An update that fixes two vulnerabilities is now available.

openSUSE Security Update: Security update for flannel
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2026:0149-1
Rating:             important
References:         #1260847 #1260853
Cross-References:   CVE-2026-33343 CVE-2026-33413
CVSS scores:
                    CVE-2026-33343 (SUSE): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
                    CVE-2026-33413 (SUSE): 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Affected Products:
                    openSUSE Backports SLE-15-SP7
______________________________________________________________________________

Description:

   This update for flannel fixes the following issues:

   - Update to version 0.28.4:
     * fix go version (don't set patch version) (#2428)
     * Bump flannel-cni-plugin to v1.9.1-flannel1 (#2427)
     * Bump the other-go-modules group across 1 directory with 3 updates (#2425)
     * Bump the tencent group with 2 updates (#2417)
     * Bump the etcd group with 4 updates (#2398), includes fix for CVE-2026-33413 (boo#1260853) and CVE-2026-33343 (boo#1260847)
     * Bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.43.0 (#2420)
     * Bump go to 1.25 (#2424)
     * Bump actions/upload-pages-artifact from 4.0.0 to 5.0.0
     * Bump docker/build-push-action from 7.0.0 to 7.1.0
     * Bump docker/login-action from 4.0.0 to 4.1.0
     * Verify the kubectl sha256sum
     * Secure makefile (#2414)
     * Improve the security of Dockerfile
     * Bump github/codeql-action from 4.34.1 to 4.35.1 (#2409)
     * Bump actions/deploy-pages from 4.0.5 to 5.0.0
     * lease: only print BackendData when json.Marshal succeeds
     * vxlan: delete v6 direct route with correct Route struct
     * fix: honor --stderrthreshold flag when --logtostderr is enabled
     * Bump actions/configure-pages from 5.0.0 to 6.0.0
     * Bump actions/setup-go from 6.3.0 to 6.4.0
     * don't use unquoted shell vars in extensions backend example
     * Don't use shell invocations in extensions backend.
     * Bump google.golang.org/grpc from 1.71.1 to 1.79.3
     * Bump ossf/scorecard-action from 2.4.1 to 2.4.3
     * Bump actions/upload-artifact from 4.6.1 to 7.0.0
     * Bump docker/metadata-action from 5.10.0 to 6.0.0
     * Bump actions/checkout from 4.2.2 to 6.0.2
     * Bump docker/setup-buildx-action from 3.12.0 to 4.0.0
     * Bump aquasecurity/trivy-action from 0.33.1 to 0.35.0
     * Bump docker/setup-qemu-action from 3.7.0 to 4.0.0
     * [StepSecurity] Apply security best practices
     * Bump actions/attest-build-provenance from 3.2.0 to 4.1.0
     * Fix logic in AddBlackholeV4Route and AddBlackholeV6Route to correctly check for existing routes
     * Added check for nftables before checking br_netfilter module
     * Bump golang.org/x/crypto from 0.36.0 to 0.45.0
     * Bump k8s deps to v0.32.10
     * Bump golang-ci-lint to v2.7.2
     * Bump golangci/golangci-lint-action from 6.1.1 to 9.2.0
     * Additional check on podCIDR
     * ip: improve primary address selection to account for address flags
     * Added TAG to fix bin version

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP7:

      zypper in -t patch openSUSE-2026-149=1

Package List:

   - openSUSE Backports SLE-15-SP7 (aarch64 i586 ppc64le s390x x86_64):

      flannel-0.28.4-bp157.2.6.1

   - openSUSE Backports SLE-15-SP7 (noarch):

      flannel-k8s-yaml-0.28.4-bp157.2.6.1

References:

   https://www.suse.com/security/cve/CVE-2026-33343.html
   https://www.suse.com/security/cve/CVE-2026-33413.html
   https://bugzilla.suse.com/1260847
   https://bugzilla.suse.com/1260853

Critical update available for openSUSE flannel addressing important security issues including CVE-2026-33343 and CVE-2026-33413.

Severity: Important.

