Synopsis
The remote openSUSE host is missing one or more security updates.
Description
The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-openSUSE-FU-2026:20453-1 advisory.
Update to himmelblau 2.3.8 (jsc#PED-14511):
Security issues:
- CVE-2025-54882: world readable cloud TGT token (bsc#1247735).
- CVE-2025-58160: tracing-subscriber: Tracing log pollution (bsc#1249013).
- CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion (bsc#1257904).
- CVE-2026-31979: race condition when accessing /tmp/krb5cc_<uid> (bsc#1259548).
Non-security issues:
- Fix SELinux module packaging to use standard policy macros (bsc#1258236).
Changelog:
Version 2.3.8:
* Add PrivateTmp back to Tasks Daemon
* Drop dead code
* Drop krb5 ccache dir code
* Add a TODO comment
* Drop non working packaged krb5 snippet file
* Write kerberos config snippet
* Extend resolver interface to return kerberos config together with TGTs
* Backport SELinux fixes from main
* Use libkrimes to store TGTs
Version 2.3.7:
* cargo vet
* Fix AWS-LC has PKCS7_verify Certificate Chain Validation Bypass
* Revert dependency change which broke the nightly build
* gen_dockerfiles: only himmelblaud has tpm feature, fix all others
* fix(build): gen_dockerfiles.py mutates shared features list mid-loop
Version 2.3.5:
* Better handle Intune API version
* Update make vet from main branch
* pam_himmelblau: call split_username once in chauthtok
* pam_himmelblau: return PAM_IGNORE in chauthtok for local users
* Don't attempt a DAG when Hello fails with SSPR demand
Version 2.3.4:
* deps(rust): bump the all-cargo-updates group across 1 directory with 8 updates
* Revert sketching update (which breaks SLE16 build)
Version 2.3.3:
* /var/cache/private/himmelblaud should not be created tmpfiles
* Update python vers for dataclasses dep
* deps(rust): bump the all-cargo-updates group across 1 directory with 3 updates
* Generate pin init service file systemd < 250
* Checkin missing himmelblaud.if file for SELinux
* Resolve typos in selinux package commands
Version 2.3.2:
* Compile SELinux policy at install time for cross-distro compatibility
* Improve PAM configuration on openSUSE/SLE
* Fix SELinux policy
* Add a git hook to ensure selinux policy is tested
* Ignore generated himmelblau-hsm-pin-init service file
* Refactor SELinux policy for cross-distro compatibility
* Fix NSS lookup for mapped local users
* Skip OS version compliance checks when min/max values are empty
Version 2.3.1:
* Remove references to qrcodegen (these are 3.x features)
* QR Greeter compatibility for old GNOME
* Enable QR greeter automatically
* ci: Use latest cargo-vet from git to fix CI
* Fix HSM pin migration failure on Debian/Ubuntu upgrades from v1.4.x
Version 2.3.0:
* Autostart the daemons on fresh install or upgrade
* Restart sshd when installing the ssh config
* Allow tasks daemon to write krb ccache
* Do not enumerate mapped users in NSS
* Update libhimmelblau to latest version
* Fix Tumbleweed build
Version 2.2.0:
* Update libhimmelblau to 0.8.x series
* deps(rust): bump the all-cargo-updates group with 17 updates
* Only use OpenSSH bug workaround for ssh service
* Fix debug noise from removing user from sudo group
* systemd: install files to /usr/lib/, not /etc/
Version 2.1.0:
* Fix nightly authselect build failure
* Generate the authselect profiles for each distro
* Improve pam config handling in aad-tool
* Make `aad-tool configure-pam` detect location of pam files
Version 2.0.5:
* /var/lib/private/himmelblaud should be owned by root
* Use tmpfiles.d to create himmelblaud private data directory
* deps(rust): bump the all-cargo-updates group with 13 updates
Version 2.0.4:
* Update kanidm_build_profiles mask version
* Utilize cargo vet from main
* Add policies cache patch via systemd-tmpfiles
* Fix man page comments about change idmap_range
* Stub picky-krb for osc build
* Stub a kanidm_build_profiles which builds in osc
* Ensure nss cache is created on Ubuntu/Debian
* Request a user token if NSS hasn't been called
Version 2.0.3:
* Add nss cache patch via systemd-tmpfiles
Version 2.0.2:
* Recommend `patch` with the pam package
* Fix passwordless FIDO authentication not being used when available
* Git workflow updates for stable-2.x
* Only warn on Intune failure
Version 2.0.1:
* Force o365 desktop files to always rebuild
* Always rebuild the o365 apps
* Add restart on-failure to systemd services
* Clarify `domain` SHOULD match login domain
* Remove warning about `domain` himmelblau.conf opt
* Pseudo eliminate multi-tenant and domains section
