Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-58058 (GCVE-0-2025-58058)
Vulnerability from cvelistv5 – Published: 2025-08-28 21:54 – Updated: 2025-08-29 13:23
VLAI
EPSS
Title
github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives
Summary
xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn't include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.
Severity
5.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/ulikunitz/xz/security/advisori… | x_refsource_CONFIRM |
| https://github.com/ulikunitz/xz/commit/88ddf1d0d9… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58058",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-29T13:22:52.507752Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-29T13:23:07.497Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xz",
"vendor": "ulikunitz",
"versions": [
{
"status": "affected",
"version": "\u003c 0.5.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn\u0027t include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T21:54:05.561Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ulikunitz/xz/security/advisories/GHSA-jc7w-c686-c4v9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ulikunitz/xz/security/advisories/GHSA-jc7w-c686-c4v9"
},
{
"name": "https://github.com/ulikunitz/xz/commit/88ddf1d0d98d688db65de034f48960b2760d2ae2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ulikunitz/xz/commit/88ddf1d0d98d688db65de034f48960b2760d2ae2"
}
],
"source": {
"advisory": "GHSA-jc7w-c686-c4v9",
"discovery": "UNKNOWN"
},
"title": "github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-58058",
"datePublished": "2025-08-28T21:54:05.561Z",
"dateReserved": "2025-08-22T14:30:32.221Z",
"dateUpdated": "2025-08-29T13:23:07.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-58058",
"date": "2026-06-06",
"epss": "0.00028",
"percentile": "0.08576"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-58058\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-08-28T22:15:32.577\",\"lastModified\":\"2025-08-29T16:24:29.730\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn\u0027t include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"references\":[{\"url\":\"https://github.com/ulikunitz/xz/commit/88ddf1d0d98d688db65de034f48960b2760d2ae2\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/ulikunitz/xz/security/advisories/GHSA-jc7w-c686-c4v9\",\"source\":\"security-advisories@github.com\"}]}}"
}
}
OPENSUSE-SU-2025:20160-1
Vulnerability from csaf_opensuse - Published: 2025-12-12 13:20 - Updated: 2025-12-12 13:20Summary
Security update for hauler
Severity
Important
Notes
Title of the patch: Security update for hauler
Description of the patch: This update for hauler fixes the following issues:
- Update to version 1.3.1 (bsc#1251516, CVE-2025-47911,
bsc#1251891, CVE-2025-11579, bsc#1251651, CVE-2025-58190,
bsc#1248937, CVE-2025-58058):
* bump github.com/containerd/containerd (#474)
* another fix to tests for new tests (#472)
* fixed typo in testdata (#471)
* fixed/cleaned new tests (#470)
* trying a new way for hauler testing (#467)
* update for cosign v3 verify (#469)
* added digests view to info (#465)
* bump github.com/nwaples/rardecode/v2 from 2.1.1 to 2.2.0 in the go_modules group across 1 directory (#457)
* update oras-go to v1.2.7 for security patches (#464)
* update cosign to v3.0.2+hauler.1 (#463)
* fixed homebrew directory deprecation (#462)
* add registry logout command (#460)
- Update to version 1.3.0:
* bump the go_modules group across 1 directory with 2 updates (#455)
* upgraded versions/dependencies/deprecations (#454)
* allow loading of docker tarballs (#452)
* bump the go_modules group across 1 directory with 2 updates (#449)
- update to 1.2.5 (bsc#1246722, CVE-2025-46569):
* Bump github.com/open-policy-agent/opa from 1.1.0 to 1.4.0 in
the go_modules group across 1 directory (CVE-2025-46569)
* deprecate auth from hauler store copy
* Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 in the
go_modules group across 1 directory
* Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0
in the go_modules group across 1 directory
* upgraded go and dependencies versions
- Update to version 1.2.5:
* upgraded go and dependencies versions (#444)
* Bump github.com/go-viper/mapstructure/v2 (#442)
* bump github.com/cloudflare/circl (#441)
* deprecate auth from hauler store copy (#440)
* Bump github.com/open-policy-agent/opa (#438)
- update to 1.2.4 (CVE-2025-22872, bsc#1241804):
* Bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules
group across 1 directory
* minor tests updates
- Update to version 1.2.3:
* formatting and flag text updates
* add keyless signature verification (#434)
* bump helm.sh/helm/v3 in the go_modules group across 1 directory (#430)
* add --only flag to hauler store copy (for images) (#429)
* fix tlog verification error/warning output (#428)
- Update to version 1.2.2 (bsc#1241184, CVE-2024-0406):
* cleanup new tlog flag typos and add shorthand (#426)
* default public transparency log verification to false to be airgap friendly but allow override (#425)
* bump github.com/golang-jwt/jwt/v4 (#423)
* bump the go_modules group across 1 directory with 2 updates (#422)
* bump github.com/go-jose/go-jose/v3 (#417)
* bump github.com/go-jose/go-jose/v4 (#415)
* clear default manifest name if product flag used with sync (#412)
* updates for v1.2.0 (#408)
* fixed remote code (#407)
* added remote file fetch to load (#406)
* added remote and multiple file fetch to sync (#405)
* updated save flag and related logs (#404)
* updated load flag and related logs [breaking change] (#403)
* updated sync flag and related logs [breaking change] (#402)
* upgraded api update to v1/updated dependencies (#400)
* fixed consts for oci declarations (#398)
* fix for correctly grabbing platform post cosign 2.4 updates (#393)
* use cosign v2.4.1+carbide.2 to address containerd annotation in index.json (#390)
* Bump the go_modules group across 1 directory with 2 updates (#385)
* replace mholt/archiver with mholt/archives (#384)
* forked cosign bump to 2.4.1 and use as a library vs embedded binary (#383)
* cleaned up registry and improved logging (#378)
* Bump golang.org/x/crypto in the go_modules group across 1 directory (#377)
- bump net/html dependencies (bsc#1235332, CVE-2024-45338)
- Update to version 1.1.1:
* fixed cli desc for store env var (#374)
* updated versions for go/k8s/helm (#373)
* updated version flag to internal/flags (#369)
* renamed incorrectly named consts (#371)
* added store env var (#370)
* adding ignore errors and retries for continue on error/fail on error (#368)
* updated/fixed hauler directory (#354)
* standardize consts (#353)
* removed cachedir code (#355)
* removed k3s code (#352)
* updated dependencies for go, helm, and k8s (#351)
* [feature] build with boring crypto where available (#344)
* updated workflow to goreleaser builds (#341)
* added timeout to goreleaser workflow (#340)
* trying new workflow build processes (#337)
* improved workflow performance (#336)
* have extract use proper ref (#335)
* yet another workflow goreleaser fix (#334)
* even more workflow fixes (#333)
* added more fixes to github workflow (#332)
* fixed typo in hauler store save (#331)
* updates to fix build processes (#330)
* added integration tests for non hauler tarballs (#325)
* bump: golang >= 1.23.1 (#328)
* add platform flag to store save (#329)
* Update feature_request.md
* updated/standardize command descriptions (#313)
* use new annotation for 'store save' manifest.json (#324)
* enable docker load for hauler tarballs (#320)
* bump to cosign v2.2.3-carbide.3 for new annotation (#322)
* continue on error when adding images to store (#317)
* Update README.md (#318)
* fixed completion commands (#312)
* github.com/rancherfederal/hauler => hauler.dev/go/hauler (#311)
* pages: enable go install hauler.dev/go/hauler (#310)
* Create CNAME
* pages: initial workflow (#309)
* testing and linting updates (#305)
* feat-273: TLS Flags (#303)
* added list-repos flag (#298)
* fixed hauler login typo (#299)
* updated cobra function for shell completion (#304)
* updated install.sh to remove github api (#293)
* fix image ref keys getting squashed when containing sigs/atts (#291)
* fix missing versin info in release build (#283)
* bump github.com/docker/docker in the go_modules group across 1 directory (#281)
* updated install script (`install.sh`) (#280)
* fix digest images being lost on load of hauls (Signed). (#259)
* feat: add readonly flag (#277)
* fixed makefile for goreleaser v2 changes (#278)
* updated goreleaser versioning defaults (#279)
* update feature_request.md (#274)
* updated old references
* updated actions workflow user
* added dockerhub to github actions workflow
* removed helm chart
* added debug container and workflow
* updated products flag description
* updated chart for release
* fixed workflow errors/warnings
* fixed permissions on testdata
* updated chart versions (will need to update again)
* last bit of fixes to workflow
* updated unit test workflow
* updated goreleaser deprecations
* added helm chart release job
* updated github template names
* updated imports (and go fmt)
* formatted gitignore to match dockerignore
* formatted all code (go fmt)
* updated chart tests for new features
* Adding the timeout flag for fileserver command
* Configure chart commands to use helm clients for OCI and private registry support
* Added some documentation text to sync command
* Bump golang.org/x/net from 0.17.0 to 0.23.0
* fix for dup digest smashing in cosign
* removed vagrant scripts
* last bit of updates and formatting of chart
* updated hauler testdata
* adding functionality and cleaning up
* added initial helm chart
* removed tag in release workflow
* updated/fixed image ref in release workflow
* updated/fixed platforms in release workflow
* updated/cleaned github actions (#222)
* Make Product Registry configurable (#194)
* updated fileserver directory name (#219)
* fix logging for files
* add extra info for the tempdir override flag
* tempdir override flag for load
* deprecate the cache flag instead of remove
* switch to using bci-golang as builder image
* fix: ensure /tmp for hauler store load
* added the copy back for now
* remove copy at the image sync not needed with cosign update
* removed misleading cache flag
* better logging when adding to store
* update to v2.2.3 of our cosign fork
* add: dockerignore
* add: Dockerfile
* Bump google.golang.org/protobuf from 1.31.0 to 1.33.0
* Bump github.com/docker/docker
* updated and added new logos
* updated github files
Patchnames: openSUSE-Leap-16.0-packagehub-54
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.8 (High)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.9 (Medium)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
6.5 (Medium)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
8.3 (High)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.3 (Medium)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
