Detections
Analytics

openSUSE 16 Security Update : gstreamer-rtsp-server, gstreamer-plugins-ugly, gstreamer-plugins-rs, gstreamer-plugins-libav, gstreamer-plugins-good, gstreamer-plugins-base, gstreamer-plugins-bad, gstreamer-docs, gstreamer-devtools, gstreamer (openSUSE-SU-2026:20329-1)

medium Nessus Plugin ID 301473

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

The remote openSUSE 16 host has packages installed that are affected by a vulnerability as referenced in the openSUSE- SU-2026:20329-1 advisory.

 Changes in gstreamer-rtsp-server:

 - Update to version 1.26.7:
 - Fix issues with G_DISABLE_CHECKS & G_DISABLE_ASSERT.
 - rtsp-server: tests: Switch to fixtures to ensure pool shutdown
 - rtsp-server: tests: Fix a few memory leaks

 Changes in gstreamer-plugins-ugly:

 - Update to version 1.26.7:
 - No changes, stable version bump only.

 Changes in gstreamer-plugins-rs:

 - Update to version 1.26.7+git0.6ab75814:

 * tracers: Fix inverted append logic when writing log files
 * threadshare:

 - examples: standalone: also handle buffer lists
 - Pad push_list: downgrade Pad flushing log level
 - sinks: fix / handle query()
 - backpressure: abort pending items on flush start
 - udpsink: fix panic recalculating latency from certain executors
 - audiotestsrc:
 . support more Audio formats . use AudioInfo . fix latency . act as a pseudo live source by default
 - runtime task: execute action in downward transition
 - example cleanups
 - udpsink: distinguish sync status for latency & report added latency
 - sink elements: implement `send_event`
 - dataqueue elements: report min and max latency

 * rtp:

 - Add linear audio (L8, L16, L24) RTP payloaders / depayloaders

 * rtp: basedepay: reuse last PTS, when possible
 * skia: Update to skia-safe 0.89
 * mp4: Update to mp4-atom 0.9
 * Update dependencies
 * webrtc: livekit: Drop connection lock after take()
 * onvifmetadatapay: copy metadata from source buffer
 * fallbacksrc: Fix custom source reuse case
 * add `rust-tls-native-roots` feature to the `reqwest` dep
 * rtpamrpay2:
 - Actually forward the frame quality indicator
 - Set frame quality indicator flag

 - Add patch to fix reproducibility of package build (boo#1237097)

 - Update to version 1.26.6+git20.e287e869:

 * Fix some new clippy 1.90 warnings
 * colordetect: Don't use deprecated color_name API
 * deny: Update
 * quinn: Update to web-transport-quinn 0.8
 * skia: Update to skia-safe 0.88
 * Update Cargo.lock
 * Allow windows-sys 0.61 too
 * intersink: add sync property
 * meson: Fix .pc files installation and simplify build output handling. This also fixes the .pc file install directory and ensures that the .pc files are only installed when static builds is enabled.
 - Drop devel subpackage following upstream changes.

 - Update to version 1.26.6:

 - aws: Ensure task stopping on paused-to-ready state change
 - fallbacksrc:

 - Don't panic during retries if the element was shut down in parallel
 - Don't restart source if the element is just being shut down
 - Fix some custom source deadlocks
 - Fix sources only being restarted once

 - gtk4: Try importing dmabufs withouth DMA_DRM caps
 - inter: Give the appsrc/appsink a name that has the parent element as prefix
 - mp4: Skip tests using x264enc if it does not exist
 - rtpgccbwe: avoid clamp() panic when min_bitrate > max_bitrate
 - rtpmp4gdepay2: allow only constantduration with neither constantsize nor sizelength set
 - rtprecv: fix race condition on first buffer
 - speechmatics: Specify rustls as an explicit dependency
 - spotify: update to librespot 0.7
 - threadshare:

 - add a blocking adapter element
 - always use block_on_or_add_subtask
 - audiotestsrc: fix setting samples-per-buffer...
 - blocking_adapter: fix Since marker in docs
 - fix resources not available when preparing asynchronously
 - fix ts-inter test one_to_one_up_first
 - have: have Task log its obj
 - intersink: return from blocking tasks when stopping
 - inter: update doc example
 - runtime/pad: lower log level pushing Buffer to flushing pad
 - separate blocking & throttling schedulers
 - update examples
 - Update to getifaddrs 0.5
 - Fix macOS build post getifaddrs 0.5 update
 - Bump up getiffaddrs to 0.1.5 and revert udp: avoid getifaddrs in android
 - Reapply udp: avoid getifaddrs in android

