Two security updates have been released for openSUSE: one for tailscale-1.86.5-1.1 and another for go-sendxmpp. The first update fixes one moderate vulnerability (CVE-2025-58058) in tailscale, while the second update addresses a moderate vulnerability (CVE-2025-22872) in go-sendxmpp.

openSUSE-SU-2025:15503-1: moderate: tailscale-1.86.5-1.1 on GA media
openSUSE-SU-2025:0332-1: moderate: Security update for go-sendxmpp

openSUSE-SU-2025:15503-1: moderate: tailscale-1.86.5-1.1 on GA media

# tailscale-1.86.5-1.1 on GA media

Announcement ID: openSUSE-SU-2025:15503-1
Rating: moderate

Cross-References:

* CVE-2025-58058

CVSS scores:

* CVE-2025-58058 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-58058 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the tailscale-1.86.5-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
* tailscale 1.86.5-1.1
* tailscale-bash-completion 1.86.5-1.1
* tailscale-fish-completion 1.86.5-1.1
* tailscale-zsh-completion 1.86.5-1.1

## References:

* https://www.suse.com/security/cve/CVE-2025-58058.html

openSUSE-SU-2025:0332-1: moderate: Security update for go-sendxmpp

openSUSE Security Update: Security update for go-sendxmpp
_______________________________

Announcement ID: openSUSE-SU-2025:0332-1
Rating: moderate
References: #1241814
Cross-References: CVE-2025-22872
CVSS scores:
CVE-2025-22872 (SUSE): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

Affected Products:
openSUSE Backports SLE-15-SP7
_______________________________

An update that fixes one vulnerability is now available.

Description:

This update for go-sendxmpp fixes the following issues:

- Update to 0.15.0: Added:
* Add flag --verbose to show debug information.
* Add flag --recipients to specify recipients by file.
* Add flag --retry-connect to try after a waiting time if the connection
fails.
* Add flag --retry-connect-max to specify the amount of retry attempts.
* Add flag --legacy-pgp for using XEP-0027 PGP encryption with Ox keys.
* Add support for punycode domains. Changed:
* Update gopenpgp library to v3.
* Improve error detection for MUC joins.
* Don't try to connect to other SRV record targets if error contains
'auth-failure'.
* Remove support for old SSDP version (via go-xmpp v0.2.15).
* Http-upload: Stop checking other disco items after finding upload
component.
* Increase default TLS version to 1.3.
- CVE-2025-22872: Fixed golang.org/x/net/html: incorrectly interpreted
tags can cause content to be placed wrong scope during DOM construction
(boo#1241814)

- Update to 0.14.1:
* Use prettier date format for error messages.
* Update XEP-0474 to version 0.4.0 (requires go-xmpp >= 0.2.10).

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP7:

zypper in -t patch openSUSE-2025-332=1

Package List:

- openSUSE Backports SLE-15-SP7 (aarch64 i586 ppc64le s390x x86_64):

go-sendxmpp-0.15.0-bp157.2.3.1

References:

https://www.suse.com/security/cve/CVE-2025-22872.html
https://bugzilla.suse.com/1241814