Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-58190 (GCVE-0-2025-58190)
Vulnerability from cvelistv5 – Published: 2026-02-05 17:48 – Updated: 2026-02-12 15:22
VLAI
EPSS
Title
Infinite parsing loop in golang.org/x/net
Summary
The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-835 - Loop with Unreachable Exit Condition
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/net | golang.org/x/net/html |
Affected:
0 , < 0.45.0
(semver)
|
Credits
Guido Vranken
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58190",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-12T15:22:10.801204Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T15:22:37.685Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/html",
"product": "golang.org/x/net/html",
"programRoutines": [
{
"name": "inRowIM"
},
{
"name": "Parse"
},
{
"name": "ParseFragment"
},
{
"name": "ParseFragmentWithOptions"
},
{
"name": "ParseWithOptions"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.45.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Guido Vranken"
}
],
"descriptions": [
{
"lang": "en",
"value": "The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-835: Loop with Unreachable Exit Condition",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T17:48:44.693Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c"
},
{
"url": "https://github.com/golang/vulndb/issues/4441"
},
{
"url": "https://go.dev/cl/709875"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4441"
}
],
"title": "Infinite parsing loop in golang.org/x/net"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-58190",
"datePublished": "2026-02-05T17:48:44.693Z",
"dateReserved": "2025-08-27T14:50:58.692Z",
"dateUpdated": "2026-02-12T15:22:37.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-58190",
"date": "2026-07-03",
"epss": "0.00482",
"percentile": "0.3811"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-58190\",\"sourceIdentifier\":\"security@golang.org\",\"published\":\"2026-02-05T18:16:10.027\",\"lastModified\":\"2026-06-17T09:44:02.557\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.\"},{\"lang\":\"es\",\"value\":\"La funci\u00f3n html.Parse en golang.org/x/net/html tiene un bucle de an\u00e1lisis infinito al procesar ciertas entradas, lo que puede llevar a una denegaci\u00f3n de servicio (DoS) si un atacante proporciona contenido HTML especialmente dise\u00f1ado.\"}],\"affected\":[{\"source\":\"security@golang.org\",\"affectedData\":[{\"vendor\":\"golang.org/x/net\",\"product\":\"golang.org/x/net/html\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://pkg.go.dev\",\"packageName\":\"golang.org/x/net/html\",\"programRoutines\":[{\"name\":\"inRowIM\"},{\"name\":\"Parse\"},{\"name\":\"ParseFragment\"},{\"name\":\"ParseFragmentWithOptions\"},{\"name\":\"ParseWithOptions\"}],\"versions\":[{\"version\":\"0\",\"lessThan\":\"0.45.0\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-02-12T15:22:10.801204Z\",\"id\":\"CVE-2025-58190\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-835\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:go:html:*:*:*:*:*:go:*:*\",\"versionEndExcluding\":\"0.45.0\",\"matchCriteriaId\":\"376264FC-D0BB-4AAD-B6DE-127D83F3070A\"}]}]}],\"references\":[{\"url\":\"https://github.com/golang/vulndb/issues/4441\",\"source\":\"security@golang.org\",\"tags\":[\"Exploit\",\"Issue Tracking\"]},{\"url\":\"https://go.dev/cl/709875\",\"source\":\"security@golang.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c\",\"source\":\"security@golang.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://pkg.go.dev/vuln/GO-2026-4441\",\"source\":\"security@golang.org\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-58190\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-12T15:22:10.801204Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-12T15:22:27.673Z\"}}], \"cna\": {\"title\": \"Infinite parsing loop in golang.org/x/net\", \"credits\": [{\"lang\": \"en\", \"value\": \"Guido Vranken\"}], \"affected\": [{\"vendor\": \"golang.org/x/net\", \"product\": \"golang.org/x/net/html\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.45.0\", \"versionType\": \"semver\"}], \"packageName\": \"golang.org/x/net/html\", \"collectionURL\": \"https://pkg.go.dev\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"inRowIM\"}, {\"name\": \"Parse\"}, {\"name\": \"ParseFragment\"}, {\"name\": \"ParseFragmentWithOptions\"}, {\"name\": \"ParseWithOptions\"}]}], \"references\": [{\"url\": \"https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c\"}, {\"url\": \"https://github.com/golang/vulndb/issues/4441\"}, {\"url\": \"https://go.dev/cl/709875\"}, {\"url\": \"https://pkg.go.dev/vuln/GO-2026-4441\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CWE-835: Loop with Unreachable Exit Condition\"}]}], \"providerMetadata\": {\"orgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"shortName\": \"Go\", \"dateUpdated\": \"2026-02-05T17:48:44.693Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-58190\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-12T15:22:37.685Z\", \"dateReserved\": \"2025-08-27T14:50:58.692Z\", \"assignerOrgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"datePublished\": \"2026-02-05T17:48:44.693Z\", \"assignerShortName\": \"Go\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
OPENSUSE-SU-2025:20160-1
Vulnerability from csaf_opensuse - Published: 2025-12-12 13:20 - Updated: 2025-12-12 13:20Summary
Security update for hauler
Severity
Important
Notes
Title of the patch: Security update for hauler
Description of the patch: This update for hauler fixes the following issues:
- Update to version 1.3.1 (bsc#1251516, CVE-2025-47911,
bsc#1251891, CVE-2025-11579, bsc#1251651, CVE-2025-58190,
bsc#1248937, CVE-2025-58058):
* bump github.com/containerd/containerd (#474)
* another fix to tests for new tests (#472)
* fixed typo in testdata (#471)
* fixed/cleaned new tests (#470)
* trying a new way for hauler testing (#467)
* update for cosign v3 verify (#469)
* added digests view to info (#465)
* bump github.com/nwaples/rardecode/v2 from 2.1.1 to 2.2.0 in the go_modules group across 1 directory (#457)
* update oras-go to v1.2.7 for security patches (#464)
* update cosign to v3.0.2+hauler.1 (#463)
* fixed homebrew directory deprecation (#462)
* add registry logout command (#460)
- Update to version 1.3.0:
* bump the go_modules group across 1 directory with 2 updates (#455)
* upgraded versions/dependencies/deprecations (#454)
* allow loading of docker tarballs (#452)
* bump the go_modules group across 1 directory with 2 updates (#449)
- update to 1.2.5 (bsc#1246722, CVE-2025-46569):
* Bump github.com/open-policy-agent/opa from 1.1.0 to 1.4.0 in
the go_modules group across 1 directory (CVE-2025-46569)
* deprecate auth from hauler store copy
* Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 in the
go_modules group across 1 directory
* Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0
in the go_modules group across 1 directory
* upgraded go and dependencies versions
- Update to version 1.2.5:
* upgraded go and dependencies versions (#444)
* Bump github.com/go-viper/mapstructure/v2 (#442)
* bump github.com/cloudflare/circl (#441)
* deprecate auth from hauler store copy (#440)
* Bump github.com/open-policy-agent/opa (#438)
- update to 1.2.4 (CVE-2025-22872, bsc#1241804):
* Bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules
group across 1 directory
* minor tests updates
- Update to version 1.2.3:
* formatting and flag text updates
* add keyless signature verification (#434)
* bump helm.sh/helm/v3 in the go_modules group across 1 directory (#430)
* add --only flag to hauler store copy (for images) (#429)
* fix tlog verification error/warning output (#428)
- Update to version 1.2.2 (bsc#1241184, CVE-2024-0406):
* cleanup new tlog flag typos and add shorthand (#426)
* default public transparency log verification to false to be airgap friendly but allow override (#425)
* bump github.com/golang-jwt/jwt/v4 (#423)
* bump the go_modules group across 1 directory with 2 updates (#422)
* bump github.com/go-jose/go-jose/v3 (#417)
* bump github.com/go-jose/go-jose/v4 (#415)
* clear default manifest name if product flag used with sync (#412)
* updates for v1.2.0 (#408)
* fixed remote code (#407)
* added remote file fetch to load (#406)
* added remote and multiple file fetch to sync (#405)
* updated save flag and related logs (#404)
* updated load flag and related logs [breaking change] (#403)
* updated sync flag and related logs [breaking change] (#402)
* upgraded api update to v1/updated dependencies (#400)
* fixed consts for oci declarations (#398)
* fix for correctly grabbing platform post cosign 2.4 updates (#393)
* use cosign v2.4.1+carbide.2 to address containerd annotation in index.json (#390)
* Bump the go_modules group across 1 directory with 2 updates (#385)
* replace mholt/archiver with mholt/archives (#384)
* forked cosign bump to 2.4.1 and use as a library vs embedded binary (#383)
* cleaned up registry and improved logging (#378)
* Bump golang.org/x/crypto in the go_modules group across 1 directory (#377)
- bump net/html dependencies (bsc#1235332, CVE-2024-45338)
- Update to version 1.1.1:
* fixed cli desc for store env var (#374)
* updated versions for go/k8s/helm (#373)
* updated version flag to internal/flags (#369)