 - transcriberbin: Fix some deadlocks
 - Update dependencies
 - webrtc: Migrate to warp 0.4 and switch to tokio-rustls
 - webrtc/signalling: Fix setting of host address
 - ci: add script to check readme against plugins list
 - Fix various new clippy 1.89 warnings
 - Don't suggest running cargo cinstall after cargo cbuild
 - meson: Isolate built plugins from cargo target directory

 - Update to version 1.26.5+git11.949807a4 (boo#1248053, CVE-2025-55159):

 - rtprecv: fix race condition on first buffer + threadshare: intersink: return from blocking tasks when stopping + threadshare: inter: store upstream latency in InterContext + threadshare: add a blocking adapter element + transcriberbin: Fix settings/state lock order violation in set_property() + transcriberbin: Don't keep state locked while querying upstream latency + threadshare: audiotestsrc: fix setting samples-per-buffer...
 + rtpgccbwe: avoid clamp() panic when min_bitrate > max_bitrate + fallbacksrc: Don't restart source if the element is just being shut down + aws: Ensure task stopping on paused-to-ready state change + fallbacksrc: Don't panic during retries if the element was shut down in parallel + Update Cargo.lock.

 - Update to version 1.26.5:

 + awstranscriber2, awstranslate: Handle multiple stream-start event + ceaX08overlay: support ANY caps features, allowing e.g.
 memory:GLMemory if downstream supports the overlay composition meta + hlsmultivariantsink: Fix master playlist version + rtprecv: Drop state lock before chaining RTCP packets from the RTP chain function + Add rtpbin2 examples + rtpmp4apay2: fix payload size prefix + rtp: threadshare: fix some property ranges + mpegtslivesrc: Remove leftover debug message + ts-audiotestsrc fixes + threadshare: fix flush for ts-queue ts-proxy & ts-intersrc + threadshare: fix regression in ts-proxysrc + threadshare: improvements to some elements + threadshare: Enable windows Win32_Networking feature + threadshare: queue & proxy: fix race condition stopping + threadshare: Also enable windows Win32_Networking_WinSock feature + tracers: pipeline-snapshot: reduce WebSocket connection log level + tracers: queue-levels: add support for threadshare DataQueue related elements + tracers: Update to etherparse 0.19 + transcriberbin: Fix handling of upstream latency query + webrtcsink: Move videorate before videoconvert and videoscale to avoid processing frames that would be dropped + Fix various new clippy 1.89 warnings

 - Update to version 1.26.4:
 + aws: s3hlssink: Write to S3 on OutputStream flush + cea708mux: fix clipping function + dav1ddec: Use video decoder base class latency reporting API + elevenlabssynthesizer: fix running time checks + gopbuffer: Push GOPs in order of time on EOS + gtk4: Improve color-state fallbacks for unknown values + gtk4: Add YCbCr memory texture formats + gtk4: Promote set_caps debug log to info + hlssink3: Fix a comment typo + hlssink3: Use closed fragment location in playlist generation + livekit: add room-timeout + mccparse: Convert U to the correct byte representation + mp4mux: add TAI timestamp element and muxing + threadshare: add a ts-rtpdtmfsrc element + rtp: Update to rtcp-types 0.2 + rtpsend: Don't configure a zero min RTCP interval for senders + rtpbin2: Fix handling of unknown PTs and don't warn about incomplete RTP caps to allow for bundling + rtpbin2: Improve rtcp-mux support + rtpbin2: fix race condition on serialized Queries + rtpbin2: sync: fix race condition + rtprecv optimize src pad scheduling + rtprecv: fix SSRC collision event sent in wrong direction + skia: Add harfbuzz, freetype and fontconfig as dependencies in the meson build + tttocea{6,7}08: Disallow pango markup from input caps + ts-intersrc: handle dynamic inter-ctx changes + threadshare: src elements: don't pause the task in downward state transitions + webrtc: sink: avoid recursive locking of the session + webrtcsink: fix deadlock on error setting remote description + webrtcsink: add mitigation modes parameter and signal + webrtc: fix Safari addIceCandidate crash + webrtc-api: Set default bundle policy to max-bundle + WHIP client: emit shutdown after DELETE request + Fix various new clippy 1.88 warnings + Update dependencies