34 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for hauler",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for hauler fixes the following issues:\n\n- Update to version 1.3.1 (bsc#1251516, CVE-2025-47911,\n bsc#1251891, CVE-2025-11579, bsc#1251651, CVE-2025-58190,\n bsc#1248937, CVE-2025-58058):\n * bump github.com/containerd/containerd (#474)\n * another fix to tests for new tests (#472)\n * fixed typo in testdata (#471)\n * fixed/cleaned new tests (#470)\n * trying a new way for hauler testing (#467)\n * update for cosign v3 verify (#469)\n * added digests view to info (#465)\n * bump github.com/nwaples/rardecode/v2 from 2.1.1 to 2.2.0 in the go_modules group across 1 directory (#457)\n * update oras-go to v1.2.7 for security patches (#464)\n * update cosign to v3.0.2+hauler.1 (#463)\n * fixed homebrew directory deprecation (#462)\n * add registry logout command (#460)\n\n- Update to version 1.3.0:\n * bump the go_modules group across 1 directory with 2 updates (#455)\n * upgraded versions/dependencies/deprecations (#454)\n * allow loading of docker tarballs (#452)\n * bump the go_modules group across 1 directory with 2 updates (#449)\n\n- update to 1.2.5 (bsc#1246722, CVE-2025-46569):\n * Bump github.com/open-policy-agent/opa from 1.1.0 to 1.4.0 in\n the go_modules group across 1 directory (CVE-2025-46569)\n * deprecate auth from hauler store copy\n * Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 in the\n go_modules group across 1 directory\n * Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0\n in the go_modules group across 1 directory\n * upgraded go and dependencies versions\n\n- Update to version 1.2.5:\n * upgraded go and dependencies versions (#444)\n * Bump github.com/go-viper/mapstructure/v2 (#442)\n * bump github.com/cloudflare/circl (#441)\n * deprecate auth from hauler store copy (#440)\n * Bump github.com/open-policy-agent/opa (#438)\n\n- update to 1.2.4 (CVE-2025-22872, bsc#1241804):\n * Bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules\n group across 1 directory\n * minor tests updates\n\n- Update to version 1.2.3:\n * formatting and flag text updates\n * add keyless signature verification (#434)\n * bump helm.sh/helm/v3 in the go_modules group across 1 directory (#430)\n * add --only flag to hauler store copy (for images) (#429)\n * fix tlog verification error/warning output (#428)\n\n- Update to version 1.2.2 (bsc#1241184, CVE-2024-0406):\n * cleanup new tlog flag typos and add shorthand (#426)\n * default public transparency log verification to false to be airgap friendly but allow override (#425)\n * bump github.com/golang-jwt/jwt/v4 (#423)\n * bump the go_modules group across 1 directory with 2 updates (#422)\n * bump github.com/go-jose/go-jose/v3 (#417)\n * bump github.com/go-jose/go-jose/v4 (#415)\n * clear default manifest name if product flag used with sync (#412)\n * updates for v1.2.0 (#408)\n * fixed remote code (#407)\n * added remote file fetch to load (#406)\n * added remote and multiple file fetch to sync (#405)\n * updated save flag and related logs (#404)\n * updated load flag and related logs [breaking change] (#403)\n * updated sync flag and related logs [breaking change] (#402)\n * upgraded api update to v1/updated dependencies (#400)\n * fixed consts for oci declarations (#398)\n * fix for correctly grabbing platform post cosign 2.4 updates (#393)\n * use cosign v2.4.1+carbide.2 to address containerd annotation in index.json (#390)\n * Bump the go_modules group across 1 directory with 2 updates (#385)\n * replace mholt/archiver with mholt/archives (#384)\n * forked cosign bump to 2.4.1 and use as a library vs embedded binary (#383)\n * cleaned up registry and improved logging (#378)\n * Bump golang.org/x/crypto in the go_modules group across 1 directory (#377)\n- bump net/html dependencies (bsc#1235332, CVE-2024-45338)\n\n- Update to version 1.1.1:\n * fixed cli desc for store env var (#374)\n * updated versions for go/k8s/helm (#373)\n * updated version flag to internal/flags (#369)\n * renamed incorrectly named consts (#371)\n * added store env var (#370)\n * adding ignore errors and retries for continue on error/fail on error (#368)\n * updated/fixed hauler directory (#354)\n * standardize consts (#353)\n * removed cachedir code (#355)\n * removed k3s code (#352)\n * updated dependencies for go, helm, and k8s (#351)\n * [feature] build with boring crypto where available (#344)\n * updated workflow to goreleaser builds (#341)\n * added timeout to goreleaser workflow (#340)\n * trying new workflow build processes (#337)\n * improved workflow performance (#336)\n * have extract use proper ref (#335)\n * yet another workflow goreleaser fix (#334)\n * even more workflow fixes (#333)\n * added more fixes to github workflow (#332)\n * fixed typo in hauler store save (#331)\n * updates to fix build processes (#330)\n * added integration tests for non hauler tarballs (#325)\n * bump: golang \u003e= 1.23.1 (#328)\n * add platform flag to store save (#329)\n * Update feature_request.md\n * updated/standardize command descriptions (#313)\n * use new annotation for \u0027store save\u0027 manifest.json (#324)\n * enable docker load for hauler tarballs (#320)\n * bump to cosign v2.2.3-carbide.3 for new annotation (#322)\n * continue on error when adding images to store (#317)\n * Update README.md (#318)\n * fixed completion commands (#312)\n * github.com/rancherfederal/hauler =\u003e hauler.dev/go/hauler (#311)\n * pages: enable go install hauler.dev/go/hauler (#310)\n * Create CNAME\n * pages: initial workflow (#309)\n * testing and linting updates (#305)\n * feat-273: TLS Flags (#303)\n * added list-repos flag (#298)\n * fixed hauler login typo (#299)\n * updated cobra function for shell completion (#304)\n * updated install.sh to remove github api (#293)\n * fix image ref keys getting squashed when containing sigs/atts (#291)\n * fix missing versin info in release build (#283)\n * bump github.com/docker/docker in the go_modules group across 1 directory (#281)\n * updated install script (`install.sh`) (#280)\n * fix digest images being lost on load of hauls (Signed). (#259)\n * feat: add readonly flag (#277)\n * fixed makefile for goreleaser v2 changes (#278)\n * updated goreleaser versioning defaults (#279)\n * update feature_request.md (#274)\n * updated old references\n * updated actions workflow user\n * added dockerhub to github actions workflow\n * removed helm chart\n * added debug container and workflow\n * updated products flag description\n * updated chart for release\n * fixed workflow errors/warnings\n * fixed permissions on testdata\n * updated chart versions (will need to update again)\n * last bit of fixes to workflow\n * updated unit test workflow\n * updated goreleaser deprecations\n * added helm chart release job\n * updated github template names\n * updated imports (and go fmt)\n * formatted gitignore to match dockerignore\n * formatted all code (go fmt)\n * updated chart tests for new features\n * Adding the timeout flag for fileserver command\n * Configure chart commands to use helm clients for OCI and private registry support\n * Added some documentation text to sync command\n * Bump golang.org/x/net from 0.17.0 to 0.23.0\n * fix for dup digest smashing in cosign\n * removed vagrant scripts\n * last bit of updates and formatting of chart\n * updated hauler testdata\n * adding functionality and cleaning up\n * added initial helm chart\n * removed tag in release workflow\n * updated/fixed image ref in release workflow\n * updated/fixed platforms in release workflow\n * updated/cleaned github actions (#222)\n * Make Product Registry configurable (#194)\n * updated fileserver directory name (#219)\n * fix logging for files\n * add extra info for the tempdir override flag\n * tempdir override flag for load\n * deprecate the cache flag instead of remove\n * switch to using bci-golang as builder image\n * fix: ensure /tmp for hauler store load\n * added the copy back for now\n * remove copy at the image sync not needed with cosign update\n * removed misleading cache flag\n * better logging when adding to store\n * update to v2.2.3 of our cosign fork\n * add: dockerignore\n * add: Dockerfile\n * Bump google.golang.org/protobuf from 1.31.0 to 1.33.0\n * Bump github.com/docker/docker\n * updated and added new logos\n * updated github files\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-packagehub-54",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_20160-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1235332",
"url": "https://bugzilla.suse.com/1235332"
},
{
"category": "self",
"summary": "SUSE Bug 1241184",
"url": "https://bugzilla.suse.com/1241184"
},
{
"category": "self",
"summary": "SUSE Bug 1241804",
"url": "https://bugzilla.suse.com/1241804"
},
{
"category": "self",
"summary": "SUSE Bug 1246722",
"url": "https://bugzilla.suse.com/1246722"
},
{
"category": "self",
"summary": "SUSE Bug 1248937",
"url": "https://bugzilla.suse.com/1248937"
},
{
"category": "self",
"summary": "SUSE Bug 1251516",
"url": "https://bugzilla.suse.com/1251516"
},
{
"category": "self",
"summary": "SUSE Bug 1251651",
"url": "https://bugzilla.suse.com/1251651"
},
{
"category": "self",
"summary": "SUSE Bug 1251891",
"url": "https://bugzilla.suse.com/1251891"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-0406 page",
"url": "https://www.suse.com/security/cve/CVE-2024-0406/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45338 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45338/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-11579 page",
"url": "https://www.suse.com/security/cve/CVE-2025-11579/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22872 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22872/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-46569 page",
"url": "https://www.suse.com/security/cve/CVE-2025-46569/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47911 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47911/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58058 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58058/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58190 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58190/"
}
],
"title": "Security update for hauler",
"tracking": {
"current_release_date": "2025-12-12T13:20:11Z",
"generator": {
"date": "2025-12-12T13:20:11Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:20160-1",
"initial_release_date": "2025-12-12T13:20:11Z",
"revision_history": [
{
"date": "2025-12-12T13:20:11Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "hauler-1.3.1-bp160.1.1.aarch64",
"product": {
"name": "hauler-1.3.1-bp160.1.1.aarch64",
"product_id": "hauler-1.3.1-bp160.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "hauler-1.3.1-bp160.1.1.x86_64",
"product": {
"name": "hauler-1.3.1-bp160.1.1.x86_64",
"product_id": "hauler-1.3.1-bp160.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "hauler-1.3.1-bp160.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64"
},
"product_reference": "hauler-1.3.1-bp160.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "hauler-1.3.1-bp160.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
},
"product_reference": "hauler-1.3.1-bp160.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-0406",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-0406"
}
],
"notes": [
{
"category": "general",
"text": "A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user\u0027s or application\u0027s privileges using the library.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-0406",
"url": "https://www.suse.com/security/cve/CVE-2024-0406"
},
{
"category": "external",
"summary": "SUSE Bug 1241181 for CVE-2024-0406",
"url": "https://bugzilla.suse.com/1241181"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T13:20:11Z",
"details": "important"
}
],
"title": "CVE-2024-0406"
},
{
"cve": "CVE-2024-45338",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45338"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45338",
"url": "https://www.suse.com/security/cve/CVE-2024-45338"
},
{
"category": "external",
"summary": "SUSE Bug 1234794 for CVE-2024-45338",
"url": "https://bugzilla.suse.com/1234794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T13:20:11Z",
"details": "moderate"
}
],
"title": "CVE-2024-45338"
},
{
"cve": "CVE-2025-11579",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-11579"
}
],
"notes": [
{
"category": "general",
"text": "github.com/nwaples/rardecode versions \u003c=2.1.1 fail to restrict the dictionary size when reading large RAR dictionary sizes, which allows an attacker to provide a specially crafted RAR file and cause Denial of Service via an Out Of Memory Crash.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-11579",
"url": "https://www.suse.com/security/cve/CVE-2025-11579"
},
{
"category": "external",
"summary": "SUSE Bug 1251871 for CVE-2025-11579",
"url": "https://bugzilla.suse.com/1251871"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T13:20:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-11579"
},
{
"cve": "CVE-2025-22872",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22872"
}
],
"notes": [
{
"category": "general",
"text": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22872",
"url": "https://www.suse.com/security/cve/CVE-2025-22872"
},
{
"category": "external",
"summary": "SUSE Bug 1241710 for CVE-2025-22872",
"url": "https://bugzilla.suse.com/1241710"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T13:20:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-22872"
},
{