* Revert Fix Hello PIN lookup when an alias domain
* Comment out `KbdInteractiveAuthentication on` in sshd conf
* Check the nxset sooner, to avoid unwanted errors
* Recommend oddjob_mkhomedir with authselect
* Pin libhimmelblau to 0.7.x
* Deprecate Fedora 41
* deps(rust): bump the all-cargo-updates group with 11 updates
* Bump github/codeql-action from 4.30.8 to 4.31.2
* Bump cachix/install-nix-action from 31.8.1 to 31.8.2
* Bump actions/upload-artifact from 4.6.2 to 5.0.0
* cargo clippy and rebase fix
* fixup! add extra debug output to NotFound error code
* force error output to show up in CI logs
* wrap repeated sources of IdpError::NotFound in helper functions
* add extra debug output to NotFound error code
* use direnv for loading the nix devshell
* We should still encourage mapping by name
* Add support for Fedora 43
* Provide an offline 'breakglass' mode
* cargo clippy
* Add warning about incorrect nsswitch configuration
* Distinguish between online and offline token fail
* Ensure user token uses original name
* Fix alias domain in auth result causing failure
* Resolve cargo clippy warnings
* Only map on cn name for the primary domain
* Install systemd in build scripts for gen service
* Fix systemd version parsing
* Update libhimmelblau to 0.7.19
* Resolve SELinux build failures in nightly (part 2)
* Rocky container image updates were failing
* Warn instead of error when no idmap_range specified
* deps(rust): bump the all-cargo-updates group across 1 directory with 7 updates
* Trim whitespace from local group names
* Fix borrowing error
* Fix reference to local_sudo_group in condition
* Only run sudo_groups if local_groups does not contain local_sudo_group
* Leave SELinux in permissive mode for Himmelblau
* Resolve SELinux build failures in nightly
* nix: add join_type option to nixos-module settings
* Build host configuration changes
* Ensure that hsm_pin isn't present decrypted
* Document Soft HSM changes to TPM bound
* Disable SELinux by default on NixOS
* sh doesn't have `source`
* Encrypt hsm-pin using systemd-creds
* Recommend uuid id mapping
* Improve himmelblau.conf man page formatting
* Implement Local User Mapping
* Add o365 dependency for jq
* Add selinux rules for gdm login
* Narrow the scope of selinux policy with audit2allow
* Generate the systemd service files
* Fix selinux build for SLE16
* Resolve SLE16 build dependency failure
* Fix the rawhide build
* Mask the sshkey-attest package
* Bump cachix/install-nix-action from 31.7.0 to 31.8.1
* cargo vet dependency updates
* deps(rust): bump the all-cargo-updates group across 1 directory with 13 updates
* Bump actions/dependency-review-action from 4.8.0 to 4.8.1
* Bump cachix/install-nix-action from 31.7.0 to 31.8.0
* Bump github/codeql-action from 3.30.5 to 4.30.8
* Bump ossf/scorecard-action from 2.4.2 to 2.4.3
* SELinux improvements
* Fix a typo in package gen scripts
* cargo fmt
* Permit NSS response for mapped primary fake group
* Fix Nix Error With Fuzz
* Decrease CI fuzzer setup time
* Document join types
* Support for Entra registered devices
* Run `cargo test` in a container
* Bump cachix/install-nix-action from 31.6.2 to 31.7.0
* deps(rust): bump the all-cargo-updates group across 1 directory with 2 updates
* Bump github/codeql-action from 3.30.4 to 3.30.5
* Use pastey crate instead of unmaintained paste
* Pin unmaintained serde_cbor dep to serde_cbor_2
* Resolve tower-http `cargo audit` warning
* Replace unmaintained fxhash with own version
* Resolve warning about workflow top level write permissions
* Remove dependabot automerge
* Resolve division by 0 in idmap code
* [StepSecurity] ci: Harden GitHub Actions
* Only idmap against initialized domains
* Resolve invalid init of idmap with same domain
* Add fuzzing of idmap code
* Add basic fuzzing of the config options
* Resolve error found by fuzzing
* cargo vet prune
* deps(rust): bump regex in the all-cargo-updates group
* Bump actions/dependency-review-action from 4.7.3 to 4.8.0
* Bump actions/checkout from 3.6.0 to 5.0.0
* Bump cachix/cachix-action from 14 to 16
* Bump ossf/scorecard-action from 2.4.0 to 2.4.2
* Bump cachix/install-nix-action from 25 to 31
* Add the OpenSSF Best Practices badge
* Add scorecard badge
* [StepSecurity] Apply security best practices
* Fix group static mapping
* Move aad-tool idmap cache clear to the idmap cmd
* Resolve errant Hello key missing. messages
* Update flake.nix
* Slow the dependabot update frequency
* Audit dependabot updates
