Terraform Providers: Security Update to Prevent Data Corruption and Authorization Bypass

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

Terraform Providers: Security Update to Prevent Data Corruption and Authorization Bypass

SUSE-SU-2026:1411-1

Summary

This update fixes two security issues in Terraform's providers for local storage, randomness, and TLS. If not patched, these issues could allow attackers to consume corrupted files or bypass authorization checks. We recommend updating to the latest version of the affected providers to ensure the integrity and security of your Terraform configurations.

What to do

Update terraform-provider-local to version 2.0.0-150200.6.8.1.
Update terraform-provider-null to version 3.0.0-150200.6.12.1.
Update terraform-provider-random to version 3.0.0-150200.6.6.2.
Update terraform-provider-tls to version 3.0.0-150200.5.6.2.

Affected software

Ecosystem	Vendor	Product	Affected versions
SUSE:Linux Enterprise Module for Public Cloud 15 SP4	–	terraform-provider-local	< 2.0.0-150200.6.8.1 Fix: upgrade to 2.0.0-150200.6.8.1
SUSE:Linux Enterprise Module for Public Cloud 15 SP4	–	terraform-provider-null	< 3.0.0-150200.6.12.1 Fix: upgrade to 3.0.0-150200.6.12.1
SUSE:Linux Enterprise Module for Public Cloud 15 SP4	–	terraform-provider-random	< 3.0.0-150200.6.6.2 Fix: upgrade to 3.0.0-150200.6.6.2
SUSE:Linux Enterprise Module for Public Cloud 15 SP4	–	terraform-provider-tls	< 3.0.0-150200.5.6.2 Fix: upgrade to 3.0.0-150200.5.6.2
SUSE:Linux Enterprise Module for Public Cloud 15 SP5	–	terraform-provider-local	< 2.0.0-150200.6.8.1 Fix: upgrade to 2.0.0-150200.6.8.1
SUSE:Linux Enterprise Module for Public Cloud 15 SP5	–	terraform-provider-null	< 3.0.0-150200.6.12.1 Fix: upgrade to 3.0.0-150200.6.12.1
SUSE:Linux Enterprise Module for Public Cloud 15 SP5	–	terraform-provider-random	< 3.0.0-150200.6.6.2 Fix: upgrade to 3.0.0-150200.6.6.2
SUSE:Linux Enterprise Module for Public Cloud 15 SP5	–	terraform-provider-tls	< 3.0.0-150200.5.6.2 Fix: upgrade to 3.0.0-150200.5.6.2
openSUSE:Leap 15.6	–	terraform-provider-local	< 2.0.0-150200.6.8.1 Fix: upgrade to 2.0.0-150200.6.8.1
openSUSE:Leap 15.6	–	terraform-provider-null	< 3.0.0-150200.6.12.1 Fix: upgrade to 3.0.0-150200.6.12.1
openSUSE:Leap 15.6	–	terraform-provider-random	< 3.0.0-150200.6.6.2 Fix: upgrade to 3.0.0-150200.6.6.2
openSUSE:Leap 15.6	–	terraform-provider-tls	< 3.0.0-150200.5.6.2 Fix: upgrade to 3.0.0-150200.5.6.2

Original title

Security update for terraform-provider-local, terraform-provider-random, terraform-provider-tls

Original description

This update for terraform-provider-local, terraform-provider-random, terraform-provider-tls fixes the following issue:

- CVE-2026-25934: github.com/go-git/go-git/v5: improper verification of data integrity values for .pack and .idx files that can lead to the consumption of corrupted files (bsc#1258097).
- CVE-2026-33186: fix authorization bypass in grpc-go due to improper validation of the HTTP/2 :path pseudo-header (bsc#1260218)

https://www.suse.com/support/update/announcement/2026/suse-su-20261411-1/ Vendor Advisory
https://bugzilla.suse.com/1258097 Third Party Advisory
https://bugzilla.suse.com/1260218 Third Party Advisory
https://www.suse.com/security/cve/CVE-2026-25934 URL
https://www.suse.com/security/cve/CVE-2026-33186 URL

Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 17 Apr 2026