LinuxSecurity.com Team

An update that fixes two vulnerabilities is now available.

openSUSE Security Update: Security update for flannel
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2026:0150-1
Rating:             important
References:         #1260847 #1260853
Cross-References:   CVE-2026-33343 CVE-2026-33413
CVSS scores:
                    CVE-2026-33343 (SUSE): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
                    CVE-2026-33413 (SUSE): 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Affected Products:
                    openSUSE Backports SLE-15-SP6
______________________________________________________________________________

Description:

   This update for flannel fixes the following issues:

   - Update to version 0.28.4:
     * fix go version (don't set patch version) (#2428)
     * Bump flannel-cni-plugin to v1.9.1-flannel1 (#2427)
     * Bump the other-go-modules group across 1 directory with 3 updates (#2425)
     * Bump the tencent group with 2 updates (#2417)
     * Bump the etcd group with 4 updates (#2398), includes fix for CVE-2026-33413 (boo#1260853) and CVE-2026-33343 (boo#1260847)
     * Bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.43.0 (#2420)
     * Bump go to 1.25 (#2424)
     * Bump actions/upload-pages-artifact from 4.0.0 to 5.0.0
     * Bump docker/build-push-action from 7.0.0 to 7.1.0
     * Bump docker/login-action from 4.0.0 to 4.1.0
     * Verify the kubectl sha256sum
     * Secure makefile (#2414)
     * Improve the security of Dockerfile
     * Bump github/codeql-action from 4.34.1 to 4.35.1 (#2409)
     * Bump actions/deploy-pages from 4.0.5 to 5.0.0
     * lease: only print BackendData when json.Marshal succeeds
     * vxlan: delete v6 direct route with correct Route struct
     * fix: honor --stderrthreshold flag when --logtostderr is enabled
     * Bump actions/configure-pages from 5.0.0 to 6.0.0
     * Bump actions/setup-go from 6.3.0 to 6.4.0
     * don't use unquoted shell vars in extensions backend example
     * Don't use shell invocations in extensions backend.
     * Bump google.golang.org/grpc from 1.71.1 to 1.79.3
     * Bump ossf/scorecard-action from 2.4.1 to 2.4.3
     * Bump actions/upload-artifact from 4.6.1 to 7.0.0
     * Bump docker/metadata-action from 5.10.0 to 6.0.0
     * Bump actions/checkout from 4.2.2 to 6.0.2
     * Bump docker/setup-buildx-action from 3.12.0 to 4.0.0
     * Bump aquasecurity/trivy-action from 0.33.1 to 0.35.0
     * Bump docker/setup-qemu-action from 3.7.0 to 4.0.0
     * [StepSecurity] Apply security best practices
     * Bump actions/attest-build-provenance from 3.2.0 to 4.1.0
     * Fix logic in AddBlackholeV4Route and AddBlackholeV6Route to correctly check for existing routes
     * Added check for nftables before checking br_netfilter module
     * Bump golang.org/x/crypto from 0.36.0 to 0.45.0
     * Bump k8s deps to v0.32.10
     * Bump golang-ci-lint to v2.7.2
     * Bump golangci/golangci-lint-action from 6.1.1 to 9.2.0
     * Additional check on podCIDR
     * ip: improve primary address selection to account for address flags
     * Added TAG to fix bin version

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP6:

      zypper in -t patch openSUSE-2026-150=1

Package List:

   - openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64):

      flannel-0.28.4-bp156.4.6.1

   - openSUSE Backports SLE-15-SP6 (noarch):

      flannel-k8s-yaml-0.28.4-bp156.4.6.1

References:

   https://www.suse.com/security/cve/CVE-2026-33343.html
   https://www.suse.com/security/cve/CVE-2026-33413.html
   https://bugzilla.suse.com/1260847
   https://bugzilla.suse.com/1260853

Critical update for flannel resolves vulnerabilities affecting openSUSE Backports. Stay secure with the latest patches.

Severity: Important.

LinuxSecurity.com Team

An update that solves one vulnerability can now be installed.

# flannel-0.28.4-1.1 on GA media

Announcement ID: openSUSE-SU-2026:10562-1

Rating: moderate

Cross-References:

* CVE-2026-33413

CVSS scores:

* CVE-2026-33413 ( SUSE ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
* CVE-2026-33413 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

## Description:

These are all security issues fixed in the flannel-0.28.4-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
    * flannel 0.28.4-1.1
    * flannel-k8s-yaml 0.28.4-1.1

## References:

* https://www.suse.com/security/cve/CVE-2026-33413.html

An update for openSUSE flannel 0.28.4-1.1 fixes a moderate vulnerability identified by CVE-2026-33413.