* deps(rust): bump the all-cargo-updates group across 1 directory with 11 updates
* feat: Add support for aarch64 on Debian-based distributions
* Resolve possible invalid pointer dereferences
* Avoid revealing account ids in debug log
* Cause doc links to open in the correct apps
* Permit opening multiple instances of Word/Excel
* Modify systray and app close behavior
* Don't use questionably licensed icons for o365
* Resolve NixOS CI failure
* Fix building w/out deprecated interactive feature
* Update himmelblau.conf.5 sudo_groups example
* Entra group based sudo access
* Audited the cargo updates
* deps(rust): bump the all-cargo-updates group with 6 updates
* Vet libhimmelblau
* Add `make vet` command
* Update deny.toml
* Remove incompatible licenses from deps
* Fix RHEL8 package signing
* Add SBOM generation
* Add an IRP checklist for security incidents
* Run the nixos build/release on the correct version
* Add crate dependency auditing on MR
* Add some exceptions
* Initialize cargo vet
* Remove in-tree kanidm dependencies
* Fix Hello PIN lookup when an alias domain
* Raise maximum group lookup from 100 to 999
* Always work with lowercase account names
* Modify FUNDING.yml for funding sources
* Remove glib dependency
* deps(rust): bump the all-cargo-updates group with 10 updates
* Add CI check for licenses
* Update dependabot.yml to target all stable branches
* Add authselect module for Rocky/Fedora
* Recommend packages, instead of require
* Add a Contributing document
* Add a Code of Conduct
* add withSelinux flag to nix build, brings SELinux binaries into the build environment.
* deps(rust): bump tracing-subscriber in the cargo group
* Don't overwrite the himmelblau.conf on rpm upgrade
* Add help output to the Makefile
* Fix building packages with docker in root mode
* Update to latest libhimmelblau and identity_dbus_broker
* Make PRT SSO cookie via broker work as well for Edge
* Make broker work for Edge
* Generate Office 365 desktop apps
* Update README
* Add `make uninstall` command
* Remove the deprecated tests suite
* Himmelblau no longer has git submodules
* Make install using packages
* Add Debian 13 packages
* Generate Dockerfiles automatically
* Add SELinux configuration
* Himmelblau daemon requires system tss user
* Add cron dependency for Intune scripts
* Do not mangle /usr/etc configuration files
* deps(rust): bump the all-cargo-updates group with 7 updates
* Add SLE16 (beta) build target
* Automatically append to nsswitch.conf in postinst
* Correct the RPM postinst script syntax
* Fix Kerberos credential cache permissions
* Set file owner and group before writing its content
* Create SECURITY.md
* Rev the dev version to 2.0.0
* Ensure alias domains match when checking Intune device id
* Debian 12 doesn't support ConditionPathExists and notify-reload
* Write scripts policy to a readable directory
* Apply Intune policies right after enrollment
* Add more debug instrumentation
* Provide device_id to Intune enrollment if not cached
* Ensure nss cache directory is created during install
* Remove /var/cache/himmelblaud access from tasks daemon
* Resolve daemon startup absolute path warnings
* Delay Intune enrollment on Device Auth fail
* Do not leak the Intune IW service token in the logs
Version 1.4.2:
* Revert libhimmelblau unstable update
Version 1.4.1:
* Update Intune to use app version 1.2511.7
Version 1.4.0:
* Resolve build failures
* deps(rust): bump the all-cargo-updates group across 1 directory with 6 updates
Version 1.3.0:
* Revert the self-hosted runner name
* deps(rust): bump the all-cargo-updates group with 23 updates
* Include latest branch in CI
* Self hosted runners
Version 1.1.0:
* Fix policy application
* Add remaining Linux password compliance policies
* Add custom compliance enforcement
* deps(rust): bump the all-cargo-updates group with 3 updates
* deps(rust): bump the all-cargo-updates group with 5 updates
* Add SLE15SP7 build target
* Add RHEL 10 build target
* Fix Intermittent auth issue AADSTSError 16000
* Remove old utf8proc dependency
* Add `fedora42` build target
* Handle PRT expiration and tie to offline auth
* Correctly delete the Hello keys on bad pin count
* Add ability to disable Hello PIN per-service
* Update NixOS support to 25.05
* Handle disabled device by attempting re-enrollment
* Always attempt confidential client creds for aad-tool
* Include HSM option defs in himmelblau.conf man page
* Improve the aad-tool cache-clear command
* Add `mfaSshWorkaroundFlag` configuration option to Nix Flake.
