openSUSE 16 Security Update : alloy (openSUSE-SU-2026:21251-1)

low Nessus Plugin ID 326022

Synopsis

The remote openSUSE host is missing one or more security updates.

Description

The remote openSUSE 16 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:21251-1 advisory.

Update to version 1.17.0.

Security issues fixed:

- CVE-2026-25680: golang.org/x/net/html: parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service (bsc#1267185).
- CVE-2026-25681: golang.org/x/net/html: parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree and allows for XSS (bsc#1267185).
- CVE-2026-27136: golang.org/x/net/html: parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree and allows for XSS (bsc#1267185).
- CVE-2026-33532: yaml: parsing input with deeply nestes collections may throw a `RangeError` due to a stack overflow and cause to a denial of service (bsc#1260981).
- CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only Punycode-encoded labels allows for validation bypass and privilege escalation (bsc#1266654).
- CVE-2026-39827: golang.org/x/crypto/ssh: authenticated SSH clients that repeatedly open channels which were rejected by the server can cause unbounded memory growth and a crash (bsc#1266196).
- CVE-2026-39828: golang.org/x/crypto/ssh: permissions discarded when an SSH server authentication callback returns `PartialSuccessError` with non-`nil` permissions (bsc#1266196).
- CVE-2026-39829: golang.org/x/crypto/ssh: unenforced size limits on key parameters by the the RSA and DSA public key parsers can lead to excessive CPU consumption when processing a crafted public key (bsc#1266196).
- CVE-2026-39830: golang.org/x/crypto/ssh: malicious SSH peers sending unsolicited global request responses can block a connection's read loop and cause a resource leak (bsc#1266196).
- CVE-2026-39831: golang.org/x/crypto/ssh: missing `User Presence` flag checks in the `Verify()` method for FIDO/U2F security key types cause signatures generated without physical touch to be accepted (bsc#1266196).
- CVE-2026-39832: golang.org/x/crypto/ssh: destination restrictions are silently stripped when forwarding keys and allow for unrestricted use of a key on a remote host (bsc#1266196).
- CVE-2026-39833: golang.org/x/crypto/ssh: in-memory keyring returned by `NewKeyring()` silently accepts keys with the `ConfirmBeforeUse` constraint but never enforces it (bsc#1266196).
- CVE-2026-39834: golang.org/x/crypto/ssh: writing data larger than 4GB in a single `Write` call on an SSH channel leads to an integer overflow and an infinite loop that sends empty packets (bsc#1266196).
- CVE-2026-39835: golang.org/x/crypto/ssh: processing of certificates by SSH servers using `CertChecker` as a public key callback without setting `IsUserAuthority` or `IsHostAuthority` can lead to a panic (bsc#1266196).
- CVE-2026-41889: github.com/jackc/pgx/v5/internal/sanitize: use placeholders in dollar-quoted string literals in an SQL query can lead to a SQL injection (bsc#1265440).
- CVE-2026-42502: golang.org/x/net/html: parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree and allows for XSS (bsc#1267185).
- CVE-2026-42506: golang.org/x/net/html: parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree and allows for XSS (bsc#1267185).
- CVE-2026-42508: golang.org/x/crypto/ssh: revoked `SignatureKey`s belonging to a CA are not correctly checked for revocation (bsc#1266196).
- CVE-2026-44740: github.com/go-git/go-billy/v5: improper input handling in many components can lead to DoS via infinite loops, panics or resource consumption (bsc#1267333).
- CVE-2026-45678: go.opentelemetry.io/obi: Postgres BIND parsing can lead to a panic when malformed payloads are processed (bsc#1267481).
- CVE-2026-45682: go.opentelemetry.io/obi: keys not deleted by `CappedConcurrentHashMap` after removals allows repeated connection churn to grow the queue without bound and exhaust heap memory (bsc#1267485).
- CVE-2026-45685: go.opentelemetry.io/obi: MongoDB TCP parser panics on malformed wire messages and causes a DoS (bsc#1267488).
- CVE-2026-45686: go.opentelemetry.io/obi: integer overflow in memcached text protocol parser can crash the OBI process and cause denial of service (bsc#1267489).
- CVE-2026-46595: golang.org/x/crypto/ssh: source-address validation is skipped if any other type of callback is passed other than public key (bsc#1266196).
- CVE-2026-46597: golang.org/x/crypto/ssh: incorrectly placed cast from bytes to int in the AES-GCM packet decoder when processing specially crafted input can lead to for server-side panic (bsc#1266196).
- CVE-2026-46598: golang.org/x/crypto/ssh: `ed25519.PrivateKey` created by casting malformed wire bytes due to processing of certain crafted inputs can lead to panic when used (bsc#1266196).

