SUSE SLED15 / SLES15 Security Update : cargo-auditable (SUSE-SU-2026:0506-1)

medium Nessus Plugin ID 299042

Synopsis

The remote SUSE host is missing a security update.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2026:0506-1 advisory.

Update to version 0.7.2~0.

Security issues fixed:

- CVE-2026-25727: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion (bsc#1257906).

Other updates and bugfixes:

- Update to version 0.7.2~0:

* mention cargo-dist in README
* commit Cargo.lock
* bump which dev-dependency to 8.0.0
* bump object to 0.37
* Upgrade cargo_metadata to 0.23
* Expand the set of dist platforms in config

- Update to version 0.7.1~0:

* Opt out of unhelpful clippy lint
* Satisfy clippy
* Do not assume --crate-name and --out-dir are present in the rustc command, but show warnings if they aren't
* Run apt-get update before trying to install packages
* run `cargo dist init` on dist 0.30
* Drop allow-dirty from dist config, should no longer be needed
* Reorder paragraphs in README
* Note the maintenance transition for the go extraction library
* Editing pass on the adopters: scanners
* clarify Docker support
* Cargo clippy fix
* Add Wolfi OS and Chainguard to adopters
* Update mentions around Anchore tooling
* README and documentation updates for nightly
* Bump dependency version in rust-audit-info
* More work on docs
* Nicer formatting on format revision documentation
* Bump versions
* regenerate JSON schema
* cargo fmt
* Document format field
* Make it more clear that RawVersionInfo is private
* Add format field to the serialized data
* cargo clippy fix
* Add special handling for proc macros to treat them as the build dependencies they are
* Add a test to ensure proc macros are reported as build dependencies
* Add a test fixture for a crate with a proc macro dependency
* parse fully qualified package ID specs from SBOMs
* select first discovered SBOM file
* cargo sbom integration
* Get rid of unmaintained wee_alloc in test code to make people's scanners misled by GHSA chill out
* Don't fail plan workflow due to manually changed release.yml
* Bump Ubuntu version to hopefully fix release.yml workflow
* Add test for stripped binary
* Bump version to 0.6.7
* Populate changelog
* README.md: add auditable2cdx, more consistency in text
* Placate clippy
* Do not emit -Wl if a bare linker is in use
* Get rid of a compiler warning
* Add bare linker detection function
* drop boilerplate from test that's no longer relevant
* Add support for recovering rustc codegen options
* More lenient parsing of rustc arguments
* More descriptive error message in case rustc is killed abruptly
* change formatting to fit rustfmt
* More descriptive error message in case cargo is killed
* Update REPLACING_CARGO.md to fix #195
* Clarify osv-scanner support in README
* Include the command required to view metadata
* Mention wasm-tools support
* Switch from broken generic cache action to a Rust-specific one
* Fill in various fields in auditable2cdx Cargo.toml
* Include osv-scanner in the list, with a caveat
* Add link to blint repo to README
* Mention that blint supports our data
* Consolidate target definitions
* Account for WASM test dependencies changing, commit the Cargo.lock so they would stop doing that
* Migrate to a maintained toolchain action
* Fix author specification
* Add link to repository to resolverver Cargo.toml
* Bump resolverver to 0.1.0
* Add resolverver crate to the tree

- Update to version 0.6.6~0:

* Note the `object` upgrade in the changelog
* Upgrade cyclonedx-bom from 0.5 to 0.8 in auditable-cyclonedx
* Upgrade object crate from 0.30 to 0.36 to reduce dependency footprint
* Update dependencies in the lock file
* Populate changelog
* apply clippy lint
* add another --emit parsing test
* shorter code with cargo fmt
* Actually fix cargo-c compatibility
* Attempt to fix cargo-capi incompatibility
* Refactoring in preparation for fixes
* Also read the --emit flag to rustc
* Fill in changelogs
* Bump versions
* Drop cfg'd out tests
* Drop obsolete doc line
* Move dependency cycle tests from auditable-serde to cargo-auditable crate
* Remove cargo_metadata from auditable-serde API surface.
* Apply clippy lint
* Upgrade miniz_oxide to 0.8.0
* Insulate our semver from miniz_oxide semver
* Add support for Rust 2024 edition
* Update tests
* More robust OS detection for riscv feature detection
* bump version
* update changelog for auditable-extract 0.3.5
* Fix wasm component auditable data extraction
* Update blocker description in README.md
* Add openSUSE to adopters
* Update list of known adopters
* Fix detection of `riscv64-linux-android` target features
* Silence noisy lint
* Bump version requirement in rust-audit-info
* Fill in changelogs
* Bump semver of auditable-info
* Drop obsolete comment now that wasm is enabled by default
* Remove dependency on cargo-lock
* Brag about adoption in the README
* Don't use LTO for cargo-dist builds to make them consistent with `cargo install` etc
* Also build musl binaries
* dist: update dist config for future releases
* dist(cargo-auditable): ignore auditable2cdx for now
* chore: add cargo-dist

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected cargo-auditable package.

See Also

https://bugzilla.suse.com/1257906

http://www.nessus.org/u?7a4c92f2

https://www.suse.com/security/cve/CVE-2026-25727

Plugin Details

Severity: Medium

ID: 299042

File Name: suse_SU-2026-0506-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 2/14/2026

Updated: 2/14/2026

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-25727

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.8

Threat Score: 3.3

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:cargo-auditable, cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 2/13/2026

Vulnerability Publication Date: 2/5/2026

Reference Information

CVE: CVE-2026-25727

SuSE: SUSE-SU-2026:0506-1