"cve": "CVE-2025-46569",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-46569"
}
],
"notes": [
{
"category": "general",
"text": "Open Policy Agent (OPA) is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query containing a single data document reference is constructed from the requested path. This query is then used for policy evaluation. A HTTP request path can be crafted in a way that injects Rego code into the constructed query. The evaluation result cannot be made to return any other data than what is generated by the requested path, but this path can be misdirected, and the injected Rego code can be crafted to make the query succeed or fail; opening up for oracle attacks or, given the right circumstances, erroneous policy decision results. Furthermore, the injected code can be crafted to be computationally expensive, resulting in a Denial Of Service (DoS) attack. This issue has been patched in version 1.4.0. A workaround involves having network access to OPA\u0027s RESTful APIs being limited to `localhost` and/or trusted networks, unless necessary for production reasons.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-46569",
"url": "https://www.suse.com/security/cve/CVE-2025-46569"
},
{
"category": "external",
"summary": "SUSE Bug 1246710 for CVE-2025-46569",
"url": "https://bugzilla.suse.com/1246710"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T13:20:11Z",
"details": "important"
}
],
"title": "CVE-2025-46569"
},
{
"cve": "CVE-2025-47911",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47911"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47911",
"url": "https://www.suse.com/security/cve/CVE-2025-47911"
},
{
"category": "external",
"summary": "SUSE Bug 1251308 for CVE-2025-47911",
"url": "https://bugzilla.suse.com/1251308"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T13:20:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-47911"
},
{
"cve": "CVE-2025-58058",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58058"
}
],
"notes": [
{
"category": "general",
"text": "xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn\u0027t include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58058",
"url": "https://www.suse.com/security/cve/CVE-2025-58058"
},
{
"category": "external",
"summary": "SUSE Bug 1248889 for CVE-2025-58058",
"url": "https://bugzilla.suse.com/1248889"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T13:20:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-58058"
},
{
"cve": "CVE-2025-58190",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58190"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58190",
"url": "https://www.suse.com/security/cve/CVE-2025-58190"
},
{
"category": "external",
"summary": "SUSE Bug 1251309 for CVE-2025-58190",
"url": "https://bugzilla.suse.com/1251309"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T13:20:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-58190"
}
]
}
OPENSUSE-SU-2026:20105-1
Vulnerability from csaf_opensuse - Published: 2026-01-23 10:02 - Updated: 2026-01-23 10:02Summary
Security update for sbctl
Severity
Moderate
Notes
Title of the patch: Security update for sbctl
Description of the patch: This update for sbctl fixes the following issues:
Changes in sbctl:
- Upgrade the embedded golang.org/x/net to 0.46.0
* Fixes: bsc#1251399, CVE-2025-47911: various algorithms with
quadratic complexity when parsing HTML documents
* Fixes: bsc#1251609, CVE-2025-58190: excessive memory consumption
by 'html.ParseFragment' when processing specially crafted input
- Update to version 0.18:
* logging: fixup new go vet warning
* workflows: add cc for cross compile
* workflow: add sudo to apt
* workflow: add pcsclite to ci
* workflow: try enable cgo
* go.mod: update golang.org/x/ dependencies
* fix: avoid adding bogus Country attribute to subject DNs
* sbctl: only store file if we did actually sign the file
* installkernel: add post install hook for Debian's traditional installkernel
* CI: missing libpcsclite pkg
* workflows: add missing depends and new pattern keyword
* Add yubikey example for create keys to the README
* Initial yubikey backend keytype support
* verify: ensure we pass args in correct order
- bsc#1248949 (CVE-2025-58058):
Bump xz to 0.5.14
- Update to version 0.17:
* Ensure we don't wrongly compare input/output files when signing
* Added --json supprt to sbctl verify
* Ensure sbctl setup with no arguments returns a helpful output
* Import latest Microsoft keys for KEK and db databases
* Ensure we print the path of the file when encountering an invalid PE file
* Misc fixups in tests
* Misc typo fixes in prints
- Update to version 0.16:
* Ensure sbctl reads --config even if /etc/sbctl/sbctl.conf is
present
* Fixed a bug where sbctl would abort if the TPM eventlog
contains the same byte multiple times
* Fixed a landlock bug where enroll-keys --export did not work
* Fixed a bug where an ESP mounted to multiple paths would not be
detected
* Exporting keys without efivars present work again
* sbctl sign will now use the saved output path if the signed
file is enrolled
* enroll-keys --append will now work without --force.
- Updates from version 0.15.4:
* Fixed an issue where sign-all did not report a non-zero exit
code when something failed
* Fixed and issue where we couldn't write to a file with landlock
* Fixed an issue where --json would print the human readable
output and the json
* Fixes landlock for UKI/bundles by disabling the sandbox feature
* Some doc fixups that mentioned /usr/share/
Patchnames: openSUSE-Leap-16.0-packagehub-93
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.3 (Medium)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
14 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for sbctl",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for sbctl fixes the following issues:\n\nChanges in sbctl:\n\n- Upgrade the embedded golang.org/x/net to 0.46.0\n * Fixes: bsc#1251399, CVE-2025-47911: various algorithms with\n quadratic complexity when parsing HTML documents\n * Fixes: bsc#1251609, CVE-2025-58190: excessive memory consumption\n by \u0027html.ParseFragment\u0027 when processing specially crafted input\n\n- Update to version 0.18:\n * logging: fixup new go vet warning\n * workflows: add cc for cross compile\n * workflow: add sudo to apt\n * workflow: add pcsclite to ci\n * workflow: try enable cgo\n * go.mod: update golang.org/x/ dependencies\n * fix: avoid adding bogus Country attribute to subject DNs\n * sbctl: only store file if we did actually sign the file\n * installkernel: add post install hook for Debian\u0027s traditional installkernel\n * CI: missing libpcsclite pkg\n * workflows: add missing depends and new pattern keyword\n * Add yubikey example for create keys to the README\n * Initial yubikey backend keytype support\n * verify: ensure we pass args in correct order\n\n- bsc#1248949 (CVE-2025-58058):\n Bump xz to 0.5.14\n\n- Update to version 0.17:\n * Ensure we don\u0027t wrongly compare input/output files when signing\n * Added --json supprt to sbctl verify\n * Ensure sbctl setup with no arguments returns a helpful output\n * Import latest Microsoft keys for KEK and db databases\n * Ensure we print the path of the file when encountering an invalid PE file\n * Misc fixups in tests\n * Misc typo fixes in prints\n\n- Update to version 0.16:\n * Ensure sbctl reads --config even if /etc/sbctl/sbctl.conf is\n present\n * Fixed a bug where sbctl would abort if the TPM eventlog\n contains the same byte multiple times\n * Fixed a landlock bug where enroll-keys --export did not work\n * Fixed a bug where an ESP mounted to multiple paths would not be\n detected\n * Exporting keys without efivars present work again\n * sbctl sign will now use the saved output path if the signed\n file is enrolled\n * enroll-keys --append will now work without --force.\n- Updates from version 0.15.4:\n * Fixed an issue where sign-all did not report a non-zero exit\n code when something failed\n * Fixed and issue where we couldn\u0027t write to a file with landlock\n * Fixed an issue where --json would print the human readable\n output and the json\n * Fixes landlock for UKI/bundles by disabling the sandbox feature\n * Some doc fixups that mentioned /usr/share/\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-packagehub-93",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20105-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1248949",
"url": "https://bugzilla.suse.com/1248949"
},
{
"category": "self",
"summary": "SUSE Bug 1251399",
"url": "https://bugzilla.suse.com/1251399"
},
{
"category": "self",
"summary": "SUSE Bug 1251609",
"url": "https://bugzilla.suse.com/1251609"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47911 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47911/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58058 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58058/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58190 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58190/"
}
],
"title": "Security update for sbctl",
"tracking": {
"current_release_date": "2026-01-23T10:02:42Z",
"generator": {
"date": "2026-01-23T10:02:42Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:20105-1",
"initial_release_date": "2026-01-23T10:02:42Z",
"revision_history": [
{
"date": "2026-01-23T10:02:42Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "sbctl-0.18-bp160.1.1.aarch64",
"product": {
"name": "sbctl-0.18-bp160.1.1.aarch64",
"product_id": "sbctl-0.18-bp160.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "sbctl-0.18-bp160.1.1.x86_64",
"product": {
"name": "sbctl-0.18-bp160.1.1.x86_64",
"product_id": "sbctl-0.18-bp160.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "sbctl-0.18-bp160.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.aarch64"
},
"product_reference": "sbctl-0.18-bp160.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sbctl-0.18-bp160.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.x86_64"
},
"product_reference": "sbctl-0.18-bp160.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47911",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47911"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.aarch64",
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47911",
"url": "https://www.suse.com/security/cve/CVE-2025-47911"
},
{
"category": "external",
"summary": "SUSE Bug 1251308 for CVE-2025-47911",
"url": "https://bugzilla.suse.com/1251308"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.aarch64",
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.aarch64",
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-23T10:02:42Z",
"details": "moderate"
}
],
"title": "CVE-2025-47911"
},
{
"cve": "CVE-2025-58058",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58058"
}
],
"notes": [
{
"category": "general",
"text": "xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn\u0027t include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.aarch64",
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58058",
"url": "https://www.suse.com/security/cve/CVE-2025-58058"
},
{
"category": "external",
"summary": "SUSE Bug 1248889 for CVE-2025-58058",
"url": "https://bugzilla.suse.com/1248889"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.aarch64",
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.aarch64",
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-23T10:02:42Z",
"details": "moderate"
}
],
"title": "CVE-2025-58058"
},
{
"cve": "CVE-2025-58190",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58190"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.aarch64",
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58190",
"url": "https://www.suse.com/security/cve/CVE-2025-58190"
},
{
"category": "external",
"summary": "SUSE Bug 1251309 for CVE-2025-58190",
"url": "https://bugzilla.suse.com/1251309"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.aarch64",
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.aarch64",
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-23T10:02:42Z",
"details": "moderate"
}
],
"title": "CVE-2025-58190"
}
]
}
OPENSUSE-SU-2026:20192-1
Vulnerability from csaf_opensuse - Published: 2026-02-10 21:45 - Updated: 2026-02-10 21:45Summary
Security update for tailscale
Severity
Important
Notes
