Synopsis
The remote openSUSE host is missing one or more security updates.
Description
The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20730-1 advisory.
Changes in apptainer:
- Fix CVE-2026-34986 (bsc#1262956)
* github.com/go-jose/go-jose/[email protected] CVE-2026-33186 GO-2026-4762 (bsc#1260311)
* google.golang.org/[email protected] CVE-2026-24137 GO-2026-4358 (bsc#1264177)
* github.com/sigstore/[email protected] Fix fallout:
github.com/moby/[email protected] github.com/containers/image/v5=github.com/containers/image/[email protected]
- Fix HTML parser misimplementation of a part of the HTML specification for table related tags (CVE-2025-58190, GO-2026-4441, bsc#1258048).
- Fix issue where the HTML parser takes a very long time or even never returns (CVE-2025-47911, GO-2026-4440, bsc#1258047).
- Update to 1.4.5
* Fix for moderate severity GO-2025-4176 / CVE-2025-65105 / GHSA-j3rw-fx6g-q46j (bsc#1255462):
Ineffective application of selinux / apparmor --security option.
Updates of a few dependent go libraries for related security fixes.
* Other fix: Run FUSE processes in a separate process group. This detaches them from the main process so they don't receive signals such as interrupts sent to a terminal there. This was not a problem with interactive shells because they start their own group, but was a problem with some programs with interactive Read/Eval/Print/Loops such as python. An interrupt there would kill the FUSE processes.
- From 1.4.4
* By applying patches to the bundled fuse2fs, allow again the possibility of using a non-writable ext3 image file as an overlay. Fixes regression introduced in 1.4.3.
* If an overlay or bound data image is asked to be mounted writable but the user has no write access to the image, show a warning message instead of silently switching to readonly.
* Avoid a fatal error when starting fakeroot from suid mode while in an NFS directory.
* Fix 32-bit builds which were accidentally broken by a library upgrade that was done for a minor security issue.
- Fix CVEs:
* GO-2025-4135 - CVE-2025-47914 Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent.
* GO-2025-4134 - CVE-2025-58181 - bsc#1253924 Unbounded memory consumption in golang.org/x/crypto/ssh.
* GO-2025-4116 - CVE-2025-47913 Potential denial of service in golang.org/x/crypto/ssh/agent.
* GO-2025-3595 - CVE-2025-22872 Incorrect Neutralization of Input During Web Page Generation in x/net.
* GO-2025-3503 - CVE-2025-22870 HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net.
* GO-2025-3487 - CVE-2025-22869 Potential denial of service in golang.org/x/crypto.
* GO-2025-3485 - CVE-2025-27144 DoS in go-jose Parsing in github.com/go-jose/go-jose.
* GO-2025-3754 - CVE-2025-8556 CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl.
- No need for binutils-gold for aarch64
- Update to 1.4.3
* Corrected the mconfig -s option for statically building apptainer and starter binaries.
* Resolved an issue where the Makefile generated by mconfig -b failed when the build directory was not a subdirectory of the Apptainer source code.
* Fixed %files in definition files to correctly copy symlinks pointing above the destination directory but within the destination stage root filesystem.
* Addressed a typo in nvliblist.conf (libnvoptix.so.1 was corrected to libnvoptix.so).
* Prevented timeouts during cleanup after building gocryptfs-encrypted SIF files.
* Fixed a bug that prevented build with --passphrase or --pem-path (without --encrypt) from implying fakeroot.
* Resolved a hang when copying files between build stages while using suid mode without user namespaces.
* Fixed issues with running and building containers of different architectures than the host via binfmt_misc when using rootless fakeroot.
* Corrected `target: no such file or directory` errors when extracting layers from certain OCI images that manipulate hard links across layers.
* Fixed a crash when executing a privilege-encrypted container as root.
* Improved documentation for the remote list command.
* Removed the fakerootcallback functionality.
* Updated the default pacman confURL for Bootstrap: arch container builds.
* Updated bundled fuse programs to their latest releases.
* Changed the default message level from silent to normal in nested apptainer executions of a build's %post section, and suppressed an unnecessary warning.
* Invalid environment variables are now ignored when pulling oci/docker containers.
- Add definition file for SLE 16 (SLE-16.def).
- Remove definition files for SLE15 SP5 (SLE-15SP5.def) and SP6 (SLE-15SP6.def).