LinuxSecurity.com Team

An update that fixes three vulnerabilities is now available.

openSUSE Security Update: Security update for flannel
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2025:0491-1
Rating:             important
References:         #1218694 #1236522 #1240516
Cross-References:   CVE-2019-14697 CVE-2023-45288 CVE-2025-30204
CVSS scores:
                    CVE-2023-45288 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
                    CVE-2025-30204 (SUSE): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Products:
                    openSUSE Backports SLE-15-SP6
______________________________________________________________________________

Description:

   This update for flannel fixes the following issues:

   - Update to version 0.27.4:
     * Removed PodSecurityPolicy manifest creation
     * Fix interface IP address detection in dual-stack mode
     * Fix: recreate VXLAN device (flannel.*) when external interface is deleted and re-added (#2247)
     * golangci-lint: fix iptables_test
     * firewall: add option to disable fully-random mode for MASQUERADE
     * Bump the tencent group with 2 updates
     * Bump github.com/coreos/go-systemd/v22 in the other-go-modules group
     * Bump golang.org/x/sys in the other-go-modules group
     * Bump the etcd group with 4 updates
     * Bump etcd version in tests
     * Stop using deprecated cache.NewIndexerInformer function
     * Bump k8s test version
     * Bump k8s deps to v0.31.11
     * Bump the other-go-modules group with 2 updates
     * helm chart: add nodeSelector in the helm chart
     * Updated Alpine image
     * Added flag to enable blackhole route locally for Canal
     * Bump golang.org/x/sync in the other-go-modules group
     * make enqueueLeaseEvent context aware and prevent dangling goroutines when context is done - fixed a typo/build error
     * make retry interval exp backoff
     * cont_when_cache_not_ready configurable with fail by default
     * use semaphore as opposed to raw signal channel
     * Update pkg/subnet/kube/kube.go
     * Fix deadlock in startup for large clusters
     * enable setting resources in helm chart
     * capture close() err on subnet file save (#2248)
     * doc: document flag --iptables-forward-rules
     * Bump netlink to v1.3.1
     * fix: clean-up rules when starting instead of shutting down
     * Bump k8s and sles test version
     * Add modprobe br_netfilter step in test workflows
     * test: don't run the workflows on "push" events
     * Update to the latest flannel cni-plugins v1.7.1
     * Move to go 1.23.6

   - Update to version 0.26.6:
     * Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common
     * Bump the etcd group with 4 updates
     * Bump the tencent group with 2 updates
     * Organize dependabot PR's more clearly by using groups
     * Use peer's wireguard port, not our own
     * Bump to codeql v3
     * Pin all GHA to a specific SHA commit
     * Bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 (fix CVE-2025-30204, boo#1240516)
     * Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common
     * Bump go.etcd.io/etcd/tests/v3 from 3.5.18 to 3.5.20
     * add missing GH_TOKEN env var in release.yaml
     * Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vpc
     * Upload chart archive with the release files
     * make deps
     * refactor release.yaml to reduce use of potentially vulnerable GH Actions
     * Bump golang.org/x/net from 0.34.0 to 0.36.0
     * enable setting CNI directory paths in helm chart
     * Added cni file configuration on the chart
     * Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vpc
     * Bump github.com/avast/retry-go/v4 from 4.6.0 to 4.6.1

