VYPR

rpm package: opensuse/rclone (distro: openSUSE Tumbleweed)

pkg:rpm/opensuse/rclone&distro=openSUSE%20Tumbleweed

Vulnerabilities (49)

  • CVE-2026-39832 | Critical | May 22, 2026
    affected: < 1.74.2-1.1, fixed: 1.74.2-1.1

    When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now

  • CVE-2026-39831 | Critical | May 22, 2026
    affected: < 1.74.2-1.1, fixed: 1.74.2-1.1

    The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the
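The check described above, as an added Go example that is not part of the advisory or of the x/crypto/ssh code base: a minimal verifier for sk-ssh-ed25519@openssh.com that parses the signature blob (format string, signature, flags byte, counter) and, on top of the Ed25519 check, refuses any signature whose flags byte lacks the user-presence bit. The wire layout and the signed-data layout (SHA256(application) || flags || counter || SHA256(message)) follow OpenSSH's PROTOCOL.u2f; the function names, the `requireUP` switch and the in-memory key standing in for a hardware token are assumptions made for the demo, and all inputs are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator-data flag bits returned by a FIDO/U2F token.
const (
	flagUserPresent  = 0x01 // set only when the user touched the key
	flagUserVerified = 0x04 // set when a PIN/biometric was also checked
)

const skEd25519 = "sk-ssh-ed25519@openssh.com"

var errNoUserPresence = errors.New("sk signature: user presence flag not set")

// appendString appends an SSH wire-format string (uint32 length prefix + bytes).
func appendString(b, s []byte) []byte {
	b = binary.BigEndian.AppendUint32(b, uint32(len(s)))
	return append(b, s...)
}

// readString consumes one SSH wire-format string from in.
func readString(in []byte) (s, rest []byte, err error) {
	if len(in) < 4 {
		return nil, nil, errors.New("short length prefix")
	}
	n := binary.BigEndian.Uint32(in)
	if uint64(n) > uint64(len(in)-4) {
		return nil, nil, errors.New("string length exceeds input")
	}
	return in[4 : 4+n], in[4+n:], nil
}

// signedData is what the token signs for sk-ssh-ed25519@openssh.com:
// SHA256(application) || flags || counter || SHA256(message).
func signedData(application, message []byte, flags byte, counter uint32) []byte {
	appHash := sha256.Sum256(application)
	msgHash := sha256.Sum256(message)
	data := append([]byte{}, appHash[:]...)
	data = append(data, flags)
	data = binary.BigEndian.AppendUint32(data, counter)
	return append(data, msgHash[:]...)
}

// makeSignature builds the blob a token would return: string format,
// string signature, byte flags, uint32 counter. The software key stands in
// for the hardware authenticator (assumption for the demo).
func makeSignature(priv ed25519.PrivateKey, application, message []byte, flags byte, counter uint32) []byte {
	sig := ed25519.Sign(priv, signedData(application, message, flags, counter))
	b := appendString(nil, []byte(skEd25519))
	b = appendString(b, sig)
	b = append(b, flags)
	return binary.BigEndian.AppendUint32(b, counter)
}

// verify checks an sk-ssh-ed25519 signature blob against pub. With requireUP
// set it also rejects a signature whose flags lack the user-presence bit, even
// though the Ed25519 signature itself is valid: that is the missing check.
func verify(pub ed25519.PublicKey, application, message, blob []byte, requireUP bool) error {
	format, rest, err := readString(blob)
	if err != nil {
		return err
	}
	if string(format) != skEd25519 {
		return fmt.Errorf("unexpected signature format %q", format)
	}
	sig, rest, err := readString(rest)
	if err != nil {
		return err
	}
	if len(rest) != 5 {
		return errors.New("malformed trailer: want 1 flags byte and 4 counter bytes")
	}
	flags, counter := rest[0], binary.BigEndian.Uint32(rest[1:])
	if !ed25519.Verify(pub, signedData(application, message, flags, counter), sig) {
		return errors.New("ed25519 signature invalid")
	}
	if requireUP && flags&flagUserPresent == 0 {
		return errNoUserPresence
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	app, msg := []byte("ssh:"), []byte("constructed auth request bytes")
	touched := makeSignature(priv, app, msg, flagUserPresent, 1)
	unattended := makeSignature(priv, app, msg, 0, 2)
	fmt.Println("touched:   ", verify(pub, app, msg, touched, true))    // <nil>
	fmt.Println("unattended:", verify(pub, app, msg, unattended, true)) // user presence error
}
```

The Ed25519 check passes for both blobs; only the flags byte distinguishes a touch-backed signature from one a malware-driven token produced silently, which is why the verifier has to look at it rather than trusting the key type alone.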

  • CVE-2026-39830 | Critical | May 22, 2026
    affected: < 1.74.2-1.1, fixed: 1.74.2-1.1

    A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now

  • CVE-2026-39829 | High | May 22, 2026
    affected: < 1.74.2-1.1, fixed: 1.74.2-1.1

    The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clien

  • CVE-2026-39828 | Medium | May 22, 2026
    affected: < 1.74.2-1.1, fixed: 1.74.2-1.1

    When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with Par

  • CVE-2026-39827 | Medium | May 22, 2026
    affected: < 1.74.2-1.1, fixed: 1.74.2-1.1

    An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state

  • CVE-2026-33814 | High | May 7, 2026
    affected: < 1.74.1-1.1, fixed: 1.74.1-1.1

    When processing HTTP/2 SETTINGS frames, the transport enters an infinite loop writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

  • CVE-2026-32952 | Medium | Apr 24, 2026
    affected: < 1.74.0-1.1, fixed: 1.74.0-1.1

    go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can cause a slice out-of-bounds panic, which can crash any Go process using `ntlmssp.Negotiator` as an HTTP transport. Version 0.1.1 patc

  • CVE-2026-41179 | Critical | Apr 23, 2026
    affected: < 1.73.5-1.1, fixed: 1.73.5-1.1

    Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint `operations/fsinfo` is exposed without `AuthRequired: true` and accepts attacker-controlled `fs` i

  • CVE-2026-41176 | Critical | Apr 23, 2026
    affected: < 1.73.5-1.1, fixed: 1.73.5-1.1

    Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in v
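Both rclone RC entries above (CVE-2026-41179 for `operations/fsinfo` and CVE-2026-41176 for `options/set`) are the same class of bug: a per-call `AuthRequired` flag that defaults to open, so a call that was registered without it is reachable without credentials. The following added Go example, which is not rclone's code, models that registration scheme with hypothetical `rcCall`/`rcServer` types, runs the same `options/set` call registered with and without the flag, and adds an `openCalls()` audit that lists every unauthenticated path; a state-mutating call showing up in that list is the finding. The credentials, the `{"rc":{"no_auth":true}}` payload and the option names are constructed for the demo.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// rcCall models one remote-control method with the per-call auth flag described
// above. The type and field names are hypothetical, not rclone's.
type rcCall struct {
	AuthRequired bool
	Fn           func(params map[string]any) map[string]any
}

type rcServer struct {
	user, pass string
	calls      map[string]rcCall
	opts       map[string]any // runtime options that options/set can overwrite
}

func (s *rcServer) authed(r *http.Request) bool {
	u, p, ok := r.BasicAuth()
	return ok &&
		subtle.ConstantTimeCompare([]byte(u), []byte(s.user)) == 1 &&
		subtle.ConstantTimeCompare([]byte(p), []byte(s.pass)) == 1
}

// ServeHTTP gates only calls flagged AuthRequired; a call registered without
// the flag is reachable by anyone who can reach the listener.
func (s *rcServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	c, ok := s.calls[strings.TrimPrefix(r.URL.Path, "/")]
	if !ok {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	if c.AuthRequired && !s.authed(r) {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	var params map[string]any
	if err := json.NewDecoder(r.Body).Decode(&params); err != nil && err != io.EOF {
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	_ = json.NewEncoder(w).Encode(c.Fn(params))
}

// openCalls is the review check: every path reachable without credentials.
// Any entry that mutates state is a finding of the kind described above.
func (s *rcServer) openCalls() []string {
	var out []string
	for p, c := range s.calls {
		if !c.AuthRequired {
			out = append(out, p)
		}
	}
	sort.Strings(out)
	return out
}

// buildExample registers a state-mutating options/set with the flag (fixed=true)
// or without it, mirroring the two versions described above.
func buildExample(fixed bool) *rcServer {
	s := &rcServer{user: "admin", pass: "secret", calls: map[string]rcCall{}, opts: map[string]any{}}
	s.calls["rc/noop"] = rcCall{Fn: func(p map[string]any) map[string]any { return p }}
	s.calls["options/set"] = rcCall{AuthRequired: fixed, Fn: func(p map[string]any) map[string]any {
		for k, v := range p {
			s.opts[k] = v
		}
		return s.opts
	}}
	return s
}

// probe sends one JSON POST through a recorder and returns the status code.
func probe(s *rcServer, path, user, pass, body string) int {
	req := httptest.NewRequest(http.MethodPost, "/"+path, strings.NewReader(body))
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	s.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, fixed := range []bool{false, true} {
		s := buildExample(fixed)
		code := probe(s, "options/set", "", "", `{"rc":{"no_auth":true}}`)
		fmt.Printf("fixed=%-5v anonymous options/set -> %d; open calls: %v\n", fixed, code, s.openCalls())
	}
}
```

The audit is the part worth keeping: run `openCalls()` (or its equivalent against the real registry) in a test and fail the build if anything other than an explicitly approved read-only call appears, so a forgotten flag is caught at registration time rather than on a network.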

  • CVE-2026-33813 | High | Apr 21, 2026
    affected: < 1.74.0-1.1, fixed: 1.74.0-1.1

    Parsing a WEBP image with an invalid, large size panics on 32-bit platforms.

  • CVE-2026-33809 | Medium | Mar 25, 2026
    affected: < 1.74.2-1.1, fixed: 1.74.2-1.1

    A maliciously crafted TIFF file can cause image decoding to attempt to allocate up to 4 GiB of memory, causing either excessive resource consumption or an out-of-memory error.

  • CVE-2026-33186 | Critical | Mar 20, 2026
    affected: < 1.73.3-1.1, fixed: 1.73.3-1.1

    gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi

  • CVE-2026-27141 | High | Feb 26, 2026
    affected: < 1.73.2-1.1, fixed: 1.73.2-1.1

    Due to a missing nil check, sending HTTP/2 frames with types 0x0a-0x0f causes a running server to panic.
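The two HTTP/2 frame-handling entries above (SETTINGS_MAX_FRAME_SIZE of 0 under CVE-2026-33814, and frame types 0x0a-0x0f under CVE-2026-27141) come down to two validation steps at the frame layer, shown here in an added Go example that is not the affected library's code: a SETTINGS parser that rejects SETTINGS_MAX_FRAME_SIZE outside the RFC 7540 range [2^14, 2^24-1] before storing it, and a dispatcher that ignores frame types it has no handler for instead of calling into one. `chunkHeaderBlock` shows why the first check matters: with a step size of 0 the writer never advances. The type and function names, the reduced frame model, and the assumption that the panic comes from dispatching through a missing handler are the example's own; frames are constructed inline.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	frameSettings        = 0x4
	frameContinuation    = 0x9 // highest type with a handler here; 0xa-0xf have none
	settingsMaxFrameSize = 0x5
	minMaxFrameSize      = 1 << 14   // RFC 7540 §6.5.2 lower bound (16384)
	maxMaxFrameSize      = 1<<24 - 1 // RFC 7540 §6.5.2 upper bound (16777215)
)

var errProtocol = errors.New("PROTOCOL_ERROR")

// buildFrame and settingsEntry construct the test frames; no real peer is involved.
// Layout is the 9-octet header of RFC 7540 §4.1: 24-bit length, type, flags, stream id.
func buildFrame(typ uint8, streamID uint32, payload []byte) []byte {
	n := len(payload)
	b := binary.BigEndian.AppendUint32([]byte{byte(n >> 16), byte(n >> 8), byte(n), typ, 0}, streamID)
	return append(b, payload...)
}

func settingsEntry(id uint16, val uint32) []byte {
	return binary.BigEndian.AppendUint32(binary.BigEndian.AppendUint16(nil, id), val)
}

// connState tracks the one peer-advertised value this example cares about.
type connState struct{ peerMaxFrameSize uint32 }

// applySettings parses a SETTINGS payload. SETTINGS_MAX_FRAME_SIZE outside
// [2^14, 2^24-1] is a connection error; storing 0 would hand chunkHeaderBlock
// a step size of zero. Unknown setting identifiers are ignored per §6.5.2.
func (c *connState) applySettings(payload []byte) error {
	if len(payload)%6 != 0 {
		return fmt.Errorf("%w: SETTINGS length %d not a multiple of 6", errProtocol, len(payload))
	}
	for ; len(payload) > 0; payload = payload[6:] {
		id, val := binary.BigEndian.Uint16(payload[:2]), binary.BigEndian.Uint32(payload[2:6])
		if id != settingsMaxFrameSize {
			continue
		}
		if val < minMaxFrameSize || val > maxMaxFrameSize {
			return fmt.Errorf("%w: SETTINGS_MAX_FRAME_SIZE %d out of range", errProtocol, val)
		}
		c.peerMaxFrameSize = val
	}
	return nil
}

// handleFrame returns handled=false for types with no registered handler, which
// RFC 7540 §4.1 says to ignore; dispatching them through a nil handler is the
// assumed mechanism behind the panic described above.
func (c *connState) handleFrame(raw []byte) (handled bool, err error) {
	if len(raw) < 9 {
		return false, errors.New("short frame header")
	}
	length := uint32(raw[0])<<16 | uint32(raw[1])<<8 | uint32(raw[2])
	typ, streamID, payload := raw[3], binary.BigEndian.Uint32(raw[5:9])&0x7fffffff, raw[9:]
	if uint32(len(payload)) != length {
		return false, errors.New("frame payload length mismatch")
	}
	if typ > frameContinuation {
		return false, nil // no handler registered: ignore, do not dispatch
	}
	if typ == frameSettings {
		if streamID != 0 {
			return true, fmt.Errorf("%w: SETTINGS on stream %d", errProtocol, streamID)
		}
		return true, c.applySettings(payload)
	}
	return true, nil // other known types are not modelled here
}

// chunkHeaderBlock counts the HEADERS+CONTINUATION frames needed for block.
// With maxFrameSize == 0 the slice never advances and the loop never ends,
// which is the hang described above; applySettings keeps 0 out of here.
func chunkHeaderBlock(block []byte, maxFrameSize uint32) (frames int) {
	for len(block) > 0 {
		n := len(block)
		if uint32(n) > maxFrameSize {
			n = int(maxFrameSize)
		}
		block, frames = block[n:], frames+1
	}
	return frames
}

func main() {
	var c connState
	_, err := c.handleFrame(buildFrame(frameSettings, 0, settingsEntry(settingsMaxFrameSize, 0)))
	fmt.Println("max frame size 0:", err)
	handled, _ := c.handleFrame(buildFrame(0x0c, 0, []byte{1, 2, 3}))
	fmt.Println("type 0x0c handled:", handled)
}
```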

  • CVE-2026-1229 | Feb 24, 2026
    affected: < 1.73.2-1.1, fixed: 1.73.2-1.1

    The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://

  • CVE-2025-68121 | Critical | Feb 5, 2026
    affected: < 1.73.1-1.1, fixed: 1.73.1-1.1

    During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and

  • CVE-2025-58181 | Nov 19, 2025
    affected: < 1.72.0-1.1, fixed: 1.72.0-1.1

    SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

  • CVE-2025-30204 | High | Mar 21, 2025
    affected: < 1.69.2-1.1, fixed: 1.69.2-1.1

    golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a maliciou
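The splitting problem described above, in an added Go example that is not golang-jwt's code: `splitUnbounded` has the shape of the pre-fix logic (split the untrusted string on every "." before checking anything, so a token made of nothing but dots allocates one string header per byte), while `splitBounded` caps the input length, counts separators without allocating, and only splits once it knows there are exactly three segments. The `maxTokenLen` ceiling, the function names and the sample token are assumptions made for the demo; the token is constructed in `sampleToken()` and is not signed.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// maxTokenLen is an assumed ceiling; real JWTs are a few hundred bytes to a few KiB.
const maxTokenLen = 8 * 1024

var errMalformed = errors.New("token is malformed")

// splitUnbounded has the shape of the pre-fix logic: strings.Split allocates one
// string header per separator before anything is checked, so a token that is
// nothing but dots costs a 16-byte slice element per input byte.
func splitUnbounded(token string) ([]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errMalformed
	}
	return parts, nil
}

// splitBounded rejects oversize input first, then counts separators without
// allocating, and only splits once it knows there are exactly three segments.
func splitBounded(token string) ([]string, error) {
	if len(token) > maxTokenLen {
		return nil, fmt.Errorf("%w: %d bytes exceeds %d", errMalformed, len(token), maxTokenLen)
	}
	if strings.Count(token, ".") != 2 {
		return nil, errMalformed
	}
	parts := strings.SplitN(token, ".", 3)
	// Header and payload are mandatory; RFC 7519 allows an empty third segment
	// for an unsecured (alg=none) JWT, so that one is left to the caller's policy.
	if parts[0] == "" || parts[1] == "" {
		return nil, errMalformed
	}
	return parts, nil
}

// decodeHeader returns the decoded JOSE header without verifying anything; it is
// the step a caller takes to read "alg"/"kid" before choosing a verification key.
func decodeHeader(token string) ([]byte, error) {
	parts, err := splitBounded(token)
	if err != nil {
		return nil, err
	}
	return base64.RawURLEncoding.DecodeString(parts[0])
}

// sampleToken builds a constructed three-part token for the demo; the third
// segment is filler, not a real signature.
func sampleToken() string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." +
		enc([]byte(`{"sub":"alice","iat":1700000000}`)) + "." +
		enc([]byte("not-a-real-signature"))
}

func main() {
	hdr, err := decodeHeader(sampleToken())
	fmt.Printf("header=%s err=%v\n", hdr, err)
	_, err = splitBounded(strings.Repeat(".", 1<<20))
	fmt.Println("1 MiB of dots:", err)
}
```

The order of the checks is the point: length, then a non-allocating count, then a bounded `SplitN`; putting the split first, as the unbounded version does, means the attacker controls the allocation before the format check runs.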

  • CVE-2025-22870 | Medium | Mar 12, 2025
    affected: < 1.69.2-1.1, fixed: 1.69.2-1.1

    Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
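The zone-ID confusion described above, in an added Go example that is not the x/net proxy code: `matchesNaive` compares the bracket-stripped host text directly against the NO_PROXY pattern, so `::1%25.example.com` (the `%25` is a URL-encoded `%`) ends with `.example.com` and is treated as a subdomain; `matchesFixed` cuts the zone ID off first and then refuses to match an address literal against a domain pattern at all. The suffix rules in `domainMatches` are the common NO_PROXY conventions and the function names are the example's own; the hosts in `main` and the test are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// hostOf strips the port and any IPv6 brackets from an authority string.
func hostOf(hostport string) string {
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		return strings.ToLower(h)
	}
	return strings.ToLower(strings.TrimSuffix(strings.TrimPrefix(hostport, "["), "]"))
}

// domainMatches implements the usual NO_PROXY suffix rules: "*.example.com" and
// ".example.com" match subdomains only, "example.com" matches itself and subdomains.
func domainMatches(host, pattern string) bool {
	pattern = strings.ToLower(strings.TrimPrefix(pattern, "*"))
	if strings.HasPrefix(pattern, ".") {
		return strings.HasSuffix(host, pattern)
	}
	return host == pattern || strings.HasSuffix(host, "."+pattern)
}

// matchesNaive has the flaw described above: the host text, zone ID included,
// is compared against the pattern, so "::1%25.example.com" ends with
// ".example.com" and is taken for an example.com subdomain.
func matchesNaive(hostport, pattern string) bool {
	return domainMatches(hostOf(hostport), pattern)
}

// matchesFixed separates the zone ID first; an address literal can never match
// a domain-suffix pattern, so once it parses as an IP the answer is no.
func matchesFixed(hostport, pattern string) bool {
	host := hostOf(hostport)
	if i := strings.IndexByte(host, '%'); i >= 0 {
		host = host[:i] // "fe80::1%eth0" -> "fe80::1"; "%25..." is a URL-encoded zone
	}
	if net.ParseIP(host) != nil {
		return false
	}
	return domainMatches(host, pattern)
}

func main() {
	for _, h := range []string{"[::1%25.example.com]:80", "api.example.com:443", "[fe80::1%eth0]:8080"} {
		fmt.Printf("%-26s naive=%-5v fixed=%v\n", h, matchesNaive(h, "*.example.com"), matchesFixed(h, "*.example.com"))
	}
}
```

Matching NO_PROXY entries against IP literals needs a separate path (exact address or CIDR comparison); the fix here only makes sure a literal never falls through to the string-suffix rule.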

  • CVE-2025-22869 | Feb 26, 2025
    affected: < 1.69.2-1.1, fixed: 1.69.2-1.1

    SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.