* renamed incorrectly named consts (#371)
* added store env var (#370)
* adding ignore errors and retries for continue on error/fail on error (#368)
* updated/fixed hauler directory (#354)
* standardize consts (#353)
* removed cachedir code (#355)
* removed k3s code (#352)
* updated dependencies for go, helm, and k8s (#351)
* [feature] build with boring crypto where available (#344)
* updated workflow to goreleaser builds (#341)
* added timeout to goreleaser workflow (#340)
* trying new workflow build processes (#337)
* improved workflow performance (#336)
* have extract use proper ref (#335)
* yet another workflow goreleaser fix (#334)
* even more workflow fixes (#333)
* added more fixes to github workflow (#332)
* fixed typo in hauler store save (#331)
* updates to fix build processes (#330)
* added integration tests for non hauler tarballs (#325)
* bump: golang >= 1.23.1 (#328)
* add platform flag to store save (#329)
* Update feature_request.md
* updated/standardize command descriptions (#313)
* use new annotation for 'store save' manifest.json (#324)
* enable docker load for hauler tarballs (#320)
* bump to cosign v2.2.3-carbide.3 for new annotation (#322)
* continue on error when adding images to store (#317)
* Update README.md (#318)
* fixed completion commands (#312)
* github.com/rancherfederal/hauler => hauler.dev/go/hauler (#311)
* pages: enable go install hauler.dev/go/hauler (#310)
* Create CNAME
* pages: initial workflow (#309)
* testing and linting updates (#305)
* feat-273: TLS Flags (#303)
* added list-repos flag (#298)
* fixed hauler login typo (#299)
* updated cobra function for shell completion (#304)
* updated install.sh to remove github api (#293)
* fix image ref keys getting squashed when containing sigs/atts (#291)
* fix missing versin info in release build (#283)
* bump github.com/docker/docker in the go_modules group across 1 directory (#281)
* updated install script (`install.sh`) (#280)
* fix digest images being lost on load of hauls (Signed). (#259)
* feat: add readonly flag (#277)
* fixed makefile for goreleaser v2 changes (#278)
* updated goreleaser versioning defaults (#279)
* update feature_request.md (#274)
* updated old references
* updated actions workflow user
* added dockerhub to github actions workflow
* removed helm chart
* added debug container and workflow
* updated products flag description
* updated chart for release
* fixed workflow errors/warnings
* fixed permissions on testdata
* updated chart versions (will need to update again)
* last bit of fixes to workflow
* updated unit test workflow
* updated goreleaser deprecations
* added helm chart release job
* updated github template names
* updated imports (and go fmt)
* formatted gitignore to match dockerignore
* formatted all code (go fmt)
* updated chart tests for new features
* Adding the timeout flag for fileserver command
* Configure chart commands to use helm clients for OCI and private registry support
* Added some documentation text to sync command
* Bump golang.org/x/net from 0.17.0 to 0.23.0
* fix for dup digest smashing in cosign
* removed vagrant scripts
* last bit of updates and formatting of chart
* updated hauler testdata
* adding functionality and cleaning up
* added initial helm chart
* removed tag in release workflow
* updated/fixed image ref in release workflow
* updated/fixed platforms in release workflow
* updated/cleaned github actions (#222)
* Make Product Registry configurable (#194)
* updated fileserver directory name (#219)
* fix logging for files
* add extra info for the tempdir override flag
* tempdir override flag for load
* deprecate the cache flag instead of remove
* switch to using bci-golang as builder image
* fix: ensure /tmp for hauler store load
* added the copy back for now
* remove copy at the image sync not needed with cosign update
* removed misleading cache flag
* better logging when adding to store
* update to v2.2.3 of our cosign fork
* add: dockerignore
* add: Dockerfile
* Bump google.golang.org/protobuf from 1.31.0 to 1.33.0
* Bump github.com/docker/docker
* updated and added new logos
* updated github files
Patchnames: openSUSE-Leap-16.0-packagehub-54
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.8 (High)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.9 (Medium)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
6.5 (Medium)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
8.3 (High)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.3 (Medium)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
34 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for hauler",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for hauler fixes the following issues:\n\n- Update to version 1.3.1 (bsc#1251516, CVE-2025-47911,\n bsc#1251891, CVE-2025-11579, bsc#1251651, CVE-2025-58190,\n bsc#1248937, CVE-2025-58058):\n * bump github.com/containerd/containerd (#474)\n * another fix to tests for new tests (#472)\n * fixed typo in testdata (#471)\n * fixed/cleaned new tests (#470)\n * trying a new way for hauler testing (#467)\n * update for cosign v3 verify (#469)\n * added digests view to info (#465)\n * bump github.com/nwaples/rardecode/v2 from 2.1.1 to 2.2.0 in the go_modules group across 1 directory (#457)\n * update oras-go to v1.2.7 for security patches (#464)\n * update cosign to v3.0.2+hauler.1 (#463)\n * fixed homebrew directory deprecation (#462)\n * add registry logout command (#460)\n\n- Update to version 1.3.0:\n * bump the go_modules group across 1 directory with 2 updates (#455)\n * upgraded versions/dependencies/deprecations (#454)\n * allow loading of docker tarballs (#452)\n * bump the go_modules group across 1 directory with 2 updates (#449)\n\n- update to 1.2.5 (bsc#1246722, CVE-2025-46569):\n * Bump github.com/open-policy-agent/opa from 1.1.0 to 1.4.0 in\n the go_modules group across 1 directory (CVE-2025-46569)\n * deprecate auth from hauler store copy\n * Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 in the\n go_modules group across 1 directory\n * Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0\n in the go_modules group across 1 directory\n * upgraded go and dependencies versions\n\n- Update to version 1.2.5:\n * upgraded go and dependencies versions (#444)\n * Bump github.com/go-viper/mapstructure/v2 (#442)\n * bump github.com/cloudflare/circl (#441)\n * deprecate auth from hauler store copy (#440)\n * Bump github.com/open-policy-agent/opa (#438)\n\n- update to 1.2.4 (CVE-2025-22872, bsc#1241804):\n * Bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules\n group across 1 directory\n * minor tests updates\n\n- Update to version 1.2.3:\n * formatting and flag text updates\n * add keyless signature verification (#434)\n * bump helm.sh/helm/v3 in the go_modules group across 1 directory (#430)\n * add --only flag to hauler store copy (for images) (#429)\n * fix tlog verification error/warning output (#428)\n\n- Update to version 1.2.2 (bsc#1241184, CVE-2024-0406):\n * cleanup new tlog flag typos and add shorthand (#426)\n * default public transparency log verification to false to be airgap friendly but allow override (#425)\n * bump github.com/golang-jwt/jwt/v4 (#423)\n * bump the go_modules group across 1 directory with 2 updates (#422)\n * bump github.com/go-jose/go-jose/v3 (#417)\n * bump github.com/go-jose/go-jose/v4 (#415)\n * clear default manifest name if product flag used with sync (#412)\n * updates for v1.2.0 (#408)\n * fixed remote code (#407)\n * added remote file fetch to load (#406)\n * added remote and multiple file fetch to sync (#405)\n * updated save flag and related logs (#404)\n * updated load flag and related logs [breaking change] (#403)\n * updated sync flag and related logs [breaking change] (#402)\n * upgraded api update to v1/updated dependencies (#400)\n * fixed consts for oci declarations (#398)\n * fix for correctly grabbing platform post cosign 2.4 updates (#393)\n * use cosign v2.4.1+carbide.2 to address containerd annotation in index.json (#390)\n * Bump the go_modules group across 1 directory with 2 updates (#385)\n * replace mholt/archiver with mholt/archives (#384)\n * forked cosign bump to 2.4.1 and use as a library vs embedded binary (#383)\n * cleaned up registry and improved logging (#378)\n * Bump golang.org/x/crypto in the go_modules group across 1 directory (#377)\n- bump net/html dependencies (bsc#1235332, CVE-2024-45338)\n\n- Update to version 1.1.1:\n * fixed cli desc for store env var (#374)\n * updated versions for go/k8s/helm (#373)\n * updated version flag to internal/flags (#369)\n * renamed incorrectly named consts (#371)\n * added store env var (#370)\n * adding ignore errors and retries for continue on error/fail on error (#368)\n * updated/fixed hauler directory (#354)\n * standardize consts (#353)\n * removed cachedir code (#355)\n * removed k3s code (#352)\n * updated dependencies for go, helm, and k8s (#351)\n * [feature] build with boring crypto where available (#344)\n * updated workflow to goreleaser builds (#341)\n * added timeout to goreleaser workflow (#340)\n * trying new workflow build processes (#337)\n * improved workflow performance (#336)\n * have extract use proper ref (#335)\n * yet another workflow goreleaser fix (#334)\n * even more workflow fixes (#333)\n * added more fixes to github workflow (#332)\n * fixed typo in hauler store save (#331)\n * updates to fix build processes (#330)\n * added integration tests for non hauler tarballs (#325)\n * bump: golang \u003e= 1.23.1 (#328)\n * add platform flag to store save (#329)\n * Update feature_request.md\n * updated/standardize command descriptions (#313)\n * use new annotation for \u0027store save\u0027 manifest.json (#324)\n * enable docker load for hauler tarballs (#320)\n * bump to cosign v2.2.3-carbide.3 for new annotation (#322)\n * continue on error when adding images to store (#317)\n * Update README.md (#318)\n * fixed completion commands (#312)\n * github.com/rancherfederal/hauler =\u003e hauler.dev/go/hauler (#311)\n * pages: enable go install hauler.dev/go/hauler (#310)\n * Create CNAME\n * pages: initial workflow (#309)\n * testing and linting updates (#305)\n * feat-273: TLS Flags (#303)\n * added list-repos flag (#298)\n * fixed hauler login typo (#299)\n * updated cobra function for shell completion (#304)\n * updated install.sh to remove github api (#293)\n * fix image ref keys getting squashed when containing sigs/atts (#291)\n * fix missing versin info in release build (#283)\n * bump github.com/docker/docker in the go_modules group across 1 directory (#281)\n * updated install script (`install.sh`) (#280)\n * fix digest images being lost on load of hauls (Signed). (#259)\n * feat: add readonly flag (#277)\n * fixed makefile for goreleaser v2 changes (#278)\n * updated goreleaser versioning defaults (#279)\n * update feature_request.md (#274)\n * updated old references\n * updated actions workflow user\n * added dockerhub to github actions workflow\n * removed helm chart\n * added debug container and workflow\n * updated products flag description\n * updated chart for release\n * fixed workflow errors/warnings\n * fixed permissions on testdata\n * updated chart versions (will need to update again)\n * last bit of fixes to workflow\n * updated unit test workflow\n * updated goreleaser deprecations\n * added helm chart release job\n * updated github template names\n * updated imports (and go fmt)\n * formatted gitignore to match dockerignore\n * formatted all code (go fmt)\n * updated chart tests for new features\n * Adding the timeout flag for fileserver command\n * Configure chart commands to use helm clients for OCI and private registry support\n * Added some documentation text to sync command\n * Bump golang.org/x/net from 0.17.0 to 0.23.0\n * fix for dup digest smashing in cosign\n * removed vagrant scripts\n * last bit of updates and formatting of chart\n * updated hauler testdata\n * adding functionality and cleaning up\n * added initial helm chart\n * removed tag in release workflow\n * updated/fixed image ref in release workflow\n * updated/fixed platforms in release workflow\n * updated/cleaned github actions (#222)\n * Make Product Registry configurable (#194)\n * updated fileserver directory name (#219)\n * fix logging for files\n * add extra info for the tempdir override flag\n * tempdir override flag for load\n * deprecate the cache flag instead of remove\n * switch to using bci-golang as builder image\n * fix: ensure /tmp for hauler store load\n * added the copy back for now\n * remove copy at the image sync not needed with cosign update\n * removed misleading cache flag\n * better logging when adding to store\n * update to v2.2.3 of our cosign fork\n * add: dockerignore\n * add: Dockerfile\n * Bump google.golang.org/protobuf from 1.31.0 to 1.33.0\n * Bump github.com/docker/docker\n * updated and added new logos\n * updated github files\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-packagehub-54",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_20160-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1235332",
"url": "https://bugzilla.suse.com/1235332"
},
{
"category": "self",
"summary": "SUSE Bug 1241184",
"url": "https://bugzilla.suse.com/1241184"
},
{
"category": "self",
"summary": "SUSE Bug 1241804",
"url": "https://bugzilla.suse.com/1241804"
},
{
"category": "self",
"summary": "SUSE Bug 1246722",
"url": "https://bugzilla.suse.com/1246722"
},
{
"category": "self",
"summary": "SUSE Bug 1248937",
"url": "https://bugzilla.suse.com/1248937"
},
{
"category": "self",
"summary": "SUSE Bug 1251516",
"url": "https://bugzilla.suse.com/1251516"
},
{
"category": "self",
"summary": "SUSE Bug 1251651",
"url": "https://bugzilla.suse.com/1251651"
},
{
"category": "self",
"summary": "SUSE Bug 1251891",
"url": "https://bugzilla.suse.com/1251891"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-0406 page",
"url": "https://www.suse.com/security/cve/CVE-2024-0406/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45338 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45338/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-11579 page",
"url": "https://www.suse.com/security/cve/CVE-2025-11579/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22872 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22872/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-46569 page",
"url": "https://www.suse.com/security/cve/CVE-2025-46569/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47911 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47911/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58058 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58058/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58190 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58190/"
}
],
"title": "Security update for hauler",
"tracking": {
"current_release_date": "2025-12-12T13:20:11Z",
"generator": {
"date": "2025-12-12T13:20:11Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:20160-1",
"initial_release_date": "2025-12-12T13:20:11Z",
"revision_history": [
{
"date": "2025-12-12T13:20:11Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "hauler-1.3.1-bp160.1.1.aarch64",
"product": {
"name": "hauler-1.3.1-bp160.1.1.aarch64",
"product_id": "hauler-1.3.1-bp160.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "hauler-1.3.1-bp160.1.1.x86_64",
"product": {
"name": "hauler-1.3.1-bp160.1.1.x86_64",
"product_id": "hauler-1.3.1-bp160.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "hauler-1.3.1-bp160.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64"
},
"product_reference": "hauler-1.3.1-bp160.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "hauler-1.3.1-bp160.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
},
"product_reference": "hauler-1.3.1-bp160.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-0406",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-0406"
}
],
"notes": [
{
"category": "general",
"text": "A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user\u0027s or application\u0027s privileges using the library.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-0406",
"url": "https://www.suse.com/security/cve/CVE-2024-0406"
},
{
"category": "external",
"summary": "SUSE Bug 1241181 for CVE-2024-0406",
"url": "https://bugzilla.suse.com/1241181"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T13:20:11Z",
"details": "important"
}
],
"title": "CVE-2024-0406"
},
{
"cve": "CVE-2024-45338",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45338"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45338",
"url": "https://www.suse.com/security/cve/CVE-2024-45338"
},
{
"category": "external",
"summary": "SUSE Bug 1234794 for CVE-2024-45338",
"url": "https://bugzilla.suse.com/1234794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T13:20:11Z",
"details": "moderate"
}
],
"title": "CVE-2024-45338"
},
{
"cve": "CVE-2025-11579",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-11579"
}
],
"notes": [
{
"category": "general",
"text": "github.com/nwaples/rardecode versions \u003c=2.1.1 fail to restrict the dictionary size when reading large RAR dictionary sizes, which allows an attacker to provide a specially crafted RAR file and cause Denial of Service via an Out Of Memory Crash.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-11579",
"url": "https://www.suse.com/security/cve/CVE-2025-11579"
},
{
"category": "external",
"summary": "SUSE Bug 1251871 for CVE-2025-11579",
"url": "https://bugzilla.suse.com/1251871"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T13:20:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-11579"
},
{
"cve": "CVE-2025-22872",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22872"
}
],
"notes": [
{
"category": "general",
"text": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22872",
"url": "https://www.suse.com/security/cve/CVE-2025-22872"
},
{
"category": "external",
"summary": "SUSE Bug 1241710 for CVE-2025-22872",
"url": "https://bugzilla.suse.com/1241710"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T13:20:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-22872"
},
{
"cve": "CVE-2025-46569",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-46569"
}
],
"notes": [
{
"category": "general",