   - Update to version 0.26.4:
     * Moved to github container registry
     * Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vpc
     * Bump go.etcd.io/etcd/tests/v3 from 3.5.17 to 3.5.18
     * fix: Fix high CPU usage when losing etcd connection and try to re-establish connection with exponential backoff
     * Bump github.com/containernetworking/plugins from 1.6.1 to 1.6.2
     * Bump alpine from 20240923 to 20250108 in /images
     * Bump golang.org/x/net from 0.31.0 to 0.33.0
     * Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vpc
     * Bump github.com/jonboulle/clockwork from 0.4.0 to 0.5.0
     * feat: add bool to control CNI config installation using Helm
     * fix: add missing MY_NODE_NAME env in chart
     * Bump k8s deps to 0.29.12
     * Don't panic upon shutdown when running in standalone mode
     * Bump golang.org/x/crypto from 0.29.0 to 0.31.0
     * Bump alpine from 20240807 to 20240923 in /images
     * Bump github.com/containernetworking/plugins from 1.6.0 to 1.6.1
     * Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vpc
     * Bump github.com/vishvananda/netns from 0.0.4 to 0.0.5
     * Use the standard context library
     * Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common
     * Updated flannel cni image to 1.6.0
     * Updated CNI plugins version on the README
     * Bump sigs.k8s.io/knftables from 0.0.17 to 0.0.18
     * Bump github.com/golang-jwt/jwt/v4 from 4.4.2 to 4.5.1
     * Bump github.com/Microsoft/hcsshim from 0.12.8 to 0.12.9
     * Added check to not check br_filter in case of windows
     * Bump golangci-lint to latest version
     * Bump to go 1.23
     * Added checks for br_netfilter module
     * Try not to cleanup multiple peers behind same PublicIP
     * fix trivy check
     * check that the lease includes an IP address of the requested family before configuring the flannel interface
     * Fixed IPv6 chosen in case of public-ipv6 configured
     * add timeout to e2e test pipelines
     * Update k8s version in e2e tests to v1.29.8
     * Update netlink to v1.3.0
     * Fixed values file on flannel chart
     * Bump k8s.io/klog/v2 from 2.120.1 to 2.130.1
     * Updated Flannel chart with Netpol container and removed clustercidr
     * Fix bug in hostgw-windows
     * Fix bug in the logic polling the interface
     * Added node-public-ip annotation
     * Try several times to contact kube-api before failing
     * Fixed IPv6 0 initialization
     * wireguard backend: avoid error message if route already exists
     * Bump github.com/avast/retry-go/v4 from 4.5.1 to 4.6.0
     * use wait.PollUntilContextTimeout instead of deprecated wait.Poll
     * troubleshooting.md: add `ethtool -K flannel.1 tx-checksum-ip-generic off` for NAT
     * Added configuration for public-ip through node annotation
     * extension/vxlan: remove arp commands from vxlan examples
     * Refactor TrafficManager windows files to clarify logs
     * Add persistent-mac option to v6 too
     * fix comparison with previous networks in SetupAndEnsureMasqRules
     * show content of stdout and stderr when running iptables-restore returns an error
     * Add extra check before contacting kube-api
     * remove unimplemented error in windows trafficmngr
     * remove --dirty flags in git describe
     * Added leaseAttr string method with logs on VxLan
     * remove multiClusterCidr related-code.
     * Implement nftables masquerading for flannel
     * fix: ipv6 iptables rules were created even when IPv6 was disabled
     * Add tolerations to the flannel chart
     * Added additional check for n.spec.podCIDRs
     * Remove net-tools since it's an old package that we are not using
     * fix iptables_windows.go
     * Clean-up Makefile and use docker buildx locally
     * Use manual test to ensure iptables-* binaries are present
     * Bump github.com/containerd/containerd from 1.6.23 to 1.6.26
     * Bump github.com/joho/godotenv
     * SubnetManager should use the main context
     * Simplify TrafficManager interface
     * refactor iptables package to prepare for nftables-based implementation

   - flannel v0.26.4, includes `golang.org/x/net/http2` at v0.34.0, which fixes boo#1236522 (CVE-2023-45288)

   - Update to version 0.24.2:
     * Prepare for v0.24.2 release
     * Increase the time out for interface checking in windows
     * Prepare for v0.24.1 release
     * Provide support to select the interface in Windows
     * Improve the log from powershell
     * Wait all the jobs to finish before deploy the github-page
     * remove remaining references to mips64le
     * add multi-arch dockerfile
     * add missing riscv64 in docker manifest create step
     * prepare for v0.24.0 release
     * Bump golang.org/x/crypto from 0.15.0 to 0.17.0
     * Add the VNI to the error message in Windows
     * chart: add possibility for defining image pull secrets in daemonset
     * Remove multiclustercidr logic from code
     * Update opentelemetry dependencies
     * Bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
     * Add riscv64 arch in GH actions
     * vxlan vni should not be type uint16
     * Quote wireguard psk in helm chart
     * add riscv64 support

   - Update to 0.14.0:
     * Add tencent cloud VPC network support
     * moving go modules to flannel-io/flannel and updating to go 1.16
     * fix(windows): nil pointer panic
     * Preserve environment for extension backend
     * Fix flannel hang if lease expired
     * Documentation for the Flannel upgrade/downgrade procedure
     * Move from glog to klog
     * fix(host-gw): failed to restart if gateway hnsep existed
     * ipsec: use well known paths of charon daemon
     * upgrade client-go to 1.19.4
     * move from juju/errors to pkg/errors
     * subnets: move forward the cursor to skip illegal subnet
     * Fix Expired URL to Deploying Flannel with kubeadm
     * Modify kube-flannel.yaml to use rbac.authorization.k8s.io/v1
     * preserve AccessKey & AccessKeySecret environment on sudo fix some typo in doc.
     * iptables: handle errors that prevent rule deletes

