ESB-2026.7119
=========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2026.7119 Security update for aws-iam-authenticator 29 June 2026 =========================================================================== AUSCERT Security Bulletin Summary --------------------------------- Product: aws-iam-authenticator Publisher: SUSE Operating System: SUSE Resolution: Patch/Upgrade CVE Names: CVE-2024-39689 CVE-2024-3968 CVE-2026-33814 CVE-2022-1996 CVE-2025-47910 CVE-2026-39821 CVE-2022-2385 Original Bulletin: https://www.suse.com/support/update/announcement/2026/suse-su-20262643-1 Comment: CVSS (Max): 9.8 CVE-2024-3968 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSS Source: [NIST], SUSE Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS (Max): 2.7% (84th) CVE-2022-1996 2026-06-28 - --------------------------BEGIN INCLUDED TEXT-------------------- Security update for aws-iam-authenticator Announcement ID: SUSE-SU-2026:2643-1 Release Date: 2026-06-26T08:35:07Z Rating: critical o bsc#1200528 o bsc#1201395 o bsc#1227519 References: o bsc#1239947 o bsc#1249141 o bsc#1265842 o bsc#1266651 o CVE-2022-1996 o CVE-2022-2385 o CVE-2024-39689 Cross-References: o CVE-2025-47910 o CVE-2026-33814 o CVE-2026-39821 o CVE-2022-1996 ( SUSE ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/ S:U/C:H/I:H/A:N o CVE-2022-1996 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/ S:U/C:H/I:H/A:N o CVE-2022-1996 ( NVD ): 9.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/ S:C/C:H/I:H/A:N o CVE-2022-2385 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/ S:U/C:H/I:H/A:N o CVE-2022-2385 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/ S:U/C:H/I:H/A:H o CVE-2024-39689 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N /S:U/C:L/I:N/A:N o CVE-2024-39689 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/ S:U/C:N/I:H/A:N o CVE-2024-39689 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/ S:U/C:N/I:H/A:N CVSS scores: o CVE-2025-47910 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R /S:U/C:L/I:L/A:N o CVE-2025-47910 ( NVD ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/ S:U/C:L/I:L/A:N o CVE-2026-33814 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N /S:U/C:N/I:N/A:H o CVE-2026-33814 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/ S:U/C:N/I:N/A:H o CVE-2026-33814 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/ S:U/C:N/I:N/A:H o CVE-2026-39821 ( SUSE ): 9.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N /UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N o CVE-2026-39821 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N /S:U/C:H/I:H/A:N o CVE-2026-39821 ( NVD ): 9.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/ S:C/C:H/I:H/A:N o Public Cloud Module 15-SP4 o Public Cloud Module 15-SP5 o Public Cloud Module 15-SP6 o Public Cloud Module 15-SP7 o SUSE Linux Enterprise High Performance Computing 15 SP4 o SUSE Linux Enterprise High Performance Computing 15 SP5 o SUSE Linux Enterprise Server 15 SP4 Affected o SUSE Linux Enterprise Server 15 SP5 Products: o SUSE Linux Enterprise Server 15 SP6 o SUSE Linux Enterprise Server 15 SP7 o SUSE Linux Enterprise Server for SAP Applications 15 SP4 o SUSE Linux Enterprise Server for SAP Applications 15 SP5 o SUSE Linux Enterprise Server for SAP Applications 15 SP6 o SUSE Linux Enterprise Server for SAP Applications 15 SP7 o SUSE Manager Proxy 4.3 o SUSE Manager Retail Branch Server 4.3 o SUSE Manager Server 4.3 An update that solves six vulnerabilities and has one security fix can now be installed. Description: This update for aws-iam-authenticator fixes the following issues o CVE-2022-1996: CORS bypass (bsc#1200528). o CVE-2022-2385: aws-iam-authenticator AccessKeyID validation bypass (bsc# 1201395). o CVE-2024-39689: remove root certificates from GLOBALTRUST from the root store. o CVE-2025-47910: net/http: CrossOriginProtection bypass patterns are over-broad. o CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1265842). o CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only Punycode-encoded labels allows for validation