- Update to 1.4.2
* Restore looking for registry mirrors in /etc/containers/registry.conf and related files. This had been inadvertently dropped beginning in 1.4.0.
* Fix use of the image cache when the home directory contains @ characters. Previously it would assume that it was the start of a digest in the oci-dir.
* Fix signature verification failures on unsigned images.
* Add additional .deb packages to the release assets that include the label trixie+ to indicate that they are for installing on Debian 13 or later.
Those packages are necessary to work with the new libfuse3 library in Debian 13. They also support libsubid, unlike the default packages, because those are built on Debian 11, which doesn't have that library.
* Add automatic triggering of Ubuntu PPA builds whenever there's a new apptainer release.
- Update to 1.4.1
* Fix the use of libsubid which had been broken by the revision applied in 1.4.0-rc.2.
* Fix a bug introduced in 1.4.0 that caused arm64 to be mis-converted to arm64v8 and resulted in a failure when pulling OCI containers.
* Fix user database lookup in master process preventing instance from starting correctly on systems using winbind.
* Check for existence of `/run/systemd/system` when verifying cgroups can be used via systemd manager.
* Add a clear error message if someone tries to use privileged network options while not using setuid mode.
* Allow multi-arch oci-archive files that have a nested index with the manifest. This is the default format (both for Docker and OCI) when using `nerdctl save`.
* Test if docker-archive is actually an oci-archive (since Docker version 25), and if it is oci then use the OCI parser to avoid bugs in the Docker parser. Save the docker-daemon references to a temporary docker-archive, to benefit from the same improvements also for those references. Parse as oci-archive.
- New features & functionality inherited from 1.4.0
* Add new build option `--mksquashfs-args` to pass additional arguments to the `mksquashfs` command when building SIF files.
If a compression method other than gzip is selected, the SIF file might not work with older installations of Apptainer or Singularity, so an INFO message about that is printed. On the other hand, an INFO message that was printed (twice) when running an image with non-gzip compression has been removed.
* If the `mksquashfs` version is new enough (version 4.6 in Leap 16.0), then show a percentage progress bar (with ETA) during SIF creation in the default log level. If the `mksquashfs` version is older, then in verbose or debug log level show the output of mksquashfs with its own progress bar.
* Statistics are now normally available for instances that are started by non-root users on cgroups v2 systems. The instance will be started in the current cgroup. Information about configuration issues that prevent collection of statistics is displayed as INFO messages by default.
* Add a `--sandbox` option to `apptainer pull`.
* Add configuration file binding to the `--nv` option. Files that are recognized in the NVIDIA Container Toolkit, including files for EGL ICD, were added to the default `nvliblist.conf`.
* It is now possible to use multiple environment variable files using the `--env-file` flag. Files can be specified as a comma-separated list or by using the flag multiple times.
Variables defined in later files take precedence over earlier files.
* The registry login and registry logout commands now support a `--authfile <path>` option, which causes OCI credentials to be written to / removed from a custom file located at `<path>` instead of the default location (`$HOME/.apptainer/docker-config.json`).
The commands `pull`, `push`, `run`, `exec`, `shell` and instance start can now also be passed a `--authfile <path>` option, to read OCI registry credentials from this custom file.
* A new `--netns-path` option takes a path to a network namespace to join when starting a container. The root user may join any network namespace. An unprivileged user can only join a network namespace specified in the new `allow netns paths` directive in `apptainer.conf`, if they are also listed in `allow net users` / `allow net groups` and apptainer is installed with setuid privileges. Not supported with `--fakeroot`.
* `apptainer.conf` now accepts setting the following options:
`allow ipc ns` -- Default value is `yes`; when set to `no`, it will disable the use of the `--ipc` flag.
`allow uts ns` -- Default value is `yes`; when set to `no`, it will invalidate the use of the `--uts` and `--hostname` flags.
`allow user ns` -- Default value is `yes`; when set to `no`, it will disable creation of user namespaces. Note that this will prevent execution of containers with the `--userns` or `--fakeroot` flags and with unprivileged installations of Apptainer.
- Changed defaults / behaviours
* Label the starter process seen in `ps` with the image filename, for example: Apptainer runtime parent: `example.sif`.
* Remove runtime and compute libraries from `rocmliblist.conf`.