   - Sync manifest with upstream (0.13.0 release). Includes the following changes:
     * Fix typo and invalid indent in kube-flannel.yml
     * Use stable os and arch label for node
     * set priorityClassName to system-node-critical
     * Add NET_RAW capability to support cri-o
     * Use multi-arch Docker images in the Kubernetes manifest

   - Set GO111MODULE=auto to build with go1.16+
     * Default changed to GO111MODULE=on in go1.16
     * Set temporarily until using upstream version with go.mod

   - update to 0.13.0:
     * Use multi-arch Docker images in the Kubernetes manifest
     * Accept existing XMRF policies and update them instead of raising errors
     * Add --no-sanity-check to iptables-wrapper-installer.sh for architectures other than amd64
     * Use "docker manifest" to publish multi-arch Docker images
     * Add NET_RAW capability to support cri-o
     * remove glide
     * switch to go modules
     * Add and implement iptables-wrapper-installer.sh from https://github.com/kubernetes-sigs/iptables-wrappers
     * documentation: set priorityClassName to system-node-critical
     * Added a hint for firewall rules
     * Disabling ipv6 accept_ra explicitly on the created interface
     * use alpine 3.12 everywhere
     * windows: replace old netsh (rakelkar/gonetsh) with powershell commands
     * fix CVE-2019-14697
     * Bugfix: VtepMac would be empty when lease re-acquire for windows
     * Use stable os and arch label for node
     * doc(awsvpc): correct the required permissions

   - update to 0.12.0:
     * fix deleteLease
     * Use publicIP lookup iface if --public-ip indicated
     * kubernetes 1.16 cni error
     * Add cniVersion to general CNI plugin configuration.
     * Needs to clear NodeNetworkUnavailable flag on Kubernetes
     * Replaces gorillalabs go-powershell with bhendo/go-powershell
     * Make VXLAN device learning attribute configurable
     * change nodeSelector to nodeAffinity and schedule the pod to linux node
     * This PR adds the cni version to the cni-conf.yaml inside the kube-flannel-cfg configmap
     * EnableNonPersistent flag for Windows Overlay networks
     * snap package.
     * Update lease with DR Mac
     * main.go: add the "net-config-path" flag
     * Deploy Flannel with unprivileged PSP
     * Enable local host to local pod connectivity in Windows VXLAN
     * Update hcsshim for HostRoute policy in Windows VXLAN

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP6:

      zypper in -t patch openSUSE-2025-491=1

Package List:

   - openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64):

      flannel-0.27.4-bp156.4.3.1

   - openSUSE Backports SLE-15-SP6 (noarch):

      flannel-k8s-yaml-0.27.4-bp156.4.3.1

References:

   https://www.suse.com/security/cve/CVE-2019-14697.html
   https://www.suse.com/security/cve/CVE-2023-45288.html
   https://www.suse.com/security/cve/CVE-2025-30204.html
   https://bugzilla.suse.com/1218694
   https://bugzilla.suse.com/1236522
   https://bugzilla.suse.com/1240516

Important update for openSUSE to resolve multiple issues in Flannel. Secure your deployments with these fixes now.

Severity: Important.

LinuxSecurity.com Team

An update that fixes three vulnerabilities is now available.

openSUSE Security Update: Security update for flannel
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2025:0474-1
Rating:             important
References:         #1218694 #1236522 #1240516
Cross-References:   CVE-2019-14697 CVE-2023-45288 CVE-2025-30204
CVSS scores:
                    CVE-2023-45288 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
                    CVE-2025-30204 (SUSE): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Products:
                    openSUSE Backports SLE-15-SP7
______________________________________________________________________________

Description:

   This update for flannel fixes the following issues:

   - Update to version 0.27.4:
     * Removed PodSecurityPolicy manifest creation
     * Fix interface IP address detection in dual-stack mode
     * Fix: recreate VXLAN device (flannel.*) when external interface is deleted and re-added (#2247)
     * golangci-lint: fix iptables_test
     * firewall: add option to disable fully-random mode for MASQUERADE
     * Bump the tencent group with 2 updates
     * Bump github.com/coreos/go-systemd/v22 in the other-go-modules group
     * Bump golang.org/x/sys in the other-go-modules group
     * Bump the etcd group with 4 updates
     * Bump etcd version in tests
     * Stop using deprecated cache.NewIndexerInformer function
     * Bump k8s test version
     * Bump k8s deps to v0.31.11
     * Bump the other-go-modules group with 2 updates
     * helm chart: add nodeSelector in the helm chart
     * Updated Alpine image
     * Added flag to enable blackhole route locally for Canal
     * Bump golang.org/x/sync in the other-go-modules group
     * make enqueueLeaseEvent context aware and prevent dangling goroutines when context is done - fixed a typo/build error
     * make retry interval exp backoff
     * cont_when_cache_not_ready configurable with fail by default
     * use semaphore as opposed to raw signal channel
     * Update pkg/subnet/kube/kube.go
     * Fix deadlock in startup for large clusters
     * enable setting resources in helm chart
     * capture close() err on subnet file save (#2248)
     * doc: document flag --iptables-forward-rules
     * Bump netlink to v1.3.1
     * fix: clean-up rules when starting instead of shutting down
     * Bump k8s and sles test version
     * Add modprobe br_netfilter step in test workflows
     * test: don't run the workflows on "push" events
     * Update to the latest flannel cni-plugins v1.7.1
     * Move to go 1.23.6

   - Update to version 0.26.6:
     * Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common
     * Bump the etcd group with 4 updates
     * Bump the tencent group with 2 updates
     * Organize dependabot PR's more clearly by using groups
     * Use peer's wireguard port, not our own
     * Bump to codeql v3
     * Pin all GHA to a specific SHA commit
     * Bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 (fix CVE-2025-30204, boo#1240516)
     * Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common
     * Bump go.etcd.io/etcd/tests/v3 from 3.5.18 to 3.5.20
     * add missing GH_TOKEN env var in release.yaml
     * Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vpc
     * Upload chart archive with the release files
     * make deps
     * refactor release.yaml to reduce use of potentially vulnerable GH Actions
     * Bump golang.org/x/net from 0.34.0 to 0.36.0
     * enable setting CNI directory paths in helm chart
     * Added cni file configuration on the chart
     * Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vpc
     * Bump github.com/avast/retry-go/v4 from 4.6.0 to 4.6.1

   - Update to version 0.26.4:
     * Moved to github container registry
     * Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vpc
     * Bump go.etcd.io/etcd/tests/v3 from 3.5.17 to 3.5.18
     * fix: Fix high CPU usage when losing etcd connection and try to re-establish connection with exponential backoff
     * Bump github.com/containernetworking/plugins from 1.6.1 to 1.6.2
     * Bump alpine from 20240923 to 20250108 in /images
     * Bump golang.org/x/net from 0.31.0 to 0.33.0
     * Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vpc
     * Bump github.com/jonboulle/clockwork from 0.4.0 to 0.5.0
     * feat: add bool to control CNI config installation using Helm
     * fix: add missing MY_NODE_NAME env in chart
     * Bump k8s deps to 0.29.12
     * Don't panic upon shutdown when running in standalone mode
     * Bump golang.org/x/crypto from 0.29.0 to 0.31.0
     * Bump alpine from 20240807 to 20240923 in /images
     * Bump github.com/containernetworking/plugins from 1.6.0 to 1.6.1
     * Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vpc
     * Bump github.com/vishvananda/netns from 0.0.4 to 0.0.5
     * Use the standard context library
     * Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common
     * Updated flannel cni image to 1.6.0
     * Updated CNI plugins version on the README
     * Bump sigs.k8s.io/knftables from 0.0.17 to 0.0.18
     * Bump github.com/golang-jwt/jwt/v4 from 4.4.2 to 4.5.1
     * Bump github.com/Microsoft/hcsshim from 0.12.8 to 0.12.9
     * Added check to not check br_filter in case of windows
     * Bump golangci-lint to latest version
     * Bump to go 1.23
     * Added checks for br_netfilter module
     * Try not to cleanup multiple peers behind same PublicIP
     * fix trivy check
     * check that the lease includes an IP address of the requested family before configuring the flannel interface
     * Fixed IPv6 chosen in case of public-ipv6 configured
     * add timeout to e2e test pipelines
     * Update k8s version in e2e tests to v1.29.8
     * Update netlink to v1.3.0
     * Fixed values file on flannel chart
     * Bump k8s.io/klog/v2 from 2.120.1 to 2.130.1
     * Updated Flannel chart with Netpol container and removed clustercidr
     * Fix bug in hostgw-windows
     * Fix bug in the logic polling the interface
     * Added node-public-ip annotation
     * Try several times to contact kube-api before failing
     * Fixed IPv6 0 initialization
     * wireguard backend: avoid error message if route already exists
     * Bump github.com/avast/retry-go/v4 from 4.5.1 to 4.6.0
     * use wait.PollUntilContextTimeout instead of deprecated wait.Poll
     * troubleshooting.md: add `ethtool -K flannel.1 tx-checksum-ip-generic off` for NAT
     * Added configuration for public-ip through node annotation
     * extension/vxlan: remove arp commands from vxlan examples
     * Refactor TrafficManager windows files to clarify logs
     * Add persistent-mac option to v6 too
     * fix comparison with previous networks in SetupAndEnsureMasqRules
     * show content of stdout and stderr when running iptables-restore returns an error
     * Add extra check before contacting kube-api
     * remove unimplemented error in windows trafficmngr
     * remove --dirty flags in git describe
     * Added leaseAttr string method with logs on VxLan
     * remove multiClusterCidr related-code.
     * Implement nftables masquerading for flannel
     * fix: ipv6 iptables rules were created even when IPv6 was disabled
     * Add tolerations to the flannel chart
     * Added additional check for n.spec.podCIDRs
     * Remove net-tools since it's an old package that we are not using
     * fix iptables_windows.go
     * Clean-up Makefile and use docker buildx locally
     * Use manual test to ensure iptables-* binaries are present
     * Bump github.com/containerd/containerd from 1.6.23 to 1.6.26
     * Bump github.com/joho/godotenv
     * SubnetManager should use the main context
     * Simplify TrafficManager interface
     * refactor iptables package to prepare for nftables-based implementation

