Detections
Analytics
openSUSE 16 Security Update : sbctl (openSUSE-SU-2026:20105-1)
medium Nessus Plugin ID 296569
Synopsis
The remote openSUSE host is missing one or more security updates.Description
The remote openSUSE 16 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20105-1 advisory.Changes in sbctl:
- Upgrade the embedded golang.org/x/net to 0.46.0
* Fixes: bsc#1251399, CVE-2025-47911: various algorithms with quadratic complexity when parsing HTML documents
* Fixes: bsc#1251609, CVE-2025-58190: excessive memory consumption by 'html.ParseFragment' when processing specially crafted input
- Update to version 0.18:
* logging: fixup new go vet warning
* workflows: add cc for cross compile
* workflow: add sudo to apt
* workflow: add pcsclite to ci
* workflow: try enable cgo
* go.mod: update golang.org/x/ dependencies
* fix: avoid adding bogus Country attribute to subject DNs
* sbctl: only store file if we did actually sign the file
* installkernel: add post install hook for Debian's traditional installkernel
* CI: missing libpcsclite pkg
* workflows: add missing depends and new pattern keyword
* Add yubikey example for create keys to the README
* Initial yubikey backend keytype support
* verify: ensure we pass args in correct order
- bsc#1248949 (CVE-2025-58058):
Bump xz to 0.5.14
- Update to version 0.17:
* Ensure we don't wrongly compare input/output files when signing
* Added --json supprt to sbctl verify
* Ensure sbctl setup with no arguments returns a helpful output
* Import latest Microsoft keys for KEK and db databases
* Ensure we print the path of the file when encountering an invalid PE file
* Misc fixups in tests
* Misc typo fixes in prints
- Update to version 0.16:
* Ensure sbctl reads --config even if /etc/sbctl/sbctl.conf is present
* Fixed a bug where sbctl would abort if the TPM eventlog contains the same byte multiple times
* Fixed a landlock bug where enroll-keys --export did not work
* Fixed a bug where an ESP mounted to multiple paths would not be detected
* Exporting keys without efivars present work again
* sbctl sign will now use the saved output path if the signed file is enrolled
* enroll-keys --append will now work without --force.
- Updates from version 0.15.4:
* Fixed an issue where sign-all did not report a non-zero exit code when something failed
* Fixed and issue where we couldn't write to a file with landlock
* Fixed an issue where --json would print the human readable output and the json
* Fixes landlock for UKI/bundles by disabling the sandbox feature
* Some doc fixups that mentioned /usr/share/
Tenable has extracted the preceding description block directly from the SUSE security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected sbctl package.See Also
https://bugzilla.suse.com/1248949
https://bugzilla.suse.com/1251399
https://bugzilla.suse.com/1251609
https://www.suse.com/security/cve/CVE-2025-47911
Plugin Details
Severity: Medium
ID: 296569
File Name: openSUSE-2026-20105-1.nasl
Version: 1.1
Type: local
Agent: unix
Family: SuSE Local Security Checks
Published: 1/26/2026
Updated: 1/26/2026
Supported Sensors: Continuous Assessment, Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Low
Score: 1.4
CVSS v2
Risk Factor: Medium
Base Score: 5
Temporal Score: 3.7
Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS Score Source: CVE-2025-58190
CVSS v3
Risk Factor: Medium
Base Score: 5.3
Temporal Score: 4.6
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
CVSS Score Source: CVE-2025-58058
Vulnerability Information
CPE: cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:sbctl
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Ease: No known exploits are available
Patch Publication Date: 1/23/2026
Vulnerability Publication Date: 8/28/2025