Title of the patch: Security update for tailscale
Description of the patch: This update for tailscale fixes the following issues:
Changes in tailscale:
- Update to version 1.94.0:
* IS SET and NOT SET have been added as device posture operators
* India DERP Region City Name updated
* Custom DERP servers support GCP Certificate Manager
* Tailscale SSH authentication, when successful, results in LOGIN audit
messages being sent to the kernel audit subsystem
* Tailscale Peer Relay throughput is improved when the SO_REUSEPORT socket
option is supported on multi-core systems
* Tailscale Peer Relay server handshake transmission is guarded against
routing loops over Tailscale
* MagicDNS always resolves when using resolv.conf without a DNS manager
* tailscaled_peer_relay_forwarded_packets_total and
tailscaled_peer_relay_forwarded_bytes_total client metrics are available for
Tailscale Peer Relays
* Identity tokens are automatically generated for workload identities
* --audience flag added to tailscale up command to support auto generation of
ID tokens for workload identity
* tsnet nodes can host Tailscale Services
* The tailscale lock status -json command returns tailnet key authority (TKA)
data in a stable format
* Tailscale Peer Relays deliver improved throughput through monotonic time
comparison optimizations and reduced lock contention
* Tailscale Services virtual IPs are now automatically accepted by clients
across all platforms regardless of the status of the --accept-routes
feature
- Update to version 1.94.0:
* derp/derpserver: add a unique sender cardinality estimate
* syncs: add means of declare locking assumptions for debug mode
* cmd/k8s-operator: add support for taiscale.com/http-redirect
* cmd/k8s-operator fix populateTLSSecret on tests
* feature/posture: log method and full URL for posture identity requests
* k8s-operator: Fix typos in egress-pod-readiness.go
* cmd/tailscale,ipn: add Unix socket support for serve
* client/systray: change systray to start after graphical.target
* cmd/k8s-operator: warn if users attempt to expose a headless Service
* cmd/tailscale/cli, util/qrcodes: format QR codes on Linux consoles
* tsnet: ensure funnel listener cleans up after itself when closed
* ipn/store/kubestore: don't load write replica certs in memory
* tsnet: allow for automatic ID token generation
- Update to version 1.92.5:
* types/persist: omit Persist.AttestationKey based on IsZero
* disable hardware attestation for kubernetes
* allow opting out of ACME order replace extension
- Update to version 1.92.4:
* nothing of importance
- Update to version 1.92.3:
* WireGuard configuration that occurs automatically in the client, no longer
results in a panic
- Update to version 1.92.2:
* cmd/derper: add GCP Certificate Manager support
- Update to version 1.92.1:
* fix LocalBackend deadlock when packet arrives during profile switch
* wgengine: fix TSMP/ICMP callback leak
- Update to version 1.92.0:
* no changelog provided
- Update to version 1.90.9:
* tailscaled no longer deadlocks during event bursts
* The client no longer hangs after wake up
- Update to version 1.90.8:
* tka: move RemoveAll() to CompactableChonk
- Update to version 1.90.7:
* wgengine/magicsock: validate endpoint.derpAddr
* wgengine/magicsock: fix UDPRelayAllocReq/Resp deadlock
* net/udprelay: replace VNI pool with selection algorithm
* feature/relayserver,ipn/ipnlocal,net/udprelay: plumb DERPMap
* feature/relayserver: fix Shutdown() deadlock
* net/netmon: do not abandon a subscriber when exiting early
* tka: don't try to read AUMs which are partway through being written
* tka: rename a mutex to mu instead of single-letter l
* ipn/ipnlocal: use an in-memory TKA store if FS is unavailable
- Update to version 1.90.6:
* Routes no longer stall and fail to apply when updated repeatedly in a short
period of time
* Tailscale SSH no longer hangs for 10s when connecting to tsrecorder. This
affected tailnets that use Tailscale SSH recording
- Update to version 1.90.4:
* deadlock issue no longer occurs in the client when checking
for the network to be available
* tailscaled no longer sporadically panics when a
Trusted Platform Module (TPM) device is present
- Update to version 1.90.3:
* tailscaled shuts down as expected and without panic
* tailscaled starts up as expected in a no router configuration environment
- Update to version 1.90.2:
* util/linuxfw: fix 32-bit arm regression with iptables
* health: compare warnable codes to avoid errors on release branch
* feature/tpm: check TPM family data for compatibility
- Upate to version 1.90.1:
* Clients can use configured DNS resolvers for all domains
* Node keys will be renewed seamlessly
* Unnecessary path discovery packets over DERP servers are suppressed
* Node key sealing is GA (generally available) and enabled by default
- update to version 1.88.3:
* cmd/tailscale/cli: add ts2021 debug flag to set a dial plan
* control/controlhttp: simplify, fix race dialing, remove priority concept
- update to version 1.88.2:
* k8s-operator: reset service status before append
- require the minimum go version directly, in comparison to using the golang(API)
symbol
- update to version 1.88.1:
* Tailscale CLI prompts users to confirm impactful actions
* Tailscale SSH works as expected when using an IP address instead of a
hostname and MagicDNS is disabled
* fixed: Taildrive sharing when su not present
* Taildrive files remain consistently accessible
* new: Tailscale tray GUI
* DERP IPs changed for Singapore and Tokyo
- Fixing CVE-2025-58058, bsc#1248920
- update to version 1.86.5:
* cmd/k8s-proxy,k8s-operator: fix serve config for userspace mode
- update to version 1.86.4:
* nothing of relevance
- update to version 1.86.3:
* nothing of relevance
- update to version 1.86.2:
* A deadlock issue that may have occurred in the client
* An occasional crash when establishing a new port mapping with a gateway or
firewall
- update to version 1.86.0:
* tsStateEncrypted device posture attribute for checking whether the
Tailscale client state is encrypted at rest
* Cross-site request forgery (CSRF) issue that may have resulted in a log in
error when accessing the web interface
* Recommended exit node when the previously recommended exit node is offline
* tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any
CLI commands track the recommended exit node and automatically switches to
it when available exit nodes or network conditions change
* tailscaled CLI command flag --encrypt-state encrypts the node state file on
the disk using trusted platform module (TPM)
- update to 1.84.3:
* ipn/ipnlocal: Update hostinfo to control on service config change
- update to 1.84.2:
* Re-enable setting —accept-dns by using TS_EXTRA_ARGS. This issue resulted
from stricter CLI arguments parsing introduced in Tailscale v1.84.0
- update to 1.84.1:
* net/dns: cache dns.Config for reuse when compileConfig fails
- update to 1.84.0:
* The --reason flag is added to the tailscale down command
* ReconnectAfter policy setting, which configures the maximum period of time
between a user disconnecting Tailscale and the client automatically
reconnecting
* Tailscale CLI commands throw an error if multiple of the same flag are detected
* Network connectivity issues when creating a new profile or switching
profiles while using an exit node
* DNS-over-TCP fallback works correctly with upstream servers reachable only
via the tailnet
- update to 1.82.5:
* A panic issue related to CUBIC congestion control in userspace mode is resolved.
- update to 1.82.0:
* DERP functionality within the client supports certificate pinning for
self-signed IP address certificates for those unable to use Let's Encrypt
or WebPKI certificates.
* Go is updated to version 1.24.1
* NAT traversal code uses the DERP connection that a packet arrived on as an
ultimate fallback route if no other information is available
* Captive portal detection reliability is improved on some in-flight Wi-Fi networks
* Port mapping success rate is improved
* Helsinki is added as a DERP region.
Patchnames: openSUSE-Leap-16.0-packagehub-119
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:tailscale-bash-completion-1.94.1-bp160.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:tailscale-fish-completion-1.94.1-bp160.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:tailscale-zsh-completion-1.94.1-bp160.1.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
5.3 (Medium)
Affected products
Recommended
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:tailscale-bash-completion-1.94.1-bp160.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:tailscale-fish-completion-1.94.1-bp160.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:tailscale-zsh-completion-1.94.1-bp160.1.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
References
9 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for tailscale",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for tailscale fixes the following issues:\n\nChanges in tailscale:\n\n- Update to version 1.94.0:\n * IS SET and NOT SET have been added as device posture operators\n * India DERP Region City Name updated\n * Custom DERP servers support GCP Certificate Manager\n * Tailscale SSH authentication, when successful, results in LOGIN audit\n messages being sent to the kernel audit subsystem\n * Tailscale Peer Relay throughput is improved when the SO_REUSEPORT socket\n option is supported on multi-core systems\n * Tailscale Peer Relay server handshake transmission is guarded against\n routing loops over Tailscale\n * MagicDNS always resolves when using resolv.conf without a DNS manager\n * tailscaled_peer_relay_forwarded_packets_total and\n tailscaled_peer_relay_forwarded_bytes_total client metrics are available for\n Tailscale Peer Relays\n * Identity tokens are automatically generated for workload identities\n * --audience flag added to tailscale up command to support auto generation of\n ID tokens for workload identity\n * tsnet nodes can host Tailscale Services\n * The tailscale lock status -json command returns tailnet key authority (TKA)\n data in a stable format\n * Tailscale Peer Relays deliver improved throughput through monotonic time\n comparison optimizations and reduced lock contention\n * Tailscale Services virtual IPs are now automatically accepted by clients\n across all platforms regardless of the status of the --accept-routes\n feature\n\n- Update to version 1.94.0:\n * derp/derpserver: add a unique sender cardinality estimate\n * syncs: add means of declare locking assumptions for debug mode\n * cmd/k8s-operator: add support for taiscale.com/http-redirect\n * cmd/k8s-operator fix populateTLSSecret on tests\n * feature/posture: log method and full URL for posture identity requests\n * k8s-operator: Fix typos in egress-pod-readiness.go\n * cmd/tailscale,ipn: add Unix socket support for serve\n * client/systray: change systray to start after graphical.target\n * cmd/k8s-operator: warn if users attempt to expose a headless Service\n * cmd/tailscale/cli, util/qrcodes: format QR codes on Linux consoles\n * tsnet: ensure funnel listener cleans up after itself when closed\n * ipn/store/kubestore: don\u0027t load write replica certs in memory\n * tsnet: allow for automatic ID token generation\n\n- Update to version 1.92.5:\n * types/persist: omit Persist.AttestationKey based on IsZero\n * disable hardware attestation for kubernetes\n * allow opting out of ACME order replace extension\n- Update to version 1.92.4:\n * nothing of importance\n\n- Update to version 1.92.3:\n * WireGuard configuration that occurs automatically in the client, no longer\n results in a panic\n\n- Update to version 1.92.2:\n * cmd/derper: add GCP Certificate Manager support\n\n- Update to version 1.92.1:\n * fix LocalBackend deadlock when packet arrives during profile switch\n * wgengine: fix TSMP/ICMP callback leak\n- Update to version 1.92.0:\n * no changelog provided\n- Update to version 1.90.9:\n * tailscaled no longer deadlocks during event bursts\n * The client no longer hangs after wake up\n\n- Update to version 1.90.8:\n * tka: move RemoveAll() to CompactableChonk\n- Update to version 1.90.7:\n * wgengine/magicsock: validate endpoint.derpAddr\n * wgengine/magicsock: fix UDPRelayAllocReq/Resp deadlock\n * net/udprelay: replace VNI