Detections
Analytics

openSUSE 15 Security Update : kanidm (openSUSE-SU-2025:0152-1)

low Nessus Plugin ID 235789

Synopsis

The remote openSUSE host is missing a security update.

Description

The remote openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE- SU-2025:0152-1 advisory.

 - Update to version 1.6.2~git0.a20663ea8:
 * Release 1.6.2
 * fix: clippy
 * maint: typo in log message
 * Set kid manually to prevent divergence
 * Order keys in application JWKS / Fix rotation bug
 * Fix toml issues with strings

 - Update to version 1.6.1~git0.2e4429eca:
 * Release 1.6.1
 * Resolve reload of oauth2 on startup (#3604)

 - CVE-2025-3416: Fixed openssl use after free (boo#1242642)

 - Update to version 1.6.0~git0.d7ae0f336:
 * Release 1.6.0
 * Avoid openssl for md4
 * Fixes #3586, inverts the navbar button color (#3593)
 * Release 1.6.0-pre
 * chore: Release Notes (#3588)
 * Do not require instances to exist during optional config load (#3591)
 * Fix std::fmt::Display for some objects (#3587)
 * Drop fernet in favour of JWE (#3577)
 * docs: document how to configure oauth2 for opkssh (#3566)
 * Add kanidm_ssh_authorizedkeys_direct to client deb (#3585)
 * Bump the all group in /pykanidm with 2 updates (#3581)
 * Update dependencies, fix a bunch of clippy lints (#3576)
 * Support spaces in ssh key comments (#3575)
 * 20250402 3423 proxy protocol (#3542)
 * fix(web): Preserve SSH key content on form validation error (#3574)
 * Bump the all group in /pykanidm with 3 updates (#3572)
 * Bump the all group in /pykanidm with 2 updates (#3564)
 * Bump crossbeam-channel from 0.5.14 to 0.5.15 in the cargo group (#3560)
 * Improve token handling (#3553)
 * Bump tokio from 1.44.1 to 1.44.2 in the cargo group (#3549)
 * Update fs4 and improve klock handling (#3551)
 * Less footguns (#3552)
 * Unify unix config parser (#3533)
 * Bump openssl from 0.10.71 to 0.10.72 in the cargo group (#3544)
 * Bump the all group in /pykanidm with 8 updates (#3547)
 * implement notify-reload protocol (#3540)
 * Allow versioning of server configs (#3515)
 * 20250314 remove protected plugin (#3504)
 * Bump the all group with 10 updates (#3539)
 * Bump mozilla-actions/sccache-action from 0.0.8 to 0.0.9 in the all group (#3538)
 * Bump the all group in /pykanidm with 4 updates (#3537)
 * Add max_ber_size to freeipa sync (#3530)
 * Bump the all group in /pykanidm with 5 updates (#3524)
 * Update Concread
 * Update developer_ethics.md (#3520)
 * Update examples.md (#3519)
 * Make schema indexing a boolean instead of index types (#3517)
 * Add missing lld dependency and fix syntax typo (#3490)
 * Update shell.nix to work with stable nixpkgs (#3514)
 * Improve unixd tasks channel comments (#3510)
 * Update kanidm_ppa_automation reference to latest (#3512)
 * Add set-description to group tooling (#3511)
 * packaging: Add kanidmd deb package, update documentation (#3506)
 * Bump the all group in /pykanidm with 5 updates (#3508)
 * 20250313 unixd system cache (#3501)
 * Support rfc2307 memberUid in sync operations. (#3466)
 * Bump mozilla-actions/sccache-action from 0.0.7 to 0.0.8 in the all group (#3496)
 * Update Traefik config example to remove invalid label (#3500)
 * Add uid/gid allocation table (#3498)
 * 20250225 ldap testing in testkit (#3460)
 * Bump the all group in /pykanidm with 5 updates (#3494)
 * Bump ring from 0.17.10 to 0.17.13 in the cargo group (#3491)
 * Handle form-post as a response mode (#3467)
 * book: fix english (#3487)
 * Correct paths with Kanidm Tools Container (#3486)
 * 20250225 improve test performance (#3459)
 * Bump the all group in /pykanidm with 8 updates (#3484)
 * Use lld by default on linux (#3477)
 * 20250213 patch used wrong acp (#3432)
 * Android support (#3475)
 * Changed all CI/CD builds to locked (#3471)
 * Make it a bit clearer that providers are needed (#3468)
 * Fix incorrect credential generation in radius docs (#3465)
 * Add crypt formats for password import (#3458)
 * build: Create daemon image from scratch (#3452)
 * address webfinger doc feedbacks (#3446)
 * Bump the all group across 1 directory with 5 updates (#3453)
 * [htmx] Admin ui for groups and users management (#3019)
 * Fixes #3406: add configurable maximum queryable attributes for LDAP (#3431)
 * Accept invalid certs and fix token_cache_path (#3439)
 * Accept lowercase ldap pwd hashes (#3444)
 * TOTP label verification (#3419)
 * Rewrite WebFinger docs (#3443)
 * doc: fix formatting of URL table, remove Caddyfile instructions (#3442)
 * book: add OAuth2 Proxy example (#3434)
 * Exempt idm_admin and admin from denied names. (#3429)
 * Book fixes (#3433)
 * ci: uniform Docker builds (#3430)
 * 20240213 3413 domain displayname (#3425)
 * Correct path to kanidm config example in documentation. (#3424)
 * Support redirect uris with query parameters (#3422)
 * Update to 1.6.0-dev (#3418)
 * Remove white background from square logo. (#3417)
 * feat: Added webfinger implementation (#3410)
 * Bump the all group in /pykanidm with 7 updates (#3412)

 - Update to version 1.5.0~git2.21c2a1bd0:
 * fix: documentation fail (#3555)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected kanidm, kanidm-clients, kanidm-server and / or kanidm-unixd-clients packages.

See Also

https://bugzilla.suse.com/1242642

http://www.nessus.org/u?e7b92075

https://www.suse.com/security/cve/CVE-2025-3416

Plugin Details

Severity: Low

ID: 235789

File Name: openSUSE-2025-0152-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 5/13/2025

Updated: 5/13/2025

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.2

CVSS v2

Risk Factor: Low

Base Score: 2.6

Temporal Score: 1.9

Vector: CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2025-3416

CVSS v3

Risk Factor: Low

Base Score: 3.7

Temporal Score: 3.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:opensuse:15.6, p-cpe:/a:novell:opensuse:kanidm-server, p-cpe:/a:novell:opensuse:kanidm-clients, p-cpe:/a:novell:opensuse:kanidm, p-cpe:/a:novell:opensuse:kanidm-unixd-clients

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 5/12/2025

Vulnerability Publication Date: 4/8/2025

Reference Information

CVE: CVE-2025-3416