"text": "Open Policy Agent (OPA) is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query containing a single data document reference is constructed from the requested path. This query is then used for policy evaluation. A HTTP request path can be crafted in a way that injects Rego code into the constructed query. The evaluation result cannot be made to return any other data than what is generated by the requested path, but this path can be misdirected, and the injected Rego code can be crafted to make the query succeed or fail; opening up for oracle attacks or, given the right circumstances, erroneous policy decision results. Furthermore, the injected code can be crafted to be computationally expensive, resulting in a Denial Of Service (DoS) attack. This issue has been patched in version 1.4.0. A workaround involves having network access to OPA\u0027s RESTful APIs being limited to `localhost` and/or trusted networks, unless necessary for production reasons.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-46569",
"url": "https://www.suse.com/security/cve/CVE-2025-46569"
},
{
"category": "external",
"summary": "SUSE Bug 1246710 for CVE-2025-46569",
"url": "https://bugzilla.suse.com/1246710"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T13:20:11Z",
"details": "important"
}
],
"title": "CVE-2025-46569"
},
{
"cve": "CVE-2025-47911",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47911"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47911",
"url": "https://www.suse.com/security/cve/CVE-2025-47911"
},
{
"category": "external",
"summary": "SUSE Bug 1251308 for CVE-2025-47911",
"url": "https://bugzilla.suse.com/1251308"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T13:20:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-47911"
},
{
"cve": "CVE-2025-58058",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58058"
}
],
"notes": [
{
"category": "general",
"text": "xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn\u0027t include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58058",
"url": "https://www.suse.com/security/cve/CVE-2025-58058"
},
{
"category": "external",
"summary": "SUSE Bug 1248889 for CVE-2025-58058",
"url": "https://bugzilla.suse.com/1248889"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T13:20:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-58058"
},
{
"cve": "CVE-2025-58190",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58190"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58190",
"url": "https://www.suse.com/security/cve/CVE-2025-58190"
},
{
"category": "external",
"summary": "SUSE Bug 1251309 for CVE-2025-58190",
"url": "https://bugzilla.suse.com/1251309"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T13:20:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-58190"
}
]
}
OPENSUSE-SU-2026:10173-1
Vulnerability from csaf_opensuse - Published: 2026-02-11 00:00 - Updated: 2026-02-11 00:00Summary
apptainer-1.4.5-2.1 on GA media
Severity
Moderate
Notes
Title of the patch: apptainer-1.4.5-2.1 on GA media
Description of the patch: These are all security issues fixed in the apptainer-1.4.5-2.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2026-10173
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.3 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.4.5-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.4.5-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.4.5-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.4.5-2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.4.5-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.4.5-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.4.5-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.4.5-2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "apptainer-1.4.5-2.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the apptainer-1.4.5-2.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10173",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10173-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47911 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47911/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58190 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58190/"
}
],
"title": "apptainer-1.4.5-2.1 on GA media",
"tracking": {
"current_release_date": "2026-02-11T00:00:00Z",
"generator": {
"date": "2026-02-11T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10173-1",
"initial_release_date": "2026-02-11T00:00:00Z",
"revision_history": [
{
"date": "2026-02-11T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "apptainer-1.4.5-2.1.aarch64",
"product": {
"name": "apptainer-1.4.5-2.1.aarch64",
"product_id": "apptainer-1.4.5-2.1.aarch64"
}
},
{
"category": "product_version",
"name": "apptainer-leap-1.4.5-2.1.aarch64",
"product": {
"name": "apptainer-leap-1.4.5-2.1.aarch64",
"product_id": "apptainer-leap-1.4.5-2.1.aarch64"
}
},
{
"category": "product_version",
"name": "apptainer-sle15_7-1.4.5-2.1.aarch64",
"product": {
"name": "apptainer-sle15_7-1.4.5-2.1.aarch64",
"product_id": "apptainer-sle15_7-1.4.5-2.1.aarch64"
}
},
{
"category": "product_version",
"name": "apptainer-sle16-1.4.5-2.1.aarch64",
"product": {
"name": "apptainer-sle16-1.4.5-2.1.aarch64",
"product_id": "apptainer-sle16-1.4.5-2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "apptainer-1.4.5-2.1.ppc64le",
"product": {
"name": "apptainer-1.4.5-2.1.ppc64le",
"product_id": "apptainer-1.4.5-2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "apptainer-leap-1.4.5-2.1.ppc64le",
"product": {
"name": "apptainer-leap-1.4.5-2.1.ppc64le",
"product_id": "apptainer-leap-1.4.5-2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "apptainer-sle15_7-1.4.5-2.1.ppc64le",
"product": {
"name": "apptainer-sle15_7-1.4.5-2.1.ppc64le",
"product_id": "apptainer-sle15_7-1.4.5-2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "apptainer-sle16-1.4.5-2.1.ppc64le",
"product": {
"name": "apptainer-sle16-1.4.5-2.1.ppc64le",
"product_id": "apptainer-sle16-1.4.5-2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "apptainer-1.4.5-2.1.s390x",
"product": {
"name": "apptainer-1.4.5-2.1.s390x",
"product_id": "apptainer-1.4.5-2.1.s390x"
}
},
{
"category": "product_version",
"name": "apptainer-leap-1.4.5-2.1.s390x",
"product": {
"name": "apptainer-leap-1.4.5-2.1.s390x",
"product_id": "apptainer-leap-1.4.5-2.1.s390x"
}
},
{
"category": "product_version",
"name": "apptainer-sle15_7-1.4.5-2.1.s390x",
"product": {
"name": "apptainer-sle15_7-1.4.5-2.1.s390x",
"product_id": "apptainer-sle15_7-1.4.5-2.1.s390x"
}
},
{
"category": "product_version",
"name": "apptainer-sle16-1.4.5-2.1.s390x",
"product": {
"name": "apptainer-sle16-1.4.5-2.1.s390x",
"product_id": "apptainer-sle16-1.4.5-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "apptainer-1.4.5-2.1.x86_64",
"product": {
"name": "apptainer-1.4.5-2.1.x86_64",
"product_id": "apptainer-1.4.5-2.1.x86_64"
}
},
{
"category": "product_version",
"name": "apptainer-leap-1.4.5-2.1.x86_64",
"product": {
"name": "apptainer-leap-1.4.5-2.1.x86_64",
"product_id": "apptainer-leap-1.4.5-2.1.x86_64"
}
},
{
"category": "product_version",
"name": "apptainer-sle15_7-1.4.5-2.1.x86_64",
"product": {
"name": "apptainer-sle15_7-1.4.5-2.1.x86_64",
"product_id": "apptainer-sle15_7-1.4.5-2.1.x86_64"
}
},
{
"category": "product_version",
"name": "apptainer-sle16-1.4.5-2.1.x86_64",
"product": {
"name": "apptainer-sle16-1.4.5-2.1.x86_64",
"product_id": "apptainer-sle16-1.4.5-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-1.4.5-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-1.4.5-2.1.aarch64"
},
"product_reference": "apptainer-1.4.5-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-1.4.5-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-1.4.5-2.1.ppc64le"
},
"product_reference": "apptainer-1.4.5-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-1.4.5-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-1.4.5-2.1.s390x"
},
"product_reference": "apptainer-1.4.5-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-1.4.5-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-1.4.5-2.1.x86_64"
},
"product_reference": "apptainer-1.4.5-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-leap-1.4.5-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.aarch64"
},
"product_reference": "apptainer-leap-1.4.5-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-leap-1.4.5-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.ppc64le"
},
"product_reference": "apptainer-leap-1.4.5-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-leap-1.4.5-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.s390x"
},
"product_reference": "apptainer-leap-1.4.5-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-leap-1.4.5-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.x86_64"
},
"product_reference": "apptainer-leap-1.4.5-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-sle15_7-1.4.5-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.aarch64"
},
"product_reference": "apptainer-sle15_7-1.4.5-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-sle15_7-1.4.5-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.ppc64le"
},
"product_reference": "apptainer-sle15_7-1.4.5-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-sle15_7-1.4.5-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.s390x"
},
"product_reference": "apptainer-sle15_7-1.4.5-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-sle15_7-1.4.5-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.x86_64"
},
"product_reference": "apptainer-sle15_7-1.4.5-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-sle16-1.4.5-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.aarch64"