pool with selection algorithm\n * feature/relayserver,ipn/ipnlocal,net/udprelay: plumb DERPMap\n * feature/relayserver: fix Shutdown() deadlock\n * net/netmon: do not abandon a subscriber when exiting early\n * tka: don\u0027t try to read AUMs which are partway through being written\n * tka: rename a mutex to mu instead of single-letter l\n * ipn/ipnlocal: use an in-memory TKA store if FS is unavailable\n\n- Update to version 1.90.6:\n * Routes no longer stall and fail to apply when updated repeatedly in a short\n period of time\n * Tailscale SSH no longer hangs for 10s when connecting to tsrecorder. This\n affected tailnets that use Tailscale SSH recording\n\n- Update to version 1.90.4:\n * deadlock issue no longer occurs in the client when checking\n for the network to be available\n * tailscaled no longer sporadically panics when a\n Trusted Platform Module (TPM) device is present\n\n- Update to version 1.90.3:\n * tailscaled shuts down as expected and without panic\n * tailscaled starts up as expected in a no router configuration environment\n\n- Update to version 1.90.2:\n * util/linuxfw: fix 32-bit arm regression with iptables\n * health: compare warnable codes to avoid errors on release branch\n * feature/tpm: check TPM family data for compatibility\n\n- Upate to version 1.90.1:\n * Clients can use configured DNS resolvers for all domains\n * Node keys will be renewed seamlessly\n * Unnecessary path discovery packets over DERP servers are suppressed\n * Node key sealing is GA (generally available) and enabled by default\n\n- update to version 1.88.3:\n * cmd/tailscale/cli: add ts2021 debug flag to set a dial plan\n * control/controlhttp: simplify, fix race dialing, remove priority concept\n- update to version 1.88.2:\n * k8s-operator: reset service status before append\n- require the minimum go version directly, in comparison to using the golang(API)\n symbol\n\n- update to version 1.88.1:\n * Tailscale CLI prompts users to confirm impactful actions\n * Tailscale SSH works as expected when using an IP address instead of a\n hostname and MagicDNS is disabled\n * fixed: Taildrive sharing when su not present\n * Taildrive files remain consistently accessible\n * new: Tailscale tray GUI\n * DERP IPs changed for Singapore and Tokyo\n- Fixing CVE-2025-58058, bsc#1248920\n\n- update to version 1.86.5:\n * cmd/k8s-proxy,k8s-operator: fix serve config for userspace mode\n- update to version 1.86.4:\n * nothing of relevance\n- update to version 1.86.3:\n * nothing of relevance\n\n- update to version 1.86.2:\n * A deadlock issue that may have occurred in the client\n * An occasional crash when establishing a new port mapping with a gateway or\n firewall\n\n- update to version 1.86.0:\n * tsStateEncrypted device posture attribute for checking whether the\n Tailscale client state is encrypted at rest\n * Cross-site request forgery (CSRF) issue that may have resulted in a log in\n error when accessing the web interface\n * Recommended exit node when the previously recommended exit node is offline\n * tailscale up --exit-node=auto:any and tailscale set --exit-node=auto:any\n CLI commands track the recommended exit node and automatically switches to\n it when available exit nodes or network conditions change\n * tailscaled CLI command flag --encrypt-state encrypts the node state file on\n the disk using trusted platform module (TPM)\n\n- update to 1.84.3:\n * ipn/ipnlocal: Update hostinfo to control on service config change\n\n- update to 1.84.2:\n * Re-enable setting \u2014accept-dns by using TS_EXTRA_ARGS. This issue resulted\n from stricter CLI arguments parsing introduced in Tailscale v1.84.0\n\n- update to 1.84.1:\n * net/dns: cache dns.Config for reuse when compileConfig fails\n\n- update to 1.84.0:\n * The --reason flag is added to the tailscale down command\n * ReconnectAfter policy setting, which configures the maximum period of time\n between a user disconnecting Tailscale and the client automatically\n reconnecting\n * Tailscale CLI commands throw an error if multiple of the same flag are detected\n * Network connectivity issues when creating a new profile or switching\n profiles while using an exit node\n * DNS-over-TCP fallback works correctly with upstream servers reachable only\n via the tailnet\n\n- update to 1.82.5:\n * A panic issue related to CUBIC congestion control in userspace mode is resolved.\n\n- update to 1.82.0:\n * DERP functionality within the client supports certificate pinning for\n self-signed IP address certificates for those unable to use Let\u0027s Encrypt\n or WebPKI certificates.\n * Go is updated to version 1.24.1\n * NAT traversal code uses the DERP connection that a packet arrived on as an\n ultimate fallback route if no other information is available\n * Captive portal detection reliability is improved on some in-flight Wi-Fi networks\n * Port mapping success rate is improved\n * Helsinki is added as a DERP region.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-packagehub-119",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20192-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1248920",
"url": "https://bugzilla.suse.com/1248920"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22869 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22869/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58058 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58058/"
}
],
"title": "Security update for tailscale",
"tracking": {
"current_release_date": "2026-02-10T21:45:05Z",
"generator": {
"date": "2026-02-10T21:45:05Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:20192-1",
"initial_release_date": "2026-02-10T21:45:05Z",
"revision_history": [
{
"date": "2026-02-10T21:45:05Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "tailscale-1.94.1-bp160.1.1.aarch64",
"product": {
"name": "tailscale-1.94.1-bp160.1.1.aarch64",
"product_id": "tailscale-1.94.1-bp160.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "tailscale-bash-completion-1.94.1-bp160.1.1.noarch",
"product": {
"name": "tailscale-bash-completion-1.94.1-bp160.1.1.noarch",
"product_id": "tailscale-bash-completion-1.94.1-bp160.1.1.noarch"
}
},
{
"category": "product_version",
"name": "tailscale-fish-completion-1.94.1-bp160.1.1.noarch",
"product": {
"name": "tailscale-fish-completion-1.94.1-bp160.1.1.noarch",
"product_id": "tailscale-fish-completion-1.94.1-bp160.1.1.noarch"
}
},
{
"category": "product_version",
"name": "tailscale-zsh-completion-1.94.1-bp160.1.1.noarch",
"product": {
"name": "tailscale-zsh-completion-1.94.1-bp160.1.1.noarch",
"product_id": "tailscale-zsh-completion-1.94.1-bp160.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "tailscale-1.94.1-bp160.1.1.ppc64le",
"product": {
"name": "tailscale-1.94.1-bp160.1.1.ppc64le",
"product_id": "tailscale-1.94.1-bp160.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "tailscale-1.94.1-bp160.1.1.s390x",
"product": {
"name": "tailscale-1.94.1-bp160.1.1.s390x",
"product_id": "tailscale-1.94.1-bp160.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "tailscale-1.94.1-bp160.1.1.x86_64",
"product": {
"name": "tailscale-1.94.1-bp160.1.1.x86_64",
"product_id": "tailscale-1.94.1-bp160.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "tailscale-1.94.1-bp160.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.aarch64"
},
"product_reference": "tailscale-1.94.1-bp160.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tailscale-1.94.1-bp160.1.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.ppc64le"
},
"product_reference": "tailscale-1.94.1-bp160.1.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tailscale-1.94.1-bp160.1.1.s390x as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.s390x"
},
"product_reference": "tailscale-1.94.1-bp160.1.1.s390x",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tailscale-1.94.1-bp160.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.x86_64"
},
"product_reference": "tailscale-1.94.1-bp160.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tailscale-bash-completion-1.94.1-bp160.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:tailscale-bash-completion-1.94.1-bp160.1.1.noarch"
},
"product_reference": "tailscale-bash-completion-1.94.1-bp160.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tailscale-fish-completion-1.94.1-bp160.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:tailscale-fish-completion-1.94.1-bp160.1.1.noarch"
},
"product_reference": "tailscale-fish-completion-1.94.1-bp160.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tailscale-zsh-completion-1.94.1-bp160.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:tailscale-zsh-completion-1.94.1-bp160.1.1.noarch"
},
"product_reference": "tailscale-zsh-completion-1.94.1-bp160.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-22869",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22869"
}
],
"notes": [
{
"category": "general",
"text": "SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:tailscale-bash-completion-1.94.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:tailscale-fish-completion-1.94.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:tailscale-zsh-completion-1.94.1-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22869",
"url": "https://www.suse.com/security/cve/CVE-2025-22869"
},
{
"category": "external",
"summary": "SUSE Bug 1239322 for CVE-2025-22869",
"url": "https://bugzilla.suse.com/1239322"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:tailscale-bash-completion-1.94.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:tailscale-fish-completion-1.94.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:tailscale-zsh-completion-1.94.1-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:tailscale-bash-completion-1.94.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:tailscale-fish-completion-1.94.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:tailscale-zsh-completion-1.94.1-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-10T21:45:05Z",
"details": "important"
}
],
"title": "CVE-2025-22869"
},
{
"cve": "CVE-2025-58058",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58058"
}
],
"notes": [
{
"category": "general",
"text": "xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn\u0027t include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:tailscale-bash-completion-1.94.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:tailscale-fish-completion-1.94.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:tailscale-zsh-completion-1.94.1-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58058",
"url": "https://www.suse.com/security/cve/CVE-2025-58058"
},
{
"category": "external",
"summary": "SUSE Bug 1248889 for CVE-2025-58058",
"url": "https://bugzilla.suse.com/1248889"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:tailscale-bash-completion-1.94.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:tailscale-fish-completion-1.94.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:tailscale-zsh-completion-1.94.1-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:tailscale-1.94.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:tailscale-bash-completion-1.94.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:tailscale-fish-completion-1.94.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:tailscale-zsh-completion-1.94.1-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-10T21:45:05Z",
"details": "moderate"
}
],
"title": "CVE-2025-58058"
}
]
}
SUSE-SU-2025:03448-1
Vulnerability from csaf_suse - Published: 2025-10-02 07:14 - Updated: 2025-10-02 07:14Summary
Security update for warewulf4
Severity
Moderate
Notes
Title of the patch: Security update for warewulf4
Description of the patch: This update for warewulf4 fixes the following issues:
Update to version 4.6.4.
Security issues fixed:
- CVE-2025-58058: xz: excessive memory consuption when unpacking a large number of corrupted LZMA archives
(bsc#1248906).
Other issues fixed:
- Convert disk booleans from `wwbool` to `*bool` which allows bools in disk to be set to false via command
line (bsc#1248768).
- Fix `wwctl` upgrade nodes to handle kernel argument lists (bsc#1227686, bsc#1227465).
- Mark `slurm` as recommeneded in the `warewulf4-overlay-slurm` package (bsc#1246082).
- Switch to `dnsmasq` as default DHCP and TFTP provider.