bypass and privilege escalation (bsc#1266651). Changes for aws-iam-authenticator: o Update to version 0.7.18 o Merge pull request (#1062) from CaidenBorrego/new-release o Creating new release for CVE mitigation o Merge pull request (#1057) from CaidenBorrego/caidenb-versionbump o Merge remote-tracking branch 'upstream/master' into caidenb-versionbump o Bump x/net and x/sys to remediate CVEs (bsc#1266651, CVE-2026-39821) o Update to 0.7.17 o Merge pull request #1051 from CaidenBorrego/caidenb-versionbump o bumping version from 0.7.16->0.7.17 o Merge pull request #1047 from CaidenBorrego/caidenb-reservedprefix-fix o fix: honor reservedPrefixConfig for ConfigMap and CRD backends o Merge pull request #1046 from CaidenBorrego/caidenb-gorunner-bump o fix: reject malformed mapping ARN in userIDStrict mode for dynamic files o Update to 0.7.16 o Merge pull request #1041 from ronaldngounou/rngounou/bump-go-1.26.3 o Pin GitHub Actions to full-length commit SHAs o fix: bump go version to 1.26.3 for CVEs o from version 0.7.15 o Merge pull request #1035 from Ganiredi/bump-version-0.7.15 o Bump version to 0.7.15 o Merge pull request #1030 from Ganiredi/1.36-k8s-deps o 1.36.0 dependency update o from version 0.7.14 o Merge pull request #1029 from CaidenBorrego/caidenb-gorunner-bump o Bump version to 0.7.14 o Bumping gorunner image tag in Dockerfile for CVE mitigation o from version 0.7.13 o Merge pull request #1020 from dheeraj-coding/master o feat: add manual dispatch function for create-release.yml o Merge pull request #1019 from dheeraj-coding/master o fix: create-release workflow failures o Merge pull request #1017 from Ganiredi/1.36-k8s-deps o Merge pull request #1018 from dheeraj-coding/master o fix: build failure due to stale gcb image by updating to latest o Release 0.7.13 o Merge pull request #1016 from Ganiredi/1.36-k8s-deps o Merge branch 'master' into 1.36-k8s-deps o Merge pull request #1013 from kubernetes-sigs/dependabot/go_modules/ misc-dependencies-be00ae3611 o 1.36.rc release o Merge pull request #1015 from dheeraj-coding/master o fix: bump go version 1.26.2 for CVEs o chore(deps): Bump the misc-dependencies group across 3 directories with 6 updates (bsc#1265842, CVE-2026-33814) o Merge pull request #1011 from kubernetes-sigs/dependabot/go_modules/ observability-dependencies-9e34dd3c34 o Merge pull request #1009 from kubernetes-sigs/dependabot/go_modules/ misc-dependencies-b5e1eeb2d5 o Merge pull request #1004 from bryantbiggs/chore/fix-goreleaser-deprecations o Merge pull request #1010 from kubernetes-sigs/dependabot/go_modules/ aws-dependencies-7118f1d525 o chore(deps): Bump the observability-dependencies group across 2 directories with 2 updates o chore(deps): Bump the aws-dependencies group across 2 directories with 6 updates o chore(deps): Bump the misc-dependencies group across 3 directories with 2 updates o Merge pull request #1008 from kubernetes-sigs/dependabot/go_modules/ aws-dependencies-3ce7b5fcac o chore(deps): Bump the aws-dependencies group across 2 directories with 12 updates o Merge pull request #1006 from kubernetes-sigs/dependabot/go_modules/ k8s-dependencies-09346e948b o chore(deps): Bump the k8s-dependencies group across 3 directories with 8 updates o Merge pull request #1005 from kubernetes-sigs/dependabot/go_modules/ aws-dependencies-508cd0fd8e o chore(deps): Bump the aws-dependencies group across 2 directories with 15 updates o fix: update Makefile goreleaser target for v2 compatibility o fix: resolve goreleaser v2 deprecations o Update to version 0.7.12 o Update OWNERS in reviewers and approvers list o Release 0.7.12 o ci: add verify job to catch unrun gofmt and go mod tidy o chore(lint): harden linter config and fix coverage gaps o fix(lint): add revive and unparam linters with full compliance o ci: add unit test job, expand golangci config, add make update/verify o docs(e2e): fix Go version, remove non-existent make target, fix typo o docs(release): remove stale ECR image update instructions and fix asset version placeholders o fix: address code review findings in repo cleanup branch o docs: rewrite development.md as a practical local dev guide o chore: repo cleanup, developer experience improvements o chore: reduce binary size by 59% (80 MB -> 33 MB) o fix(lint): replace deprecated NewSimpleClientset and fix embedded field selector o fix(tests): address code review findings in integration test framework o fix(tests): address post-refactor issues and add go workspace o refactor(tests): remove k8s.io/kubernetes dependency from test modules o chore: update all dependencies to latest versions o Set GOWORK=off to make building with vendored dependencies work o Update to version 0.7.11 o Merge pull request #988 from dstdfx/bump-version o Bump version to 0.7.11 o Merge pull request #985 from dstdfx/bump-go-version-1.25.7 o Update go.mod for e2e/int tests o Update go.mod o Merge pull request #986 from ShiriNmi1520/master o Clarify README "Run the server" deployment instructions o Bump go to 1.25.7 o Merge pull request #983 from eks-distro-pr-bot/eks-distro-pr-bot/ go-version-bumps o Creating PR to update Go version to 1.25.6 o Update to version 0.7.10: o 1.35.0 dependency update o Creating PR to update Go version to 1.25.5 o chore(deps): Bump the observability-dependencies group across 2 directories with 1 update o chore(deps): Bump the misc-dependencies group across 3 directories with 13 updates o chore(deps): Bump the observability-dependencies group across 1 directory with 2 updates o chore(deps): Bump the misc-dependencies group across 3 directories with 27 updates o chore(deps): Bump the aws-dependencies group across 2 directories with 11 updates o chore(deps): Bump the misc-dependencies group across 2 directories with 17 updates o Update to version 0.7.9 o Creating PR to update Go version to 1.25.4 o chore(deps): Bump the aws-dependencies group across 2 directories with 13 updates o chore(deps): Bump golangci/golangci-lint-action in the actions group o chore(deps): Bump the observability-dependencies group across 3 directories with 2 updates o chore(deps): Bump sigs.k8s.io/apiserver-network-proxy/konnectivity-client o chore(deps): Bump the aws-dependencies group across 2 directories with 14 updates o bump golang version to 1.25.3 o Creating PR to update Go version to 1.25.3 o chore(deps): Bump github.com/onsi/ginkgo/v2 o chore(deps): Bump the observability-dependencies group across 3 directories with 1 update o chore(deps): Bump the misc-dependencies group across 3 directories with 11 updates o chore(deps): Bump the misc-dependencies group across 3 directories with 5 updates o chore(deps): Bump the aws-dependencies group across 2 directories with 3 updates o Update to version 0.7.8 o chore: Bump indirect Kubernetes dependencies to latest o chore: Bump Kubernetes dependencies to latest o Bump the misc-dependencies group across 3 directories with 18 updates o Bump the aws-dependencies group across 2 directories with 11 updates o Fix CVE-2025-47910 o Bump go.opentelemetry.io/auto/sdk o Bump the aws-dependencies group across 2 directories with 1 update o Bump the misc-dependencies group across 3 directories with 10 updates o from version 0.7.7 o add support for aws-eusc partition o chore: Commit changes from make codegen o fix: Use .go-version for the go version o feat: Add golanglint-ci pull request review; resolve all findings o Add haoranleo as approver o Bump the observability-dependencies group across 3 directories with 3 updates o Bump actions/setup-go from 5 to 6 in the actions group o Bump the misc-dependencies group across 3 directories with 8 updates o Bump github.com/coreos/go-oidc o Bump the observability-dependencies group across 3 directories with 12 updates o from version 0.7.6 o feat: Update go version to 1.25 ; update dependencies to latest to patch reported vulnerabilities o Force TCP URLs for etcd compatibility o Update go dependencies with 1.34.0 o Bump the k8s-dependencies group across 3 directories with 8 updates o Bump the k8s-dependencies group across 3 directories with 1 update o Bump actions/checkout from 4 to 5 in the actions group o Bump the aws-dependencies group across 2 directories