Detections
Analytics

openSUSE 16 Security Update : go-sendxmpp (openSUSE-SU-2026:20058-1)

medium Nessus Plugin ID 291338

Synopsis

The remote openSUSE host is missing one or more security updates.

Description

The remote openSUSE 16 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20058-1 advisory.

 Changes in go-sendxmpp:

 - Update to 0.15.1:
 Added
 * Add XEP-0359 Origin-ID to messages (requires go-xmpp >= v0.2.18).
 Changed
 * HTTP upload: Ignore timeouts on disco IQs as some components do not reply.
 - Upgrades the embedded golang.org/x/net to 0.46.0
 * Fixes: bsc#1251461, CVE-2025-47911: various algorithms with quadratic complexity when parsing HTML documents
 * Fixes: bsc#1251677, CVE-2025-58190: excessive memory consumption by 'html.ParseFragment' when processing specially crafted input

 - Update to 0.15.0:
 Added:
 * Add flag --verbose to show debug information.
 * Add flag --recipients to specify recipients by file.
 * Add flag --retry-connect to try after a waiting time if the connection fails.
 * Add flag --retry-connect-max to specify the amount of retry attempts.
 * Add flag --legacy-pgp for using XEP-0027 PGP encryption with Ox keys.
 * Add support for punycode domains.
 Changed:
 * Update gopenpgp library to v3.
 * Improve error detection for MUC joins.
 * Don't try to connect to other SRV record targets if error contains 'auth-failure'.
 * Remove support for old SSDP version (via go-xmpp v0.2.15).
 * Http-upload: Stop checking other disco items after finding upload component.
 * Increase default TLS version to 1.3.
 - bsc#1241814 (CVE-2025-22872): This update includes golang.org/x/net/html 0.43.0

 - Update to 0.14.1:
 * Use prettier date format for error messages.
 * Update XEP-0474 to version 0.4.0 (requires go-xmpp >= 0.2.10).

 - Update to 0.14.0:
 Added:
 * Add --fast-invalidate to allow invalidating the FAST token.
 Changed:
 * Don't create legacy Ox private key directory in ~/.local/share/go-sendxmpp/oxprivkeys.
 * Delete legacy Ox private key directory if it's empty.
 * Show proper error if saved FAST mechanism isn't usable with current TLS version (requires go-xmpp >= 0.2.9).
 * Print debug output to stdout, not stderr (requires go-xmpp >= 0.2.9).
 * Show RECV: and SEND: prefix for debug output (requires go-xmpp >= 0.2.9).
 * Delete stored fast token if --fast-invalidate and --fast-off are set.
 * Show error when FAST creds are stored but non-FAST mechanism is requested.

 - Update to 0.13.0:
 Added:
 * Add --anonymous to support anonymous authentication (requires go-xmpp >= 0.2.8).
 * Add XEP-0480: SASL Upgrade Tasks support (requires go-xmpp >= 0.2.8).
 * Add support for see-other-host stream error (requires go-xmpp >= 0.2.8).
 Changed:
 * Don't automatically try other auth mechanisms if FAST authentication fails.

 - Update to 0.12.1:
 Changed:
 * Print error instead of quitting if a message of type error is received.
 * Allow upload of multiple files.
 Added:
 * Add flag --suppress-root-warning to suppress the warning when go-sendxmpp is used by the root user.

 - Update to 0.12.0:
 Added:
 * Add possibility to look up direct TLS connection endpoint via hostmeta2 (requires xmppsrv >= 0.3.3).
 * Add flag --allow-plain to allow PLAIN authentication (requires go-xmpp >= 0.2.5).
 Changed:
 * Disable PLAIN authentication per default.
 * Disable PLAIN authentication after first use of a SCRAM auth mechanism (overrides --allow-plain) (requires go-xmpp >= 0.2.5).

 - Update to 0.11.4:
 * Fix bug in SCRAM-SHA-256-PLUS (via go-xmpp >= 0.2.4).

 - Update to 0.11.3:
 * Add go-xmpp library version to --version output (requires go-xmpp >= 0.2.2).
 * Fix XEP-0474: SASL SCRAM Downgrade Protection hash calculation bug (via go-xmpp >= v0.2.3).
 * [gocritic]: Improve code quality.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected go-sendxmpp package.

See Also

https://bugzilla.suse.com/1241814

https://bugzilla.suse.com/1251461

https://bugzilla.suse.com/1251677

https://www.suse.com/security/cve/CVE-2025-22872

https://www.suse.com/security/cve/CVE-2025-47911

https://www.suse.com/security/cve/CVE-2025-58190

Plugin Details

Severity: Medium

ID: 291338

File Name: openSUSE-2026-20058-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 1/19/2026

Updated: 1/19/2026

Supported Sensors: Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.0

CVSS v2

Risk Factor: Medium

Base Score: 5.1

Temporal Score: 3.8

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2025-22872

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 5.3

Threat Score: 1.3

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Vulnerability Information

CPE: cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:go-sendxmpp

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 1/17/2026

Vulnerability Publication Date: 3/27/2025

Reference Information

CVE: CVE-2025-22872, CVE-2025-47911, CVE-2025-58190