- v4.6.4 release updates:
* Update NetworkManager Overlay
* Disable IPv4 in NetworkManager if no address or route is specified
* Fix(`wwctl`): create overlay edit `tempfile` in `tmpdir`
* Add default for systemd name for warewulf in `warewulf.conf`
* Atomic overlay file application in `wwclient`
* Simpler names for overlay methods
* Fix `warewulfd` API behavior when deleting distribution overlay
- v4.6.3 release updates:
* IPv6 iPXE support
* Fix a race condition in `wwctl` overlay edit
* Fixed handling of comma-separated mount options in `fstab` and `ignition` overlays
* Move `reexec.Init()` to beginning of `wwctl`
* Added `warewuld` configure option
* Address copilot review from #1945
* Bugfix: cloning a site overlay when parent dir does not exist
* Clone to a site overlay when adding files in `wwapi`
* Consolidated `createOverlayFile` and `updateOverlayFile` to `addOverlayFile`
* Support for creating and updating overlay file in `wwapi`
* Only return overlay files that refer to a path within the overlay
* Add overlay file deletion support
* `DELETE /api/overlays/{id}?force=true` can delete overlays in use
* Restore idempotency of `PUT /api/nodes/{id}`
* Simplify overlay mtime API and add tests
* Add node overlay buildtime
* Improved `netplan` support
* Rebuild overlays for discovered nodes
- v4.6.2 release updates:
* (preview) support for provisioning to local disk
- incoperated from v4.6.1:
* REST API, which is disabled in the default configuration
Patchnames: SUSE-2025-3448,SUSE-SLE-Module-HPC-15-SP6-2025-3448,SUSE-SLE-Module-HPC-15-SP7-2025-3448,openSUSE-SLE-15.6-2025-3448
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.3 (Medium)
Affected products
Recommended
24 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-4.6.4-150500.6.37.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-4.6.4-150500.6.37.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-dracut-4.6.4-150500.6.37.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-man-4.6.4-150500.6.37.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-overlay-4.6.4-150500.6.37.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-overlay-4.6.4-150500.6.37.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-overlay-slurm-4.6.4-150500.6.37.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-reference-doc-4.6.4-150500.6.37.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-4.6.4-150500.6.37.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-4.6.4-150500.6.37.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-dracut-4.6.4-150500.6.37.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-man-4.6.4-150500.6.37.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-overlay-4.6.4-150500.6.37.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-overlay-4.6.4-150500.6.37.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-overlay-slurm-4.6.4-150500.6.37.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-reference-doc-4.6.4-150500.6.37.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:warewulf4-4.6.4-150500.6.37.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:warewulf4-4.6.4-150500.6.37.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:warewulf4-dracut-4.6.4-150500.6.37.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:warewulf4-man-4.6.4-150500.6.37.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:warewulf4-overlay-4.6.4-150500.6.37.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:warewulf4-overlay-4.6.4-150500.6.37.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:warewulf4-overlay-slurm-4.6.4-150500.6.37.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:warewulf4-reference-doc-4.6.4-150500.6.37.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for warewulf4",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for warewulf4 fixes the following issues:\n\nUpdate to version 4.6.4.\n\nSecurity issues fixed:\n\n- CVE-2025-58058: xz: excessive memory consuption when unpacking a large number of corrupted LZMA archives\n (bsc#1248906).\n\nOther issues fixed:\n\n- Convert disk booleans from `wwbool` to `*bool` which allows bools in disk to be set to false via command\n line (bsc#1248768).\n- Fix `wwctl` upgrade nodes to handle kernel argument lists (bsc#1227686, bsc#1227465).\n- Mark `slurm` as recommeneded in the `warewulf4-overlay-slurm` package (bsc#1246082).\n- Switch to `dnsmasq` as default DHCP and TFTP provider.\n\n- v4.6.4 release updates:\n * Update NetworkManager Overlay\n * Disable IPv4 in NetworkManager if no address or route is specified\n * Fix(`wwctl`): create overlay edit `tempfile` in `tmpdir`\n * Add default for systemd name for warewulf in `warewulf.conf`\n * Atomic overlay file application in `wwclient`\n * Simpler names for overlay methods\n * Fix `warewulfd` API behavior when deleting distribution overlay\n\n- v4.6.3 release updates:\n * IPv6 iPXE support\n * Fix a race condition in `wwctl` overlay edit\n * Fixed handling of comma-separated mount options in `fstab` and `ignition` overlays\n * Move `reexec.Init()` to beginning of `wwctl`\n * Added `warewuld` configure option\n * Address copilot review from #1945\n * Bugfix: cloning a site overlay when parent dir does not exist\n * Clone to a site overlay when adding files in `wwapi`\n * Consolidated `createOverlayFile` and `updateOverlayFile` to `addOverlayFile`\n * Support for creating and updating overlay file in `wwapi`\n * Only return overlay files that refer to a path within the overlay\n * Add overlay file deletion support\n * `DELETE /api/overlays/{id}?force=true` can delete overlays in use\n * Restore idempotency of `PUT /api/nodes/{id}`\n * Simplify overlay mtime API and add tests\n * Add node overlay buildtime\n * Improved `netplan` support\n * Rebuild overlays for discovered nodes\n\n- v4.6.2 release updates:\n * (preview) support for provisioning to local disk\n \n- incoperated from v4.6.1:\n * REST API, which is disabled in the default configuration\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-3448,SUSE-SLE-Module-HPC-15-SP6-2025-3448,SUSE-SLE-Module-HPC-15-SP7-2025-3448,openSUSE-SLE-15.6-2025-3448",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_03448-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:03448-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503448-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:03448-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-October/041996.html"
},
{
"category": "self",
"summary": "SUSE Bug 1227465",
"url": "https://bugzilla.suse.com/1227465"
},
{
"category": "self",
"summary": "SUSE Bug 1227686",
"url": "https://bugzilla.suse.com/1227686"
},
{
"category": "self",
"summary": "SUSE Bug 1246082",
"url": "https://bugzilla.suse.com/1246082"
},
{
"category": "self",
"summary": "SUSE Bug 1248768",
"url": "https://bugzilla.suse.com/1248768"
},
{
"category": "self",
"summary": "SUSE Bug 1248906",
"url": "https://bugzilla.suse.com/1248906"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58058 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58058/"
}
],
"title": "Security update for warewulf4",
"tracking": {
"current_release_date": "2025-10-02T07:14:58Z",
"generator": {
"date": "2025-10-02T07:14:58Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:03448-1",
"initial_release_date": "2025-10-02T07:14:58Z",
"revision_history": [
{
"date": "2025-10-02T07:14:58Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "warewulf4-4.6.4-150500.6.37.1.aarch64",
"product": {
"name": "warewulf4-4.6.4-150500.6.37.1.aarch64",
"product_id": "warewulf4-4.6.4-150500.6.37.1.aarch64"
}
},
{
"category": "product_version",
"name": "warewulf4-overlay-4.6.4-150500.6.37.1.aarch64",
"product": {
"name": "warewulf4-overlay-4.6.4-150500.6.37.1.aarch64",
"product_id": "warewulf4-overlay-4.6.4-150500.6.37.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "warewulf4-dracut-4.6.4-150500.6.37.1.noarch",
"product": {
"name": "warewulf4-dracut-4.6.4-150500.6.37.1.noarch",
"product_id": "warewulf4-dracut-4.6.4-150500.6.37.1.noarch"
}
},
{
"category": "product_version",
"name": "warewulf4-man-4.6.4-150500.6.37.1.noarch",
"product": {
"name": "warewulf4-man-4.6.4-150500.6.37.1.noarch",
"product_id": "warewulf4-man-4.6.4-150500.6.37.1.noarch"
}
},
{
"category": "product_version",
"name": "warewulf4-overlay-rke2-4.6.4-150500.6.37.1.noarch",
"product": {
"name": "warewulf4-overlay-rke2-4.6.4-150500.6.37.1.noarch",
"product_id": "warewulf4-overlay-rke2-4.6.4-150500.6.37.1.noarch"
}
},
{
"category": "product_version",
"name": "warewulf4-overlay-slurm-4.6.4-150500.6.37.1.noarch",
"product": {
"name": "warewulf4-overlay-slurm-4.6.4-150500.6.37.1.noarch",
"product_id": "warewulf4-overlay-slurm-4.6.4-150500.6.37.1.noarch"
}
},
{
"category": "product_version",
"name": "warewulf4-reference-doc-4.6.4-150500.6.37.1.noarch",
"product": {
"name": "warewulf4-reference-doc-4.6.4-150500.6.37.1.noarch",
"product_id": "warewulf4-reference-doc-4.6.4-150500.6.37.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "warewulf4-4.6.4-150500.6.37.1.x86_64",
"product": {
"name": "warewulf4-4.6.4-150500.6.37.1.x86_64",
"product_id": "warewulf4-4.6.4-150500.6.37.1.x86_64"
}
},
{
"category": "product_version",
"name": "warewulf4-overlay-4.6.4-150500.6.37.1.x86_64",
"product": {
"name": "warewulf4-overlay-4.6.4-150500.6.37.1.x86_64",
"product_id": "warewulf4-overlay-4.6.4-150500.6.37.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for HPC 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Module for HPC 15 SP6",
"product_id": "SUSE Linux Enterprise Module for HPC 15 SP6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-hpc:15:sp6"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for HPC 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for HPC 15 SP7",
"product_id": "SUSE Linux Enterprise Module for HPC 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-hpc:15:sp7"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "warewulf4-4.6.4-150500.6.37.1.aarch64 as component of SUSE Linux Enterprise Module for HPC 15 SP6",
"product_id": "SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-4.6.4-150500.6.37.1.aarch64"
},
"product_reference": "warewulf4-4.6.4-150500.6.37.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for HPC 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "warewulf4-4.6.4-150500.6.37.1.x86_64 as component of SUSE Linux Enterprise Module for HPC 15 SP6",
"product_id": "SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-4.6.4-150500.6.37.1.x86_64"
},
"product_reference": "warewulf4-4.6.4-150500.6.37.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for HPC 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "warewulf4-dracut-4.6.4-150500.6.37.1.noarch as component of SUSE Linux Enterprise Module for HPC 15 SP6",
"product_id": "SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-dracut-4.6.4-150500.6.37.1.noarch"
},
"product_reference": "warewulf4-dracut-4.6.4-150500.6.37.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for HPC 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "warewulf4-man-4.6.4-150500.6.37.1.noarch as component of SUSE Linux Enterprise Module for HPC 15 SP6",
"product_id": "SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-man-4.6.4-150500.6.37.1.noarch"
},
"product_reference": "warewulf4-man-4.6.4-150500.6.37.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for HPC 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "warewulf4-overlay-4.6.4-150500.6.37.1.aarch64 as component of SUSE Linux Enterprise Module for HPC 15 SP6",
"product_id": "SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-overlay-4.6.4-150500.6.37.1.aarch64"
},
"product_reference": "warewulf4-overlay-4.6.4-150500.6.37.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for HPC 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "warewulf4-overlay-4.6.4-150500.6.37.1.x86_64 as component of SUSE Linux Enterprise Module for HPC 15 SP6",
"product_id": "SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-overlay-4.6.4-150500.6.37.1.x86_64"
},
"product_reference": "warewulf4-overlay-4.6.4-150500.6.37.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for HPC 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "warewulf4-overlay-slurm-4.6.4-150500.6.37.1.noarch as component of SUSE Linux Enterprise Module for HPC 15 SP6",
"product_id": "SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-overlay-slurm-4.6.4-150500.6.37.1.noarch"
},
