SUSE-SU-2025:4330-1

Security update for kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, virt-pr-helper-container

Details

This update for kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, virt-pr-helper-container fixes the following issues:

Updated kubevirt to version 1.6.3:

CVE-2025-22872: Fixed incorrect interpretation of tags leading content to be placed wrong scope during DOM construction in golang.org/x/net/html (bsc#1241772)
CVE-2025-64432: Fixed bypass of RBAC controls due to incorrect validation of certain fields in the client TLS certificate (bsc#1253181)
CVE-2025-64433: Fixed arbitrary files read via improper symlink handling (bsc#1253185)
CVE-2025-64434: Fixed privilege escalation via virt-api impersonification due to compromise virt-handler instance (bsc#1253186)
CVE-2025-64437: Fixed mishandling of symlinks (bsc#1253194)
CVE-2025-64324: Fixed a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users (bsc#1253748)

References

Affected packages

SUSE:Linux Enterprise Module for Containers 15 SP7 / kubevirt

Package

Name: kubevirt
Purl: pkg:rpm/suse/kubevirt&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP7

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.6.3-150700.3.13.1

Ecosystem specific

{
    "binaries": [
        {
            "kubevirt-virtctl": "1.6.3-150700.3.13.1",
            "kubevirt-manifests": "1.6.3-150700.3.13.1"
        }
    ]
}

Database specific

source

"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:4330-1.json"