},
"product_reference": "apptainer-sle16-1.4.5-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-sle16-1.4.5-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.ppc64le"
},
"product_reference": "apptainer-sle16-1.4.5-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-sle16-1.4.5-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.s390x"
},
"product_reference": "apptainer-sle16-1.4.5-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-sle16-1.4.5-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.x86_64"
},
"product_reference": "apptainer-sle16-1.4.5-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47911",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47911"
}
],
"notes": [
{
"category": "general",
"text": "The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:apptainer-1.4.5-2.1.aarch64",
"openSUSE Tumbleweed:apptainer-1.4.5-2.1.ppc64le",
"openSUSE Tumbleweed:apptainer-1.4.5-2.1.s390x",
"openSUSE Tumbleweed:apptainer-1.4.5-2.1.x86_64",
"openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.aarch64",
"openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.ppc64le",
"openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.s390x",
"openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.s390x",
"openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47911",
"url": "https://www.suse.com/security/cve/CVE-2025-47911"
},
{
"category": "external",
"summary": "SUSE Bug 1251308 for CVE-2025-47911",
"url": "https://bugzilla.suse.com/1251308"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:apptainer-1.4.5-2.1.aarch64",
"openSUSE Tumbleweed:apptainer-1.4.5-2.1.ppc64le",
"openSUSE Tumbleweed:apptainer-1.4.5-2.1.s390x",
"openSUSE Tumbleweed:apptainer-1.4.5-2.1.x86_64",
"openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.aarch64",
"openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.ppc64le",
"openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.s390x",
"openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.s390x",
"openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:apptainer-1.4.5-2.1.aarch64",
"openSUSE Tumbleweed:apptainer-1.4.5-2.1.ppc64le",
"openSUSE Tumbleweed:apptainer-1.4.5-2.1.s390x",
"openSUSE Tumbleweed:apptainer-1.4.5-2.1.x86_64",
"openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.aarch64",
"openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.ppc64le",
"openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.s390x",
"openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.s390x",
"openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-11T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-47911"
},
{
"cve": "CVE-2025-58190",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58190"
}
],
"notes": [
{
"category": "general",
"text": "The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:apptainer-1.4.5-2.1.aarch64",
"openSUSE Tumbleweed:apptainer-1.4.5-2.1.ppc64le",
"openSUSE Tumbleweed:apptainer-1.4.5-2.1.s390x",
"openSUSE Tumbleweed:apptainer-1.4.5-2.1.x86_64",
"openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.aarch64",
"openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.ppc64le",
"openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.s390x",
"openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.s390x",
"openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58190",
"url": "https://www.suse.com/security/cve/CVE-2025-58190"
},
{
"category": "external",
"summary": "SUSE Bug 1251309 for CVE-2025-58190",
"url": "https://bugzilla.suse.com/1251309"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:apptainer-1.4.5-2.1.aarch64",
"openSUSE Tumbleweed:apptainer-1.4.5-2.1.ppc64le",
"openSUSE Tumbleweed:apptainer-1.4.5-2.1.s390x",
"openSUSE Tumbleweed:apptainer-1.4.5-2.1.x86_64",
"openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.aarch64",
"openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.ppc64le",
"openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.s390x",
"openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.s390x",
"openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:apptainer-1.4.5-2.1.aarch64",
"openSUSE Tumbleweed:apptainer-1.4.5-2.1.ppc64le",
"openSUSE Tumbleweed:apptainer-1.4.5-2.1.s390x",
"openSUSE Tumbleweed:apptainer-1.4.5-2.1.x86_64",
"openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.aarch64",
"openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.ppc64le",
"openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.s390x",
"openSUSE Tumbleweed:apptainer-leap-1.4.5-2.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_7-1.4.5-2.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.s390x",
"openSUSE Tumbleweed:apptainer-sle16-1.4.5-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-11T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-58190"
}
]
}
OPENSUSE-SU-2026:11126-1
Vulnerability from csaf_opensuse - Published: 2026-06-25 00:00 - Updated: 2026-06-25 00:00Summary
velociraptor-0.7.0.4.git185.a5708584-2.1 on GA media
Severity
Moderate
Notes
Title of the patch: velociraptor-0.7.0.4.git185.a5708584-2.1 on GA media
Description of the patch: These are all security issues fixed in the velociraptor-0.7.0.4.git185.a5708584-2.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2026-11126
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.3 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.2 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
4.4 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
6.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
5.4 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.4 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.4 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
6.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
6.1 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
6.1 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.8 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.4 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
6.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
6.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.4 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.7 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
6.1 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
6.1 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
155 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "velociraptor-0.7.0.4.git185.a5708584-2.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the velociraptor-0.7.0.4.git185.a5708584-2.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-11126",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_11126-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-45288 page",
"url": "https://www.suse.com/security/cve/CVE-2023-45288/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45339 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45339/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-13465 page",
"url": "https://www.suse.com/security/cve/CVE-2025-13465/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22868 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22868/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22869 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22869/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22870 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22870/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22872 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22872/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-24358 page",
"url": "https://www.suse.com/security/cve/CVE-2025-24358/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47911 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47911/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58058 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58058/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58181 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58181/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58190 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58190/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-5889 page",
"url": "https://www.suse.com/security/cve/CVE-2025-5889/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64718 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64718/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-6545 page",
"url": "https://www.suse.com/security/cve/CVE-2025-6545/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-6547 page",
"url": "https://www.suse.com/security/cve/CVE-2025-6547/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-7783 page",
"url": "https://www.suse.com/security/cve/CVE-2025-7783/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-1229 page",
"url": "https://www.suse.com/security/cve/CVE-2026-1229/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-25128 page",
"url": "https://www.suse.com/security/cve/CVE-2026-25128/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-25680 page",
"url": "https://www.suse.com/security/cve/CVE-2026-25680/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-25681 page",
"url": "https://www.suse.com/security/cve/CVE-2026-25681/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-26278 page",
