An update has been released for openSUSE to address a moderate security vulnerability in the go-sendxmpp application, which impacts various products, including openSUSE Backports SLE-15-SP6. The update specifically addresses CVE-2025-22872, a vulnerability related to the incorrect interpretation of tags by golang.org/x/net/html during DOM construction, which could lead to content being placed in the wrong scope.
Security Update Details:
- Announcement ID: openSUSE-SU-2025:0314-1
- Security Rating: Moderate
- Affected Products: openSUSE Backports SLE-15-SP6
- CVSS Score for CVE-2025-22872: 6.3, indicating a moderate severity level.
Key Features of the Update:
The go-sendxmpp package has been updated to version 0.15.0, introducing several new features and enhancements:
- A `--verbose` flag to display debug information.
- A `--recipients` flag to specify recipient addresses from a file.
- Retry options for connection failures, including `--retry-connect` and `--retry-connect-max`.
- Support for legacy PGP encryption with `--legacy-pgp`.
- Improved handling of punycode domains.
- Updates to the gopenpgp library and enhancements in error detection for Multi-User Chat (MUC) joins.
- Increased default TLS version to 1.3 for enhanced security.
- Other minor improvements and fixes.
Patch Instructions:
Users are encouraged to install the security update using recommended methods such as YaST online_update or by executing the command:
`zypper in -t patch openSUSE-2025-314=1`
Packages Affected:
The updated package available for openSUSE Backports SLE-15-SP6 includes:
- `go-sendxmpp-0.15.0-bp156.2.6.1` for architectures aarch64, i586, ppc64le, s390x, and x86_64.
For further details on the vulnerabilities and fixes, users can refer to the provided links to SUSE's security site and the relevant bug report.
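To confirm that a host actually carries the fixed build listed above, the following check compares the installed version-release against `0.15.0-bp156.2.6.1`. It is an added example, not part of the advisory; the function names are hypothetical, and GNU `sort -V` is assumed as a stand-in for rpm's own version comparison.

```sh
#!/bin/sh
# Fixed build named in the advisory (version-release, without the arch suffix).
FIXED_VR="0.15.0-bp156.2.6.1"

# is_patched VERSION-RELEASE
# Returns 0 when the given version-release sorts at or above FIXED_VR,
# 1 when it is older, 2 when no value was supplied.
# Assumption: `sort -V` ordering approximates rpm's comparison. A plain
# string compare would wrongly rank release "2.10.1" below "2.6.1".
is_patched() {
    installed="$1"
    [ -n "$installed" ] || return 2
    lowest=$(printf '%s\n%s\n' "$FIXED_VR" "$installed" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_VR" ]
}

# check_host: query the local rpm database and report the result.
check_host() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; cannot query package database" >&2
        return 2
    fi
    # rpm -q exits non-zero when the package is absent.
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' go-sendxmpp 2>/dev/null) || {
        echo "go-sendxmpp is not installed"
        return 0
    }
    if is_patched "$vr"; then
        echo "go-sendxmpp $vr: at or above fixed build $FIXED_VR"
    else
        echo "go-sendxmpp $vr: older than $FIXED_VR, apply patch openSUSE-2025-314"
        return 1
    fi
}
```

Source the file and call `check_host` on each system; a non-zero return marks a host that still needs the patch.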
Extension:
This update not only addresses a moderate-severity security issue but also enhances the functionality and usability of go-sendxmpp. As messaging platforms increasingly integrate encrypted communication and robust error handling, the updates introduced in this release reflect a commitment to improving user experience and security standards. Users are encouraged to stay informed about such updates and regularly apply patches to maintain the integrity of their systems. Additionally, it may be beneficial for organizations to review their current use of go-sendxmpp and consider implementing security best practices, including regular audits and vulnerability assessments.
Go-Sendxmpp update for SUSE
openSUSE-SU-2025:0314-1: moderate: Security update for go-sendxmpp