   - Update to version 0.24.2:
     * Prepare for v0.24.2 release
     * Increase the time out for interface checking in windows
     * Prepare for v0.24.1 release
     * Provide support to select the interface in Windows
     * Improve the log from powershell
     * Wait all the jobs to finish before deploy the github-page
     * remove remaining references to mips64le
     * add multi-arch dockerfile
     * add missing riscv64 in docker manifest create step
     * prepare for v0.24.0 release
     * Bump golang.org/x/crypto from 0.15.0 to 0.17.0
     * Add the VNI to the error message in Windows
     * chart: add possibility for defining image pull secrets in daemonset
     * Remove multiclustercidr logic from code
     * Update opentelemetry dependencies
     * Bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
     * Add riscv64 arch in GH actions
     * vxlan vni should not be type uint16
     * Quote wireguard psk in helm chart
     * add riscv64 support

   - Update to 0.14.0:
     * Add tencent cloud VPC network support
     * moving go modules to flannel-io/flannel and updating to go 1.16
     * fix(windows): nil pointer panic
     * Preserve environment for extension backend
     * Fix flannel hang if lease expired
     * Documentation for the Flannel upgrade/downgrade procedure
     * Move from glog to klog
     * fix(host-gw): failed to restart if gateway hnsep existed
     * ipsec: use well known paths of charon daemon
     * upgrade client-go to 1.19.4
     * move from juju/errors to pkg/errors
     * subnets: move forward the cursor to skip illegal subnet
     * Fix Expired URL to Deploying Flannel with kubeadm
     * Modify kube-flannel.yaml to use rbac.authorization.k8s.io/v1
     * preserve AccessKey & AccessKeySecret environment on sudo fix some typo in doc.
     * iptables: handle errors that prevent rule deletes

   - update to 0.13.0:
     * Use multi-arch Docker images in the Kubernetes manifest
     * Accept existing XMRF policies and update them instead of raising errors
     * Add --no-sanity-check to iptables-wrapper-installer.sh for architectures other than amd64
     * Use "docker manifest" to publish multi-arch Docker images
     * Add NET_RAW capability to support cri-o
     * remove glide
     * switch to go modules
     * Add and implement iptables-wrapper-installer.sh from https://github.com/kubernetes-sigs/iptables-wrappers
     * documentation: set priorityClassName to system-node-critical
     * Added a hint for firewall rules
     * Disabling ipv6 accept_ra explicitly on the created interface
     * use alpine 3.12 everywhere
     * windows: replace old netsh (rakelkar/gonetsh) with powershell commands
     * fix CVE-2019-14697
     * Bugfix: VtepMac would be empty when lease re-acquire for windows
     * Use stable os and arch label for node
     * doc(awsvpc): correct the required permissions