They should instead be provided by the container image.
* Allow overriding the build architecture with `--arch` and `--arch-variant`, to build images for another architecture than the current host arch. This requires that the host has been set up to support multiple architectures (`binfmt_misc`).
* Complete the previously partial support for the riscv64 architecture.
* Show a warning message if changing directory to the cwd fails, instead of silently switching to the home directory or `/`.
* Write starter messages to stderr when an instance fails to start. Previously they were incorrectly written to stdout.
* Skip attempting to bind inaccessible mount points when handling the `mount hostfs = yes` configuration option.
* Fix storage of credentials for `docker.io` to behave the same as for `index.docker.io`.
* Change message log level from warning to debug when environment variables set inside a container or by `APPTAINERENV` have a different value than the environment variable on the host.
* Change the default message level from silent to the normal level in the nested apptainer that executes a build's `%post` section, and suppress an unnecessary warning message.
* Ignore invalid environment variables when pulling oci/docker containers.
* Remove the little-known `fakerootcallback` functionality.
* Update the default pacman confURL for `Bootstrap: arch` container builds.
* Update the bundled fuse programs to their latest releases.
- Bug fixes
* Fix the `mconfig -s` option to build the apptainer and starter binaries statically as documented.
* `%files from` in a definition file will now correctly copy symlinks that point to a target above the destination directory but inside the destination stage root filesystem.
* Fixed typo in `nvliblist.conf` (`libnvoptix.so.1` -> `libnvoptix.so`).
* Avoid timeouts when cleaning up from building gocryptfs-encrypted SIF files.
* Fix bug that prevented build with `--passphrase` or `--pem-path` but without `--encrypt` from implying fakeroot.
* Fix hang when copying files between build stages while using suid mode without user namespaces.
* Fix running and building containers of different architectures than the host via binfmt_misc when using rootless fakeroot.
* Fix `target: no such file or directory` error when extracting layers from certain OCI images that manipulate hard links across layers.
* Fix the crash that happened when executing a privilege-encrypted container as root.
- Fix CVE-2024-45338, CVE-2025-22870, CVE-2024-45337, CVE-2025-22869, CVE-2025-27144, CVE-2024-41110
* GO-2024-3333 CVE-2024-45338 (bsc#1234794) GO-2025-3503 CVE-2025-22870 (bsc#1238611):
Update to: golang.org/x/[email protected]
* GO-2024-3321 CVE-2024-45337 (bsc#1234595) GO-2025-3487 CVE-2025-22869 (bsc#1239341):
Update to: golang.org/x/[email protected]
* GO-2025-3485 CVE-2025-27144 (bsc#1237679):
Update to: github.com/go-jose/go-jose/[email protected]
* GO-2024-3005 CVE-2024-41110 (bsc#1228324):
Update to: github.com/docker/[email protected]+incompatible
- Update golang.org/x/net to v0.23 to fix CVE-2023-45288 (bnc#1236528).
- Update to version 1.3.6
* Avoid using kernel overlayfs when the lower layer is a sandbox on an incompatible filesystem type such as GPFS or Lustre.
For those cases use fuse-overlayfs instead. This fixes a regression introduced in 1.3.0. The regression didn't much impact Lustre because kernel overlayfs refused to try to use it and Apptainer proceeded to use fuse-overlayfs anyway, but with GPFS the kernel overlayfs allowed mounting but returned stale file handle errors.
- Version 1.3.5
* Fix a regression introduced in 1.3.4 that overwrote existing standard `/.singularity.d` files such as `runscript` in container images even if they had been modified.
* Skip attempting to bind inaccessible mount points when handling the `mount hostfs = yes` configuration option.
* Support parsing nested variables defined inside `%arguments` section of definition files.
* Ignore invalid environment variables when pulling oci/docker containers.
- Version 1.3.4
* Fixed sif-embedded overlay partitions for containers that are larger than 2 gigabytes.
* Fixed the failure when starting apptainer with `instance --fakeroot`.
* `apptainer build -B ...` can now be used to mount custom resolv.conf and hosts files from non-standard outside locations.
This can be used to run `apptainer build` in a nix-build sandbox that has no `/etc/resolv.conf`.
* Fixed failing builds from local images that have symbolic links for paths that are part of the base container environment (e.g. /var/tmp -> /tmp).
