openSUSE 16 Security Update : openQA, os-autoinst, openQA-devel-container (openSUSE-SU-2026:20261-1)

critical Nessus Plugin ID 300098

Synopsis

The remote openSUSE host is missing a security update.

Description

The remote openSUSE 16 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2026:20261-1 advisory.

Changes in openQA:

- Update to version 5.1771422749.560a3b26:
* fix(mcp): set navbar check expression to read-only
* feat: support inverted result filters in /tests/overview
* fix(test): Enable helm install-chart test again
* git subrepo pull (merge) --force external/os-autoinst-common
* feat: Make allowed hosts for SCENARIO_DEFINITIONS_YAML_FILE configurable
* test: Consider everything under `lib/OpenQA/Shared/` covered
* fix: Provide specific error message if job was removed `enqueue__track`
* refactor: Remove useless error message in `enqueue_and_keep_track`
* test: Cover case of successful executing in `enqueue_and_keep_track`
* refactor: Simplify error handling of `enqueue_and_keep_track`
* test: Cover error handling of `enqueue_and_keep_track`
* test: Consider shared session controller fully covered
* refactor: Avoid duplications in sessions controller
* refactor: Use signatures in session controller code
* test: Cover error handling in case of a bad CSRF token
* test: Cover test route for session
* fix(worker): reject jobs explicitly when worker is stopping
* feat: Remove workaround for codecov and gpg
* feat: Switch to Leap 16 in Helm charts
* feat: Switch to Leap 16.0 in openqa_data container
* feat: Replace all Leap 15.6 with 16.0 in docs and scripts
* test: Cover showing special image when backend has terminated
* fix: Use new apachectl command
* Update openQA containers to Leap 16.0
* test: Extend tests for controller handling live view
* refactor: Move throttling into its own function
* feat(throttling): throttle jobs resources based on parameters size
* refactor: Avoid repeated use of `$t->app->minion` in gru tasks tests
* feat: Allow archiving jobs with infinite important storage durations
* feat: Flag jobs without results as archived for consistency
* feat: Remove one corner case preventing jobs from being archived

- Update to version 5.1770718745.ce2072d3:
* feat(ui): use clickable test overview summary counts for quick filtering
* build(Makefile): fix uninterruptable tests
* docs: Mention caveats of `_cleanup_max_free_percentage` setting
* test(25-cache-service): fix race conditions
* test(ui/21-admin-needles): properly wait for modal dialog and deletion
* test(ui/13-admin): properly wait for API key deletion
* test(40-openqa-clone-job): properly isolate from system config
* test(15-asset): bump timeout to current runtime
* chore: fix CVE-2026-25547 (boo#1257852) by overriding minimatch
* build(deps-dev): bump @eslint from 9.36.0 to 9.38.0
* fix(eslint): correct style to be eslint-9.38 compliant
* build(deps-dev): bump @eslint-community/regexpp from 4.12.1 to 4.12.2
* build(deps-dev): bump @eslint/config-array from 0.21.0 to 0.21.1
* build(deps-dev): bump @eslint/object-schema from 2.1.6 to 2.1.7
* refactor: Improve variable names in function to determine expired jobs
* test: Improve name of subtest for archiving
* test: Verify that archiving works regardless of logs/results present
* Dependency cron 2026-02-06
* Bump js-yaml from 4.1.0 to 4.1.1
* build(deps): bump ace-builds from 1.43.3 to 1.43.4

- Update to version 5.1770308102.12dfd0e4:
* fix: Configure sudoers correctly in Leap 16
* Also use devel:openQA/16.0 in dependency bot workflow
* test: Consider all controller code covered
* refactor: Remove unused group connect endpoints
* test: Cover `openqa_jobs_by_worker` field of InfluxDB endpoint
* test: Cover all cases of search of audit log table
* refactor: Simplify function to render audit log index page
* test: Add test for `eventid` parameter of audit log page
* test: Cover remaining lines of `Asset.pm`

- Update to version 5.1769644379.ef069e9d:

Changes in os-autoinst:

- Update to version 5.1771353921.c8005c9:
* git subrepo pull (merge) --force external/os-autoinst-common
* style: Fix crop.py style issues
* workaround: Remove get_mempolicy warning from qemu-img output
* parse_extra_log: Allow passing additional args to upload_logs
* refactor: Distinguish tests by the script path in `loadtest`
* refactor: Simplify approach for avoiding redefine warnings

- Update to version 5.1770715824.6a80a85:
* style: Fix crop.py style issues
* workaround: Remove get_mempolicy warning from qemu-img output
* parse_extra_log: Allow passing additional args to upload_logs
* refactor: Distinguish tests by the script path in `loadtest`
* refactor: Simplify approach for avoiding redefine warnings
* test: Allow running tests with `Test::Warnings<0.033`
* test: Format test of `loadtestdir` in a more compact way

- Update to version 5.1770127521.c249fe9:
* refactor: Distinguish tests by the script path in `loadtest`
* refactor: Simplify approach for avoiding redefine warnings
* test: Allow running tests with `Test::Warnings<0.033`
* test: Format test of `loadtestdir` in a more compact way
* test: Use `ENABLE_MODERN_PERL_FEATURES=1` in test suite
* feat: Allow enabling strict/warnings/signatures globally
* fix: Improve wrong comment about enablement of modern Perl features

Changes in openQA-devel-container:

- Update to version 5.1771422749.560a3b26b:
* Update to latest openQA version

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://www.suse.com/security/cve/CVE-2026-25547

https://bugzilla.suse.com/1257852

Plugin Details

Severity: Critical

ID: 300098

File Name: openSUSE-2026-20261-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 2/28/2026

Updated: 2/28/2026

Supported Sensors: Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-25547

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.2

Threat Score: 7.7

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:openqa-continuous-update, p-cpe:/a:novell:opensuse:openqa-mcp, p-cpe:/a:novell:opensuse:os-autoinst-swtpm, p-cpe:/a:novell:opensuse:openqa-auto-update, p-cpe:/a:novell:opensuse:os-autoinst, p-cpe:/a:novell:opensuse:os-autoinst-openvswitch, p-cpe:/a:novell:opensuse:openqa-worker, p-cpe:/a:novell:opensuse:openqa-local-db, p-cpe:/a:novell:opensuse:os-autoinst-ipmi-deps, p-cpe:/a:novell:opensuse:openqa-devel, p-cpe:/a:novell:opensuse:openqa-python-scripts, cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:openqa-common, p-cpe:/a:novell:opensuse:openqa-single-instance-nginx, p-cpe:/a:novell:opensuse:openqa-munin, p-cpe:/a:novell:opensuse:openqa, p-cpe:/a:novell:opensuse:os-autoinst-devel, p-cpe:/a:novell:opensuse:openqa-bootstrap, p-cpe:/a:novell:opensuse:os-autoinst-s390-deps, p-cpe:/a:novell:opensuse:os-autoinst-qemu-x86, p-cpe:/a:novell:opensuse:os-autoinst-qemu-kvm, p-cpe:/a:novell:opensuse:openqa-client, p-cpe:/a:novell:opensuse:openqa-single-instance

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 2/23/2026

Vulnerability Publication Date: 2/3/2026

Reference Information

CVE: CVE-2026-25547