 - Update to version 1.26.3:

 + Add new speech synthesis element around ElevenLabs API + cea708mux: fix another WouldOverflow case + cea708mux: support configuring a limit to how much data will be pending.
 + cea708overlay: also reset the output size on flush stop + gcc: handle out of order packets + fmp4mux: Fix panic on late GOP + livekit: expose a connection state property + mp4mux: add taic box + mp4mux: test the trak structure + pcap_writer: Make target-property and pad-path properties writable again + skia: Don't build skia plugin by default for now + threadshare: cleanups & usability improvements + threadshare: sync runtime with latest async-io + threadshare: fix kqueue reactor + threadshare: Update to getifaddrs 0.2 + threadshare: add new thread-sharing inter elements + threadshare: add a ts-rtpdtmfsrc element + transcriberbin: fix naming of subtitle pads + tttocea708: don't panic if a new service would overflow + webrtc: android: Update Gradle and migrate to FindGStreamerMobile + webrtc: add new examples for stream selection over data channel + webrtcsrc: the webrtcbin get-transceiver index is not mlineindex + webrtcsrc: send CustomUpstream events over control channel ..
 + webrtcsink: Don't require encoder element for pre-encoded streams + webrtcsink: Don't reject caps events if the codec_data changes + whip: server: pick session-id from the endpoint if specified + cargo: add config file to force CARGO_NET_GIT_FETCH_WITH_CLI=true + Cargo.lock, deny: Update dependencies and log duplicated targo-lexicon + Update windows-sys dependency from >=0.52, <=0.59 to >=0.52, <=0.60 + deny: Add override for windows-sys 0.59 + deny: Update lints + cargo_wrapper: Fix backslashes being parsed as escape codes on Windows + Fixes for Clock: non-optional return types + Rename relationmeta plugin to analytics

 Changes in gstreamer-plugins-libav:

 - Update to version 1.26.7:

 + No changes, stable versionbump only.

 Changes in gstreamer-plugins-good:

 - Update to version 1.26.7:

 + matroskamux: Properly check if pads are EOS in find_best_pad + qtdemux:
 - Bad performance with GoPro videos containing FDSC metadata tracks
 - Fix open/seek perf for GoPro files with SOS track
 - Handle unsupported channel layout tags gracefully
 - Set channel-mask to 0 for unknown layout tags + rtspsrc: Send RTSP keepalives in TCP/interleaved modes + v4l2:
 - Add GstV4l2Error handling in gst_v4l2_get_capabilities
 - Fix memory leak for DRM caps negotiation + v4l2transform: reconfigure v4l2object only if respective caps changed + Fix issues with G_DISABLE_CHECKS & G_DISABLE_ASSERT

 - Update to version 1.26.6:

 + adaptivedemux2: fix crash due to log + adaptivedemux2: Crash in logging when Dropping EOS before next period + hlsdemux2: Fix parsing of byterange and init map directives + mpg123audiodec: Always break the decoding loop and relay downstream flow errors upstream + v4l2: Add support for WVC1 and WMV3 + Monorepo: dv plugin requires explicit enablement now for a build using the Meson subproject fallback

 - Update to version 1.26.5:

 + 4l2: fix memory leak for dynamic resolution change + videorate, imagefreeze: add support for JPEG XS

 - Update to version 1.26.4:

 + adaptivedemux2: Fixed reverse playback + matroskademux: Send tags after seeking + qtdemux: Fix incorrect FourCC used when iterating over sbgp atoms + qtdemux: Incorrect sibling type used in sbgp iteration loop + rtph265pay: add profile-id, tier-flag, and level-id to output rtp caps + rtpjpeg: fix copying of quant data if it spans memory segments + soup: Disable range requests when talking to Python's http.server + v4l2videodec: need replace acquired_caps on set_format success + Fix various valgrind/test errors when GST_DEBUG is enabled + More valgrind and test fixes + Various ASAN fixes

 - Update to version 1.26.3:

 + aacparse: Fix counting audio channels in program_config_element + adaptivedemux2: free cancellable when freeing transfer task + dashdemux2: Fix seeking in a stream with gaps + decodebin wavparse cannot pull header + imagefreeze: fix not negotiate log when stop + osxvideosink: Use gst_pad_push_event() and post navigation messages + qml6glsink: Allow configuring if the item will consume input events + qtmux: Update chunk offsets when converting stco to co64 with faststart + splitmuxsink: Only send closed message once per open fragment + rtph265depay: CRA_NUT can also start an (open) GOP + rtph265depay: fix codec_data generation + rtspsrc: Don't emit error during close if server is EOF + twcc: Fix reference timestamp wrapping (again) + v4l2: Fix possible internal pool leak + v4l2object: Add support for colorimetry bt2100-pq and 1:4:5:3 + wavparse: Don't error out always when parsing acid chunks

 Changes in gstreamer-plugins-base:

 - Update to version 1.26.7:

 + discoverer: Mark gst_discoverer_stream_info_list_free() as transfer full + riff: Add channel reorder maps for 3 and 7 channel audio + sdp: proper usage of gst_buffer_append + videorate: fix assert fail due to invalid buffer duration + Fix build error with glib < 2.68

 - Update to version 1.26.6:

 + decodebin3: Update stream tags + rtpbasedepayload: Avoid potential use-after free + rtspconnection: Add get_url and get_ip return value annotation + gst_rtsp_connection_get_url return value transfer annotation missing + videometa: Fix valgrind warning when deserializing video meta + videorate: don't hold the reference to the buffer in drop-only mode + gst-device-monitor-1.0: Fix device-path regression on Windows + gst-device-monitor-1.0: Add quoting for powershell and cmd + Monorepo: opengl, vorbis, plugins require explicit enablement now for a build using the Meson subproject fallback

 - Update to version 1.26.5:

 + audioconvert: mix-matrix causes caps negotiation failure + decodebin3: Don't error on an incoming ONVIF metadata stream + gloverlay: Recompute geometry when caps change, and load texture after stopping and starting again + uridecodebin3: Add missing locking and NULL checks when adding URIs to messages + uridecodebin3: segfault in update_message_with_uri() if no decoder available + videorate, imagefreeze: add support for JPEG XS + gst-device-monitor-1.0: Add shell quoting for launch lines + gst-device-monitor-1.0: Fix criticals, and also accept utf8 in launch lines + gst-device-monitor-1.0: Use gst_print instead of g_print

 - Update to version 1.26.4:

 + Revert streamsynchronizer: Consider streams having received stream-start as waiting + alsa: free conf cache under valgrind + gst-device-monitor: Fix caps filter splitting + Fix various valgrind/test errors when GST_DEBUG is enabled + More valgrind and test fixes + Various ASAN fixes

 - Update to version 1.26.3:

 + GstAudioAggregator: fix structure unref in peek_next_sample() + audioconvert: Fix setting mix-matrix when input caps changes + encodebasebin: Duplicate encoding profile in property setter + gl: simplify private gst_gl_gst_meta_api_type_tags_contain_only() + osxvideosink: Use gst_pad_push_event() and post navigation messages + playsink: Fix race condition in stream synchronizer pad cleanup during state changes + python: Fix pulling events from appsink + streamsynchronizer: Consider streams having received stream-start as waiting + urisourcebin: Text tracks are no longer set as sparse stream in urisourcebin's multiqueue

 Changes in gstreamer-plugins-bad:

 - Update to version 1.26.7:

 + cuda: Fix runtime kernel compile with CUDA 13.0 + d3d12convert: Fix crop meta support + d3d12deinterlace: Fix passthrough handling + gst: Fix a few small leaks + matroskamux: Properly check if pads are EOS in find_best_pad + tsdemux: Directly forward Opus AUs without opus_control_header + tsmux: Write a full Opus channel configuration if no matching Vorbis one is found + unixfd: Fix case of buffer with big payload + vacompositor: Correct scale-method properties + webrtc: nice: Fix a use-after-free and a mem leak + Fix all compiler warnings on Fedora + Fix issues with G_DISABLE_CHECKS & G_DISABLE_ASSERT

 - Update to version 1.26.6:

 + analytics: always add GstTensorMeta + cccombiner: Crash fixes + curlsmtpsink: adapt to date formatting issue + decklinkvideosrc: fix decklinkvideosrc becomes unrecoverable if it fails to start streaming + decklinkvideosrc gets into unrecoverable state if device is busy + dwrite: Fix D3D12 critical warning + hlsdemux: Fix parsing of byterange and init map directives + mpegtsmux: Caps event fails with stream type change error + vulkanh24xdec: couple of fixes + vulkanh26xdec: fix discont state handling + waylandsink: add some error handler for event dispatch + zbar: tests: Handle symbol-bytes as not null-terminated + Monorepo: avtp, codec2json, iqa, microdns, openjpeg, qroverlay, soundtouch, tinyalsa plugins require explicit enablement now for a build using the Meson subproject fallback

 - Update to version 1.26.5:

 + av1parse: Don't error out on currently undefined seq-level indices + av1parse: fails to parse AV1 bitstreams generated by FFmpeg using the av1_nvenc hardware encoder + d3d12screencapturedevice: Avoid false device removal on monitor reconfiguration + d3d12screencapturesrc: Fix OS handle leaks/random crash in WGC mode + meson: d3d12: Add support for MinGW DirectXMath package + va: Re-negotiate after FLUSH + vaXXXenc: calculate latency with corrected framerate + vaXXXenc: fix potential race condition + vkphysicaldevice: enable sampler ycbcr conversion, synchronization2 and timeline semaphore features + vulkan: ycbcr conversion extension got promoted in 1.1.0 + wasapi2: Port to IMMDevice based device selection

 - Fix really disabling faad when building without faad support.

 - Do not build with faad in SLE16 where faad2 is not available.

 - Update to version 1.26.4:

 + avtp: crf: Setup socket during state change to ensure we handle failure + d3d12screencapture: Add support for monitor add/remove in device provider + mpegtsmux: fix double free caused by shared PMT descriptor + openh264: Ensure src_pic is initialized before use + rtmp2src: various fixes to make it play back AWS medialive streams + ssdobjectdetector: Use correct tensor data index for the scores + v4l2codecs: h265dec: Fix zero-copy of cropped window located at position 0,0 + vp9parse: Fix handling of spatial SVC decoding + vp9parse: Revert Always default to super-frame + vtenc: Fix negotiation failure with profile=main-422-10 + vulkan: Fix drawing too many triangles in fullscreenquad + vulkanfullscreenquad: add locks for synchronisation + Fix various valgrind/test errors when GST_DEBUG is enabled + More valgrind and test fixes + Various ASAN fixes

 - Provide and Obsolete gstreamer-1.20-plugin-openh264 too, not just gstreamer-plugin-openh264.

 - Update to version 1.26.3:

 + amc: Overhaul hw-accelerated video codecs detection + bayer2rgb: Fix RGB stride calculation + d3d12compositor: Fix critical warnings + dashsink: Fix failing test + decklink: calculate internal using values closer to the current clock times + decklinkvideosink: show preroll frame correctly + decklink: clock synchronization after pause + h266parser: Fix overflow when parsing subpic_level_info + lcevcdec: Check for errors after receiving all enhanced and base pictures + meson: fix building -bad tests with disabled soundtouch + mpegts: handle MPEG2-TS with KLV metadata safely by preventing out of bounds + mpegtsmux: Corrections around Teletext handling + srtsink: Fix header buffer filtering + transcoder: Fix uritranscodebin reference handling + tsdemux: Allow access unit parsing failures + tsdemux: Send new-segment before GAP + vulkanupload: fix regression for uploading VulkanBuffer + vulkanupload: fix regression when uploading to single memory multiplaned memory images + webrtcbin: disconnect signal ICE handlers on dispose + {d3d12,d3d11}compositor: Fix negative position handling + {nv,d3d12,d3d11}decoder: Use interlace info in input caps

 - Build with noopenh264, move plugin to main package.
 - Drop conditionals for fdk-aac, explicitly build it for all targets.

 - Move faad plugin to main package.

 Changes in gstreamer-docs:

 - Update to version 1.26.7:
 + No changes, stable bump only.
 + Update docs.