* Show info messages suggesting to use `enable underlay = preferred` or the `--underlay` flag when overlay is implied for bind mounts but the kernel is too old to support fuse mounts in user namespaces and so tries to use fusermount.
* When someone uses a `yum` bootstrap to build a container without using subuid-based fakeroot or root, warn that it is unlikely to work.
* Allow a writable `--overlay` to be used with `--nvccli` instead of `--writable-tmpfs`.
* If an error `no descriptor found for reference` is seen while getting an oci container, retry the operation up to five times.
* Make fakeroot Recommended for SUSE rpms instead of Required.
* Allow bind mounts onto existing files on r/o NFS filesystems.
* If an error is seen in the %post section when building a container using fakeroot mode 3 (with the fakeroot command) then show a message suggesting using `--ignore-fakeroot-command` and referring to the documentation about how to install and use it inside the container definition file.
* Show a more helpful error message when using fakeroot in suid mode and there's an `/etc/subuid` mapping even though user namespaces are not available (user namespaces are required for `/etc/subuid` mapping).
- Version 1.3.3
* Added libcudadebugger.so to nvliblist.conf to support cuda-gdb in CUDA 12+.
* Ensure opened/kept file descriptors in stage 1 are not closed during the Go garbage collection to avoid bad file descriptor errors at startup.
* Fixed a segmentation violation issue when running Apptainer checkpoint.
* Fixed an issue where Apptainer wouldn't read default docker credentials.
- Version 1.3.2
* Fix for [CVE-2024-3727](https://bugzilla.suse.com/show_bug.cgi?id=1224114) in a dependent library which describes a flaw that can allow attackers to trigger unexpected authenticated registry accesses due to object digest values not being validated in all cases.
* Fixed the issue when nesting `apptainer instance start` inside a container on cgroups-v2 capable host.
* Fixed the issue that oras download progress bar gets stuck when downloading large images.
- Version 1.3.1
* Make 'apptainer build' work with signed Docker containers.
* Fixed regression introduced in 1.3.0 that prevented closing cryptsetup and the corresponding loop device after running an encrypted sif container file in suid mode.
* Stopped binding over the default timezone in the container with the host's timezone, which led to unexpected behavior if the application changed timezones.
* Added progress bars for `oras://` push and pull.
* Hide `Instance stats will not be available` message under `--sharens` mode.
* Fix problem where credentials locally stored with `registry login` command were not usable in some execution flows. Run `registry login` again with latest version to ensure credentials are stored correctly.
* Make runscript timeout configurable.
* Return invalid bind path mount options during bind path parsing.
* Make the INFO message more helpful when a running background process at exit time causes a FUSE mount to not shut down cleanly.
* Fixed the wrong mediaType in the oras push manifest.
- Add Apptainer definition template for SLE15-SP7.
- Make sure the build is reproducible by setting the GNU build ID to one derived from the Go one. See https://pkg.go.dev/cmd/link.
- Use go-jose version with fix for CVE-2024-28180 (bsc#1235211).
Tenable has extracted the preceding description block directly from the SUSE security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected apptainer, apptainer-leap, apptainer-sle15_7 and / or apptainer-sle16 packages.
Plugin Details
File Name: openSUSE-2026-20730-1.nasl
Agent: unix
Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Continuous Assessment, Nessus
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Threat Vector: CVSS:4.0/E:P
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Vulnerability Information
CPE: cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:apptainer, p-cpe:/a:novell:opensuse:apptainer-sle16, p-cpe:/a:novell:opensuse:apptainer-sle15_7, p-cpe:/a:novell:opensuse:apptainer-leap
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Ease: Exploits are available
Patch Publication Date: 5/14/2026
Vulnerability Publication Date: 3/7/2024
Reference Information
CVE: CVE-2023-45288, CVE-2024-28180, CVE-2024-3727, CVE-2024-41110, CVE-2024-45337, CVE-2024-45338, CVE-2025-22869, CVE-2025-22870, CVE-2025-22872, CVE-2025-27144, CVE-2025-47911, CVE-2025-47913, CVE-2025-47914, CVE-2025-58181, CVE-2025-58190, CVE-2025-65105, CVE-2025-8556, CVE-2026-24137, CVE-2026-33186, CVE-2026-34986