   - update to 0.12.0:
     * fix deleteLease
     * Use publicIP lookup iface if --public-ip indicated
     * kubernetes 1.16 cni error
     * Add cniVersion to general CNI plugin configuration.
     * Needs to clear NodeNetworkUnavailable flag on Kubernetes
     * Replaces gorillalabs go-powershell with bhendo/go-powershell
     * Make VXLAN device learning attribute configurable
     * change nodeSelector to nodeAffinity and schedule the pod to linux node
     * This PR adds the cni version to the cni-conf.yaml inside the kube-flannel-cfg configmap
     * EnableNonPersistent flag for Windows Overlay networks
     * snap package.
     * Update lease with DR Mac
     * main.go: add the "net-config-path" flag
     * Deploy Flannel with unprivileged PSP
     * Enable local host to local pod connectivity in Windows VXLAN
     * Update hcsshim for HostRoute policy in Windows VXLAN

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP7:

      zypper in -t patch openSUSE-2025-474=1

Package List:

   - openSUSE Backports SLE-15-SP7 (aarch64 i586 ppc64le s390x x86_64):

      flannel-0.27.4-bp157.2.3.1

   - openSUSE Backports SLE-15-SP7 (noarch):

      flannel-k8s-yaml-0.27.4-bp157.2.3.1

References:

   https://www.suse.com/security/cve/CVE-2019-14697.html
   https://www.suse.com/security/cve/CVE-2023-45288.html
   https://www.suse.com/security/cve/CVE-2025-30204.html
   https://bugzilla.suse.com/1218694
   https://bugzilla.suse.com/1236522
   https://bugzilla.suse.com/1240516

An important update for flannel on openSUSE fixes three issues including critical threats in the system.

Severity: Important.

LinuxSecurity.com Team

An update that solves one vulnerability can now be installed.

# flannel-0.26.6-1.1 on GA media

Announcement ID: openSUSE-SU-2025:14989-1
Rating: moderate

Cross-References:

  * CVE-2025-30204

CVSS scores:

  * CVE-2025-30204 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2025-30204 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Products:

  * openSUSE Tumbleweed

## Description:

These are all security issues fixed in the flannel-0.26.6-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

  * openSUSE Tumbleweed:
    * flannel 0.26.6-1.1
    * flannel-k8s-yaml 0.26.6-1.1

## References:

  * https://www.suse.com/security/cve/CVE-2025-30204.html

The release of flannel-0.26.6-1.1 on openSUSE Tumbleweed tackles a noteworthy security vulnerability. It is advisable to install this update to enhance system protection. LinuxSecurity.com Team
An update that solves one vulnerability can now be installed.

# flannel-0.26.4-1.1 on GA media

Announcement ID: openSUSE-SU-2025:14744-1
Rating: moderate

Cross-References:

  * CVE-2023-45288

CVSS scores:

  * CVE-2023-45288 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  * CVE-2023-45288 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Products:

  * openSUSE Tumbleweed

## Description:

These are all security issues fixed in the flannel-0.26.4-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

  * openSUSE Tumbleweed:
    * flannel 0.26.4-1.1
    * flannel-k8s-yaml 0.26.4-1.1

## References:

  * https://www.suse.com/security/cve/CVE-2023-45288.html

Upgrade to flannel-0.26.4-1.1 on openSUSE Tumbleweed to mitigate a moderate security vulnerability assessed with a CVSS score of 6.9. LinuxSecurity.com Team
An update that contains security fixes can now be installed.

SUSE Security Update: Security update for kubernetes-salt
______________________________________________________________________________

Announcement ID: SUSE-SU-2019:2655-1
Rating: important
References: #1121153 #1121154 #1141675
Affected Products: SUSE CaaS Platform 3.0
______________________________________________________________________________

Description:

This update fixes the following issues:

  * Flannel container ran with excess privileges (bsc#1121153 bsc#1121154)
  * Velum doesn't list available updates (due to failed transactional update timer restart) (bsc#1141675)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE CaaS Platform 3.0:

  To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

- SUSE CaaS Platform 3.0 (noarch):

  kubernetes-salt-3.0.0+git_r999_f540bd3-3.77.1

References:

  https://bugzilla.suse.com/1121153
  https://bugzilla.suse.com/1121154
  https://bugzilla.suse.com/1141675