openSUSE 16 Security Update : trivy (openSUSE-SU-2026:20956-1)

Severity: High. Nessus Plugin ID 321461

Synopsis

The remote openSUSE host is missing one or more security updates.

Description

The remote openSUSE 16 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20956-1 advisory.

This update for trivy fixes the following issues:

- CVE-2026-25680, CVE-2026-25681, CVE-2026-27136, CVE-2026-42502, CVE-2026-42506: golang.org/x/net/html: multiple issues when parsing HTML files (bsc#1267047).
- CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1265648).
- CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only Punycode-encoded labels allows for validation bypass and privilege escalation (bsc#1266495).
- CVE-2026-39827: memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh (bsc#1266075).
- CVE-2026-39828: bypass of certificate restrictions in golang.org/x/crypto/ssh (bsc#1266075).
- CVE-2026-39829: pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh (bsc#1266075).
- CVE-2026-39830: a client can cause a server deadlock on unexpected responses in golang.org/x/crypto/ssh (bsc#1266075).
- CVE-2026-39831: bypass of the physical-interaction requirement of FIDO/U2F security keys in golang.org/x/crypto/ssh (bsc#1266075).
- CVE-2026-39832: agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent (bsc#1266075).
- CVE-2026-39833: key constraints not enforced in golang.org/x/crypto/ssh/agent (bsc#1266075).
- CVE-2026-39834: infinite loop on large channel writes in golang.org/x/crypto/ssh (bsc#1266075).
- CVE-2026-39835: server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh (bsc#1266075).
- CVE-2026-42508: auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts (bsc#1266075).
- CVE-2026-46595: VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh (bsc#1266075).
- CVE-2026-46597: byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh (bsc#1266075).
- CVE-2026-46598: pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent (bsc#1266075).
- CVE-2026-44740: github.com/go-git/go-billy/v5: improper input handling in many components can lead to DoS via infinite loops, panics or resource consumption (bsc#1267268).

Changes for trivy:

- Update to version 0.71.0 (bsc#1267268, CVE-2026-44740):
* release: v0.71.0 [main] (#10638)
* ci: use only the first line of commit message in release-please workflow (#10766)
* feat: add WithDriver and WithProvider options to ospkg detector (#10740)
* chore(deps): bump github.com/google/go-containerregistry to v0.21.6 (#10741)
* refactor(secret): normalize configPath once in Init (#10702)
* feat(secret): add Maven rules to detect passwords and passphrases in settings.xml and settings-security.xml files (#10704)
* chore(deps): bump the common group across 1 directory with 25 updates (#10758)
* chore: migrate from gomodguard to gomodguard_v2 (#10739)
* chore(deps): bump the docker group across 1 directory with 2 updates (#10709)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.302.0 to 1.303.0 in the aws group (#10752)
* ci: scope GitHub App tokens to minimum required permissions (#10755)
* chore(deps): upgrade go-redis from v8 to v9 (#10736)
* fix(misconf): fix rendering of nested values in terraform plan lists (#10746)
* fix(misconf): skip resources with no after changes (#10352)
* fix(misconf): reject nil plays during playbook parsing (#10273)
* fix(nodejs): silently skip subdirectory package.json files with invalid names (#10609)
* fix(misconf): skip null cty values in AsMapValue to prevent panic (#10723)
* refactor(misconf): replace custom Helm archive parsing with Helm SDK loaders (#10718)
* chore(deps): bump github.com/containerd/containerd/v2 to v2.3.1 (#10738)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.19.0 to 5.19.1 (#10686)
* fix(report): don't produce trailing comma in gitlab.tpl links array (#10728)
* fix(cloudformation): propagate AWS::EC2::Instance MetadataOptions (#10731)
* chore(deps): upgrade github.com/cenkalti/backoff dependency to v5 (#10705)
* chore: bump golangci-lint to v2.12 (#10726)
* feat(spdx): add SHA-512 hash algorithm support to SPDX serializer (#10719)
* feat(sbom): support for CycloneDX 1.7 (#10715)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.300.0 to 1.302.0 in the aws group (#10708)
* chore: migrate from helm.sh/helm/v3 to helm.sh/helm/v4 (#10678)
* fix(image): correctly reconstruct RUN instructions built without BuildKit (#10714)
* feat(java): support <mirrors> from settings.xml (#10692)
* fix(java): surface 429 from a remote Maven repository as a fatal error when scanning pom.xml files (#10693)
* chore: bump go to 1.26.3 (#10683)
* fix(nodejs): handle legacy license formats in npm lockfile parser (#10684)
* fix(secret): correctly skip secret-scanner config file from scanning (#10666)
* feat(ubuntu): detect Ubuntu 26.04 LTS (#10592)
* refactor(nodejs): deduplicate license traversal across package managers (#10681)
* fix: overwrite OS packages PURLs after overwrite OS (#10298)
* feat(secret): add Azure secret detection rules (#10562)
* fix(misconf): prevent path traversal in Terraform filesystem functions (#10664)
* feat(secret): add a way to customize skipped folders, files and exts (#10550)
* ci: migrate PAT tokens to GitHub App (#10628)
* chore(deps): bump the aws group across 1 directory with 6 updates (#10598)
* chore(deps): bump the docker group across 1 directory with 3 updates (#10596)
* chore(deps): bump the github-actions group across 2 directories with 9 updates (#10608)
* chore(deps): bump github.com/in-toto/in-toto-golang from 0.10.0 to 0.11.0 (#10641)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0 (#10648)
* ci: migrate PAT tokens to GITHUB_TOKEN for reusable-release workflow (#10655)
* feat(seal): add vendor support for language file detection. (#10297)
* fix(misconf): make identifiers in ignore rules case-insensitive (#10375)
* fix: pull instead of clone when test repo already exists (#10636)
* docs: document how to disable check.trivy.dev connections (#10623)
* docs(misconf): fix typo in misconfiguration config (#10619)
* ci: remove secrets from run block (#10590)
* docs: fix typos (#10605)
* refactor(deps): replace archived go-homedir with os.UserHomeDir (#10484)
* chore(deps): Bump `go-ini` and fix the import path. (#10489)
* chore(deps): bump the github-actions group across 2 directories with 9 updates (#10495)
* chore(deps): bump github.com/aquasecurity/testdocker (#10543)
* docs: convert README demonstration videos to mp4 (#10419)
* chore(deps): upgrade vm scan dependency for bug fix (#10575)
* docs(nodejs): clarify package.json behavior in image scanning (#10572)
* chore(deps): replace xeipuuv/gojsonschema and invopop/jsonschema with google/jsonschema-go (#10528)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.17.2 to 5.18.0 (#10554)
* chore(deps): bump alpine to 3.23.4 (#10552)
* ci(helm): bump Trivy version to 0.70.0 for Trivy Helm Chart 0.22.0 (#10547)
- update x/net to v0.55.0 (bsc#1266495, CVE-2026-39821; bsc#1267047, CVE-2026-25680, CVE-2026-25681, CVE-2026-27136, CVE-2026-42502, CVE-2026-42506; bsc#1265648, CVE-2026-33814)
- update x/crypto to 0.52.0 (bsc#1266075, CVE-2026-39827, CVE-2026-39828, CVE-2026-39829, CVE-2026-39830, CVE-2026-39831, CVE-2026-39832, CVE-2026-39833, CVE-2026-39834, CVE-2026-39835, CVE-2026-42508, CVE-2026-46595, CVE-2026-46597, CVE-2026-46598)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected trivy package.
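Because the plugin relies on the package's self-reported version, a post-update check that looks at what was actually linked into the binary is useful. The following script is an added example, not part of the Nessus plugin or of the SUSE advisory: it parses the Go build information that `go version -m <binary>` prints (module path and version per `dep`/`mod` line) and compares the trivy, golang.org/x/net and golang.org/x/crypto versions against the fixed versions stated in the changelog (v0.71.0, v0.55.0, v0.52.0). The two `go version -m` outputs embedded below are constructed samples; the go-git v5.19.1 line is taken from the changelog, the pre-update versions are illustrative, and the `h1:` checksums the real tool prints are omitted.

```shell
#!/bin/sh
# Added example: verify that an installed trivy carries the fixed Go module
# versions named in openSUSE-SU-2026:20956-1 (not from the plugin or advisory).

# Constructed sample of `go version -m /usr/bin/trivy` for a patched build
# (same layout the Go toolchain prints; checksums omitted).
SAMPLE_GOVERSION='/usr/bin/trivy: go1.26.3
	path	github.com/aquasecurity/trivy/cmd/trivy
	mod	github.com/aquasecurity/trivy	v0.71.0
	dep	github.com/go-git/go-git/v5	v5.19.1
	dep	golang.org/x/crypto	v0.52.0
	dep	golang.org/x/net	v0.55.0'

# Constructed sample for a build from before the update; the older versions
# are illustrative and not taken from any real package.
VULN_GOVERSION='/usr/bin/trivy: go1.26.3
	path	github.com/aquasecurity/trivy/cmd/trivy
	mod	github.com/aquasecurity/trivy	v0.70.0
	dep	github.com/go-git/go-git/v5	v5.19.0
	dep	golang.org/x/crypto	v0.51.0
	dep	golang.org/x/net	v0.54.0'

# vers_cmp A B: print "ge" if Go module version A >= B, else "lt".
# A leading "v" is ignored; a pre-release or pseudo-version suffix
# ("-rc1", "-0.20260101000000-abcdef") sorts before the bare release,
# as in Go's semver ordering.
vers_cmp() {
    awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
        sub(/\+.*/, "", a); sub(/\+.*/, "", b)
        pa = (index(a, "-") > 0); sub(/-.*/, "", a)
        pb = (index(b, "-") > 0); sub(/-.*/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) { print "ge"; exit }
            if (xi < yi) { print "lt"; exit }
        }
        r = (pa && !pb) ? "lt" : "ge"
        print r
    }'
}

# dep_version MODULE: read `go version -m` output on stdin and print the
# version of MODULE (either the main "mod" line or a "dep" line).
dep_version() {
    awk -v mod="$1" '($1 == "dep" || $1 == "mod") && $2 == mod { print $3; exit }'
}

# check_dep INFO MODULE MIN: print ok / vulnerable / missing for one module.
check_dep() {
    have=$(printf '%s\n' "$1" | dep_version "$2")
    if [ -z "$have" ]; then
        echo missing
    elif [ "$(vers_cmp "$have" "$3")" = ge ]; then
        echo ok
    else
        echo vulnerable
    fi
}

# audit_trivy INFO: check every module the advisory names; exit status 1
# if any of them is older than the fixed version or absent from the build.
audit_trivy() {
    info="$1"; rc=0
    for pair in "github.com/aquasecurity/trivy v0.71.0" \
                "golang.org/x/net v0.55.0" \
                "golang.org/x/crypto v0.52.0"; do
        set -- $pair
        status=$(check_dep "$info" "$1" "$2")
        printf '%-32s want >= %-8s %s\n' "$1" "$2" "$status"
        [ "$status" = ok ] || rc=1
    done
    return $rc
}

# With no argument, audit the constructed sample. With a binary path as the
# argument (and a Go toolchain on the host), audit the real install.
if [ -n "${1:-}" ] && command -v go >/dev/null 2>&1; then
    audit_trivy "$(go version -m "$1")"
else
    audit_trivy "$SAMPLE_GOVERSION"
fi
```

After `zypper refresh && zypper update trivy`, run the script as `sh audit-trivy.sh "$(command -v trivy)"`; a non-zero exit means a listed module is still below the fixed version. On hosts without a Go toolchain, `rpm -q trivy` showing 0.71.0 or later is the package-level equivalent and is what the plugin itself keys on.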

See Also

https://bugzilla.suse.com/1265648

https://bugzilla.suse.com/1266075

https://bugzilla.suse.com/1266495

https://bugzilla.suse.com/1267047

https://bugzilla.suse.com/1267268

https://www.suse.com/security/cve/CVE-2026-25680

https://www.suse.com/security/cve/CVE-2026-25681

https://www.suse.com/security/cve/CVE-2026-27136

https://www.suse.com/security/cve/CVE-2026-33814

https://www.suse.com/security/cve/CVE-2026-39821

https://www.suse.com/security/cve/CVE-2026-39827

https://www.suse.com/security/cve/CVE-2026-39828

https://www.suse.com/security/cve/CVE-2026-39829

https://www.suse.com/security/cve/CVE-2026-39830

https://www.suse.com/security/cve/CVE-2026-39831

https://www.suse.com/security/cve/CVE-2026-39832

https://www.suse.com/security/cve/CVE-2026-39833

https://www.suse.com/security/cve/CVE-2026-39834

https://www.suse.com/security/cve/CVE-2026-39835

https://www.suse.com/security/cve/CVE-2026-42502

https://www.suse.com/security/cve/CVE-2026-42506

https://www.suse.com/security/cve/CVE-2026-42508

https://www.suse.com/security/cve/CVE-2026-44740

https://www.suse.com/security/cve/CVE-2026-46595

https://www.suse.com/security/cve/CVE-2026-46597

https://www.suse.com/security/cve/CVE-2026-46598

Plugin Details

Severity: High

ID: 321461

File Name: openSUSE-2026-20956-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 6/17/2026

Updated: 6/17/2026

Supported Sensors: Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-33814

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:trivy, cpe:/o:novell:opensuse:16.0

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 6/11/2026

Vulnerability Publication Date: 5/7/2026

Reference Information

CVE: CVE-2026-25680, CVE-2026-25681, CVE-2026-27136, CVE-2026-33814, CVE-2026-39821, CVE-2026-39827, CVE-2026-39828, CVE-2026-39829, CVE-2026-39830, CVE-2026-39831, CVE-2026-39832, CVE-2026-39833, CVE-2026-39834, CVE-2026-39835, CVE-2026-42502, CVE-2026-42506, CVE-2026-42508, CVE-2026-44740, CVE-2026-46595, CVE-2026-46597, CVE-2026-46598