Other updates and bugfixes:

- Version 1.17.0:
* Features
* Add GraphQL server and `gql` subcommand.
* `otelcol`: Add Nginx receiver.
* `otelcol.exporter.prometheus`: Convert classic histograms to NHCB.
* `database_observability`: Various enhancements for MySQL and Postgres.
* `faro.receiver`: Support gzip-compressed request bodies.
* Update to Beyla 3.9.8.
* Bug Fixes
* security: Update `x/crypto`, `x/net`, `jackc/pgx/v5`, and `obi`.
* cluster: Fix nodes failing to join the cluster with TLS enabled.
* `loki.process`: Fix potential deadlocks and limit stage shutdown.
* Update Go to v1.26.4.
- Version 1.16.3:
* cluster: Fix nodes failing to join the cluster when TLS is enabled.
- Version 1.16.2:
* `loki.process`: No longer mutate rules in `stage.truncate` causing every config update to reload pipeline when this stage is used.
* `loki.process`: Potential deadlock on update with stage and receiver changes.
* `otelcol.exporter.awss3`: Add missing `unique_key_func_name` attribute.
- Remove dependency on vulnerable `yaml` library.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected alloy package.

See Also

https://bugzilla.suse.com/1260981

https://bugzilla.suse.com/1265440

https://bugzilla.suse.com/1266196

https://bugzilla.suse.com/1266654

https://bugzilla.suse.com/1267185

https://bugzilla.suse.com/1267333

https://bugzilla.suse.com/1267481

https://bugzilla.suse.com/1267485

https://bugzilla.suse.com/1267488

https://bugzilla.suse.com/1267489

https://www.suse.com/security/cve/CVE-2026-25680

https://www.suse.com/security/cve/CVE-2026-25681

https://www.suse.com/security/cve/CVE-2026-27136

https://www.suse.com/security/cve/CVE-2026-33532

https://www.suse.com/security/cve/CVE-2026-39821

https://www.suse.com/security/cve/CVE-2026-39827

https://www.suse.com/security/cve/CVE-2026-39828

https://www.suse.com/security/cve/CVE-2026-39829

https://www.suse.com/security/cve/CVE-2026-39830

https://www.suse.com/security/cve/CVE-2026-39831

https://www.suse.com/security/cve/CVE-2026-39832

https://www.suse.com/security/cve/CVE-2026-39833

https://www.suse.com/security/cve/CVE-2026-39834

https://www.suse.com/security/cve/CVE-2026-39835

https://www.suse.com/security/cve/CVE-2026-41889

https://www.suse.com/security/cve/CVE-2026-42502

https://www.suse.com/security/cve/CVE-2026-42506

https://www.suse.com/security/cve/CVE-2026-42508

https://www.suse.com/security/cve/CVE-2026-44740

https://www.suse.com/security/cve/CVE-2026-45678

https://www.suse.com/security/cve/CVE-2026-45682

https://www.suse.com/security/cve/CVE-2026-45685

https://www.suse.com/security/cve/CVE-2026-45686

https://www.suse.com/security/cve/CVE-2026-46595

https://www.suse.com/security/cve/CVE-2026-46597

https://www.suse.com/security/cve/CVE-2026-46598

Plugin Details

Severity: Low

ID: 326022

File Name: openSUSE-2026-21251-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 7/9/2026

Updated: 7/9/2026

Supported Sensors: Continuous Assessment, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 58.03

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-41889

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Low

Base Score: 2.3

Threat Score: 1.3

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

CPE: cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:alloy

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/7/2026

Vulnerability Publication Date: 3/25/2026

Reference Information

CVE: CVE-2026-25680, CVE-2026-25681, CVE-2026-27136, CVE-2026-33532, CVE-2026-39821, CVE-2026-39827, CVE-2026-39828, CVE-2026-39829, CVE-2026-39830, CVE-2026-39831, CVE-2026-39832, CVE-2026-39833, CVE-2026-39834, CVE-2026-39835, CVE-2026-41889, CVE-2026-42502, CVE-2026-42506, CVE-2026-42508, CVE-2026-44740, CVE-2026-45678, CVE-2026-45682, CVE-2026-45685, CVE-2026-45686, CVE-2026-46595, CVE-2026-46597, CVE-2026-46598