Detections
Analytics

openSUSE 16 Security Update : git-bug (openSUSE-SU-2025-20143-1)

critical Nessus Plugin ID 277676

Language:

Synopsis

The remote openSUSE host is missing one or more security updates.

Description

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2025-20143-1 advisory.

 Changes in git-bug:

 - Revendor to include fixed version of depending libraries:
 - GO-2025-4116 (CVE-2025-47913, bsc#1253506) upgrade golang.org/x/crypto to v0.43.0
 - GO-2025-3900 (GHSA-2464-8j7c-4cjm) upgrade github.com/go-viper/mapstructure/v2 to v2.4.0
 - GO-2025-3787 (GHSA-fv92-fjc5-jj9h) included in the previous
 - GO-2025-3754 (GHSA-2x5j-vhc8-9cwm) upgrade github.com/cloudflare/circl to v1.6.1
 - GO-2025-4134 (CVE-2025-58181, bsc#1253930) upgrade golang.org/x/crypto/ssh to v0.45.0
 - GO-2025-4135 (CVE-2025-47914, bsc#1254084) upgrade golang.org/x/crypto/ssh/agent to v0.45.0

 - Revendor to include golang.org/x/net/html v 0.45.0 to prevent possible DoS by various algorithms with quadratic complexity when parsing HTML documents (bsc#1251463, CVE-2025-47911 and bsc#1251664, CVE-2025-58190).

 Update to version 0.10.1:

 - cli: ignore missing sections when removing configuration (ddb22a2f)

 Update to version 0.10.0:

 - bridge: correct command used to create a new bridge (9942337b)
 - web: simplify header navigation (7e95b169)
 - webui: remark upgrade + gfm + syntax highlighting (6ee47b96)
 - BREAKING CHANGE: dev-infra: remove gokart (89b880bd)

 Update to version 0.10.0:

 - bridge: correct command used to create a new bridge (9942337b)
 - web: simplify header navigation (7e95b169)
 - web: remark upgrade + gfm + syntax highlighting (6ee47b96)

 Update to version 0.9.0:

 - completion: remove errata from string literal (aa102c91)
 - tui: improve readability of the help bar (23be684a)

 Update to version 0.8.1+git.1746484874.96c7a111:

 * docs: update install, contrib, and usage documentation (#1222)
 * fix: resolve the remote URI using url.*.insteadOf (#1394)
 * build(deps): bump the go_modules group across 1 directory with 3 updates (#1376)
 * chore: gofmt simplify gitlab/export_test.go (#1392)
 * fix: checkout repo before setting up go environment (#1390)
 * feat: bump to go v1.24.2 (#1389)
 * chore: update golang.org/x/net (#1379)
 * fix: use -0700 when formatting time (#1388)
 * fix: use correct url for gitlab PATs (#1384)
 * refactor: remove depdendency on pnpm for auto-label action (#1383)
 * feat: add action: auto-label (#1380)
 * feat: remove lifecycle/frozen (#1377)
 * build(deps): bump the npm_and_yarn group across 1 directory with 12 updates (#1378)
 * feat: support new exclusion label: lifecycle/pinned (#1375)
 * fix: refactor how gitlab title changes are detected (#1370)
 * revert: Create Dependabot config file (#1374)
 * refactor: rename //:git-bug.go to //:main.go (#1373)
 * build(deps): bump github.com/vektah/gqlparser/v2 from 2.5.16 to 2.5.25 (#1361)
 * fix: set GitLastTag to an empty string when git-describe errors (#1355)
 * chore: update go-git to v5@masterupdate_mods (#1284)
 * refactor: Directly swap two variables to optimize code (#1272)
 * Update README.md Matrix link to new room (#1275)

 - Update to version 0.8.0+git.1742269202.0ab94c9:
 * deps(crypto): bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for CVE-2024-45337) (#1312)

 - Update golang.org/x/crypto/ssh to v0.35.0 (bsc#1239494, CVE-2025-22869).

 - Add missing Requires to completion subpackages.

 Update to version 0.8.0+git.1733745604.d499b6e:

 * fix typos in docs (#1266)
 * build(deps): bump github.com/go-git/go-billy/v5 from 5.5.0 to 5.6.0 (#1289)

 - bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for CVE-2024-45337, bsc#1234565).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected git-bug, git-bug-bash-completion, git-bug-fish-completion and / or git-bug-zsh-completion packages.

See Also

https://bugzilla.suse.com/1234565

https://bugzilla.suse.com/1239494

https://bugzilla.suse.com/1251463

https://bugzilla.suse.com/1251664

https://bugzilla.suse.com/1253506

https://bugzilla.suse.com/1253930

https://bugzilla.suse.com/1254084

https://www.suse.com/security/cve/CVE-2024-45337

https://www.suse.com/security/cve/CVE-2025-22869

https://www.suse.com/security/cve/CVE-2025-47911

https://www.suse.com/security/cve/CVE-2025-47913

https://www.suse.com/security/cve/CVE-2025-47914

https://www.suse.com/security/cve/CVE-2025-58181

https://www.suse.com/security/cve/CVE-2025-58190

Plugin Details

Severity: Critical

ID: 277676

File Name: openSUSE-2025-20143-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 12/8/2025

Updated: 12/8/2025

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

CVSS Score Source: CVE-2024-45337

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:git-bug-bash-completion, p-cpe:/a:novell:opensuse:git-bug-zsh-completion, p-cpe:/a:novell:opensuse:git-bug-fish-completion, p-cpe:/a:novell:opensuse:git-bug

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/4/2025

Vulnerability Publication Date: 12/11/2024

Reference Information

CVE: CVE-2024-45337, CVE-2025-22869, CVE-2025-47911, CVE-2025-47913, CVE-2025-47914, CVE-2025-58181, CVE-2025-58190