openSUSE-SU-2025:20160-1

Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2025:20160-1.json
JSON Data
https://api.osv.dev/v1/vulns/openSUSE-SU-2025:20160-1
Upstream
Related
Published
2025-12-12T13:20:11Z
Modified
2026-03-23T04:54:19.019904Z
Summary
Security update for hauler
Details

This update for hauler fixes the following issues:

  • Update to version 1.3.1 (bsc#1251516, CVE-2025-47911, bsc#1251891, CVE-2025-11579, bsc#1251651, CVE-2025-58190, bsc#1248937, CVE-2025-58058):

    • bump github.com/containerd/containerd (#474)
    • another fix to tests for new tests (#472)
    • fixed typo in testdata (#471)
    • fixed/cleaned new tests (#470)
    • trying a new way for hauler testing (#467)
    • update for cosign v3 verify (#469)
    • added digests view to info (#465)
    • bump github.com/nwaples/rardecode/v2 from 2.1.1 to 2.2.0 in the go_modules group across 1 directory (#457)
    • update oras-go to v1.2.7 for security patches (#464)
    • update cosign to v3.0.2+hauler.1 (#463)
    • fixed homebrew directory deprecation (#462)
    • add registry logout command (#460)
  • Update to version 1.3.0:

    • bump the go_modules group across 1 directory with 2 updates (#455)
    • upgraded versions/dependencies/deprecations (#454)
    • allow loading of docker tarballs (#452)
    • bump the go_modules group across 1 directory with 2 updates (#449)
  • update to 1.2.5 (bsc#1246722, CVE-2025-46569):

    • Bump github.com/open-policy-agent/opa from 1.1.0 to 1.4.0 in the go_modules group across 1 directory (CVE-2025-46569)
    • deprecate auth from hauler store copy
    • Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 in the go_modules group across 1 directory
    • Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 in the go_modules group across 1 directory
    • upgraded go and dependencies versions
  • Update to version 1.2.5:

    • upgraded go and dependencies versions (#444)
    • Bump github.com/go-viper/mapstructure/v2 (#442)
    • bump github.com/cloudflare/circl (#441)
    • deprecate auth from hauler store copy (#440)
    • Bump github.com/open-policy-agent/opa (#438)
  • update to 1.2.4 (CVE-2025-22872, bsc#1241804):

    • Bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules group across 1 directory
    • minor tests updates
  • Update to version 1.2.3:

    • formatting and flag text updates
    • add keyless signature verification (#434)
    • bump helm.sh/helm/v3 in the go_modules group across 1 directory (#430)
    • add --only flag to hauler store copy (for images) (#429)
    • fix tlog verification error/warning output (#428)
  • Update to version 1.2.2 (bsc#1241184, CVE-2024-0406):

    • cleanup new tlog flag typos and add shorthand (#426)
    • default public transparency log verification to false to be airgap friendly but allow override (#425)
    • bump github.com/golang-jwt/jwt/v4 (#423)
    • bump the go_modules group across 1 directory with 2 updates (#422)
    • bump github.com/go-jose/go-jose/v3 (#417)
    • bump github.com/go-jose/go-jose/v4 (#415)
    • clear default manifest name if product flag used with sync (#412)
    • updates for v1.2.0 (#408)
    • fixed remote code (#407)
    • added remote file fetch to load (#406)
    • added remote and multiple file fetch to sync (#405)
    • updated save flag and related logs (#404)
    • updated load flag and related logs [breaking change] (#403)
    • updated sync flag and related logs [breaking change] (#402)
    • upgraded api update to v1/updated dependencies (#400)
    • fixed consts for oci declarations (#398)
    • fix for correctly grabbing platform post cosign 2.4 updates (#393)
    • use cosign v2.4.1+carbide.2 to address containerd annotation in index.json (#390)
    • Bump the go_modules group across 1 directory with 2 updates (#385)
    • replace mholt/archiver with mholt/archives (#384)
    • forked cosign bump to 2.4.1 and use as a library vs embedded binary (#383)
    • cleaned up registry and improved logging (#378)
    • Bump golang.org/x/crypto in the go_modules group across 1 directory (#377)
  • bump net/html dependencies (bsc#1235332, CVE-2024-45338)

  • Update to version 1.1.1:

    • fixed cli desc for store env var (#374)
    • updated versions for go/k8s/helm (#373)
    • updated version flag to internal/flags (#369)
    • renamed incorrectly named consts (#371)
    • added store env var (#370)
    • adding ignore errors and retries for continue on error/fail on error (#368)
    • updated/fixed hauler directory (#354)
    • standardize consts (#353)
    • removed cachedir code (#355)
    • removed k3s code (#352)
    • updated dependencies for go, helm, and k8s (#351)
    • [feature] build with boring crypto where available (#344)
    • updated workflow to goreleaser builds (#341)
    • added timeout to goreleaser workflow (#340)
    • trying new workflow build processes (#337)
    • improved workflow performance (#336)
    • have extract use proper ref (#335)
    • yet another workflow goreleaser fix (#334)
    • even more workflow fixes (#333)
    • added more fixes to github workflow (#332)
    • fixed typo in hauler store save (#331)
    • updates to fix build processes (#330)
    • added integration tests for non hauler tarballs (#325)
    • bump: golang >= 1.23.1 (#328)
    • add platform flag to store save (#329)
    • Update feature_request.md
    • updated/standardize command descriptions (#313)
    • use new annotation for 'store save' manifest.json (#324)
    • enable docker load for hauler tarballs (#320)
    • bump to cosign v2.2.3-carbide.3 for new annotation (#322)
    • continue on error when adding images to store (#317)
    • Update README.md (#318)
    • fixed completion commands (#312)
    • github.com/rancherfederal/hauler => hauler.dev/go/hauler (#311)
    • pages: enable go install hauler.dev/go/hauler (#310)
    • Create CNAME
    • pages: initial workflow (#309)
    • testing and linting updates (#305)
    • feat-273: TLS Flags (#303)
    • added list-repos flag (#298)
    • fixed hauler login typo (#299)
    • updated cobra function for shell completion (#304)
    • updated install.sh to remove github api (#293)
    • fix image ref keys getting squashed when containing sigs/atts (#291)
    • fix missing version info in release build (#283)
    • bump github.com/docker/docker in the go_modules group across 1 directory (#281)
    • updated install script (install.sh) (#280)
    • fix digest images being lost on load of hauls (Signed). (#259)
    • feat: add readonly flag (#277)
    • fixed makefile for goreleaser v2 changes (#278)
    • updated goreleaser versioning defaults (#279)
    • update feature_request.md (#274)
    • updated old references
    • updated actions workflow user
    • added dockerhub to github actions workflow
    • removed helm chart
    • added debug container and workflow
    • updated products flag description
    • updated chart for release
    • fixed workflow errors/warnings
    • fixed permissions on testdata
    • updated chart versions (will need to update again)
    • last bit of fixes to workflow
    • updated unit test workflow
    • updated goreleaser deprecations
    • added helm chart release job
    • updated github template names
    • updated imports (and go fmt)
    • formatted gitignore to match dockerignore
    • formatted all code (go fmt)
    • updated chart tests for new features
    • Adding the timeout flag for fileserver command
    • Configure chart commands to use helm clients for OCI and private registry support
    • Added some documentation text to sync command
    • Bump golang.org/x/net from 0.17.0 to 0.23.0
    • fix for dup digest smashing in cosign
    • removed vagrant scripts
    • last bit of updates and formatting of chart
    • updated hauler testdata
    • adding functionality and cleaning up
    • added initial helm chart
    • removed tag in release workflow
    • updated/fixed image ref in release workflow
    • updated/fixed platforms in release workflow
    • updated/cleaned github actions (#222)
    • Make Product Registry configurable (#194)
    • updated fileserver directory name (#219)
    • fix logging for files
    • add extra info for the tempdir override flag
    • tempdir override flag for load
    • deprecate the cache flag instead of remove
    • switch to using bci-golang as builder image
    • fix: ensure /tmp for hauler store load
    • added the copy back for now
    • remove copy at the image sync not needed with cosign update
    • removed misleading cache flag
    • better logging when adding to store
    • update to v2.2.3 of our cosign fork
    • add: dockerignore
    • add: Dockerfile
    • Bump google.golang.org/protobuf from 1.31.0 to 1.33.0
    • Bump github.com/docker/docker
    • updated and added new logos
    • updated github files
References

Affected packages

openSUSE:Leap 16.0 / hauler

Package

Name
hauler
Purl
pkg:rpm/opensuse/hauler&distro=openSUSE%20Leap%2016.0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.3.1-bp160.1.1

Ecosystem specific

{
    "binaries": [
        {
            "hauler": "1.3.1-bp160.1.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2025:20160-1.json"