* Add the ability to remove confidential client creds
* If bad PIN count is exceeded, delete the Hello key
* deps(rust): bump the all-cargo-updates group with 4 updates
* Add instructions for creating developer builds
* Fix GDM3 first time login password prompt
* Default HsmType should be soft
* Add himmelblaud to tss group for TPM startup
* Enforce strict order for the systemd units
* Update libhimmelblau and compact_jwt
* Fix builds w/tpm
* aad-tool Authentication flow improvements
* Filter out irrelevant debug in aad-tool
* Create a unified login experience for aad-tool
* Utilize confidential creds for aad-tool enumerate
* himmelblau should get posix attributes w/out delegate user access
* Always use the Object Id for mapping Group to GID
* Update enhancement-request.md for SPI donations
* Update bug_report.md with SPI donation
* Update build requires in README.md
* Update FUNDING.yml with SPI Paypal donation button
* Don't break from tasks loop when policies fail
* Enroll in Intune as soon as it is enabled
* Implement `decoupled hello` behavior
* Cache encrypted PRT to disk for offline login SSO
* Update to latest hsm-crypto
* Enable tpm functionality
* Allow altering the password and PIN prompt messages
* Ensure Hello PIN lockout happens when online
* Cache the build target output to improve build times
* Easier build selection w/ Makefile
* Revert mistaken removal from Makefile
* Make the user wait longer with each incorrect PIN
* Make the bad PIN count configurable
* Improve aad-tool manpage
* aad-tool fails if the user has FIDO2 enabled
* Offline auth permits authentication with invalid Hello PIN
* PIN complexity to match Windows
* Update to latest SSSD idmap code
* Add aad-tool options for setting posix attrs
* Add scopes and redirect uris aad-tool application create
* Add aad-tool commands for managing extension attrs
* Utilize the sidtoname call for object id mapping
* Add commands for listing/creating App registrations
* Potential fix for code scanning alert no. 2: Workflow does not contain permissions
* Potential fix for code scanning alert no. 4: Workflow does not contain permissions
* Potential fix for code scanning alert: Workflow does not contain permissions
* Never write the app_id to the server config
* Disable passwordless Fido by default
* Stop using deprecated `users` crate
* When group membership lookup fails, use cached groups
* aad-tool command for enumerating users and groups
* Name-Based Group Matching in `pam_allow_groups` Leads to Potential Security Bypass
* Add the configure-pam option to aad-tool man page
* Add static idmap cache for on-prem to cloud migration
* Update bug_report.md with request for himmelblau.conf
* deps(rust): bump the all-cargo-updates group with 2 updates
* Update crates in a group
* Update crate bumps
* Utilize new Intune compliance enforcement via libhimmelblau
* Correct the README regarding Intune policy compliance
* Disable Chromium policy
* Re-enable Intune policy and add scripts and compliance policies
* himmelblau.conf alias `domain` as `domains`
* Support Fido auth in pam passwd
* Add TAP support to himmelblaud and pam passwd
* Mixed case names should properly identify Hello Key
* Update linux-entra-sso to latest version
* Fix group lookup for Entra Id group name
* Fix mixed case name lookup from PRT cache
* Crate updates
* Fix tasks daemon debug output
* Remove write locks where unnecessary
* Fix deadlock in nss
* systemd notify fixes
* Console
* Address Feedback
* Order services before gdb/nss-user-target
* deps(rust): bump rpassword from 7.3.1 to 7.4.0
* deps(rust): bump tokio from 1.44.2 to 1.45.0
* deps(rust): bump sha2 from 0.10.8 to 0.10.9
* deps(rust): bump systemd-journal-logger from 2.2.0 to 2.2.2
* deps(rust): bump clap from 4.5.31 to 4.5.38
* Update notify-debouncer-full
* Update opentelemetry
* Update dependencies
* deps(rust): bump time from 0.3.39 to 0.3.41
* Replace source filter that blacklists files with filter that whitelists files.
