
SUSE alert openSUSE-SU-2026:0150-1 (flannel)

From:  maintenance@opensuse.org
To:  security-announce@lists.opensuse.org
Subject:  openSUSE-SU-2026:0150-1: important: Security update for flannel
Date:  Fri, 24 Apr 2026 00:05:24 +0200
Message-ID:  <20260423220524.32111F79C@maintenance.suse.de>

openSUSE Security Update: Security update for flannel
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2026:0150-1
Rating:             important
References:         #1260847 #1260853
Cross-References:   CVE-2026-33343 CVE-2026-33413
CVSS scores:
                    CVE-2026-33343 (SUSE): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
                    CVE-2026-33413 (SUSE): 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Affected Products:
                    openSUSE Backports SLE-15-SP6
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for flannel fixes the following issues:

- Update to version 0.28.4:
  * fix go version (don't set patch version) (#2428)
  * Bump flannel-cni-plugin to v1.9.1-flannel1 (#2427)
  * Bump the other-go-modules group across 1 directory with 3 updates (#2425)
  * Bump the tencent group with 2 updates (#2417)
  * Bump the etcd group with 4 updates (#2398), includes fix for CVE-2026-33413 (boo#1260853) and CVE-2026-33343 (boo#1260847)
  * Bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.43.0 (#2420)
  * Bump go to 1.25 (#2424)
  * Bump actions/upload-pages-artifact from 4.0.0 to 5.0.0
  * Bump docker/build-push-action from 7.0.0 to 7.1.0
  * Bump docker/login-action from 4.0.0 to 4.1.0
  * Verify the kubectl sha256sum
  * Secure makefile (#2414)
  * Improve the security of Dockerfile
  * Bump github/codeql-action from 4.34.1 to 4.35.1 (#2409)
  * Bump actions/deploy-pages from 4.0.5 to 5.0.0
  * lease: only print BackendData when json.Marshal succeeds
  * vxlan: delete v6 direct route with correct Route struct
  * fix: honor --stderrthreshold flag when --logtostderr is enabled
  * Bump actions/configure-pages from 5.0.0 to 6.0.0
  * Bump actions/setup-go from 6.3.0 to 6.4.0
  * don't use unquoted shell vars in extensions backend example
  * Don't use shell invocations in extensions backend.
  * Bump google.golang.org/grpc from 1.71.1 to 1.79.3
  * Bump ossf/scorecard-action from 2.4.1 to 2.4.3
  * Bump actions/upload-artifact from 4.6.1 to 7.0.0
  * Bump docker/metadata-action from 5.10.0 to 6.0.0
  * Bump actions/checkout from 4.2.2 to 6.0.2
  * Bump docker/setup-buildx-action from 3.12.0 to 4.0.0
  * Bump aquasecurity/trivy-action from 0.33.1 to 0.35.0
  * Bump docker/setup-qemu-action from 3.7.0 to 4.0.0
  * [StepSecurity] Apply security best practices
  * Bump actions/attest-build-provenance from 3.2.0 to 4.1.0
  * Fix logic in AddBlackholeV4Route and AddBlackholeV6Route to correctly check for existing routes
  * Added check for nftables before checking br_netfilter module
  * Bump golang.org/x/crypto from 0.36.0 to 0.45.0
  * Bump k8s deps to v0.32.10
  * Bump golang-ci-lint to v2.7.2
  * Bump golangci/golangci-lint-action from 6.1.1 to 9.2.0
  * Additional check on podCIDR
  * ip: improve primary address selection to account for address flags
  * Added TAG to fix bin version

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP6:

  zypper in -t patch openSUSE-2026-150=1

Package List:

- openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64):

  flannel-0.28.4-bp156.4.6.1

- openSUSE Backports SLE-15-SP6 (noarch):

  flannel-k8s-yaml-0.28.4-bp156.4.6.1

References:

https://www.suse.com/security/cve/CVE-2026-33343.html
https://www.suse.com/security/cve/CVE-2026-33413.html
https://bugzilla.suse.com/1260847
https://bugzilla.suse.com/1260853