"url": "https://www.suse.com/security/cve/CVE-2026-26278/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-26996 page",
"url": "https://www.suse.com/security/cve/CVE-2026-26996/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-27136 page",
"url": "https://www.suse.com/security/cve/CVE-2026-27136/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-2739 page",
"url": "https://www.suse.com/security/cve/CVE-2026-2739/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-27606 page",
"url": "https://www.suse.com/security/cve/CVE-2026-27606/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-27904 page",
"url": "https://www.suse.com/security/cve/CVE-2026-27904/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33036 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33036/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33186 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33186/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33487 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33487/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33814 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33814/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-34986 page",
"url": "https://www.suse.com/security/cve/CVE-2026-34986/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-39821 page",
"url": "https://www.suse.com/security/cve/CVE-2026-39821/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-39827 page",
"url": "https://www.suse.com/security/cve/CVE-2026-39827/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-39828 page",
"url": "https://www.suse.com/security/cve/CVE-2026-39828/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-39829 page",
"url": "https://www.suse.com/security/cve/CVE-2026-39829/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-39830 page",
"url": "https://www.suse.com/security/cve/CVE-2026-39830/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-39831 page",
"url": "https://www.suse.com/security/cve/CVE-2026-39831/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-39832 page",
"url": "https://www.suse.com/security/cve/CVE-2026-39832/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-39833 page",
"url": "https://www.suse.com/security/cve/CVE-2026-39833/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-39834 page",
"url": "https://www.suse.com/security/cve/CVE-2026-39834/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-39835 page",
"url": "https://www.suse.com/security/cve/CVE-2026-39835/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42039 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42039/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42502 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42502/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42506 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42506/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42508 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42508/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-46595 page",
"url": "https://www.suse.com/security/cve/CVE-2026-46595/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-46597 page",
"url": "https://www.suse.com/security/cve/CVE-2026-46597/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-46598 page",
"url": "https://www.suse.com/security/cve/CVE-2026-46598/"
}
],
"title": "velociraptor-0.7.0.4.git185.a5708584-2.1 on GA media",
"tracking": {
"current_release_date": "2026-06-25T00:00:00Z",
"generator": {
"date": "2026-06-25T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:11126-1",
"initial_release_date": "2026-06-25T00:00:00Z",
"revision_history": [
{
"date": "2026-06-25T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"product": {
"name": "velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"product_id": "velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"product": {
"name": "velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"product_id": "velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"product": {
"name": "velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"product_id": "velociraptor-0.7.0.4.git185.a5708584-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64",
"product": {
"name": "velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64",
"product_id": "velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64"
},
"product_reference": "velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le"
},
"product_reference": "velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "velociraptor-0.7.0.4.git185.a5708584-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x"
},
"product_reference": "velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
},
"product_reference": "velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-45288",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-45288"
}
],
"notes": [
{
"category": "general",
"text": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request\u0027s headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-45288",
"url": "https://www.suse.com/security/cve/CVE-2023-45288"
},
{
"category": "external",
"summary": "SUSE Bug 1221400 for CVE-2023-45288",
"url": "https://bugzilla.suse.com/1221400"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2023-45288"
},
{
"cve": "CVE-2024-45339",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45339"
}
],
"notes": [
{
"category": "general",
"text": "When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process\u0027s log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45339",
"url": "https://www.suse.com/security/cve/CVE-2024-45339"
},
{
"category": "external",
"summary": "SUSE Bug 1236541 for CVE-2024-45339",
"url": "https://bugzilla.suse.com/1236541"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-45339"
},
{
"cve": "CVE-2025-13465",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-13465"
}
],
"notes": [
{
"category": "general",
"text": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.\n\nThe issue permits deletion of properties but does not allow overwriting their original behavior.\n\nThis issue is patched on 4.17.23",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-13465",
"url": "https://www.suse.com/security/cve/CVE-2025-13465"
},
{
"category": "external",
"summary": "SUSE Bug 1257321 for CVE-2025-13465",
"url": "https://bugzilla.suse.com/1257321"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-13465"
},
{
"cve": "CVE-2025-22868",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22868"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22868",
"url": "https://www.suse.com/security/cve/CVE-2025-22868"
},
{
"category": "external",
"summary": "SUSE Bug 1239185 for CVE-2025-22868",
"url": "https://bugzilla.suse.com/1239185"
},
{
"category": "external",
"summary": "SUSE Bug 1239186 for CVE-2025-22868",
"url": "https://bugzilla.suse.com/1239186"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-22868"
},
{
"cve": "CVE-2025-22869",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22869"
}
],
"notes": [
{
"category": "general",
"text": "SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22869",
"url": "https://www.suse.com/security/cve/CVE-2025-22869"
},
{
"category": "external",
"summary": "SUSE Bug 1239322 for CVE-2025-22869",
"url": "https://bugzilla.suse.com/1239322"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-22869"
},
{
"cve": "CVE-2025-22870",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22870"
}
],
"notes": [
{
"category": "general",
"text": "Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to \"*.example.com\", a request to \"[::1%25.example.com]:80` will incorrectly match and not be proxied.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22870",
"url": "https://www.suse.com/security/cve/CVE-2025-22870"
},
{
"category": "external",
"summary": "SUSE Bug 1238572 for CVE-2025-22870",
"url": "https://bugzilla.suse.com/1238572"
},
{
"category": "external",
"summary": "SUSE Bug 1238611 for CVE-2025-22870",
"url": "https://bugzilla.suse.com/1238611"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-22870"
},
{
"cve": "CVE-2025-22872",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22872"
}
],
"notes": [
{
"category": "general",
"text": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22872",
"url": "https://www.suse.com/security/cve/CVE-2025-22872"
},
{
"category": "external",
"summary": "SUSE Bug 1241710 for CVE-2025-22872",
"url": "https://bugzilla.suse.com/1241710"
},
{
"category": "external",
"summary": "SUSE Bug 1265255 for CVE-2025-22872",
"url": "https://bugzilla.suse.com/1265255"
},
{
"category": "external",
"summary": "SUSE Bug 1265256 for CVE-2025-22872",
"url": "https://bugzilla.suse.com/1265256"
},
{
"category": "external",
"summary": "SUSE Bug 1265259 for CVE-2025-22872",
"url": "https://bugzilla.suse.com/1265259"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-22872"
},
{
"cve": "CVE-2025-24358",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-24358"
}
],
"notes": [
{
"category": "general",
