Synopsis
The remote SUSE host is missing a security update.
Description
The remote SUSE Linux SLES15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2025:03448-1 advisory.
Update to version 4.6.4.
Security issues fixed:
- CVE-2025-58058: xz: excessive memory consumption when unpacking a large number of corrupted LZMA archives (bsc#1248906).
Other issues fixed:
- Convert disk booleans from `wwbool` to `*bool` which allows bools in disk to be set to false via command line (bsc#1248768).
- Fix `wwctl` upgrade nodes to handle kernel argument lists (bsc#1227686, bsc#1227465).
- Mark `slurm` as recommended in the `warewulf4-overlay-slurm` package (bsc#1246082).
- Switch to `dnsmasq` as default DHCP and TFTP provider.
- v4.6.4 release updates:
* Update NetworkManager Overlay
* Disable IPv4 in NetworkManager if no address or route is specified
* Fix(`wwctl`): create overlay edit `tempfile` in `tmpdir`
* Add default for systemd name for warewulf in `warewulf.conf`
* Atomic overlay file application in `wwclient`
* Simpler names for overlay methods
* Fix `warewulfd` API behavior when deleting distribution overlay
- v4.6.3 release updates:
* IPv6 iPXE support
* Fix a race condition in `wwctl` overlay edit
* Fixed handling of comma-separated mount options in `fstab` and `ignition` overlays
* Move `reexec.Init()` to beginning of `wwctl`
* Added `warewuld` configure option
* Address copilot review from #1945
* Bugfix: cloning a site overlay when parent dir does not exist
* Clone to a site overlay when adding files in `wwapi`
* Consolidated `createOverlayFile` and `updateOverlayFile` to `addOverlayFile`
* Support for creating and updating overlay file in `wwapi`
* Only return overlay files that refer to a path within the overlay
* Add overlay file deletion support
* `DELETE /api/overlays/{id}?force=true` can delete overlays in use
* Restore idempotency of `PUT /api/nodes/{id}`
* Simplify overlay mtime API and add tests
* Add node overlay buildtime
* Improved `netplan` support
* Rebuild overlays for discovered nodes
- v4.6.2 release updates:
* (preview) support for provisioning to local disk
- incorporated from v4.6.1:
* REST API, which is disabled in the default configuration
Tenable has extracted the preceding description block directly from the SUSE security advisory.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Update the affected packages.
Plugin Details
File Name: suse_SU-2025-03448-1.nasl
Agent: unix
Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:novell:suse_linux:warewulf4-reference-doc, p-cpe:/a:novell:suse_linux:warewulf4-man, p-cpe:/a:novell:suse_linux:warewulf4, p-cpe:/a:novell:suse_linux:warewulf4-overlay, cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:warewulf4-overlay-slurm, p-cpe:/a:novell:suse_linux:warewulf4-dracut
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Ease: No known exploits are available
Patch Publication Date: 10/2/2025
Vulnerability Publication Date: 8/28/2025