openSUSE Security Update: Security update for cadvisor ______________________________________________________________________________ Announcement ID: openSUSE-SU-2025:0103-1 Rating: moderate References: #1222192 #1239291 Cross-References: CVE-2022-27664 CVE-2025-22868 CVSS scores: CVE-2022-27664 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-22868 (SUSE): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Affected Products: openSUSE Backports SLE-15-SP6 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for cadvisor fixes the following issues: - update to 0.52.1: * Make resctrl optional/pluggable - update to 0.52.0: * bump containerd related deps: api v1.8.0; errdefs v1.0.0; ttrpc v1.2.6 * chore: Update Prometheus libraries * bump runc to v1.2.4 * Add Pressure Stall Information Metrics * Switch to opencontainers/cgroups repository (includes update from golang 1.22 to 1.24) * Bump to newer opencontainers/image-spec @ v1.1.1 - update to 0.49.2: * Cp fix test * Revert "reduce_logs_for_kubelet_use_crio" - CVE-2025-22868: golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2 (boo#1239291) - Update to version 0.49.1: * build docker - add --provenance=false flag * Remove s390x support * Disable libipmctl in build * Ugrade base image to 1.22 and alpine 3.18 * fix type of C.malloc in cgo * Bump runc to v1.1.12 * Bump to bullseye * Remove section about canary image * Add note about WebUI auth * Remove mentions of accelerator from the docs * reduce_logs_for_kubelet_use_crio * upgrade actions/checkout and actions/setup-go and actions/upload-artifact * build(deps): bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /cmd * add cadvisor and crio upstream changes * Avoid using container/podman in manager.go * container: skip checking for files in non-existent directories. * Adjust the log level of Initialize Plugins * add ignored device * fix: variable naming * build(deps): bump golang.org/x/net from 0.10.0 to 0.17.0 in /cmd * manager: require higher verbosity level for container info misses * Information should be logged on increased verbosity only * Running do mod tidy * Running go mod tidy * Running go mod tidy * container/libcontainer: Improve limits file parsing perf * container/libcontainer: Add limit parsing benchmark * build(deps): bump github.com/cyphar/filepath-securejoin in /cmd * build(deps): bump github.com/cyphar/filepath-securejoin * Set verbosity after flag definition * fix: error message typo * vendor: bump runc to 1.1.9 * Switch to use busybox from registry.k8s.io * Bump golang ci lint to v1.54.1 * Bump github.com/docker/docker in /cmd * Bump github.com/docker/docker * Bump github.com/docker/distribution in /cmd * Bump github.com/docker/distribution * Update genproto dependency to isolated submodule * remove the check for the existence of NFS files, which will cause unnecessary requests. * reduce inotify watch * fix performance degradation of NFS * fix: fix type issue * fix: fix cgo memory leak * ft: export memory kernel usage * sysinfo: Ignore "hidden" sysfs device entries * Increasing required verbosity level * Patch to fix issue 2341 * podman support: Enable Podman support. * podman support: Create Podman handler. * podman support: Changes in Docker handler. * unit test: machine_swap_bytes * Add documentation for machine_swap_bytes metric * Add a machine_swap_bytes metric * fix: add space trimming for label allowlist * Upgrade to blang/semver/v4 v4.0.0 * docs(deploy/k8s): remote build for kustomize * Update dependencies * Change filepaths to detect online CPUs * Update actions/checkout to v3 * Fix flags typo * Updating location of kubernetes/pause image * Using t.TempDir() in tests * Unit test: MachineInfo Clone() method * Bugfix: MachineInfo Clone() - clone SwapCapacity * Optimize network metrics collection * Removing calls to deprecates io/ioutil package * Updating minimum Go version to 1.19 * Request the pid of another container if current pid is not longer valid * Restructure * Add CRI-O client timeout setting * Set containerd grpc.MaxCallRecvMsgSize to 16MB * Fix asset build * feat(logging): add verbosity to non-NUMA node warning * add nerdctl to ignoredDevices * nvm: Change the "no NVM devices" log. * nvm: Fix typo. * Fix CVE-2022-27664 (#3248) * resctrl: Reduce size and mode files check (#3264) * readme: Update Creatone contributor info. (#3265) * Fix comment to refer to correct client * build: bump golang to 1.20 * ci: Update golang ci-lint to v1.51.2 * build: Update shebang to python3 * Revert "dockerfile: Fix typo in go build tags." * Decreasing verbosity level for "Cannot read vendor id correctly, set empty" * dockerfile: Fix typo in go build tags. * deps: Move from cloud.google.com/go/compute -> cloud.google.com/go * use memory.min for reservation memory instead of high * Mark GOPATH as git safe.directory to fix CI build * switch to gomodule/redigo from garyburd/redigo * update go.mod/sum both in root and cmd/ * Drop accelerator metrics and nvidia integration * Add s390x support for docker image * typo in MachineInfo spec for SwapCapacity * add support for swap in machine/info Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP6: zypper in -t patch openSUSE-2025-103=1 Package List: - openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64): cadvisor-0.52.1-bp156.3.3.1 References: https://www.suse.com/security/cve/CVE-2022-27664.html https://www.suse.com/security/cve/CVE-2025-22868.html https://bugzilla.suse.com/1222192 https://bugzilla.suse.com/1239291