openSUSE 16 Security Update : build, product-composer (openSUSE-SU-2026:20676-1)

medium Nessus Plugin ID 313694

Synopsis

The remote openSUSE host is missing a security update.

Description

The remote openSUSE 16 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2026:20676-1 advisory.

Changes in build:

- Support a new IgnoreRebuild config.

- build-recipe-kiwi:

* Add support for oci containers
* Avoid needlessly compressing container images
* Detect container images based on build result file name

- Fix queryrecipe to use the summary and the description from the main package

- config: Add slfo-main build configuration
- drop the inner quotes, not needed on bash 4 and breaks on bash 3
- build: in the ccache case, after test -e also accept -L

- container:

* Add microdnf package manager support
* Add experimental support for the container-timestamp build option

- sbom:

* allow to create v1 intoto data
* spdx: connect OPERATING-SYSTEM package to the root package
* Transfer product vcs and disturl

- Support --cms-nocerts and --cms-keyid in the signdummy
- Support chroot builds inside of containers
- runservice tool, allow to specify the modes. Can be used on plain git source now also
- Support --mtime option for cpio creation
- generate_sbom:

* Support also unzck compressed repomd files
* Fail when given --product directory is missing
* support zstd compressed repomd data

- build-vm-lxc: support lxc >= 5
- vc: Hide an annoying error message when not using NIS

- added leap-16.0 and leap-16.1 build configs.
(not named sl16.0 anymore, but using same string as the git branch)

- Implement cmssign support in signdummy
- pbuild: mark git assets with a fixed commit as immutable
- mkosi
* check if old parameters are supported before passing them
* support old bash version
- Do not crash on small files that start with the PE magic

- Harden export_debian_orig_from_git (CVE-2024-22038, boo#1230469)

Changes in product-composer:

update to version 0.9.6:

* Speed-up reading of rpm headers
* Flush output lines to get correct timestamps in OBS

update to version 0.9.5:

* Be a bit more verbose to track used times per step in OBS
* Fix a crash when doing version compare with an epoch

update to version 0.9.4:

* Give an error when trying to add updateinfo meta data without all binary revisions.
* Hand over vcs and disturl data to generate_sbom.
(We require a recent build package therefore)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1230469

https://www.suse.com/security/cve/CVE-2024-22038

Plugin Details

Severity: Medium

ID: 313694

File Name: openSUSE-2026-20676-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 5/10/2026

Updated: 5/10/2026

Supported Sensors: Continuous Assessment, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:C/A:C

CVSS Score Source: CVE-2024-22038

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.4

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.8

Threat Score: 4.4

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

CPE: cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:build-initvm-powerpc64le, p-cpe:/a:novell:opensuse:build, p-cpe:/a:novell:opensuse:build-initvm-x86_64, p-cpe:/a:novell:opensuse:build-initvm-aarch64, p-cpe:/a:novell:opensuse:build-mkdrpms, p-cpe:/a:novell:opensuse:product-composer, p-cpe:/a:novell:opensuse:build-mkbaselibs, p-cpe:/a:novell:opensuse:build-initvm-s390x

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 5/5/2026

Vulnerability Publication Date: 11/28/2024

Reference Information

CVE: CVE-2024-22038