"text": "gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for Go web applications \u0026 services. Prior to 1.7.2, gorilla/csrf does not validate the Origin header against an allowlist. Its executes its validation of the Referer header for cross-origin requests only when it believes the request is being served over TLS. It determines this by inspecting the r.URL.Scheme value. However, this value is never populated for \"server\" requests per the Go spec, and so this check does not run in practice. This vulnerability allows an attacker who has gained XSS on a subdomain or top level domain to perform authenticated form submissions against gorilla/csrf protected targets that share the same top level domain. This vulnerability is fixed in 1.7.2.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-24358",
"url": "https://www.suse.com/security/cve/CVE-2025-24358"
},
{
"category": "external",
"summary": "SUSE Bug 1241233 for CVE-2025-24358",
"url": "https://bugzilla.suse.com/1241233"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-24358"
},
{
"cve": "CVE-2025-47911",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47911"
}
],
"notes": [
{
"category": "general",
"text": "The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47911",
"url": "https://www.suse.com/security/cve/CVE-2025-47911"
},
{
"category": "external",
"summary": "SUSE Bug 1251308 for CVE-2025-47911",
"url": "https://bugzilla.suse.com/1251308"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-47911"
},
{
"cve": "CVE-2025-58058",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58058"
}
],
"notes": [
{
"category": "general",
"text": "xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn\u0027t include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58058",
"url": "https://www.suse.com/security/cve/CVE-2025-58058"
},
{
"category": "external",
"summary": "SUSE Bug 1248889 for CVE-2025-58058",
"url": "https://bugzilla.suse.com/1248889"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-58058"
},
{
"cve": "CVE-2025-58181",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58181"
}
],
"notes": [
{
"category": "general",
"text": "SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58181",
"url": "https://www.suse.com/security/cve/CVE-2025-58181"
},
{
"category": "external",
"summary": "SUSE Bug 1253784 for CVE-2025-58181",
"url": "https://bugzilla.suse.com/1253784"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-58181"
},
{
"cve": "CVE-2025-58190",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58190"
}
],
"notes": [
{
"category": "general",
"text": "The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58190",
"url": "https://www.suse.com/security/cve/CVE-2025-58190"
},
{
"category": "external",
"summary": "SUSE Bug 1251309 for CVE-2025-58190",
"url": "https://bugzilla.suse.com/1251309"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-58190"
},
{
"cve": "CVE-2025-5889",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-5889"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to upgrade the affected component.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-5889",
"url": "https://www.suse.com/security/cve/CVE-2025-5889"
},
{
"category": "external",
"summary": "SUSE Bug 1244340 for CVE-2025-5889",
"url": "https://bugzilla.suse.com/1244340"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 2.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2025-5889"
},
{
"cve": "CVE-2025-64718",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64718"
}
],
"notes": [
{
"category": "general",
"text": "js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it\u0027s possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64718",
"url": "https://www.suse.com/security/cve/CVE-2025-64718"
},
{
"category": "external",
"summary": "SUSE Bug 1255407 for CVE-2025-64718",
"url": "https://bugzilla.suse.com/1255407"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-64718"
},
{
"cve": "CVE-2025-6545",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-6545"
}
],
"notes": [
{
"category": "general",
"text": "Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js.\n\nThis issue affects pbkdf2: from 3.0.10 through 3.1.2.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-6545",
"url": "https://www.suse.com/security/cve/CVE-2025-6545"
},
{
"category": "external",
"summary": "SUSE Bug 1245273 for CVE-2025-6545",
"url": "https://bugzilla.suse.com/1245273"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-6545"
},
{
"cve": "CVE-2025-6547",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-6547"
}
],
"notes": [
{
"category": "general",
"text": "Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation.This issue affects pbkdf2: \u003c=3.1.2.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-6547",
"url": "https://www.suse.com/security/cve/CVE-2025-6547"
},
{
"category": "external",
"summary": "SUSE Bug 1245271 for CVE-2025-6547",
"url": "https://bugzilla.suse.com/1245271"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-6547"
},
{
"cve": "CVE-2025-7783",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-7783"
}
],
"notes": [
{
"category": "general",
"text": "Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js.\n\nThis issue affects form-data: \u003c 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-7783",
"url": "https://www.suse.com/security/cve/CVE-2025-7783"
},
{
"category": "external",
"summary": "SUSE Bug 1246810 for CVE-2025-7783",
"url": "https://bugzilla.suse.com/1246810"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-7783"
},
{
"cve": "CVE-2026-1229",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-1229"
}
],
"notes": [
{
"category": "general",
"text": "The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.\nECDH and ECDSA signing relying on this curve are not affected.\n\nThe bug was fixed in v1.6.3 https://github.com/cloudflare/circl/releases/tag/v1.6.3 .",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-1229",
"url": "https://www.suse.com/security/cve/CVE-2026-1229"
},
{
"category": "external",
"summary": "SUSE Bug 1265416 for CVE-2026-1229",
"url": "https://bugzilla.suse.com/1265416"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-1229"
},
{
"cve": "CVE-2026-25128",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-25128"
}
],
"notes": [
{
"category": "general",
"text": "fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `\u0026#9999999;` or `\u0026#xFFFFFF;`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-25128",
"url": "https://www.suse.com/security/cve/CVE-2026-25128"
},
{
"category": "external",
"summary": "SUSE Bug 1257518 for CVE-2026-25128",
"url": "https://bugzilla.suse.com/1257518"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-25128"
},
{
"cve": "CVE-2026-25680",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-25680"
}
],
"notes": [
{
"category": "general",
"text": "Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-25680",
"url": "https://www.suse.com/security/cve/CVE-2026-25680"
},
{
"category": "external",
"summary": "SUSE Bug 1267044 for CVE-2026-25680",
"url": "https://bugzilla.suse.com/1267044"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-25680"
},
{
"cve": "CVE-2026-25681",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-25681"
}
],
"notes": [
{
"category": "general",
"text": "Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-25681",
"url": "https://www.suse.com/security/cve/CVE-2026-25681"
},
{
"category": "external",
"summary": "SUSE Bug 1267044 for CVE-2026-25681",
"url": "https://bugzilla.suse.com/1267044"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-25681"
},
{
"cve": "CVE-2026-26278",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-26278"
}
],
"notes": [
{
"category": "general",
"text": "fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it\u0027s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by `processEntities: false` option.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-26278",
"url": "https://www.suse.com/security/cve/CVE-2026-26278"
},
{
"category": "external",
"summary": "SUSE Bug 1258547 for CVE-2026-26278",
"url": "https://bugzilla.suse.com/1258547"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-26278"
},
{
"cve": "CVE-2026-26996",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-26996"
}
],
"notes": [
{
"category": "general",
"text": "minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn\u0027t appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8\u0027s regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-26996",
"url": "https://www.suse.com/security/cve/CVE-2026-26996"
},
{
"category": "external",
"summary": "SUSE Bug 1258621 for CVE-2026-26996",
"url": "https://bugzilla.suse.com/1258621"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-26996"
},
{
"cve": "CVE-2026-27136",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-27136"
}
],
"notes": [
{
"category": "general",
"text": "Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-27136",
"url": "https://www.suse.com/security/cve/CVE-2026-27136"
},
{
"category": "external",
"summary": "SUSE Bug 1267044 for CVE-2026-27136",
"url": "https://bugzilla.suse.com/1267044"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-27136"
},
{
"cve": "CVE-2026-2739",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-2739"
}
],
"notes": [
{
"category": "general",
"text": "This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-2739",
"url": "https://www.suse.com/security/cve/CVE-2026-2739"
},
{
"category": "external",
"summary": "SUSE Bug 1258647 for CVE-2026-2739",
