as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64"
},
"product_reference": "google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-22868",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22868"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22868",
"url": "https://www.suse.com/security/cve/CVE-2025-22868"
},
{
"category": "external",
"summary": "SUSE Bug 1239185 for CVE-2025-22868",
"url": "https://bugzilla.suse.com/1239185"
},
{
"category": "external",
"summary": "SUSE Bug 1239186 for CVE-2025-22868",
"url": "https://bugzilla.suse.com/1239186"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-12T08:44:33Z",
"details": "important"
}
],
"title": "CVE-2025-22868"
},
{
"cve": "CVE-2025-22869",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22869"
}
],
"notes": [
{
"category": "general",
"text": "SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22869",
"url": "https://www.suse.com/security/cve/CVE-2025-22869"
},
{
"category": "external",
"summary": "SUSE Bug 1239322 for CVE-2025-22869",
"url": "https://bugzilla.suse.com/1239322"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-12T08:44:33Z",
"details": "important"
}
],
"title": "CVE-2025-22869"
},
{
"cve": "CVE-2025-58181",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58181"
}
],
"notes": [
{
"category": "general",
"text": "SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58181",
"url": "https://www.suse.com/security/cve/CVE-2025-58181"
},
{
"category": "external",
"summary": "SUSE Bug 1253784 for CVE-2025-58181",
"url": "https://bugzilla.suse.com/1253784"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-12T08:44:33Z",
"details": "moderate"
}
],
"title": "CVE-2025-58181"
},
{
"cve": "CVE-2026-33186",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33186"
}
],
"notes": [
{
"category": "general",
"text": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy that contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33186",
"url": "https://www.suse.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "SUSE Bug 1260085 for CVE-2026-33186",
"url": "https://bugzilla.suse.com/1260085"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-12T08:44:33Z",
"details": "important"
}
],
"title": "CVE-2026-33186"
},
{
"cve": "CVE-2026-33814",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33814"
}
],
"notes": [
{
"category": "general",
"text": "When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33814",
"url": "https://www.suse.com/security/cve/CVE-2026-33814"
},
{
"category": "external",
"summary": "SUSE Bug 1264506 for CVE-2026-33814",
"url": "https://bugzilla.suse.com/1264506"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-12T08:44:33Z",
"details": "important"
}
],
"title": "CVE-2026-33814"
},
{
"cve": "CVE-2026-34986",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-34986"
}
],
"notes": [
{
"category": "general",
"text": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-34986",
"url": "https://www.suse.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "SUSE Bug 1262805 for CVE-2026-34986",
"url": "https://bugzilla.suse.com/1262805"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.aarch64",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.ppc64le",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.s390x",
"SUSE Linux Micro 6.1:google-guest-agent-20260430.00-slfo.1.1_1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-12T08:44:33Z",
"details": "important"
}
],
"title": "CVE-2026-34986"
}
]
}
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.