with 13 updates o from version 0.7.5 o migrate hostname verification to sdk go v2 o from version 0.7.4 o chore: Move observability dependencies to separate dependabot update group o Bump the aws-dependencies group across 2 directories with 12 updates o from version 0.7.3 o update Approvers/reviewers o update go version to 1.24.4 o added logs for global region fallback o added global region fallback to imds o Bump sigs.k8s.io/apiserver-network-proxy/konnectivity-client o bumps kops and k8s versions, replaced node label "master" with "control-plane" o added imds logic back in, with EC2_METADATA enabled by default o removed headersourceacct from ststest, return err if no region cfg o added context chaining, cleanup o add context chaining, client config fixes o Move non problematic cache logs into debug o Rename log-level to log-verbosity, remove AutomaticEnv o lint fixes o get region from imds if not in config o added go.sum entries for tests/integration, fixed imds nil pointer dereference o Revert "Bump sigs.k8s.io/apiserver-network-proxy/konnectivity-client" o added some context chaining, fixed region config in GetWithOptions o updated arn, deleted v1-v2 creds converter o updated pkg/token to v2 o updated pkg/filecache o updated arn in pkg/server to use v2 o updated pkg/server to use v2 o upgraded ec2provider o Bump the misc-dependencies group across 3 directories with 5 updates o Bump the misc-dependencies group across 3 directories with 6 updates o Bump the misc-dependencies group across 3 directories with 9 updates o Use logrus for filecache logs o Add quiet mode (cache only) o from version 0.7.2 o Bump the misc-dependencies group across 3 directories with 43 updates o Bump the k8s-dependencies group across 3 directories with 2 updates o from version 0.7.1 o Revert "Add 2 more tag validation checks" o Update the gorunner to v0.18.0-eks-1-32-latest o update the go version to 1.24.2 o adding yue9944882 to owner o adds http2 support o Bump the aws-dependencies group across 2 directories with 3 updates o Update configmap.go o release authenticator from mainline with 0.7.0 o Bump goreleaser/goreleaser-action from 5 to 6 in the actions group o Bump the misc-dependencies group across 3 directories with 41 updates o Remove no-op err assignment o Fix credential expirability check o chore: Update golan x package transitive dependencies o fix: Correct codgen script due to deprecated script removal o Update configmap test per 1.32.0 change in client-go o Update upstream dependencies to v1.32.0 o chore: Update to go 1.23.4 o deps: Update golang.org/x/crypto library to remediate high CVE o chore: Add dependabot configuration to automatically check for package updates weekly o handle scenario when the file is created but doesn't have content o update code and add tests o remove nnmin-aws from approver list o add kmala to the owners list o update metrics dimention to stsregion o add default timeout for http client o log sts host instead of global/regional o update log o remove typo and log line o remove typo o Bump test go versions o add logs and metrics dimentions to find sts call success/failures on global /regional endpoints o Bump go minor version o Update aws-iam-authenticator installation command o use protobuf content type instead of json for k8s client o Update RELEASE.md o Bump go-restful in e2e and integration tests o Bump go-restful o Remove outdated changelog artifacts o Bump deploy/example.yaml version o Update filecache to use AWS SDK Go V2 with wrappers o Refactored token filecache o Fix x-amz-expires header value o Remove parameterized AWS session from token.go o Parse source account from sourceARN o Add sourceArn to sts through headers o Add configurable Now time for signature generation o cleanup to use composite literals o update to sig.k8s.io namespace o retain original field o update the image to latest to fix CVE-2024-39689 o add a namespaced field o Update upstream dependencies to v1.31.0 o update the go version to 1.22.5 o Add unit test o skip service validation to get the default regions endpoint o fix: Run go