"product_reference": "warewulf4-overlay-slurm-4.6.4-150500.6.37.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for HPC 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "warewulf4-reference-doc-4.6.4-150500.6.37.1.noarch as component of SUSE Linux Enterprise Module for HPC 15 SP6",
"product_id": "SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-reference-doc-4.6.4-150500.6.37.1.noarch"
},
"product_reference": "warewulf4-reference-doc-4.6.4-150500.6.37.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for HPC 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "warewulf4-4.6.4-150500.6.37.1.aarch64 as component of SUSE Linux Enterprise Module for HPC 15 SP7",
"product_id": "SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-4.6.4-150500.6.37.1.aarch64"
},
"product_reference": "warewulf4-4.6.4-150500.6.37.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for HPC 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "warewulf4-4.6.4-150500.6.37.1.x86_64 as component of SUSE Linux Enterprise Module for HPC 15 SP7",
"product_id": "SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-4.6.4-150500.6.37.1.x86_64"
},
"product_reference": "warewulf4-4.6.4-150500.6.37.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for HPC 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "warewulf4-dracut-4.6.4-150500.6.37.1.noarch as component of SUSE Linux Enterprise Module for HPC 15 SP7",
"product_id": "SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-dracut-4.6.4-150500.6.37.1.noarch"
},
"product_reference": "warewulf4-dracut-4.6.4-150500.6.37.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for HPC 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "warewulf4-man-4.6.4-150500.6.37.1.noarch as component of SUSE Linux Enterprise Module for HPC 15 SP7",
"product_id": "SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-man-4.6.4-150500.6.37.1.noarch"
},
"product_reference": "warewulf4-man-4.6.4-150500.6.37.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for HPC 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "warewulf4-overlay-4.6.4-150500.6.37.1.aarch64 as component of SUSE Linux Enterprise Module for HPC 15 SP7",
"product_id": "SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-overlay-4.6.4-150500.6.37.1.aarch64"
},
"product_reference": "warewulf4-overlay-4.6.4-150500.6.37.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for HPC 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "warewulf4-overlay-4.6.4-150500.6.37.1.x86_64 as component of SUSE Linux Enterprise Module for HPC 15 SP7",
"product_id": "SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-overlay-4.6.4-150500.6.37.1.x86_64"
},
"product_reference": "warewulf4-overlay-4.6.4-150500.6.37.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for HPC 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "warewulf4-overlay-slurm-4.6.4-150500.6.37.1.noarch as component of SUSE Linux Enterprise Module for HPC 15 SP7",
"product_id": "SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-overlay-slurm-4.6.4-150500.6.37.1.noarch"
},
"product_reference": "warewulf4-overlay-slurm-4.6.4-150500.6.37.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for HPC 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "warewulf4-reference-doc-4.6.4-150500.6.37.1.noarch as component of SUSE Linux Enterprise Module for HPC 15 SP7",
"product_id": "SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-reference-doc-4.6.4-150500.6.37.1.noarch"
},
"product_reference": "warewulf4-reference-doc-4.6.4-150500.6.37.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for HPC 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "warewulf4-4.6.4-150500.6.37.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:warewulf4-4.6.4-150500.6.37.1.aarch64"
},
"product_reference": "warewulf4-4.6.4-150500.6.37.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "warewulf4-4.6.4-150500.6.37.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:warewulf4-4.6.4-150500.6.37.1.x86_64"
},
"product_reference": "warewulf4-4.6.4-150500.6.37.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "warewulf4-dracut-4.6.4-150500.6.37.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:warewulf4-dracut-4.6.4-150500.6.37.1.noarch"
},
"product_reference": "warewulf4-dracut-4.6.4-150500.6.37.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "warewulf4-man-4.6.4-150500.6.37.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:warewulf4-man-4.6.4-150500.6.37.1.noarch"
},
"product_reference": "warewulf4-man-4.6.4-150500.6.37.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "warewulf4-overlay-4.6.4-150500.6.37.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:warewulf4-overlay-4.6.4-150500.6.37.1.aarch64"
},
"product_reference": "warewulf4-overlay-4.6.4-150500.6.37.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "warewulf4-overlay-4.6.4-150500.6.37.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:warewulf4-overlay-4.6.4-150500.6.37.1.x86_64"
},
"product_reference": "warewulf4-overlay-4.6.4-150500.6.37.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "warewulf4-overlay-slurm-4.6.4-150500.6.37.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:warewulf4-overlay-slurm-4.6.4-150500.6.37.1.noarch"
},
"product_reference": "warewulf4-overlay-slurm-4.6.4-150500.6.37.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "warewulf4-reference-doc-4.6.4-150500.6.37.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:warewulf4-reference-doc-4.6.4-150500.6.37.1.noarch"
},
"product_reference": "warewulf4-reference-doc-4.6.4-150500.6.37.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-58058",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58058"
}
],
"notes": [
{
"category": "general",
"text": "xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn\u0027t include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-4.6.4-150500.6.37.1.aarch64",
"SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-4.6.4-150500.6.37.1.x86_64",
"SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-dracut-4.6.4-150500.6.37.1.noarch",
"SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-man-4.6.4-150500.6.37.1.noarch",
"SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-overlay-4.6.4-150500.6.37.1.aarch64",
"SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-overlay-4.6.4-150500.6.37.1.x86_64",
"SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-overlay-slurm-4.6.4-150500.6.37.1.noarch",
"SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-reference-doc-4.6.4-150500.6.37.1.noarch",
"SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-4.6.4-150500.6.37.1.aarch64",
"SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-4.6.4-150500.6.37.1.x86_64",
"SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-dracut-4.6.4-150500.6.37.1.noarch",
"SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-man-4.6.4-150500.6.37.1.noarch",
"SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-overlay-4.6.4-150500.6.37.1.aarch64",
"SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-overlay-4.6.4-150500.6.37.1.x86_64",
"SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-overlay-slurm-4.6.4-150500.6.37.1.noarch",
"SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-reference-doc-4.6.4-150500.6.37.1.noarch",
"openSUSE Leap 15.6:warewulf4-4.6.4-150500.6.37.1.aarch64",
"openSUSE Leap 15.6:warewulf4-4.6.4-150500.6.37.1.x86_64",
"openSUSE Leap 15.6:warewulf4-dracut-4.6.4-150500.6.37.1.noarch",
"openSUSE Leap 15.6:warewulf4-man-4.6.4-150500.6.37.1.noarch",
"openSUSE Leap 15.6:warewulf4-overlay-4.6.4-150500.6.37.1.aarch64",
"openSUSE Leap 15.6:warewulf4-overlay-4.6.4-150500.6.37.1.x86_64",
"openSUSE Leap 15.6:warewulf4-overlay-slurm-4.6.4-150500.6.37.1.noarch",
"openSUSE Leap 15.6:warewulf4-reference-doc-4.6.4-150500.6.37.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58058",
"url": "https://www.suse.com/security/cve/CVE-2025-58058"
},
{
"category": "external",
"summary": "SUSE Bug 1248889 for CVE-2025-58058",
"url": "https://bugzilla.suse.com/1248889"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-4.6.4-150500.6.37.1.aarch64",
"SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-4.6.4-150500.6.37.1.x86_64",
"SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-dracut-4.6.4-150500.6.37.1.noarch",
"SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-man-4.6.4-150500.6.37.1.noarch",
"SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-overlay-4.6.4-150500.6.37.1.aarch64",
"SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-overlay-4.6.4-150500.6.37.1.x86_64",
"SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-overlay-slurm-4.6.4-150500.6.37.1.noarch",
"SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-reference-doc-4.6.4-150500.6.37.1.noarch",
"SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-4.6.4-150500.6.37.1.aarch64",
"SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-4.6.4-150500.6.37.1.x86_64",
"SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-dracut-4.6.4-150500.6.37.1.noarch",
"SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-man-4.6.4-150500.6.37.1.noarch",
"SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-overlay-4.6.4-150500.6.37.1.aarch64",
"SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-overlay-4.6.4-150500.6.37.1.x86_64",
"SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-overlay-slurm-4.6.4-150500.6.37.1.noarch",
"SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-reference-doc-4.6.4-150500.6.37.1.noarch",
"openSUSE Leap 15.6:warewulf4-4.6.4-150500.6.37.1.aarch64",
"openSUSE Leap 15.6:warewulf4-4.6.4-150500.6.37.1.x86_64",
"openSUSE Leap 15.6:warewulf4-dracut-4.6.4-150500.6.37.1.noarch",
"openSUSE Leap 15.6:warewulf4-man-4.6.4-150500.6.37.1.noarch",
"openSUSE Leap 15.6:warewulf4-overlay-4.6.4-150500.6.37.1.aarch64",
"openSUSE Leap 15.6:warewulf4-overlay-4.6.4-150500.6.37.1.x86_64",
"openSUSE Leap 15.6:warewulf4-overlay-slurm-4.6.4-150500.6.37.1.noarch",
"openSUSE Leap 15.6:warewulf4-reference-doc-4.6.4-150500.6.37.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-4.6.4-150500.6.37.1.aarch64",
"SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-4.6.4-150500.6.37.1.x86_64",
"SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-dracut-4.6.4-150500.6.37.1.noarch",
"SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-man-4.6.4-150500.6.37.1.noarch",
"SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-overlay-4.6.4-150500.6.37.1.aarch64",
"SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-overlay-4.6.4-150500.6.37.1.x86_64",
"SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-overlay-slurm-4.6.4-150500.6.37.1.noarch",
"SUSE Linux Enterprise Module for HPC 15 SP6:warewulf4-reference-doc-4.6.4-150500.6.37.1.noarch",
"SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-4.6.4-150500.6.37.1.aarch64",
"SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-4.6.4-150500.6.37.1.x86_64",
"SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-dracut-4.6.4-150500.6.37.1.noarch",
"SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-man-4.6.4-150500.6.37.1.noarch",
"SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-overlay-4.6.4-150500.6.37.1.aarch64",
"SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-overlay-4.6.4-150500.6.37.1.x86_64",
"SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-overlay-slurm-4.6.4-150500.6.37.1.noarch",
"SUSE Linux Enterprise Module for HPC 15 SP7:warewulf4-reference-doc-4.6.4-150500.6.37.1.noarch",
"openSUSE Leap 15.6:warewulf4-4.6.4-150500.6.37.1.aarch64",
"openSUSE Leap 15.6:warewulf4-4.6.4-150500.6.37.1.x86_64",
"openSUSE Leap 15.6:warewulf4-dracut-4.6.4-150500.6.37.1.noarch",
"openSUSE Leap 15.6:warewulf4-man-4.6.4-150500.6.37.1.noarch",
"openSUSE Leap 15.6:warewulf4-overlay-4.6.4-150500.6.37.1.aarch64",
"openSUSE Leap 15.6:warewulf4-overlay-4.6.4-150500.6.37.1.x86_64",
"openSUSE Leap 15.6:warewulf4-overlay-slurm-4.6.4-150500.6.37.1.noarch",
"openSUSE Leap 15.6:warewulf4-reference-doc-4.6.4-150500.6.37.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-02T07:14:58Z",
"details": "moderate"
}
],
"title": "CVE-2025-58058"
}
]
}
SUSE-SU-2025:21137-1
Vulnerability from csaf_suse - Published: 2025-11-20 17:15 - Updated: 2025-11-20 17:15Summary
Security update for alloy
Severity
Moderate
Notes
Title of the patch: Security update for alloy
Description of the patch: This update for alloy fixes the following issues:
- CVE-2025-58058: Removed dependency on vulnerable github.com/ulikunitz/xz (bsc#1248960).
- CVE-2025-11065: Fixed sensitive information leak in logs (bsc#1250621).
