SUSE-SU-2026:22320-1
Vulnerability from csaf_suse - Published: 2026-06-22 14:35 - Updated: 2026-06-22 14:35
Summary
Security update for amazon-ecs-init
Severity
Important
Notes
Title of the patch: Security update for amazon-ecs-init
Description of the patch: This update for amazon-ecs-init fixes the following issues:
Update to version 1.103.2:
- CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE
(bsc#1265843).
- CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only Punycode-encoded labels allows for validation
bypass and privilege escalation (bsc#1266652).
Changes:
* Enhancement - Bump github.com/aws/aws-sdk-go-v2/service/fsx from
1.53.1 to 1.65.10 in /agent (#4966)
* Enhancement - Add semgrep security scan for command injection (#4959)
* Enhancement - Bump golang.org/x/tools from 0.39.0 to 0.45.0 in
/ecs-agent (#4965), also updates x/net to 0.54.0 (bsc#1266652, CVE-2026-39821)
* Enhancement - Add integration test for credential refresher (#4961)
* Enhancement - Bump golang.org/x/tools from 0.42.0 to 0.45.0 in /agent (#4873)
* Enhancement - Update Go version to 1.25.10 (#4960)
* Enhancement - Bump go.etcd.io/bbolt from 1.3.9 to 1.4.3 in /ecs-agent (#4872)
* Enhancement - update credentials-fetcher retry comments/tests (#4954)
* Enhancement - Add retry mechanism to credentialsfetcher (#4948)
* Enhancement - Add IMDS credential refresher (#4953)
* Bugfix - fix flaky tests depending on timers (#4955)
* Feature - Implement IMDS scanner for task credential retrieval,
in the shared library (#4945)
* Feature - Add config/capability for IMDS-based task credential retrieval
(disabled for now) (#4938)
* Feature - Add IMDS credential scanner interface and capability constant
for IMDS-based task credential retrieval (#4937)
* Enhancement - Bump github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs
from 1.47.3 to 1.65.0 in /agent (#4921)
* Enhancement - Bump github.com/aws/aws-sdk-go-v2/service/s3
from 1.63.1 to 1.97.3 in /ecs-init (#4923)
from 1.79.2 to 1.97.3 in /agent (#4924)
* Enhancement - Bump go.opentelemetry.io/otel/exporters/otlp/
otlptrace/ otlptracehttp from 1.32.0 to 1.43.0 in /agent (#4926)
* Enhancement - Truncate log values to make agent logs less verbose (#4940)
* Enhancement - Golang bump: 1.25.9 (#4935)
* Enhancement - Use env variable to read user input when
mounting FSx volumes (#4934)
* Enhancement - Replace SSM Dualstack endpoint
resolution logic with UseDualStackEndpoint (#4931)
* Enhancement - Emit duration metrics for TACS connect/disconnect (#4928)
* Enhancement - Bump github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream
from 1.6.10 to 1.7.8 in /agent (#4922)
from 1.6.5 to 1.7.8 in /ecs-init (#4925)
* Enhancement - Track and emit metric for disconnect time from ACS (#4920)
* Enhancement - engine: skip execution role checks when task desired status
is stopped (#4918)
* Enhancement - Add NeuronDevices type and sysfs-based device discovery (#4919)
* Bugfix - Fix release workflow branch handling and add GitHub App token (#4929)
* Bugfix - fix(netlib): Conditionally add IPv6 subnet to IPAM config when IPv6 (#4916)
* Enhancement - Update SSM exec agent version to 3.3.4108.0 (#4912)
* Enhancement - Update Go version to 1.25.8 (#4894)
* Enhancement - Apply skip-gpg-check to both ecs-init and ssm agent (#4901)
* Enhancement - Bump google.golang.org/grpc from 1.78.0 to 1.79.3 (#4906)
Patchnames: SUSE-SLES-16.0-1025
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
CVE-2026-33814
7.5 (High), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| SUSE Linux Enterprise Server 16.0 | amazon-ecs-init-1.103.2-160000.1.1.aarch64 | 1.103.2-160000.1.1 | Vendor Fix |
| SUSE Linux Enterprise Server 16.0 | amazon-ecs-init-1.103.2-160000.1.1.x86_64 | 1.103.2-160000.1.1 | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0 | amazon-ecs-init-1.103.2-160000.1.1.aarch64 | 1.103.2-160000.1.1 | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0 | amazon-ecs-init-1.103.2-160000.1.1.x86_64 | 1.103.2-160000.1.1 | Vendor Fix |
Vendor Fix: install patch SUSE-SLES-16.0-1025 with YaST online_update or "zypper patch"; the fixed package is amazon-ecs-init 1.103.2-160000.1.1.
Threats
Impact
important
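The 7.5 (High) entry above is CVE-2026-33814: golang.org/x/net/http2 adopts a peer's SETTINGS_MAX_FRAME_SIZE of 0 and then writes CONTINUATION frames forever. The Go program below is an added example, not code from x/net or from amazon-ecs-init, showing the two guards an HTTP/2 endpoint can apply: reject the value at the SETTINGS frame boundary (RFC 9113 section 6.5.2 allows 2^14 to 2^24-1 and makes anything else a connection error) and refuse to split a header block with a zero frame size instead of looping. The frame layout follows the RFC; the function names, the error value and the sample payloads are constructed for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// HTTP/2 SETTINGS identifier and limits from RFC 9113 section 6.5.2.
const (
	SettingsMaxFrameSize uint16 = 0x5
	minMaxFrameSize      uint32 = 1 << 14   // 16384, also the initial value
	maxMaxFrameSize      uint32 = 1<<24 - 1 // 16777215
)

var ErrBadMaxFrameSize = errors.New("h2: SETTINGS_MAX_FRAME_SIZE outside [2^14, 2^24-1], connection error PROTOCOL_ERROR")

// ParseSettingsPayload decodes the payload of a SETTINGS frame, a sequence of
// 6-byte identifier/value pairs, and refuses a SETTINGS_MAX_FRAME_SIZE outside
// the range the RFC allows. A peer advertising 0 is the input CVE-2026-33814
// describes; a conforming endpoint treats it as a connection error rather than
// adopting it as the maximum size of the frames it sends.
func ParseSettingsPayload(payload []byte) (map[uint16]uint32, error) {
	if len(payload)%6 != 0 {
		return nil, errors.New("h2: SETTINGS payload length not a multiple of 6, FRAME_SIZE_ERROR")
	}
	settings := make(map[uint16]uint32, len(payload)/6)
	for off := 0; off < len(payload); off += 6 {
		id := binary.BigEndian.Uint16(payload[off:])
		val := binary.BigEndian.Uint32(payload[off+2:])
		if id == SettingsMaxFrameSize && (val < minMaxFrameSize || val > maxMaxFrameSize) {
			return nil, fmt.Errorf("%w (got %d)", ErrBadMaxFrameSize, val)
		}
		settings[id] = val // a later entry for the same id overrides an earlier one
	}
	return settings, nil
}

// SplitHeaderBlock chunks an encoded header block into the payloads of one
// HEADERS frame followed by CONTINUATION frames of at most maxFrameSize bytes.
// With maxFrameSize == 0 the loop would append empty frames without consuming
// input, the behaviour the CVE text describes; the guard makes that an error.
func SplitHeaderBlock(block []byte, maxFrameSize uint32) ([][]byte, error) {
	if maxFrameSize == 0 {
		return nil, ErrBadMaxFrameSize
	}
	frames := [][]byte{}
	for len(block) > 0 {
		n := len(block)
		if uint32(n) > maxFrameSize {
			n = int(maxFrameSize)
		}
		frames = append(frames, block[:n])
		block = block[n:]
	}
	if len(frames) == 0 {
		frames = append(frames, []byte{}) // an empty header block still needs one HEADERS frame
	}
	return frames, nil
}

// settingsPayload builds a SETTINGS payload from id/value pairs. The payloads
// used below are constructed for this example, not captured traffic.
func settingsPayload(pairs ...[2]uint32) []byte {
	buf := make([]byte, 6*len(pairs))
	for i, p := range pairs {
		binary.BigEndian.PutUint16(buf[6*i:], uint16(p[0]))
		binary.BigEndian.PutUint32(buf[6*i+2:], p[1])
	}
	return buf
}

func main() {
	for _, v := range []uint32{16384, 0, 1 << 24} {
		_, err := ParseSettingsPayload(settingsPayload([2]uint32{uint32(SettingsMaxFrameSize), v}))
		fmt.Printf("SETTINGS_MAX_FRAME_SIZE=%-8d -> %v\n", v, err)
	}
	frames, err := SplitHeaderBlock([]byte("constructed header block"), 8)
	fmt.Println(len(frames), "frames of at most 8 bytes, err:", err)
	_, err = SplitHeaderBlock([]byte("constructed header block"), 0)
	fmt.Println("frame size 0 ->", err)
}
```

Both guards matter: the first keeps a malicious value from ever becoming the connection's frame size, and the second makes the writer fail closed if a value slips through by another path, which is the property the patched x/net release restores.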
CVE-2026-39821
7.4 (High), CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| SUSE Linux Enterprise Server 16.0 | amazon-ecs-init-1.103.2-160000.1.1.aarch64 | 1.103.2-160000.1.1 | Vendor Fix |
| SUSE Linux Enterprise Server 16.0 | amazon-ecs-init-1.103.2-160000.1.1.x86_64 | 1.103.2-160000.1.1 | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0 | amazon-ecs-init-1.103.2-160000.1.1.aarch64 | 1.103.2-160000.1.1 | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0 | amazon-ecs-init-1.103.2-160000.1.1.x86_64 | 1.103.2-160000.1.1 | Vendor Fix |
Threats
Impact
important
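The 7.4 (High) entry above is CVE-2026-39821: golang.org/x/net/idna accepted an A-label such as "xn--example-" that decodes to the ASCII-only "example", so a policy check made on the ASCII host name and a later ToUnicode saw different names. The Go program below is an added example, not code from x/net/idna or from amazon-ecs-init: a minimal RFC 3492 Punycode decoder and a ToUnicodeHost that fails the whole name when any A-label decodes to pure ASCII. It covers the general case rather than only the host in the CVE text: any A-label whose payload has no variable-length part decodes to ASCII only, because the first code point the decoder inserts is never below 128. Function and error names are this example's own, and the host names in the test are constructed.

```go
package main

import (
	"errors"
	"strings"
	"unicode"
)

// Punycode parameters (RFC 3492 section 5) and an int32 bound for the overflow guards.
const base, tMin, tMax, skew, damp, initialBias, initialN, maxInt32 = 36, 1, 26, 38, 700, 72, 128, 1<<31 - 1

var errPunycode = errors.New("punycode: malformed input")
var ErrASCIIOnly = errors.New("idna: A-label decodes to an ASCII-only label")

func adapt(delta, numPoints int, firstTime bool) int {
	if firstTime {
		delta /= damp
	} else {
		delta /= 2
	}
	delta += delta / numPoints
	k := 0
	for delta > ((base-tMin)*tMax)/2 {
		delta /= base - tMin
		k += base
	}
	return k + (base-tMin+1)*delta/(delta+skew)
}

// decodePunycode decodes the lowercase payload of an A-label, the part after "xn--" (RFC 3492 section 6.2).
func decodePunycode(s string) ([]rune, error) {
	out, pos := []rune{}, 0
	if dash := strings.LastIndexByte(s, '-'); dash >= 0 {
		if strings.IndexFunc(s[:dash], func(r rune) bool { return r >= 0x80 }) >= 0 {
			return nil, errPunycode // basic code points must be ASCII
		}
		out, pos = []rune(s[:dash]), dash+1
	}
	n, bias, i := initialN, initialBias, 0
	for pos < len(s) {
		oldi, w := i, 1
		for k := base; ; k += base {
			if pos >= len(s) {
				return nil, errPunycode // truncated variable-length integer
			}
			d := strings.IndexByte("abcdefghijklmnopqrstuvwxyz0123456789", s[pos])
			pos++
			if d < 0 || d > (maxInt32-i)/w {
				return nil, errPunycode // bad digit, or i would overflow
			}
			i += d * w
			t := k - bias
			if t < tMin {
				t = tMin
			} else if t > tMax {
				t = tMax
			}
			if d < t {
				break
			}
			if w *= base - t; w > maxInt32/base {
				return nil, errPunycode // w would overflow on the next digit
			}
		}
		x := len(out) + 1
		bias = adapt(i-oldi, x, oldi == 0)
		n += i / x
		i %= x
		if n > unicode.MaxRune {
			return nil, errPunycode
		}
		out = append(out, 0) // insert code point n (always >= 128) at index i
		copy(out[i+1:], out[i:])
		out[i] = rune(n)
		i++
	}
	return out, nil
}

// ToUnicodeHost converts each A-label of host to its U-label. An A-label that
// decodes to pure ASCII fails the whole name, so a caller that checked the ASCII
// form cannot end up acting on a different name, the bypass the CVE text describes.
func ToUnicodeHost(host string) (string, error) {
	labels := strings.Split(strings.ToLower(host), ".")
	for i, l := range labels {
		if !strings.HasPrefix(l, "xn--") {
			continue
		}
		runes, err := decodePunycode(l[4:])
		if err != nil {
			return "", err
		}
		if strings.IndexFunc(string(runes), func(r rune) bool { return r >= 0x80 }) < 0 {
			return "", ErrASCIIOnly // e.g. "xn--example-" would otherwise become "example"
		}
		labels[i] = string(runes)
	}
	return strings.Join(labels, "."), nil
}
```

The decoder is only what the check needs; it does not reproduce the UTS 46 mapping and label validity rules that x/net/idna applies, so a real deployment should take the fixed x/net release (the changelog above bumps it to 0.54.0) rather than this stand-in.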
References
13 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for amazon-ecs-init",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for amazon-ecs-init fixes the following issues\n\nUpdate to version 1.103.2:\n\n- CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE\n (bsc#1265843).\n- CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only Punycode-encoded labels allows for validation\n bypass and privilege escalation (bsc#1266652).\n\nChanges:\n\n * Enhancement - Bump github.com/aws/aws-sdk-go-v2/service/fsx from\n 1.53.1 to 1.65.10 in /agent (#4966)\n * Enhancement - Add semgrep security scan for command injection (#4959)\n * Enhancement - Bump golang.org/x/tools from 0.39.0 to 0.45.0 in\n /ecs-agent (#4965), also updates x/net to 0.54.0 (bsc#1266652, CVE-2026-39821)\n * Enhancement - Add integration test for credential refresher (#4961)\n * Enhancement - Bump golang.org/x/tools from 0.42.0 to 0.45.0 in /agent (#4873)\n * Enhancement - Update Go version to 1.25.10 (#4960)\n * Enhancement - Bump go.etcd.io/bbolt from 1.3.9 to 1.4.3 in /ecs-agent (#4872)\n * Enhancement - update credentials-fetcher retry comments/tests (#4954)\n * Enhancement - Enhancement - Add retry mechanism to credentialsfetcher (#4948)\n * Enhancement - Add IMDS credential refresher (#4953)\n * Bugfix - fix flaky tests depending on timers (#4955)\n * Feature - Implement IMDS scanner for task credential retrieval,\n in the shared library (#4945)\n * Feature - Add config/capability for IMDS-based task credential retrieval\n (disabled for now) (#4938)\n * Feature - Add IMDS credential scanner interface and capability constant\n for IMDS-based task credential retrieval (#4937)\n * Enhancement - Bump github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs\n from 1.47.3 to 1.65.0 in /agent (#4921)\n * Enhancement - Bump github.com/aws/aws-sdk-go-v2/service/s3\n from 1.63.1 to 1.97.3 in /ecs-init (#4923)\n from 1.79.2 to 1.97.3 in /agent (#4924)\n * Enhancement - Bump go.opentelemetry.io/otel/exporters/otlp/\n otlptrace/ otlptracehttp from 
1.32.0 to 1.43.0 in /agent (#4926)\n * Enhancement - Truncate log values to make agent logs less verbose (#4940)\n * Enhancement - Golang bump: 1.25.9 (#4935)\n * Enhancement - Use env variable to read user input when\n mounting FSx volumes (#4934)\n * Enhancement - Enhancement - Replace SSM Dualstack endpoint\n resolution logic with UseDualStackEndpoint (#4931)\n * Enhancement - Emit duration metrics for TACS connect/disconnect (#4928)\n * Enhancement - Bump github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream\n from 1.6.10 to 1.7.8 in /agent (#4922)\n from 1.6.5 to 1.7.8 in /ecs-init (#4925)\n * Enhancement - Track and emit metric for disconnect time from ACS (#4920)\n * Enhancement - engine: skip execution role checks when task desired status\n is stopped (#4918)\n * Enhancement - Add NeuronDevices type and sysfs-based device discovery (#4919)\n * Bugfix - Fix release workflow branch handling and add GitHub App token (#4929)\n * Bugfix - fix(netlib): Conditionally add IPv6 subnet to IPAM config when IPv6 (#4916)\n * Enhancement - Update SSM exec agent version to 3.3.4108.0 (#4912)\n * Enhancement - Update Go version to 1.25.8 (#4894)\n * Enhancement - Apply skip-gpg-check to both ecs-init and ssm agent (#4901)\n * Enhancement - Bump google.golang.org/grpc from 1.78.0 to 1.79.3 (#4906)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-1025",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_22320-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:22320-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202622320-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:22320-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-July/027149.html"
},
{
"category": "self",
"summary": "SUSE Bug 1265843",
"url": "https://bugzilla.suse.com/1265843"
},
{
"category": "self",
"summary": "SUSE Bug 1266652",
"url": "https://bugzilla.suse.com/1266652"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33814 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33814/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-39821 page",
"url": "https://www.suse.com/security/cve/CVE-2026-39821/"
}
],
"title": "Security update for amazon-ecs-init",
"tracking": {
"current_release_date": "2026-06-22T14:35:18Z",
"generator": {
"date": "2026-06-22T14:35:18Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:22320-1",
"initial_release_date": "2026-06-22T14:35:18Z",
"revision_history": [
{
"date": "2026-06-22T14:35:18Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "amazon-ecs-init-1.103.2-160000.1.1.aarch64",
"product": {
"name": "amazon-ecs-init-1.103.2-160000.1.1.aarch64",
"product_id": "amazon-ecs-init-1.103.2-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "amazon-ecs-init-1.103.2-160000.1.1.x86_64",
"product": {
"name": "amazon-ecs-init-1.103.2-160000.1.1.x86_64",
"product_id": "amazon-ecs-init-1.103.2-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "amazon-ecs-init-1.103.2-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:amazon-ecs-init-1.103.2-160000.1.1.aarch64"
},
"product_reference": "amazon-ecs-init-1.103.2-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "amazon-ecs-init-1.103.2-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:amazon-ecs-init-1.103.2-160000.1.1.x86_64"
},
"product_reference": "amazon-ecs-init-1.103.2-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "amazon-ecs-init-1.103.2-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:amazon-ecs-init-1.103.2-160000.1.1.aarch64"
},
"product_reference": "amazon-ecs-init-1.103.2-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "amazon-ecs-init-1.103.2-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:amazon-ecs-init-1.103.2-160000.1.1.x86_64"
},
"product_reference": "amazon-ecs-init-1.103.2-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-33814",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33814"
}
],
"notes": [
{
"category": "general",
"text": "When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:amazon-ecs-init-1.103.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:amazon-ecs-init-1.103.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:amazon-ecs-init-1.103.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:amazon-ecs-init-1.103.2-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33814",
"url": "https://www.suse.com/security/cve/CVE-2026-33814"
},
{
"category": "external",
"summary": "SUSE Bug 1264506 for CVE-2026-33814",
"url": "https://bugzilla.suse.com/1264506"
},
{
"category": "external",
"summary": "SUSE Bug 1268758 for CVE-2026-33814",
"url": "https://bugzilla.suse.com/1268758"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:amazon-ecs-init-1.103.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:amazon-ecs-init-1.103.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:amazon-ecs-init-1.103.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:amazon-ecs-init-1.103.2-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:amazon-ecs-init-1.103.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:amazon-ecs-init-1.103.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:amazon-ecs-init-1.103.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:amazon-ecs-init-1.103.2-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-22T14:35:18Z",
"details": "important"
}
],
"title": "CVE-2026-33814"
},
{
"cve": "CVE-2026-39821",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-39821"
}
],
"notes": [
{
"category": "general",
"text": "The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode(\"xn--example-.com\") incorrectly returns the name \"example.com\" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject \"example.com\" but permit \"xn--example-.com\". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name \"example.com\".",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:amazon-ecs-init-1.103.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:amazon-ecs-init-1.103.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:amazon-ecs-init-1.103.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:amazon-ecs-init-1.103.2-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-39821",
"url": "https://www.suse.com/security/cve/CVE-2026-39821"
},
{
"category": "external",
"summary": "SUSE Bug 1266474 for CVE-2026-39821",
"url": "https://bugzilla.suse.com/1266474"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:amazon-ecs-init-1.103.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:amazon-ecs-init-1.103.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:amazon-ecs-init-1.103.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:amazon-ecs-init-1.103.2-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:amazon-ecs-init-1.103.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:amazon-ecs-init-1.103.2-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:amazon-ecs-init-1.103.2-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:amazon-ecs-init-1.103.2-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-22T14:35:18Z",
"details": "important"
}
],
"title": "CVE-2026-39821"
}
]
}
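Consumers of this advisory rarely read the CSAF JSON above by hand. The Go program below is an added example, not SUSE's tooling and not part of the advisory, of pulling what a patch pipeline needs out of a CSAF 2.0 document: per CVE, the CVSS v3 score and vector, and the packages named by a vendor_fix remediation, with each SUSE product_id split into product, package name, version, release and architecture. The struct, the function names and the embedded sampleCSAF (a trimmed copy of the document above, values as they appear there) are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Advisory is a minimal view of a CSAF 2.0 advisory: only the fields read below.
type Advisory struct {
	Vulnerabilities []struct {
		CVE    string `json:"cve"`
		Scores []struct {
			CVSSv3 struct {
				BaseScore    float64 `json:"baseScore"`
				VectorString string  `json:"vectorString"`
			} `json:"cvss_v3"`
		} `json:"scores"`
		Remediations []struct {
			Category   string   `json:"category"`
			ProductIDs []string `json:"product_ids"`
		} `json:"remediations"`
	} `json:"vulnerabilities"`
}

// Package is one SUSE product_id, "<product>:<name>-<version>-<release>.<arch>", split up.
type Package struct{ Product, Name, Version, Release, Arch string }

// ParseProductID counts from the right because the package name may itself contain dashes.
func ParseProductID(id string) (Package, error) {
	product, nevra, ok := strings.Cut(id, ":")
	parts := strings.Split(nevra, "-")
	n := len(parts)
	dot := strings.LastIndexByte(parts[n-1], '.')
	if !ok || n < 3 || parts[0] == "" || dot < 1 {
		return Package{}, fmt.Errorf("csaf: malformed product_id %q", id)
	}
	return Package{product, strings.Join(parts[:n-2], "-"), parts[n-2], parts[n-1][:dot], parts[n-1][dot+1:]}, nil
}

// Fix is what a patch pipeline wants per CVE: severity plus the packages a vendor_fix names.
type Fix struct {
	CVE, Vector string
	Score       float64
	Packages    []Package
}

// VendorFixes parses a CSAF document and returns one Fix per vulnerability.
func VendorFixes(raw []byte) ([]Fix, error) {
	var adv Advisory
	if err := json.Unmarshal(raw, &adv); err != nil {
		return nil, err
	}
	fixes := []Fix{}
	for _, v := range adv.Vulnerabilities {
		f := Fix{CVE: v.CVE}
		if len(v.Scores) > 0 {
			f.Score, f.Vector = v.Scores[0].CVSSv3.BaseScore, v.Scores[0].CVSSv3.VectorString
		}
		for _, r := range v.Remediations {
			if r.Category != "vendor_fix" {
				continue
			}
			for _, id := range r.ProductIDs {
				p, err := ParseProductID(id)
				if err != nil {
					return nil, err
				}
				f.Packages = append(f.Packages, p)
			}
		}
		fixes = append(fixes, f)
	}
	return fixes, nil
}

// sampleCSAF is a trimmed copy of the advisory above (one vulnerability, two
// product_ids, values as on the page), constructed so the example runs offline.
const sampleCSAF = `{"document": {"tracking": {"id": "SUSE-SU-2026:22320-1"}},
 "vulnerabilities": [{"cve": "CVE-2026-33814",
  "remediations": [{"category": "vendor_fix", "product_ids": [
   "SUSE Linux Enterprise Server 16.0:amazon-ecs-init-1.103.2-160000.1.1.aarch64",
   "SUSE Linux Enterprise Server 16.0:amazon-ecs-init-1.103.2-160000.1.1.x86_64"]}],
  "scores": [{"cvss_v3": {"baseScore": 7.5, "baseSeverity": "HIGH",
   "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}]}]}`

func main() {
	fixes, err := VendorFixes([]byte(sampleCSAF))
	if err != nil {
		panic(err)
	}
	for _, f := range fixes {
		fmt.Printf("%s %.1f %s\n", f.CVE, f.Score, f.Vector)
		for _, p := range f.Packages {
			fmt.Printf("  %s: %s %s-%s (%s)\n", p.Product, p.Name, p.Version, p.Release, p.Arch)
		}
	}
}
```

The product_id layout is SUSE's convention as seen in the product_tree above; other CSAF publishers use different identifiers, so ParseProductID is specific to this source, while Advisory and VendorFixes follow the CSAF 2.0 schema and apply to any publisher.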