File _patchinfo of Package patchinfo.37968

<patchinfo incident="37968">
  <issue tracker="cve" id="2025-22869"/>
  <issue tracker="cve" id="2025-22870"/>
  <issue tracker="bnc" id="1239322">VUL-0: CVE-2025-22869: TRACKERBUG: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh</issue>
  <issue tracker="bnc" id="1238611">VUL-0: CVE-2025-22870: TRACKERBUG: golang.org/net/http, golang.org/x/net/proxy, golang.org/x/net/http/httpproxy: proxy bypass using IPv6 zone IDs</issue>
  <issue tracker="bnc" id="1226654">[warewulf] With multiple Ether Devs available Dev Names may be mangled potentially making Network inaccessible</issue>
  <packager>eeich</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for warewulf4</summary>
  <description>This update for warewulf4 fixes the following issues:

warewulf4 was updated from version 4.5.8 to 4.6.0:

- Security issues fixed for version 4.6.0:

  * CVE-2025-22869: Fixed Denial of Service vulnerability in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239322)
  * CVE-2025-22870: Fixed proxy bypass using IPv6 zone IDs (bsc#1238611)

- User visible changes:

  * Default values `nodes.conf`:
    
    + The default values for `kernel command line`, `init parameters` and `root` are now set in the `default` profile
      and this profile should be included in every profile.
      During the installation of an update an upgrade is done to `nodes.conf` which updates the database accordingly.

  * Overlay split up:

    + The overlays `wwinit` and `runtime` are now split up into different overlays named according to their role.
      The upgrade process will update the node database and replace the overlays `wwinit` and `runtime` with a list
      of overlays with the same role.

  * Site and distribution overlays:

    + The overlays in `/var/lib/warewulf/overlays` should not be changed by the user any more. 
      Site specific overlays are now sorted under `/etc/warewulf/overlays`.
      On upgrade, changed overlays are stored with the `rpmsave` suffix and moved to
      `/etc/warewulf/overlays/$OVERLAYNAME`.
 
- Other changes and bugs fixed:

  * Fixed udev issue with assigning device names (bsc#1226654)
  * Implemented new package `warewulf-reference-doc` with the reference documentation for Warewulf 4 as PDF
  * The configuration files nodes.conf and warewulf.conf will be updated on upgrade and the unmodified configuration
    files will be saved as nodes.conf.4.5.x and warewulf.conf.4.5.x

- Summary of upstream changes:

  * New configuration upgrade system
  * Changes to the default profile
  * Renamed containers to (node) images
  * New kernel management system
  * Parallel overlay builds
  * Sprig functions in overlay templates
  * Improved network overlays
  * Nested profiles
  * Arbitrary "resources" data in nodes.conf
  * NFS client configuration in nodes.conf
  * Emphatically optional syncuser
  * Improved network boot observability
  * Particularly significant changes, especially those affecting the user interface, 
    are described in the release notes:

    + https://warewulf.org/docs/v4.6.x/release/v4.6.0.html
  
</description>
</patchinfo>