Patchnames: SUSE-SLES-16.0-47
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
4.5 (Medium)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for alloy",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for alloy fixes the following issues:\n\n- CVE-2025-58058: Removed dependency on vulnerable github.com/ulikunitz/xz (bsc#1248960).\n- CVE-2025-11065: Fixed sensitive information leak in logs (bsc#1250621).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-47",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_21137-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:21137-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202521137-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:21137-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-December/023517.html"
},
{
"category": "self",
"summary": "SUSE Bug 1248960",
"url": "https://bugzilla.suse.com/1248960"
},
{
"category": "self",
"summary": "SUSE Bug 1250621",
"url": "https://bugzilla.suse.com/1250621"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-11065 page",
"url": "https://www.suse.com/security/cve/CVE-2025-11065/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58058 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58058/"
}
],
"title": "Security update for alloy",
"tracking": {
"current_release_date": "2025-11-20T17:15:36Z",
"generator": {
"date": "2025-11-20T17:15:36Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:21137-1",
"initial_release_date": "2025-11-20T17:15:36Z",
"revision_history": [
{
"date": "2025-11-20T17:15:36Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "alloy-1.11.3-160000.1.1.aarch64",
"product": {
"name": "alloy-1.11.3-160000.1.1.aarch64",
"product_id": "alloy-1.11.3-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "alloy-1.11.3-160000.1.1.ppc64le",
"product": {
"name": "alloy-1.11.3-160000.1.1.ppc64le",
"product_id": "alloy-1.11.3-160000.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "alloy-1.11.3-160000.1.1.s390x",
"product": {
"name": "alloy-1.11.3-160000.1.1.s390x",
"product_id": "alloy-1.11.3-160000.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "alloy-1.11.3-160000.1.1.x86_64",
"product": {
"name": "alloy-1.11.3-160000.1.1.x86_64",
"product_id": "alloy-1.11.3-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16.0"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.11.3-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.aarch64"
},
"product_reference": "alloy-1.11.3-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.11.3-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.ppc64le"
},
"product_reference": "alloy-1.11.3-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.11.3-160000.1.1.s390x as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.s390x"
},
"product_reference": "alloy-1.11.3-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.11.3-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.x86_64"
},
"product_reference": "alloy-1.11.3-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.11.3-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.aarch64"
},
"product_reference": "alloy-1.11.3-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.11.3-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.ppc64le"
},
"product_reference": "alloy-1.11.3-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.11.3-160000.1.1.s390x as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.s390x"
},
"product_reference": "alloy-1.11.3-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.11.3-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.x86_64"
},
"product_reference": "alloy-1.11.3-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-11065",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-11065"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-11065",
"url": "https://www.suse.com/security/cve/CVE-2025-11065"
},
{
"category": "external",
"summary": "SUSE Bug 1250608 for CVE-2025-11065",
"url": "https://bugzilla.suse.com/1250608"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-20T17:15:36Z",
"details": "moderate"
}
],
"title": "CVE-2025-11065"
},
{
"cve": "CVE-2025-58058",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58058"
}
],
"notes": [
{
"category": "general",
"text": "xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn\u0027t include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58058",
"url": "https://www.suse.com/security/cve/CVE-2025-58058"
},
{
"category": "external",
"summary": "SUSE Bug 1248889 for CVE-2025-58058",
"url": "https://bugzilla.suse.com/1248889"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:alloy-1.11.3-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.11.3-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-20T17:15:36Z",
"details": "moderate"
}
],
"title": "CVE-2025-58058"
}
]
}
SUSE-SU-2025:4121-1
Vulnerability from csaf_suse - Published: 2025-11-17 12:10 - Updated: 2025-11-17 12:10Summary
Security update for alloy
Severity
Moderate
Notes
Title of the patch: Security update for alloy
Description of the patch: This update for alloy fixes the following issues:
- update to 1.11.3:
- CVE-2025-58058: Fixed memory leaks in xz. (bsc#1248960)
- CVE-2025-11065: Fixed sensitive Information leak in logs. (bsc#1250621)
Patchnames: SUSE-2025-4121,SUSE-SLE-Module-Basesystem-15-SP7-2025-4121
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
4.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for alloy",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for alloy fixes the following issues:\n\n- update to 1.11.3:\n- CVE-2025-58058: Fixed memory leaks in xz. (bsc#1248960)\n- CVE-2025-11065: Fixed sensitive Information leak in logs. (bsc#1250621)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-4121,SUSE-SLE-Module-Basesystem-15-SP7-2025-4121",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_4121-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:4121-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254121-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:4121-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023295.html"
},
{
"category": "self",
"summary": "SUSE Bug 1248960",
"url": "https://bugzilla.suse.com/1248960"
},
{
"category": "self",
"summary": "SUSE Bug 1250621",
"url": "https://bugzilla.suse.com/1250621"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-11065 page",
"url": "https://www.suse.com/security/cve/CVE-2025-11065/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58058 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58058/"
}
],
"title": "Security update for alloy",
"tracking": {
"current_release_date": "2025-11-17T12:10:11Z",
"generator": {
"date": "2025-11-17T12:10:11Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:4121-1",
"initial_release_date": "2025-11-17T12:10:11Z",
"revision_history": [
{
"date": "2025-11-17T12:10:11Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "alloy-1.11.3-150700.15.9.1.aarch64",
"product": {
"name": "alloy-1.11.3-150700.15.9.1.aarch64",
"product_id": "alloy-1.11.3-150700.15.9.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "alloy-1.11.3-150700.15.9.1.ppc64le",
"product": {
"name": "alloy-1.11.3-150700.15.9.1.ppc64le",
"product_id": "alloy-1.11.3-150700.15.9.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "alloy-1.11.3-150700.15.9.1.s390x",
"product": {
"name": "alloy-1.11.3-150700.15.9.1.s390x",
"product_id": "alloy-1.11.3-150700.15.9.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "alloy-1.11.3-150700.15.9.1.x86_64",
"product": {
"name": "alloy-1.11.3-150700.15.9.1.x86_64",
"product_id": "alloy-1.11.3-150700.15.9.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-basesystem:15:sp7"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.11.3-150700.15.9.1.aarch64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.aarch64"
},
"product_reference": "alloy-1.11.3-150700.15.9.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.11.3-150700.15.9.1.ppc64le as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.ppc64le"
},
"product_reference": "alloy-1.11.3-150700.15.9.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.11.3-150700.15.9.1.s390x as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.s390x"
},
"product_reference": "alloy-1.11.3-150700.15.9.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.11.3-150700.15.9.1.x86_64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.x86_64"
},
"product_reference": "alloy-1.11.3-150700.15.9.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-11065",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-11065"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-11065",
"url": "https://www.suse.com/security/cve/CVE-2025-11065"
},
{
"category": "external",
"summary": "SUSE Bug 1250608 for CVE-2025-11065",
"url": "https://bugzilla.suse.com/1250608"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-17T12:10:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-11065"
},
{
"cve": "CVE-2025-58058",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58058"
}
],
"notes": [
{
"category": "general",
"text": "xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn\u0027t include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58058",
"url": "https://www.suse.com/security/cve/CVE-2025-58058"
},
{
"category": "external",
"summary": "SUSE Bug 1248889 for CVE-2025-58058",
"url": "https://bugzilla.suse.com/1248889"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.11.3-150700.15.9.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-17T12:10:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-58058"
}
]
}
SUSE-SU-2026:0383-1
Vulnerability from csaf_suse - Published: 2026-02-04 12:46 - Updated: 2026-02-04 12:46Summary
Security update for rekor
Severity
Moderate
Notes
Title of the patch: Security update for rekor
Description of the patch: This update for rekor fixes the following issues:
Security fixes:
- CVE-2025-58058: Fixed github.com/ulikunitz/xz leaks memory (bsc#1248910)
- CVE-2025-29923: Fixed potential out of order responses when `CLIENT SETINFO`
times out during connection establishment (bsc#1241153)
Other fixes:
- Update to version 1.4.3
- Update to version 1.4.2
- Update to version 1.4.1 (jsc#SLE-23476)
Patchnames: SUSE-2026-383,SUSE-SLE-Module-Basesystem-15-SP7-2026-383,openSUSE-SLE-15.6-2026-383
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
5.3 (Medium)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for rekor",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for rekor fixes the following issues:\n\nSecurity fixes:\n\n- CVE-2025-58058: Fixed github.com/ulikunitz/xz leaks memory (bsc#1248910)\n- CVE-2025-29923: Fixed potential out of order responses when `CLIENT SETINFO` \n times out during connection establishment (bsc#1241153)\n\nOther fixes:\n\n- Update to version 1.4.3\n- Update to version 1.4.2\n- Update to version 1.4.1 (jsc#SLE-23476)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-383,SUSE-SLE-Module-Basesystem-15-SP7-2026-383,openSUSE-SLE-15.6-2026-383",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_0383-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:0383-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260383-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:0383-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024058.html"
},
{
"category": "self",
"summary": "SUSE Bug 1241153",
"url": "https://bugzilla.suse.com/1241153"
},
{
"category": "self",
"summary": "SUSE Bug 1248910",
"url": "https://bugzilla.suse.com/1248910"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-29923 page",
"url": "https://www.suse.com/security/cve/CVE-2025-29923/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58058 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58058/"
}
],
"title": "Security update for rekor",
"tracking": {
"current_release_date": "2026-02-04T12:46:28Z",
"generator": {
"date": "2026-02-04T12:46:28Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:0383-1",
"initial_release_date": "2026-02-04T12:46:28Z",
"revision_history": [
{
"date": "2026-02-04T12:46:28Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "rekor-1.4.3-150400.4.28.1.aarch64",
"product": {
"name": "rekor-1.4.3-150400.4.28.1.aarch64",
"product_id": "rekor-1.4.3-150400.4.28.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "rekor-1.4.3-150400.4.28.1.i586",
"product": {
"name": "rekor-1.4.3-150400.4.28.1.i586",
"product_id": "rekor-1.4.3-150400.4.28.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "rekor-1.4.3-150400.4.28.1.ppc64le",
"product": {
"name": "rekor-1.4.3-150400.4.28.1.ppc64le",
"product_id": "rekor-1.4.3-150400.4.28.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "rekor-1.4.3-150400.4.28.1.s390x",
"product": {
"name": "rekor-1.4.3-150400.4.28.1.s390x",
"product_id": "rekor-1.4.3-150400.4.28.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "rekor-1.4.3-150400.4.28.1.x86_64",
"product": {
"name": "rekor-1.4.3-150400.4.28.1.x86_64",
"product_id": "rekor-1.4.3-150400.4.28.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-basesystem:15:sp7"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rekor-1.4.3-150400.4.28.1.aarch64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.aarch64"
},
"product_reference": "rekor-1.4.3-150400.4.28.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rekor-1.4.3-150400.4.28.1.ppc64le as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.ppc64le"
},
"product_reference": "rekor-1.4.3-150400.4.28.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rekor-1.4.3-150400.4.28.1.s390x as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.s390x"
},
"product_reference": "rekor-1.4.3-150400.4.28.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rekor-1.4.3-150400.4.28.1.x86_64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.x86_64"
},
"product_reference": "rekor-1.4.3-150400.4.28.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rekor-1.4.3-150400.4.28.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.aarch64"
},
"product_reference": "rekor-1.4.3-150400.4.28.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rekor-1.4.3-150400.4.28.1.ppc64le as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.ppc64le"
},
"product_reference": "rekor-1.4.3-150400.4.28.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rekor-1.4.3-150400.4.28.1.s390x as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.s390x"
},
"product_reference": "rekor-1.4.3-150400.4.28.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rekor-1.4.3-150400.4.28.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.x86_64"
},
"product_reference": "rekor-1.4.3-150400.4.28.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-29923",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-29923"
}
],
"notes": [
{
"category": "general",
"text": "go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit its identity, there are network connectivity issues, or the client was configured with aggressive timeouts. The problem occurs for multiple use cases. For sticky connections, you receive persistent out-of-order responses for the lifetime of the connection. All commands in the pipeline receive incorrect responses. When used with the default ConnPool once a connection is returned after use with ConnPool#Put the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response before the connection is discarded. This issue is fixed in 9.5.5, 9.6.3, and 9.7.3. You can prevent the vulnerability by setting the flag DisableIndentity to true when constructing the client instance.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.x86_64",
"openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.aarch64",
"openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.ppc64le",
"openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.s390x",
"openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-29923",
"url": "https://www.suse.com/security/cve/CVE-2025-29923"
},
{
"category": "external",
"summary": "SUSE Bug 1241152 for CVE-2025-29923",
"url": "https://bugzilla.suse.com/1241152"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.x86_64",
"openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.aarch64",
"openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.ppc64le",
"openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.s390x",
"openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.x86_64",
"openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.aarch64",
"openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.ppc64le",
"openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.s390x",
"openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-04T12:46:28Z",
"details": "low"
}
],
"title": "CVE-2025-29923"
},
{
"cve": "CVE-2025-58058",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58058"
}
],
"notes": [
{
"category": "general",
"text": "xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn\u0027t include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.x86_64",
"openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.aarch64",
"openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.ppc64le",
"openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.s390x",
"openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58058",
"url": "https://www.suse.com/security/cve/CVE-2025-58058"
},
{
"category": "external",
"summary": "SUSE Bug 1248889 for CVE-2025-58058",
"url": "https://bugzilla.suse.com/1248889"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.x86_64",
"openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.aarch64",
"openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.ppc64le",
"openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.s390x",
"openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:rekor-1.4.3-150400.4.28.1.x86_64",
"openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.aarch64",
"openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.ppc64le",
"openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.s390x",
"openSUSE Leap 15.6:rekor-1.4.3-150400.4.28.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-04T12:46:28Z",
"details": "moderate"
}
],
"title": "CVE-2025-58058"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…