Synopsis
The remote SUSE host is missing one or more security updates.
Description
The remote SUSE Linux SLES15 / SLES_SAP15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2466-1 advisory.
This update for azure-storage-azcopy fixes the following issues:
Update to 10.32.4:
- CVE-2025-47907: database/sql: incorrect results returned from Rows.Scan (bsc#1247720).
- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 :path pseudo-header (bsc#1260307).
- CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1265841).
- CVE-2026-34986: github.com/go-jose/go-jose/v4: crafted JWE input with a missing encrypted key can lead to a denial of service (bsc#1262962).
- CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only Punycode-encoded labels allows for validation bypass and privilege escalation (bsc#1266657).
Changes:
* Remove 32-bit Windows ARM7 build
* Cover other open CVEs (bsc#1266657, CVE-2026-39821)
* Update otel sdk
* Update packages and add patch version
* Update version.go
* Error formatting
* Add test to validate changes
* Update Changelog
* Alter intentional panics to return errors
* Correct issues re: MSRC case #110341
* Update offending packages
* cloud.google.com/go/storage v1.45.0 -> v1.50.0
* Golang 1.24.13 -> 1.25.8
* Golangci-lint v1.64.8 -> v2.11.3
* Fixed a regression where the folder tracker would panic with pre-existing folders and --overwrite=ifSourceNewer. (#3403)
* Fixed a regression where cancellation was not working via stdin (#3373)
* Fixed a regression where we hit segfaults from logging to a nil logger in the process checker. (#3384)
* Fixed a race condition panic from concurrent access to a shared metadata resource by introducing thread safety. (#3341)
* Fixed a bug where --posix-properties-style was not being chained through the copy flow correctly. (#3401)
* Fixed a regression where using --list-of-files and --include-pattern in tandem no longer worked. (#3389)
* Golang 1.24.11 -> 1.24.13
* Added support for AMLFS style posix metadata. (#3317)
* Fixed a bug where hdi_isfolder metadata key would sometimes not be sent in all lowercase, resulting in unexpected behavior on the service side when fetching properties. (#3312)
* Fixed a typo in the benchmark command, to allow the --put-md5 flag to work. (#3324)
* Fixed a bug where network errors would not be retried on. (#3338)
* Fixed a bug where unexpected requests would be logged in syslog. (#3339)
* Fixed a bug where pre-existing folders would be recreated. (#3295)
* Updated README to clarify supported source-destination pairs and authorization mechanisms. (#3213)
* Updated format of wiki generated docs to improve readability. (#3311)
* AzCopy download URLs starting with https://azcopyvnext-awgzd8g7aagqhzhe.b02.azurefd.net/ are no longer supported.
* Fixed a bug where throughput was not being displayed for copy and resume. (#3271)
* Fixed a bug where S3 and GCP transfers would panic. (#3273)
* Refactored copy, sync, resume, login, logout, login status business logic into the azcopy package.
* Golang 1.24.4 -> 1.24.11
* golang.org/x/crypto 0.40.0 -> 0.45.0
* Azure Files SMB -> Azure Files NFS transfers.
* Symlink support for Azure Files NFS shares.
* Introduced support for symbolic links in Azure Files NFS shares.
* Symlinks can be preserved, skipped, or followed based on command-line flags.
* Added a --check-version flag to make version checking an opt-in feature. (#3173)
* --include-root flag now allows customers to preserve root properties when used in conjunction with --preserve-XXXX flags. (#3163)
* Golang 1.24.4 -> 1.24.6 (#3154)
* Fixed a bug to retry on various network errors. (#3237) (#3252) (bsc#1266311)
* Fixed a bug where remove would not work on paths with encoded characters. (#2977)
* Fixed a bug where jobs resume would not produce any output for previously failed jobs. (#3103)
* Fixed a bug where FileBlob transfers with EntraID on the source would pass the wrong service version. (#3242)
* Fixed a bug to retry on WSAETIMEDOUT on Windows. (#3195)
* Fixed a bug with the folder creation tracker which caused folder creation calls to happen more often than necessary. (#3151)
* Fixed a bug to redact x-ams-credential from logs. (#3206)
* Fixed a bug where powershell login would fail with older versions of Az.Accounts. (#3191)
* Fixed a bug where symlink direct targets would be handled as a file instead of a symlink. (#3222)
* Refactored traverser related code into its own package. (#3251)
* Refactored OAuth token manager access to use a client-based pattern instead of global singleton access. (#3260)
* Removed unused code related to credential management. (#3260)
* Refactored Lifecycle UI code into the cmd package (#3262).
* Error handling code is now injected into JobMgr, or appropriately bubbled upwards instead of using global LCM error handling. (#3262)
* AzCopy no longer checks version by default. (#3173)
* Fixed --exclude-path flag not available in remove operations. (#3165) (#3159)
* Fixed regression where AzCopy was not honoring concurrency value in copy operations (#3192)
* Fixed the incorrect JSON output format of the warning message when there are multiple AzCopy processes running. (#3188) (#3182)
* Fixed latest_version.txt being wrongly created in the user's current directory. (#3179) (#3176)
* Fixed AzCopy crashing during sync operation from a nil pointer deref in the destination authentication policy. (#3186) (#3109) (#3156) (#3175)
* Golang 1.24.2 -> 1.24.6 (CVE-2025-47907) (#3154)
* For transfers involving Azure Files (NFS or SMB), AzCopy will not auto create file shares.
* AzCopy binaries and latest version information will now be distributed from Github releases instead of the static website. (#3014)
* Azure Files NFS Support via REST.
* Added support to retry on copy source error code and status code for service to service copies. (#3105)
* Added support for service to service copies from Azure Files to Blob Storage using EntraID. (#3053)
* Fixed a bug where copying a file that has already been deleted with --trailing-dot=Disable resulted in the wrong error instead of a 404. (#3092)
* Removed the warning message when failing to create a container. This message can be misleading when there are insufficient permissions to create a container and the container already exists. (#3045)
* Improved the error message returned when block size is larger than bandwidth limit. (#3051)
* Warn user if transfer is going to exceed 10M objects. (#3111)
* Warn user if multiple AzCopy processes are running. (#3128)
* Golang 1.24.2 -> 1.24.4 (#3085)
* Azure Files NFS Support via REST API
Tenable has extracted the preceding description block directly from the SUSE security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected azure-storage-azcopy package.
Plugin Details
File Name: suse_SU-2026-2466-1.nasl
Agent: unix
Supported Sensors: Nessus Agent, Continuous Assessment, Nessus
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:novell:suse_linux:azure-storage-azcopy, cpe:/o:novell:suse_linux:15
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Ease: Exploits are available
Patch Publication Date: 6/19/2026
Vulnerability Publication Date: 8/7/2025