 Changes in gstreamer-devtools:

 - Update to version 1.26.7:

 + Fix issues with G_DISABLE_CHECKS & G_DISABLE_ASSERT

 - Update to version 1.26.6:

 + validate: http-actions: Replace GUri with GstURI for GLib 2.64 compatibility + Fix memory leak and use of incorrect context

 - Update to version 1.26.5:

 + No changes, stable bump only.

 - Update vendored dependencies (boo#1248053, CVE-2025-55159).

 - Update to version 1.26.4:

 + Update various Rust dependencies

 - Update to version 1.26.3:

 + validate: More memory leaks + validate: Valgrind fixes

 Changes in gstreamer:

 - Update to version 1.26.7:

 + Highlighted bugfixes in 1.26.7:

 - cea608overlay: improve handling of non-system memory
 - cuda: Fix runtime kernel compile with CUDA 13.0
 - d3d12: Fix crop meta support in converter and passthrough handling in deinterlacer
 - fallbacksrc: source handling improvements; no-more-pads signal for streams-unaware parents
 - inter: add properties to fine tune the inner elements
 - qtdemux: surround sound channel layout handling fixes and performance improvements for GoPro videos
 - rtp: Add linear audio (L8, L16, L24) RTP payloaders / depayloaders
 - rtspsrc: Send RTSP keepalives in TCP/interleaved modes
 - rtpamrpay2: frame quality indicator flag related fixes
 - rtpbasepay2: reuse last PTS when possible, to work around problems with NVIDIA Jetson AV1 encoder
 - mpegtsmux, tsdemux: Opus audio handling fixes
 - threadshare: latency related improvements and many other fixes
 - matroskamux, tsmux, flvmux, cea608mux: Best pad determination fixes at EOS
 - unixfd: support buffers with a big payload
 - videorate unknown buffer duration assertion failure with variable framerates
 - editing services: Make GESTimeline respect SELECT_ELEMENT_TRACK signal discard decision; memory leak fixes
 - gobject-introspection annotation fixes
 - cerbero: Update meson to 1.9.0 to enable Xcode 26 compatibility
 - Various bug fixes, build fixes, memory leak fixes, and other stability and reliability improvements

 + gstreamer:

 - controller: Fix get_all() return type annotation
 - gst-launch: Do not assume error messages have a src element
 - multiqueue: Fix object reference handling in signal callbacks
 - netclientclock: Fix memory leak in error paths

 - Update to version 1.26.6:

 + Highlighted bugfixes in 1.26.6:

 - analytics GstTensorMeta handling changes (see note below)
 - closed caption combiner and transcriberbin stability fixes
 - decklinkvideosrc: fix unrecoverable state after failing to start streaming because device is busy
 - decodebin3 tag handling improvements
 - fallbacksrc: Fix sources only being restarted once, as well as some deadlocks and race conditions on shutdown
 - gtk4paintablesink: Try importing dmabufs withouth DMA_DRM caps
 - hlsdemux2: Fix parsing of byterange and init map directives
 - rtpmp4gdepay2: allow only constantduration with neither constantsize nor sizelength set
 - spotifysrc: update to librespot 0.7 to make work after recent Spotify changes
 - threadshare: new blocking adapter element for use in front of block elements such as sinks that sync to the clock
 - threadshare: various other threadshare element fixes and improvements
 - v4l2: Add support for WVC1 and WMV3
 - videorate: possible performance improvements when operating in drop-only mode
 - GstBaseParse fixes
 - Vulkan video decoder fixes
 - Fix gst-device-monitor-1.0 tool device-path regression on Windows
 - Monorepo development environment builds fewer plugins using subprojects by default, those require explicit enablement now
 - Python bindings: Handle buffer PTS, DTS, duration, offset, and offset-end as unsigned long long (regression fix)
 - Cerbero: Reduce recipe parallelism in various cases and dump cerbero and recipe versions into datadir during packaging
 - Various bug fixes, build fixes, memory leak fixes, and other stability and reliability improvements

 + Possibly breaking behavioural changes:

 - Previously it was guaranteed that there is only ever up to one GstTensorMeta per buffer. This is no longer true and code working with GstTensorMeta must be able to handle multiple GstTensorMeta now.

 + gstreamer:

 - baseparse: Try harder to fixate caps based on upstream in default negotiation ...

