VYPR

rpm package

suse/amazon-ssm-agent&distro=SUSE Linux Enterprise Module for Public Cloud 15 SP6

pkg:rpm/suse/amazon-ssm-agent&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP6

Vulnerabilities (22)

  • CVE-2026-44740MedJun 1, 2026
    affected < 3.3.4624.0-150000.5.37.1fixed 3.3.4624.0-150000.5.37.1

    Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise

  • CVE-2026-39821CriMay 22, 2026
    affected < 3.3.4624.0-150000.5.37.1fixed 3.3.4624.0-150000.5.37.1

    The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in program

  • CVE-2026-46598MedMay 22, 2026
    affected < 3.3.4624.0-150000.5.37.1fixed 3.3.4624.0-150000.5.37.1

    For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

  • CVE-2026-46597HigMay 22, 2026
    affected < 3.3.4624.0-150000.5.37.1fixed 3.3.4624.0-150000.5.37.1

    An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

  • CVE-2026-46595CriMay 22, 2026
    affected < 3.3.4624.0-150000.5.37.1fixed 3.3.4624.0-150000.5.37.1

    Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

  • CVE-2026-42508CriMay 22, 2026
    affected < 3.3.4624.0-150000.5.37.1fixed 3.3.4624.0-150000.5.37.1

    Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.

  • CVE-2026-39835MedMay 22, 2026
    affected < 3.3.4624.0-150000.5.37.1fixed 3.3.4624.0-150000.5.37.1

    SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

  • CVE-2026-39834CriMay 22, 2026
    affected < 3.3.4624.0-150000.5.37.1fixed 3.3.4624.0-150000.5.37.1

    When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent trunca

  • CVE-2026-39833CriMay 22, 2026
    affected < 3.3.4624.0-150000.5.37.1fixed 3.3.4624.0-150000.5.37.1

    The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns a

  • CVE-2026-39832CriMay 22, 2026
    affected < 3.3.4624.0-150000.5.37.1fixed 3.3.4624.0-150000.5.37.1

    When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now

  • CVE-2026-39831CriMay 22, 2026
    affected < 3.3.4624.0-150000.5.37.1fixed 3.3.4624.0-150000.5.37.1

    The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the

  • CVE-2026-39830CriMay 22, 2026
    affected < 3.3.4624.0-150000.5.37.1fixed 3.3.4624.0-150000.5.37.1

    A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now

  • CVE-2026-39829HigMay 22, 2026
    affected < 3.3.4624.0-150000.5.37.1fixed 3.3.4624.0-150000.5.37.1

    The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clien

  • CVE-2026-39828MedMay 22, 2026
    affected < 3.3.4624.0-150000.5.37.1fixed 3.3.4624.0-150000.5.37.1

    When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with Par

  • CVE-2026-39827MedMay 22, 2026
    affected < 3.3.4624.0-150000.5.37.1fixed 3.3.4624.0-150000.5.37.1

    An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state

  • CVE-2026-41506MedMay 8, 2026
    affected < 3.3.4624.0-150000.5.37.1fixed 3.3.4624.0-150000.5.37.1

    go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0

  • CVE-2026-1229Feb 24, 2026
    affected < 3.3.4624.0-150000.5.37.1fixed 3.3.4624.0-150000.5.37.1

    The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://

  • CVE-2026-25934Feb 9, 2026
    affected < 3.3.4624.0-150000.5.37.1fixed 3.3.4624.0-150000.5.37.1

    go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files,

  • CVE-2025-47913Nov 13, 2025
    affected < 3.3.1611.0-150000.5.26.1fixed 3.3.1611.0-150000.5.26.1

    SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

  • CVE-2025-22870MedMar 12, 2025
    affected < 3.3.1611.0-150000.5.23.1fixed 3.3.1611.0-150000.5.23.1

    Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

Page 1 of 2