SUSE alert openSUSE-SU-2026:0100-1 (v2ray-core)
| From: | maintenance@opensuse.org | |
| To: | security-announce@lists.opensuse.org | |
| Subject: | openSUSE-SU-2026:0100-1: important: Security update for v2ray-core | |
| Date: | Fri, 27 Mar 2026 15:04:46 +0100 | |
| Message-ID: | <20260327140446.454E0FD12@maintenance.suse.de> | |
| Archive-link: | Article |
openSUSE Security Update: Security update for v2ray-core ______________________________________________________________________________ Announcement ID: openSUSE-SU-2026:0100-1 Rating: important References: #1251404 #1260329 Cross-References: CVE-2025-47911 CVE-2026-33186 CVSS scores: CVE-2025-47911 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2026-33186 (SUSE): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N Affected Products: openSUSE Backports SLE-15-SP6 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for v2ray-core fixes the following issues: - Update version to 5.47.0 * Add sticky choice option for leastping * Add support for enrollment links in tlsmirror * Add Wireguard Outbound (unreleased) * Add sticky choice option for leastping * Generalize IP address parsing in TUN stack options * Fix bugs - CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 :path pseudo-header (boo#1260329) - Update version to 5.44.1 * uTLS: bundled library updated to v1.8.2 for Chrome120 imitation profile identification * Update golang toolchain to v1.25.6, which fixed an vulnerable (tls.Config).Clone function * Fix bugs - Update version to 5.42.0 * Add TLSMirror bootstrap enrollment and self enrollment feature * TLSMirror Inverse Role Request Tripper Enrollment Server Support - CVE-2025-47911: v2ray-core: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents (boo#1251404) * Update golang.org/x/net to 0.45.0 in vendor - Update version to 5.38.0 * TLSMirror Connection Enrollment System * Add TLSMirror Sequence Watermarking * LSMirror developer preview protocol is now a part of mainline V2Ray * proxy dns with NOTIMP error * Add TLSMirror looks like TLS censorship resistant transport protocol as a developer preview transport * proxy dns with NOTIMP error * fix false success from SOCKS server when Dispatch() fails * HTTP inbound: Directly forward plain HTTP 1xx response header * add a option to override domain used to query https record * Fix bugs * Update vendor Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP6: zypper in -t patch openSUSE-2026-100=1 Package List: - openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64): v2ray-core-5.47.0-bp156.2.6.1 - openSUSE Backports SLE-15-SP6 (noarch): golang-github-v2fly-v2ray-core-5.47.0-bp156.2.6.1 References: https://www.suse.com/security/cve/CVE-2025-47911.html https://www.suse.com/security/cve/CVE-2026-33186.html https://bugzilla.suse.com/1251404 https://bugzilla.suse.com/1260329