
SUSE alert openSUSE-SU-2026:0163-1 (trivy)

From:  maintenance@opensuse.org
To:  security-announce@lists.opensuse.org
Subject:  openSUSE-SU-2026:0163-1: important: Security update for trivy
Date:  Mon, 04 May 2026 18:04:51 +0200
Message-ID:  <20260504160451.6E4FCFCE1@maintenance.suse.de>

openSUSE Security Update: Security update for trivy
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2026:0163-1
Rating:             important
References:         #1255366 #1258094 #1258513 #1260193 #1260971 #1261052
                    #1262389 #1262893
Cross-References:   CVE-2025-64702 CVE-2025-66564 CVE-2025-69725 CVE-2026-25934
                    CVE-2026-33186 CVE-2026-33747 CVE-2026-33748 CVE-2026-34986
                    CVE-2026-39984
CVSS scores:
  CVE-2025-64702 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
  CVE-2025-69725 (SUSE): 2.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N
  CVE-2026-25934 (SUSE): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
  CVE-2026-33186 (SUSE): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
  CVE-2026-33747 (SUSE): 8.6 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  CVE-2026-33748 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  CVE-2026-34986 (SUSE): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  CVE-2026-39984 (SUSE): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Products:
  openSUSE Backports SLE-15-SP7
______________________________________________________________________________

An update that fixes 9 vulnerabilities is now available.

Description:

This update for trivy fixes the following issues:

- Update to version 0.70.0 (boo#1260193, CVE-2026-33186, boo#1260971, CVE-2026-33747,
  boo#1261052, CVE-2026-33748, boo#1262389, CVE-2026-39984, boo#1262893, CVE-2026-34986):
  * release: v0.70.0 [main] (#10105)
  * chore(deps): bump go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0 (#10496)
  * chore(deps): bump github.com/sigstore/timestamp-authority/v2 from 2.0.3 to 2.0.6 (#10526)
  * chore(deps): bump the common group across 1 directory with 8 updates (#10540)
  * chore(deps): bump the docker group across 1 directory with 2 updates (#10538)
  * fix: use Development category for GoReleaser discussions (#10530)
  * chore(deps): bump testcontainers-go to v0.42.0 (#10531)
  * chore: update CODEOWNERS (#10529)
  * chore(deps): bump helm.sh/helm/v3 from 3.20.1 to 3.20.2 (#10511)
  * chore(deps): bump github.com/hashicorp/go-getter from 1.8.5 to 1.8.6 (#10510)
  * chore(deps): bump github.com/moby/buildkit from 0.27.1 to 0.28.1 (#10449)
  * ci: migrate from mkdocs-material-insiders to mkdocs-material (#10509)
  * chore: remove aquasecurity/homebrew-trivy tap from GoReleaser (#10508)
  * ci: update runners for workflows that interact with GitHub API (#10502)
  * ci: rename tokens and update runners (#10500)
  * ci: trigger helm chart publishing via helm-charts workflow (#10474)
  * ci: remove ruleset update step from release-please workflow (#10499)
  * ci: use large runner and replace ORG_REPO_TOKEN in release-please workflow (#10498)
  * ci: trigger rpm/deb deployment via trivy-repo workflow (#10476)
  * fix: remove os.Stdout from wazero module config (#10403)
  * chore(deps): bump the common group across 1 directory with 22 updates (#10408)
  * chore(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.3 (#10407)
  * fix(flag): validate template file extension (#10296)
  * fix(sbom): preserve Red Hat BuildInfo when scanning SBOMs without layer info (#10378)
  * fix: handle Go 1.26 GOEXPERIMENT version format change (#10351)
  * fix(python): handle multiple version specifiers in requirements.txt (#10361)
  * ci: run Trivy version bump in trivy-action (#10272)
  * fix(python): nil pointer dereference with optional poetry groups without dependencies (#10359)
  * ci: replace personal email with github-actions[bot] in workflows (#10369)
  * chore: replace smithy epoch parsing with stdlib time.Unix (#10286)
  * test: update golden files for purl changes (#10372)
  * ci: add zizmor to scan GitHub Actions workflows (#10322)
  * refactor: log statuses as strings (#10285)
  * ci: add build provenance attestations for release artifacts (#10316)
  * fix(sbom): add NOASSERTION for licenseDeclared/licenseConcluded in SPDX non-library packages (#10368)
  * fix(report): set correct sarif ROOTPATH uri when scanning a git repository (#10366)
  * perf(plugin): optimize directory traversal by replacing filepath.Walk with filepath.WalkDir (#10325)
  * docs: correct typos in CHANGELOG and diagram (#10320)
  * chore: delete roadmap wf (#10295)
  * ci(helm): bump Trivy version to 0.69.3 for Trivy Helm Chart 0.21.3 (#10310)
  * fix(cyclonedx): include CVSS v4 vulnerability ratings (#10313)
  * fix: detected vulnerability fields in azure and mariner detector (#10275)
  * ci: add persist-credentials: false to checkout steps (#10306)
  * ci(helm): bump Trivy version to 0.69.2 for Trivy Helm Chart 0.21.2 (#10270)
  * chore(deps): bump the common group across 1 directory with 8 updates (#10248)
  * chore(deps): bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0 (#10257)
  * chore(deps): bump the aws group across 1 directory with 6 updates (#10249)
  * chore(deps): bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 (#10241)
  * ci: remove apidiff workflow (#10259)
  * chore(deps): bump github.com/docker/cli from 29.1.4+incompatible to 29.2.1+incompatible in the docker group across 1 directory (#10221)
  * ci: bump golangci-lint to v2.10 in cache-test-assets (#10243)
  * feat(java): add support for proxy configuration from Maven settings.xml (#10187)
  * chore(deps): bump the github-actions group across 3 directories with 11 updates (#10242)
  * feat(python): add pylock.toml support (#10137)
  * chore: bump SPDX license IDs and exceptions to `v3.28.0` (#10233)
  * docs: fix typos and upgrade insecure HTTP links to HTTPS (#10219)
  * chore: bump golangci-lint to v2.10.0 (#10223)
  * feat(misconf): support for azurerm_network_interface_security_group_association (#10215)
  * ci: pin Docker Engine to v29 for integration tests (#10232)
  * feat(go): detect version from ELF symbol table for binaries built with -trimpath (#10197)
  * docs: migrate private registry documentation from GCR to GAR (#10208)
  * chore(deps): bump the common group across 1 directory with 24 updates (#10206)
  * chore(deps): update Docker client SDK to v29 (#10202)
  * test: update Docker Engine integration tests for Docker API v0.29.0+ compatibility (#10199)
  * fix(misconf): initialize custom annotation field if empty (#10123)
  * feat(ubuntu): add eol data for 25.10 (#10181)
  * docs: fix incorrect count of Python package managers (#10175)
  * chore(deps): bump github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5 (#10179)
  * feat(misconf): resolve Azure resources via resource_id (#10173)
  * ci(helm): bump Trivy version to 0.69.1 for Trivy Helm Chart 0.21.1 (#10155)
  * refactor: remove unused Insecure field from ServiceOption (#10113)
  * refactor: reduce complexity of init in detect.go (#10163)
  * feat(misconf): adapt ARM k8s clusters (#9696) (#10125)
  * docs: update version endpoint example in client/server documentation (#10151)
  * feat(vuln): skip third-party packages in common Detect function (#10129)
  * ci: add composite action for Go setup (#10146)
  * fix(misconf): apply check aliases when filtering results via .trivyignore (#10112)
  * docs(terraform): add limitation for data sources and computed resource attributes (#10128)
  * fix: update PhotonOS feed URL (#10122)
  * feat(server): include server version info in JSON output for client/server mode (#10075)
  * chore(deps): bump to alpine:3.23.3 and go-1.25.6 to fix CVEs (#10107)
  * refactor: unify scanner error limit and compiler limit (#10106)
  * ci(helm): bump Trivy version to 0.69.0 for Trivy Helm Chart 0.21.0 (#10103)
  * fix(java): Disable overwriting exclusions (#10088)
  * refactor(rust): use txtar format for cargo analyzer test data (#10104)
  * feat(python): add pylock.toml (PEP 751) parser (#9632)
  * chore(deps): bump the aws group across 1 directory with 6 updates (#10068)
  * fix(server): exclude JavaDB and CheckBundle from /version endpoint (#10100)

- Update to version 0.69.3 (CVE-2026-25934, boo#1258094):
  * release: v0.69.3 [release/v0.69] (#10293)
  * fix(deps): bump github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5 [backport: release/v0.69] (#10291)
  * release: v0.69.2 [release/v0.69] (#10266)
  * fix(deps): bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0 [backport: release/v0.69] (#10267)
  * fix(deps): bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 [backport: release/v0.69] (#10264)
  * ci: remove apidiff workflow
  * release: v0.69.1 [release/v0.69] (#10145)
  * ci: add composite action for Go setup [backport: release/v0.69] (#10150)
  * fix(misconf): apply check aliases when filtering results via .trivyignore [backport: release/v0.69] (#10143)
  * chore(deps): bump to alpine:3.23.3 and go-1.25.6 to fix CVEs [backport: release/v0.69] (#10135)

- Update to version 0.69.0 (boo#1255366, CVE-2025-64702, boo#1258513, CVE-2025-69725):
  * release: v0.69.0 [main] (#9886)
  * chore: bump trivy-checks to v2 (#9875)
  * chore(deps): bump github.com/theupdateframework/go-tuf/v2 from 2.3.1 to 2.4.1 (#10091)
  * fix(repo): return a nil interface for gitAuth if missing (#10097)
  * fix(java): correctly inherit properties from parent fields for pom.xml files (#9111)
  * fix(rust): implement version inheritance for Cargo mono repos (#10011)
  * feat(activestate): add support ActiveState images (#10081)
  * feat(vex): support per-repo tls configuration (#10030)
  * refactor: allow per-request transport options override (#10083)
  * chore(deps): bump github.com/sigstore/rekor from 1.4.3 to 1.5.0 (#10084)
  * chore(deps): bump github.com/sigstore/sigstore from 1.10.3 to 1.10.4 (#10085)
  * fix(java): correctly propagate repositories from upper POMs to dependencies (#10077)
  * feat(rocky): enable modular package vulnerability detection (#10069)
  * chore(deps): bump github.com/theupdateframework/go-tuf/v2 from 2.3.0 to 2.3.1 (#10079)
  * docs: fix mistake in config file example for skip-dirs/skip-files flag (#10070)
  * feat(report): add Trivy version to JSON output (#10065)
  * fix(rust): add cargo workspace members glob support (#10032)
  * feat: add AnalyzedBy field to track which analyzer detected packages (#10059)
  * fix: use canonical SPDX license IDs from embedded licenses.json (#10053)
  * docs: fix link to Docker Image Specification (#10057)
  * feat(secret): add detection for Symfony default secret key (#9892)
  * refactor(misconf): move common logic to base value and simplify typed values (#9986)
  * fix(java): add hash of GAV+root pom file path for pkgID for packages from pom.xml files (#9880)
  * feat(misconf): use Terraform plan configuration to partially restore schema (#9623)
  * feat(misconf): add action block to Terraform schema (#10035)
  * fix(misconf): correct typos in block and attribute names (#9993)
  * test(misconf): simplify test values using *Test helpers (#9985)
  * fix(misconf): safely parse rotation_period in google_kms_crypto_key (#9980)
  * feat(misconf): support for ARM resources defined as an object (#9959)
  * feat(misconf): support for azurerm_*_web_app (#9944)
  * test: migrate private test helpers to `export_test.go` convention (#10043)
  * chore(deps): bump github.com/sigstore/cosign/v2 from 2.2.4 to 2.6.2 (#10048)
  * fix(secret): improve word boundary detection for Hugging Face tokens (#10046)
  * fix(go): use ldflags version for all pseudo-versions (#10037)
  * chore: switch to ID from AVDID in internal and user-facing fields (#9655)
  * refactor(misconf)!: use ID instead of AVDID for providers mapping (#9752)
  * fix: move enum into items for array-type fields in JSON Schema (#10039)
  * docs: fix incorrect documentation URLs (#10038)
  * feat(sbom): exclude PEP 770 SBOMs in .dist-info/sboms/ (#10033)
  * fix(docker): fix non-det scan results for images with embedded SBOM (#9866)
  * chore(deps): bump the github-actions group with 11 updates (#10001)
  * test: fix assertion after 2026 roll over (#10002)
  * fix(vuln): skip vulns detection for CentOS Stream family without scan failure (#9964)
  * fix(license): normalize licenses for PostAnalyzers (#9941)
  * feat(nodejs): parse licenses from `package-lock.json` file (#9983)
  * chore: update reference links to Go Wiki (#9987)
  * refactor: add xslices.Map and replace lo.Map usages (#9984)
  * fix(image): race condition in image artifact inspection (#9966)
  * feat(flag): add JSON Schema for trivy.yaml configuration file (#9971)
  * refactor(debian): use txtar format for test data (#9957)
  * chore(deps): bump `golang.org/x/tools` to `v0.40.0` + `gopls` to `v0.21.0` (#9973)
  * feat(rootio): Update trivy db to support usage of Severity from root.io feed (#9930)
  * feat(vuln): skip vulnerability scanning for third-party packages in Debian/Ubuntu (#9932)
  * docs: add info that `--file-pattern` flag doesn't disable default behaviour (#9961)
  * perf(misconf): optimize string concatenation in azure scanner (#9969)
  * chore: add client option to install script (#9962)
  * ci(helm): bump Trivy version to 0.68.2 for Trivy Helm Chart 0.20.1 (#9956)
  * chore(deps): bump github.com/quic-go/quic-go from 0.54.1 to 0.57.0 (#9952)
  * docs: update binary signature verification for sigstore bundles (#9929)
  * chore(deps): bump alpine from `3.22.1` to `3.23.0` (#9935)
  * chore(alpine): add EOL date for alpine 3.23 (#9934)
  * feat(cloudformation): add support for Fn::ForEach (#9508)
  * ci: enable `check-latest` for `setup-go` (#9931)
  * feat(debian): detect third-party packages using maintainer list (#9917)
  * fix(vex): add CVE-2025-66564 as not_affected into Trivy VEX file (#9924)
  * feat(helm): add sslCertDir parameter (#9697)
  * fix(misconf): respect .yml files when Helm charts are detected (#9912)
  * feat(php): add support for dev dependencies in Composer (#9910)
  * chore(deps): bump the common group across 1 directory with 9 updates (#9903)
  * chore(deps): bump github.com/docker/cli from 29.0.3+incompatible to 29.1.1+incompatible in the docker group (#9859)
  * fix: remove trailing tab in statefulset template (#9889)
  * feat(julia): enable vulnerability scanning for the Julia language ecosystem (#9800)
  * feat(misconf): initial ansible scanning support (#9332)
  * feat(misconf): Update Azure Database schema (#9811)
  * ci(helm): bump Trivy version to 0.68.1 for Trivy Helm Chart 0.20.0 (#9869)
  * chore: update the install script (#9874)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP7:

  zypper in -t patch openSUSE-2026-163=1

Package List:

- openSUSE Backports SLE-15-SP7 (aarch64 i586 ppc64le s390x x86_64):

  trivy-0.70.0-bp157.2.9.1

References:

https://www.suse.com/security/cve/CVE-2025-64702.html
https://www.suse.com/security/cve/CVE-2025-66564.html
https://www.suse.com/security/cve/CVE-2025-69725.html
https://www.suse.com/security/cve/CVE-2026-25934.html
https://www.suse.com/security/cve/CVE-2026-33186.html
https://www.suse.com/security/cve/CVE-2026-33747.html
https://www.suse.com/security/cve/CVE-2026-33748.html
https://www.suse.com/security/cve/CVE-2026-34986.html
https://www.suse.com/security/cve/CVE-2026-39984.html
https://bugzilla.suse.com/1255366
https://bugzilla.suse.com/1258094
https://bugzilla.suse.com/1258513
https://bugzilla.suse.com/1260193
https://bugzilla.suse.com/1260971
https://bugzilla.suse.com/1261052
https://bugzilla.suse.com/1262389
https://bugzilla.suse.com/1262893
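The patch instructions and package list above give a fixed version (trivy-0.70.0-bp157.2.9.1) but no way to confirm whether a given host is still on an affected build. The following script is an added example for that check; it is not part of the SUSE advisory. It compares an installed version-release string against the fixed one using a simplified segment-by-segment comparison (it does not implement every rule of rpm's own version ordering, which is an assumption you should keep in mind for unusual version strings), and only queries the RPM database when you explicitly ask it to, so the comparison logic can be exercised with constructed version strings on any machine.

```shell
#!/bin/sh
# Added example, not from the openSUSE advisory: check whether an installed
# trivy RPM is older than the build shipped by openSUSE-SU-2026:0163-1.

# Fixed version-release from the advisory's Package List.
FIXED_VERSION="0.70.0-bp157.2.9.1"

# rpm_version_lt A B -> exit status 0 if A sorts before B, 1 otherwise.
# Segments are split on '.' and '-'; numeric segments compare numerically,
# anything else as plain strings. Simplified compared with rpmvercmp (assumption:
# adequate for the version-release strings used by this package).
rpm_version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        gsub(/-/, ".", a); gsub(/-/, ".", b)
        na = split(a, x, /\./); nb = split(b, y, /\./)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] : ""
            q = (i <= nb) ? y[i] : ""
            if (p == q) continue
            if (p ~ /^[0-9]+$/ && q ~ /^[0-9]+$/) {
                if (p + 0 < q + 0) exit 0
                exit 1
            }
            if (p < q) exit 0
            exit 1
        }
        exit 1   # all segments equal: not less than
    }'
}

# trivy_needs_update INSTALLED -> 0 if INSTALLED is older than FIXED_VERSION.
trivy_needs_update() {
    rpm_version_lt "$1" "$FIXED_VERSION"
}

# check_installed_trivy: query the local RPM database (meaningful only on an
# openSUSE/SUSE host) and report whether the advisory's patch is still needed.
# Exit status: 0 = fixed or not installed, 2 = affected build installed.
check_installed_trivy() {
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' trivy 2>/dev/null) || {
        echo "trivy is not installed"
        return 0
    }
    if trivy_needs_update "$installed"; then
        echo "trivy $installed is older than $FIXED_VERSION; apply: zypper in -t patch openSUSE-2026-163=1"
        return 2
    fi
    echo "trivy $installed is at or above $FIXED_VERSION"
    return 0
}

# Run the live check only when asked, e.g.:  TRIVY_CHECK=1 sh check_trivy.sh
if [ "${TRIVY_CHECK:-}" = "1" ]; then
    check_installed_trivy
fi
```

Run it with `TRIVY_CHECK=1` on the host to be audited; without that variable the script only defines the functions, which lets the comparison be sourced and tested elsewhere. A non-zero exit status of 2 is suitable for flagging the host from a configuration-management or inventory job.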



