Synopsis
The remote openSUSE host is missing one or more security updates.
Description
The remote openSUSE 16 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:21251-1 advisory.
Update to version 1.17.0.
Security issues fixed:
- CVE-2026-25680: golang.org/x/net/html: parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service (bsc#1267185).
- CVE-2026-25681: golang.org/x/net/html: parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree and allows for XSS (bsc#1267185).
- CVE-2026-27136: golang.org/x/net/html: parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree and allows for XSS (bsc#1267185).
- CVE-2026-33532: yaml: parsing input with deeply nestes collections may throw a `RangeError` due to a stack overflow and cause to a denial of service (bsc#1260981).
- CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only Punycode-encoded labels allows for validation bypass and privilege escalation (bsc#1266654).
- CVE-2026-39827: golang.org/x/crypto/ssh: authenticated SSH clients that repeatedly open channels which were rejected by the server can cause unbounded memory growth and a crash (bsc#1266196).
- CVE-2026-39828: golang.org/x/crypto/ssh: permissions discarded when an SSH server authentication callback returns `PartialSuccessError` with non-`nil` permissions (bsc#1266196).
- CVE-2026-39829: golang.org/x/crypto/ssh: unenforced size limits on key parameters by the the RSA and DSA public key parsers can lead to excessive CPU consumption when processing a crafted public key (bsc#1266196).
- CVE-2026-39830: golang.org/x/crypto/ssh: malicious SSH peers sending unsolicited global request responses can block a connection's read loop and cause a resource leak (bsc#1266196).
- CVE-2026-39831: golang.org/x/crypto/ssh: missing `User Presence` flag checks in the `Verify()` method for FIDO/U2F security key types cause signatures generated without physical touch to be accepted (bsc#1266196).
- CVE-2026-39832: golang.org/x/crypto/ssh: destination restrictions are silently stripped when forwarding keys and allow for unrestricted use of a key on a remote host (bsc#1266196).
- CVE-2026-39833: golang.org/x/crypto/ssh: in-memory keyring returned by `NewKeyring()` silently accepts keys with the `ConfirmBeforeUse` constraint but never enforces it (bsc#1266196).
- CVE-2026-39834: golang.org/x/crypto/ssh: writing data larger than 4GB in a single `Write` call on an SSH channel leads to an integer overflow and an infinite loop that sends empty packets (bsc#1266196).
- CVE-2026-39835: golang.org/x/crypto/ssh: processing of certificates by SSH servers using `CertChecker` as a public key callback without setting `IsUserAuthority` or `IsHostAuthority` can lead to a panic (bsc#1266196).
- CVE-2026-41889: github.com/jackc/pgx/v5/internal/sanitize: use placeholders in dollar-quoted string literals in an SQL query can lead to a SQL injection (bsc#1265440).
- CVE-2026-42502: golang.org/x/net/html: parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree and allows for XSS (bsc#1267185).
- CVE-2026-42506: golang.org/x/net/html: parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree and allows for XSS (bsc#1267185).
- CVE-2026-42508: golang.org/x/crypto/ssh: revoked `SignatureKey`s belonging to a CA are not correctly checked for revocation (bsc#1266196).
- CVE-2026-44740: github.com/go-git/go-billy/v5: improper input handling in many components can lead to DoS via infinite loops, panics or resource consumption (bsc#1267333).
- CVE-2026-45678: go.opentelemetry.io/obi: Postgres BIND parsing can lead to a panic when malformed payloads are processed (bsc#1267481).
- CVE-2026-45682: go.opentelemetry.io/obi: keys not deleted by `CappedConcurrentHashMap` after removals allows repeated connection churn to grow the queue without bound and exhaust heap memory (bsc#1267485).
- CVE-2026-45685: go.opentelemetry.io/obi: MongoDB TCP parser panics on malformed wire messages and causes a DoS (bsc#1267488).
- CVE-2026-45686: go.opentelemetry.io/obi: integer overflow in memcached text protocol parser can crash the OBI process and cause denial of service (bsc#1267489).
- CVE-2026-46595: golang.org/x/crypto/ssh: source-address validation is skipped if any other type of callback is passed other than public key (bsc#1266196).
- CVE-2026-46597: golang.org/x/crypto/ssh: incorrectly placed cast from bytes to int in the AES-GCM packet decoder when processing specially crafted input can lead to for server-side panic (bsc#1266196).
- CVE-2026-46598: golang.org/x/crypto/ssh: `ed25519.PrivateKey` created by casting malformed wire bytes due to processing of certain crafted inputs can lead to panic when used (bsc#1266196).
Other updates and bugfixes:
- Version 1.17.0:
* Features
* Add GraphQL server and `gql` subcommand.
* `otelcol`: Add Nginx receiver.
* `otelcol.exporter.prometheus`: Convert classic histograms to NHCB.
* `database_observability`: Various enhancements for MySQL and Postgres.
* `faro.receiver`: Support gzip-compressed request bodies.
* Update to Beyla 3.9.8.
* Bug Fixes
* security: Update `x/crypto`, `x/net`, `jackc/pgx/v5`, and `obi`.
* cluster: Fix nodes failing to join the cluster with TLS enabled.
* `loki.process`: Fix potential deadlocks and limit stage shutdown.
* Update Go to v1.26.4.
- Version 1.16.3:
* cluster: Fix nodes failing to join the cluster when TLS is enabled.
- Version 1.16.2:
* `loki.process`: No longer mutate rules in `stage.truncate` causing every config update to reload pipeline when this stage is used.
* `loki.process`: Potential deadlock on update with stage and receiver changes.
* `otelcol.exporter.awss3`: Add missing `unique_key_func_name` attribute.
- Remove dependency on vulnerable `yaml` library.
Tenable has extracted the preceding description block directly from the SUSE security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected alloy package.
Plugin Details
File Name: openSUSE-2026-21251-1.nasl
Agent: unix
Supported Sensors: Continuous Assessment, Nessus Agent, Nessus
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Threat Vector: CVSS:4.0/E:P
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Vulnerability Information
CPE: cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:alloy
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Ease: Exploits are available
Patch Publication Date: 7/7/2026
Vulnerability Publication Date: 3/25/2026
Reference Information
CVE: CVE-2026-25680, CVE-2026-25681, CVE-2026-27136, CVE-2026-33532, CVE-2026-39821, CVE-2026-39827, CVE-2026-39828, CVE-2026-39829, CVE-2026-39830, CVE-2026-39831, CVE-2026-39832, CVE-2026-39833, CVE-2026-39834, CVE-2026-39835, CVE-2026-41889, CVE-2026-42502, CVE-2026-42506, CVE-2026-42508, CVE-2026-44740, CVE-2026-45678, CVE-2026-45682, CVE-2026-45685, CVE-2026-45686, CVE-2026-46595, CVE-2026-46597, CVE-2026-46598