Update Info

openSUSE-2025-231

Security update for sslh
Type: security
Severity: important
Issued: 2025-07-01
Description:
This update for sslh fixes the following issues:

sslh was updated to 2.2.4:

  * Fix CVE-2025-46806 (boo#1243120): "Misaligned Memory Accesses
    in `is_openvpn_protocol()`"
  * Fix CVE-2025-46807 (boo#1243122): "File Descriptor Exhaustion
    in sslh-select and sslh-ev"
  * Fix potential parsing of undefined data in the syslog probe (no CVE assigned)

Update to 2.2.3:

  * Revert an older commit: version.h cannot be included without breaking
    the build (everything recompiles every time) and the release archive
    creation (which relies on git tags).

Update to 2.2.2:

  * Fix potential vulnerability similar to CVE-2020-28935

Update to 2.2.1:

  * Fix compilation when libproxyprotocol is not present

Update to 2.2.0:

  * Add a boolean setting "is_unix" for listen and
    protocol entries. This will use the 'host' setting
    as a path name to a socket file, and connections
    (listening or connecting) will be performed on a Unix
    socket instead of Internet sockets.
  * Support HAProxy's proxyprotocol on the backend
    server side.
  * Lots of documentation about a new, simpler way to
    perform transparent proxying.
  * New "verbose" option that overrides all other
    verbose settings.

Update to 2.1.3:

  * Landlock access fix

Update to 2.1.2:

  * Fix inetd

Update to 2.1.1:

  * Fix macOS build error

Update to 2.1.0:

  * Support for the Landlock LSM. After initial setup,
    sslh gives up all local file access rights.
  * Reintroduced --ssl as an alias to --tls.
  * Introduce autoconf to adapt to landlock presence.
  * Close the connection without an error message if the remote
    client forcefully closes the connection (Windows).

Update to 2.0.1:

  * New semver-compatible version number
  * New sslh-ev: this is functionally equivalent to sslh-select
    (mono-process, only forks for specified protocols), but based
    on libev, which should make it scalable to large numbers
    of connections.
  * New log system: instead of --verbose with arbitrary levels,
    there are now several message classes. Each message class
    can be set to go to stderr, syslog, or both. Classes are
    documented in example.cfg.
  * UDP connections are now managed in a hash to avoid linear
    searches. The downside is that the number of UDP connections
    is a hard limit, configurable with the 'udp_max_connections'
    setting, which defaults to 1024. Timeouts are managed with lists.
  * inetd merges stderr output into what is sent to the client,
    which is a security issue as it might leak information to an
    attacker. When inetd is activated, stderr is now forcibly closed.
  * New protocol-level option resolve_on_forward: requests that
    target names are resolved at each connection instead of at
    startup. Useful for dynamic DNS situations.

Packages


  • sslh-2.2.4-bp157.2.3.1