SUSE-SU-2026:0592-1
Vulnerability Summary
Description
Security update for vexctl

This update for vexctl fixes the following issues:

- Update to version 0.4.1+git78.f951e3a:
  - CVE-2025-22868: Unexpected memory consumption during token parsing in golang.org/x/oauth2. (bsc#1239186)
  - CVE-2024-45337: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto. (bsc#1234486)
  - CVE-2025-27144: Go JOSE's Parsing Vulnerable to Denial of Service. (bsc#1237611)
  - CVE-2025-22870: proxy bypass using IPv6 zone IDs. (bsc#1238683)
  - CVE-2025-22869: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh. (bsc#1239323)
  - CVE-2025-30204: jwt-go allows excessive memory allocation during header parsing. (bsc#1240444)
  - CVE-2025-58181: invalidated number of mechanisms can cause unbounded memory consumption. (bsc#1253802)
  - CVE-2026-22772: MetaIssuer URL validation bypass can trigger SSRF to arbitrary internal services. (bsc#1256535)
  - CVE-2026-24137: legacy TUF client allows for arbitrary file writes with target cache path traversal. (bsc#1257138)
Affected Systems
- opensuse vexctl (distro: openSUSE Leap 15.6): versions < 0.4.1+git78.f951e3a-150000.1.11.1
References (19)
- https://www.suse.com/support/update/announcement/2026/suse-su-20260592-1/
- https://bugzilla.suse.com/1234486
- https://bugzilla.suse.com/1237611
- https://bugzilla.suse.com/1238683
- https://bugzilla.suse.com/1239186
- https://bugzilla.suse.com/1239323
- https://bugzilla.suse.com/1240444
- https://bugzilla.suse.com/1253802
- https://bugzilla.suse.com/1256535
- https://bugzilla.suse.com/1257138
- https://www.suse.com/security/cve/CVE-2024-45337
- https://www.suse.com/security/cve/CVE-2025-22868
- https://www.suse.com/security/cve/CVE-2025-22869
- https://www.suse.com/security/cve/CVE-2025-22870
- https://www.suse.com/security/cve/CVE-2025-27144
- https://www.suse.com/security/cve/CVE-2025-30204
- https://www.suse.com/security/cve/CVE-2025-58181
- https://www.suse.com/security/cve/CVE-2026-22772
- https://www.suse.com/security/cve/CVE-2026-24137