mod tidy to fix go.sum files o fix: Update goreleaser workflow to fix warnings and artifact generation o update aws go sdk to 1.54.6 o chore: Remove emeritus reviewers from SECURITY_CONTACTS o fix: Add random string to e2e test role to avoid pipeline run conflicts o fix: Run go mod tidy from tests/integration directory o chore: Update CLI dependencies cobra and viper o updating google.golang.org/grpc/otelgrpc to v0.47.0 o chore: Update CI action versions, remove push trigger o chore: Align go versions and remove unused files o updating k8s client libraries and go version o adding new approvers - nnmin-aws o Bump go version to 1.21.8 o Bump github.com/golang/protobuf v1.5.4, google.golang.org/protobuf v1.33.0 o chore: Re-update to latest patch version of K8s packages o fix time formatting o refactor structs for dynamic file load o add support for adoption rate metrics for cam o add support for e2e latency for dynamic mode o Switch to GOTOOLCHAIN env setting from gimme o Switch back to use go-version from go-image-tag o Switch to use go-image-tag from go-version o Repo controlled build go version o chore: Re-update and align o fix semantic error o feat: Re-update K8s packages to latest release o fix: Use SIGDescribe o fix: Use framework.WithDisruptive() o fix: [Disruptive] in plain text is deprecated and must be added through WithDisruptive instead o chore: Update dependencies for e2e tests o fix: Add context to StartTestServer o fix: Align integration test replace versions in go.mod o fix: Fix codegen and update replace test integration dependencies o fix: Integration test dependencies run go mod tidy o fix: Downgrade k8s.io/sample-controller which requires updating context handling o chore: Update app K8s dependencies o adding nnmin-aws into reviewers o Replace deprecated ioutil package o fix base image to use latest o minor fix the IAM user arn verification o Fix role ARN comparison for user ID strict check (#669) o Check ARN for user ID strict check (#660) o Update go to 1.21.5 o Change s3 bucket for e2e tests, current default exists somewhere (#652) o Bump minimum Go version to 1.25 in BuildRequires o Update to version 0.6.31 o from version 0.6.30 o Small fixes missed during cherrypicking o Cherry-picked file changes from commit https://github.com/kubernetes-sigs/ aws-iam-authenticator/pull/554/commits o Simplify featuregate flag parsing for SSORoleMatch o Support un-canonicalized ARNs in filemapper o Add SSO Role suffix support (#416) o Chore: Update golang x package transitive dependencies o Add -buildmode=pie to go build command line (bsc#1239947) o Update to version 0.6.29 o from version 0.6.28 o Update owners list to sync master branch o Lpdate log o Add logs and metrics dimentions to find sts call success/failures on global /regional endpoints o Return 429 for STS throttling o Update to 0.6.27 o from version 0.6.26 o from version 0.6.25 o from version 0.6.24 o Update the image to latest to fix CVE-2024-3968 o from version 0.6.23 o Update to version 0.6.22 o Update to version 0.6.21 o from version 0.6.20 o Merge pull request #713 from jaidevmane/updating-otelgrpc-to-v0.51.0 o Merge pull request #709 from bryantbiggs/chore/update-ci-versions o Merge pull request #708 from jaidevmane/updating-deps o Merge pull request #707 from jaidevmane/adding-new-approvers o Merge pull request #687 from bryantbiggs/chore/update-app-k8s-dependencies o from version 0.6.19 o Bump github.com/golang/protobuf v1.5.4, google.golang.org/protobuf v1.33.0 o from version 0.6.18 o from version 0.6.17 o Fix base image to use latest and release v0.6.17 o from version 0.6.16 o from version 0.6.15 o Fix role ARN comparison for user ID strict check (#669) (#671) o Bump minimum Go version to 1.22 in BuildRequires o Update to version 0.6.14 o Check ARN for user ID strict check (#660) (#664) o Update go to 1.21.5 (#663) o Update go to 1.21.4 (#648) (#659) o Update to version 0.6.13 o Cherry-pick: Fix federated user ID parsing #644 (#654) o Fix issue 606: use latest version of aws-sdk-go (#650) o Change s3 bucket for e2e tests, current default exists