* Mark himmelblau.conf as config in rpm
* Update README.md
* Ensure only the base URL is printed to log
* If unix_user_get fails, wait, and try again
* Supplying a PRT cookie to SSO doesn't require network
* Don't send a password prompt if the network is down
* Auth via MFA if Hello PIN fails 3 times
* Improve Hello PIN failed auth error
* Fix rocky9 build
* deps(rust): bump anyhow from 1.0.96 to 1.0.98
* deps(rust): bump libc from 0.2.170 to 0.2.172
* deps(rust): bump cc from 1.2.16 to 1.2.19
* deps(rust): bump tokio from 1.43.0 to 1.44.2
* deps(rust): bump openssl from 0.10.71 to 0.10.72 in the cargo group
* deps(rust): bump reqwest from 0.12.12 to 0.12.15
* Update libhimmelblau in Cargo.lock
* Fix nss and offline checks for domain aliases
* Report error when MS Authenticator denies authorization
* Bail out of invalid offline auth
* Handle AADSTS errors from BeginAuth response
* Never dump failed reqwests to the log
* Update sccache-action version to use new cache service
* Permit daemon to start when network is down
* Add an nss cache for when daemon is down
* Additional pam info cues
* Proceed with Hello auth even with net down
* Indicate to the user what the password and PIN are
* Ensure pam messages are seen
* Display the minimum PIN length during Hello setup
* PAM should loop, not die on error
* Ensure prompt msg remains for confirmation
* Update bug_report.md
* Ignore demands for setting up MS Authenticator
* Login fails if Entra is configured to recommend MS authenticator
* Add pam configure command to aad-tool
* Update README.md with pam passwd instructions
* aad-tool authtest needs to map names
* Update demo video in README.md
* Sign RPM packages
* Ensure the pam module is installed correctly for SLE
* Improve pam error handling and messaging
* Only push cachix builds for stable releases
* Terminate linux-entra-sso when browser terminates
* On deb, push pam config after install
* Increase priority of deb PAM passwd for Himmelblau
* Improve offline state handling
* Specify request for Entra Id password in PAM
* QR Greeter also supports gnome-shell 47
* Fix profile photo loading
* Clarify pam_allow_groups in himmelblau.conf man page
* Don't hide debug for pam_allow_groups miss
* Handle failures in passwordless auth
* build all root packages
* split config options that can be defined per-domain from those which are global only
* configure cachix signing and upload in ci
* deps(rust): bump serde_json from 1.0.138 to 1.0.140
* deps(rust): bump serde from 1.0.218 to 1.0.219
* deps(rust): bump time from 0.3.37 to 0.3.39
* deps(rust): bump bytes from 1.10.0 to 1.10.1
* deps(rust): bump pkg-config from 0.3.31 to 0.3.32
* Entra Id is case insensitive, cache lookup must match
* deps(rust): bump ring from 0.17.9 to 0.17.13 in the cargo group
* Support CompanionAppsNotification mfa method
* QR code for gnome-shell greeter
* Allow tasks to start if AccountsService dir missing
* Remove invalid python dependency from sso package
* Fixes https://github.com/himmelblau-idm/himmelblau/issues/397
* Clear server config when clearing cache
* Update version in the Cargo.lock
* deps(rust): bump async-trait from 0.1.86 to 0.1.87
* deps(rust): bump chrono from 0.4.39 to 0.4.40
* Fix himmelblau.conf man page cn_name_mapping entry
* deps(rust): bump pem from 3.0.4 to 3.0.5
* deps(rust): bump serde from 1.0.217 to 1.0.218
Version 1.0.0:
* deps(rust): bump cc from 1.2.15 to 1.2.16
* Update workflow versions
Tenable has extracted the preceding description block directly from the SUSE security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected packages.
Plugin Details
File Name: suse_SU-openFU-2026-20453-1.nasl
Agent: unix
Supported Sensors: Nessus Agent, Continuous Assessment, Nessus
Risk Information
Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Threat Vector: CVSS:4.0/E:P
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
Vulnerability Information
CPE: cpe:/o:novell:suse_linux:16
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Ease: Exploits are available
Patch Publication Date: 4/1/2026
Vulnerability Publication Date: 8/7/2025