 Please note that the description has been truncated due to length. Please refer to vendor advisory for the full description.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1237097

https://bugzilla.suse.com/1248053

https://www.suse.com/security/cve/CVE-2025-55159

Plugin Details

Severity: Medium

ID: 301473

File Name: openSUSE-2026-20329-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 3/8/2026

Updated: 3/8/2026

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.7

CVSS v2

Risk Factor: Medium

Base Score: 5.2

Temporal Score: 3.8

Vector: CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:C

CVSS Score Source: CVE-2025-55159

CVSS v3

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 5.1

Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 5.1

Threat Score: 1.2

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:typelib-1_0-gst-1_0, p-cpe:/a:novell:opensuse:libgstvideo-1_0-0, p-cpe:/a:novell:opensuse:libgsturidownloader-1_0-0, p-cpe:/a:novell:opensuse:gstreamer-utils, p-cpe:/a:novell:opensuse:libgstdxva-1_0-0, p-cpe:/a:novell:opensuse:typelib-1_0-gstglwayland-1_0, p-cpe:/a:novell:opensuse:libgstplay-1_0-0, p-cpe:/a:novell:opensuse:libgsttranscoder-1_0-0, p-cpe:/a:novell:opensuse:typelib-1_0-gstrtsp-1_0, p-cpe:/a:novell:opensuse:libgsttag-1_0-0, p-cpe:/a:novell:opensuse:libgstmpegts-1_0-0, p-cpe:/a:novell:opensuse:libgstriff-1_0-0, p-cpe:/a:novell:opensuse:typelib-1_0-gstanalytics-1_0, p-cpe:/a:novell:opensuse:gstreamer-plugins-bad, p-cpe:/a:novell:opensuse:libgstpbutils-1_0-0, p-cpe:/a:novell:opensuse:typelib-1_0-gstcodecs-1_0, p-cpe:/a:novell:opensuse:libgstphotography-1_0-0, p-cpe:/a:novell:opensuse:typelib-1_0-gstvulkanwayland-1_0, p-cpe:/a:novell:opensuse:gstreamer-rtsp-server-devel, p-cpe:/a:novell:opensuse:libgstsctp-1_0-0, p-cpe:/a:novell:opensuse:libgstvalidate-1_0-0, p-cpe:/a:novell:opensuse:gstreamer-plugins-ugly-lang, p-cpe:/a:novell:opensuse:typelib-1_0-gstvulkan-1_0, p-cpe:/a:novell:opensuse:typelib-1_0-cudagst-1_0, p-cpe:/a:novell:opensuse:libgstsdp-1_0-0, p-cpe:/a:novell:opensuse:libgstmse-1_0-0, p-cpe:/a:novell:opensuse:gstreamer-transcoder-devel, p-cpe:/a:novell:opensuse:gstreamer-plugins-good-gtk, p-cpe:/a:novell:opensuse:libgstcuda-1_0-0, p-cpe:/a:novell:opensuse:gstreamer-devtools-devel, p-cpe:/a:novell:opensuse:gstreamer-plugins-good, p-cpe:/a:novell:opensuse:gstreamer-plugins-good-extra, p-cpe:/a:novell:opensuse:libgstrtsp-1_0-0, p-cpe:/a:novell:opensuse:libgstanalytics-1_0-0, p-cpe:/a:novell:opensuse:typelib-1_0-gstplay-1_0, p-cpe:/a:novell:opensuse:libgstallocators-1_0-0, p-cpe:/a:novell:opensuse:typelib-1_0-gstrtp-1_0, p-cpe:/a:novell:opensuse:gstreamer-plugins-base-lang, p-cpe:/a:novell:opensuse:libgstadaptivedemux-1_0-0, p-cpe:/a:novell:opensuse:typelib-1_0-gstallocators-1_0, p-cpe:/a:novell:opensuse:typelib-1_0-gstmpegts-1_0, p-cpe:/a:novell:opensuse:typelib-1_0-gstwebrtc-1_0, p-cpe:/a:novell:opensuse:libgstisoff-1_0-0, p-cpe:/a:novell:opensuse:typelib-1_0-gstdxva-1_0, p-cpe:/a:novell:opensuse:typelib-1_0-gstplayer-1_0, p-cpe:/a:novell:opensuse:gstreamer-devtools, p-cpe:/a:novell:opensuse:gstreamer-plugins-good-qtqml6, p-cpe:/a:novell:opensuse:libgstva-1_0-0, p-cpe:/a:novell:opensuse:gstreamer-plugins-ugly, p-cpe:/a:novell:opensuse:gstreamer-devel, p-cpe:/a:novell:opensuse:typelib-1_0-gsttag-1_0, p-cpe:/a:novell:opensuse:libgstrtp-1_0-0, p-cpe:/a:novell:opensuse:typelib-1_0-gstapp-1_0, p-cpe:/a:novell:opensuse:gstreamer-plugins-good-lang, p-cpe:/a:novell:opensuse:libgstfft-1_0-0, p-cpe:/a:novell:opensuse:typelib-1_0-gstvalidate-1_0, p-cpe:/a:novell:opensuse:libgstbasecamerabinsrc-1_0-0, p-cpe:/a:novell:opensuse:gstreamer-plugins-rs, p-cpe:/a:novell:opensuse:gstreamer-plugins-base-devel, p-cpe:/a:novell:opensuse:libgstgl-1_0-0, p-cpe:/a:novell:opensuse:typelib-1_0-gstinsertbin-1_0, cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:libgstwayland-1_0-0, p-cpe:/a:novell:opensuse:gstreamer-transcoder, p-cpe:/a:novell:opensuse:gstreamer-plugins-base, p-cpe:/a:novell:opensuse:libgstapp-1_0-0, p-cpe:/a:novell:opensuse:gstreamer-plugins-good-jack, p-cpe:/a:novell:opensuse:typelib-1_0-gstcuda-1_0, p-cpe:/a:novell:opensuse:typelib-1_0-gstpbutils-1_0, p-cpe:/a:novell:opensuse:libgstwebrtcnice-1_0-0, p-cpe:/a:novell:opensuse:libgstcodecs-1_0-0, p-cpe:/a:novell:opensuse:gstreamer, p-cpe:/a:novell:opensuse:typelib-1_0-gstvideo-1_0, p-cpe:/a:novell:opensuse:typelib-1_0-gstva-1_0, p-cpe:/a:novell:opensuse:libgstrtspserver-1_0-0, p-cpe:/a:novell:opensuse:typelib-1_0-gstbadaudio-1_0, p-cpe:/a:novell:opensuse:libgstcodecparsers-1_0-0, p-cpe:/a:novell:opensuse:gstreamer-plugins-libav, p-cpe:/a:novell:opensuse:libgstinsertbin-1_0-0, p-cpe:/a:novell:opensuse:typelib-1_0-gstmse-1_0, p-cpe:/a:novell:opensuse:typelib-1_0-gstrtspserver-1_0, p-cpe:/a:novell:opensuse:gstreamer-plugins-bad-lang, p-cpe:/a:novell:opensuse:libgstwebrtc-1_0-0, p-cpe:/a:novell:opensuse:libgstvulkan-1_0-0, p-cpe:/a:novell:opensuse:typelib-1_0-gstsdp-1_0, p-cpe:/a:novell:opensuse:gstreamer-plugins-bad-chromaprint, p-cpe:/a:novell:opensuse:typelib-1_0-gstaudio-1_0, p-cpe:/a:novell:opensuse:typelib-1_0-gstvulkanxcb-1_0, p-cpe:/a:novell:opensuse:typelib-1_0-gsttranscoder-1_0, p-cpe:/a:novell:opensuse:gstreamer-lang, p-cpe:/a:novell:opensuse:gstreamer-plugins-bad-devel, p-cpe:/a:novell:opensuse:libgstplayer-1_0-0, p-cpe:/a:novell:opensuse:typelib-1_0-gstgl-1_0, p-cpe:/a:novell:opensuse:typelib-1_0-gstglegl-1_0, p-cpe:/a:novell:opensuse:libgstbadaudio-1_0-0, p-cpe:/a:novell:opensuse:typelib-1_0-gstglx11-1_0, p-cpe:/a:novell:opensuse:libgstreamer-1_0-0, p-cpe:/a:novell:opensuse:libgstaudio-1_0-0

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 3/5/2026

Vulnerability Publication Date: 8/11/2025

Reference Information

CVE: CVE-2025-55159