somewhere (#653) o from version 0.6.12 o Avoid parsing single quote empty inputs o Avoid parsing known empty inputs o Update to version 0.6.11 o Optimize only rebuild mapper when the actual backend modes change o Add int test for dynamic backend mode o Add DynamicBackendMode o Allow running create release from Github UI o Update to version 0.6.10 o Update go.sum o Only replace x/net o Add build-all-images make target o Enable cross-compilation in Dockerfile o from version 0.6.9 o Add DynamicFileError Metric o from version 0.6.8 o Add comments explicitly on what we need to do later o Shutdown gracefully and avoid the extra thread leak checks that EtcdMain barfs on o Switch to newer ginkgo v2 o Bump dependencies and go version (in go.mod) (bsc#1200528, CVE-2022-1996) o from version 0.6.7 o (no changes) o from version 0.6.6 o Add Username Prefix Enforce for DynamicFile mode o from version 0.6.5 o Update the aws sdk go version to latest o Update base image in Docker file o from version 0.6.4 o Loop up RoleMapping with UserId in dynamocfile mode o Install kind if it doesn't exist to _output o Update server_test for expose principal ID in audit log o Expose Principal Id to audit log o Migrate away from google.com gcp project k8s-testimages o Build s390x/ppc64le binaries o Add default instance region in sts hostname o from version 0.6.3 o Bump aws sdk go to v1.44.145 o Update Dockerfile to pull from https://gallery.ecr.aws/ \ eks-distro-build-tooling/golang to avoid reaching pull rate limit from docker.io o Add go mod for E2E o Add install kind into e2e script o Move e2e test from start dev script + minor fix for run.sh o Add end to end test for mountfile mode in kind Update Makefile to support run e2e from either kind or kops. o Add end to end test for dynamicfile backend o Update to version 0.6.2 o Add automatic release creation o Add tag workflow to release-0.6 branch o Remove dependency from PR #416 o Revert "Add SSO Role suffix support (#416) o from version 0.6.1 o Test release tagging o Fix file permissions o Tag release on update to version.txt o Update Dockerfile to pull from https://gallery.ecr.aws/ eks-distro-build-tooling/golang to avoid reaching pull rate limit from docker.io o Added Issue and PR templates (#517) o Update Dockerfile to use Golang as builder o from version 0.6.0 o Print CommitID too on startup o Print version on startup o Add new backend mode DYNAMICFILE o Update go.mod and go.sum for tests/integrations o Replace tabs with spaces in go.mod o Bump aws sdk go to v1.44.107 o Minor fix on the script to solve permission denied issue when run make start-dev o Working E2E tests in prow o Non-blocking E2E tests o Add e2e recipe to Makefile o Basic E2E testing for authenticator o Initialize metrics in NewVerifier() if needed o Added ConfiguredInitDirectories featuregate for init command o rm more v1alpha1 version o Bump 0.6 (#471) o Bump version in Makefile o Add query parameter validation for multiple parameters o Replace deprecated seccomp annotation with seccompProfile. o Replace deprecated critical pod annotation with priorityClassName. o Whitespace consistency fixes. o Use rbac.authorization.k8s.io/v1 instead of v1beta1 in example manifest. o Lowercase the ARN keys o Remove vendor directory o linux/amd64 only for image target o Don't push on image target o from version 0.5.16 o Shutdown gracefully and avoid the extra thread leak checks that EtcdMain barfs on o Bump dependencies and go version (in go.mod) o from version 0.5.15 o from version 0.5.14 o from version 0.5.13 o from version 0.5.12 o Fix Makefile on branch release-0.5 (#520) o rm more v1alpha1 version (#516) o from version 0.5.11 o Add end to end test for mountfile mode in kind Update Makefile to support run e2e from either kind or kops. o Update to version 0.5.10 o Automated cherry pick of #491: Bump aws sdk go to v1.44.107 (#493) o Remove vendor from release-0.5 (#498) o Update to version 0.5.9 o Add query parameter validation for multiple parameters (#469) (bsc#1201395, CVE-2022-2385) o from version 0.5.8 o Revert use of upstream yaml parsing (#455) o from version 0.5.7 o Remove duplicate InitMetrics by @jngo2 in (#448) o Fixes a crash when executing authenticator in server mode o from version 0.5.6 o Bump AWS SDK to v1.43.28 (#445) o Use the apiversion from KUBERNETES_EXEC_INFO (#439) o Bump promptui module to v0.9.0 (#437) o from version 0.5.5 o Use full package name for goreleaser version (#433) o Add sts error metric (#430) o Emit metric for EC2 describeInstance calls (#428) o Rename configmap_watch_failures to configmap_watch_failures_total (#432) o Simplify goreleaser Dockerfiles (#431) o Don't pass metrics around (#423) o from version 0.5.4 o Embed go-runner into the image (#426) o Bump Go to 1.17 in Travis (#414) o Build multi-arch images (#417) o Add kind-based development environment (#422 o Add jaypipes to approvers/reviewers (#407 o Fix deps (#396 o Fix panic when cache file can't be Stat-ed (#410 o Fix missing status definition in v1 CRD (#411) o Use ./hack/install-etcd.sh (#405 o Run integration tests with per-test role (#402 o Add a counter for API server watch failures (#400) o Upgrade CRD manifest to v1 (#397 o Move inactives to emeritus_approvers and add active users (#399) o Fix tests add vendor (#398) o Integration test framework (#395) o Add cloudbuild & improvements (#394) o Fix typo (#390) o Add user/role subcommands (#381) o goreleaser: bump release to 0.164.0 and fix config deprecations (#371) o Run go mod vendor (#388) o doc: fix typo in RELEASE.md (#376) o [pkg/token]: Update credential API version (#386) o Enrich Audit Logs with additional AWS Identity details (via audit logs' "extra" map) (#372) o Enable vendoring for Go module dependencies Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: o Public Cloud Module 15-SP7 zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP7-2026-2643=1 o Public Cloud Module 15-SP5 zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP5-2026-2643=1 o Public Cloud Module 15-SP6 zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP6-2026-2643=1 o Public Cloud Module 15-SP4 zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP4-2026-2643=1 Package List: o Public Cloud Module 15-SP4 (aarch64 ppc64le s390x x86_64) aws-iam-authenticator-0.7.18-150000.1.17.1 o Public Cloud Module 15-SP5 (aarch64 ppc64le s390x x86_64) aws-iam-authenticator-0.7.18-150000.1.17.1 o Public Cloud Module 15-SP6 (aarch64 ppc64le s390x x86_64) aws-iam-authenticator-0.7.18-150000.1.17.1 o Public Cloud Module 15-SP7 (aarch64 ppc64le s390x x86_64) aws-iam-authenticator-0.7.18-150000.1.17.1 References: o https://www.suse.com/security/cve/CVE-2022-1996.html o https://www.suse.com/security/cve/CVE-2022-2385.html o https://www.suse.com/security/cve/CVE-2024-39689.html o https://www.suse.com/security/cve/CVE-2025-47910.html o https://www.suse.com/security/cve/CVE-2026-33814.html o https://www.suse.com/security/cve/CVE-2026-39821.html o https://bugzilla.suse.com/show_bug.cgi?id=1200528 o https://bugzilla.suse.com/show_bug.cgi?id=1201395 o https://bugzilla.suse.com/show_bug.cgi?id=1227519 o https://bugzilla.suse.com/show_bug.cgi?id=1239947 o https://bugzilla.suse.com/show_bug.cgi?id=1249141 o https://bugzilla.suse.com/show_bug.cgi?id=1265842 o https://bugzilla.suse.com/show_bug.cgi?id=1266651 - --------------------------END INCLUDED TEXT---------------------- You have received this e-mail bulletin as a result of your organisation's registration with AUSCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AUSCERT's members. As AUSCERT did not write the document quoted above, AUSCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AUSCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://portal.auscert.org.au/bulletins/ =========================================================================== AUSCERT The University of Queensland, Brisbane QLD 4072 Australia e: auscert@auscert.org.au t: +61 (0)7 3365 4417 Allies in Cyber Security ===========================================================================
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| SUSE | aws-iam-authenticator |
Timeline
- Jun 28, 2026 CVE Published