"url": "https://bugzilla.suse.com/1258647"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-2739"
},
{
"cve": "CVE-2026-27606",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-27606"
}
],
"notes": [
{
"category": "general",
"text": "Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) is vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker to control output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) and use traversal sequences (`../`) to overwrite files anywhere on the host filesystem that the build process has permissions for. This can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files. Versions 2.80.0, 3.30.0, and 4.59.0 contain a patch for the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-27606",
"url": "https://www.suse.com/security/cve/CVE-2026-27606"
},
{
"category": "external",
"summary": "SUSE Bug 1258846 for CVE-2026-27606",
"url": "https://bugzilla.suse.com/1258846"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-27606"
},
{
"cve": "CVE-2026-27904",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-27904"
}
],
"notes": [
{
"category": "general",
"text": "minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-27904",
"url": "https://www.suse.com/security/cve/CVE-2026-27904"
},
{
"category": "external",
"summary": "SUSE Bug 1258994 for CVE-2026-27904",
"url": "https://bugzilla.suse.com/1258994"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-27904"
},
{
"cve": "CVE-2026-33036",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33036"
}
],
"notes": [
{
"category": "general",
"text": "fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (\u0026#NNN;, \u0026#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like \u0026#65; can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process-even when developers have configured strict limits. This issue has been fixed in version 5.5.6.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33036",
"url": "https://www.suse.com/security/cve/CVE-2026-33036"
},
{
"category": "external",
"summary": "SUSE Bug 1259974 for CVE-2026-33036",
"url": "https://bugzilla.suse.com/1259974"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-33036"
},
{
"cve": "CVE-2026-33186",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33186"
}
],
"notes": [
{
"category": "general",
"text": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33186",
"url": "https://www.suse.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "SUSE Bug 1260085 for CVE-2026-33186",
"url": "https://bugzilla.suse.com/1260085"
},
{
"category": "external",
"summary": "SUSE Bug 1268676 for CVE-2026-33186",
"url": "https://bugzilla.suse.com/1268676"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-33186"
},
{
"cve": "CVE-2026-33487",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33487"
}
],
"notes": [
{
"category": "general",
"text": "goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element\u0027s ID. In Go versions before 1.22, or when `go.mod` uses an older version, there is a loop variable capture issue. The code takes the address of the loop variable `_ref` instead of its value. As a result, if more than one reference matches the ID or if the loop logic is incorrect, the `ref` pointer will always end up pointing to the last element in the `SignedInfo.References` slice after the loop. goxmlsig version 1.6.0 contains a patch.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33487",
"url": "https://www.suse.com/security/cve/CVE-2026-33487"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-33487"
},
{
"cve": "CVE-2026-33814",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33814"
}
],
"notes": [
{
"category": "general",
"text": "When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33814",
"url": "https://www.suse.com/security/cve/CVE-2026-33814"
},
{
"category": "external",
"summary": "SUSE Bug 1264506 for CVE-2026-33814",
"url": "https://bugzilla.suse.com/1264506"
},
{
"category": "external",
"summary": "SUSE Bug 1268758 for CVE-2026-33814",
"url": "https://bugzilla.suse.com/1268758"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-33814"
},
{
"cve": "CVE-2026-34986",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-34986"
}
],
"notes": [
{
"category": "general",
"text": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-34986",
"url": "https://www.suse.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "SUSE Bug 1262805 for CVE-2026-34986",
"url": "https://bugzilla.suse.com/1262805"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-34986"
},
{
"cve": "CVE-2026-39821",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-39821"
}
],
"notes": [
{
"category": "general",
"text": "The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode(\"xn--example-.com\") incorrectly returns the name \"example.com\" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject \"example.com\" but permit \"xn--example-.com\". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name \"example.com\".",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-39821",
"url": "https://www.suse.com/security/cve/CVE-2026-39821"
},
{
"category": "external",
"summary": "SUSE Bug 1266474 for CVE-2026-39821",
"url": "https://bugzilla.suse.com/1266474"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-39821"
},
{
"cve": "CVE-2026-39827",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-39827"
}
],
"notes": [
{
"category": "general",
"text": "An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection\u0027s internal state and released for garbage collection.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-39827",
"url": "https://www.suse.com/security/cve/CVE-2026-39827"
},
{
"category": "external",
"summary": "SUSE Bug 1266049 for CVE-2026-39827",
"url": "https://bugzilla.suse.com/1266049"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-39827"
},
{
"cve": "CVE-2026-39828",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-39828"
}
],
"notes": [
{
"category": "general",
"text": "When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-39828",
"url": "https://www.suse.com/security/cve/CVE-2026-39828"
},
{
"category": "external",
"summary": "SUSE Bug 1266049 for CVE-2026-39828",
"url": "https://bugzilla.suse.com/1266049"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-39828"
},
{
"cve": "CVE-2026-39829",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-39829"
}
],
"notes": [
{
"category": "general",
"text": "The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-39829",
"url": "https://www.suse.com/security/cve/CVE-2026-39829"
},
{
"category": "external",
"summary": "SUSE Bug 1266049 for CVE-2026-39829",
"url": "https://bugzilla.suse.com/1266049"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-39829"
},
{
"cve": "CVE-2026-39830",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-39830"
}
],
"notes": [
{
"category": "general",
"text": "A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection\u0027s read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-39830",
"url": "https://www.suse.com/security/cve/CVE-2026-39830"
},
{
"category": "external",
"summary": "SUSE Bug 1266049 for CVE-2026-39830",
"url": "https://bugzilla.suse.com/1266049"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-39830"
},
{
"cve": "CVE-2026-39831",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-39831"
}
],
"notes": [
{
"category": "general",
"text": "The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a \"no-touch-required\" extension in Permissions.Extensions from PublicKeyCallback.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-39831",
"url": "https://www.suse.com/security/cve/CVE-2026-39831"
},
{
"category": "external",
"summary": "SUSE Bug 1266049 for CVE-2026-39831",
"url": "https://bugzilla.suse.com/1266049"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-39831"
},
{
"cve": "CVE-2026-39832",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-39832"
}
],
"notes": [
{
"category": "general",
"text": "When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-39832",
"url": "https://www.suse.com/security/cve/CVE-2026-39832"
},
{
"category": "external",
"summary": "SUSE Bug 1266049 for CVE-2026-39832",
"url": "https://bugzilla.suse.com/1266049"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-39832"
},
{
"cve": "CVE-2026-39833",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-39833"
}
],
"notes": [
{
"category": "general",
"text": "The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-39833",
"url": "https://www.suse.com/security/cve/CVE-2026-39833"
},
{
"category": "external",
"summary": "SUSE Bug 1266049 for CVE-2026-39833",
"url": "https://bugzilla.suse.com/1266049"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-39833"
},
{
"cve": "CVE-2026-39834",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-39834"
}
],
"notes": [
{
"category": "general",
"text": "When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-39834",
"url": "https://www.suse.com/security/cve/CVE-2026-39834"
},
{
"category": "external",
"summary": "SUSE Bug 1266049 for CVE-2026-39834",
"url": "https://bugzilla.suse.com/1266049"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-39834"
},
{
"cve": "CVE-2026-39835",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-39835"
}
],
"notes": [
{
"category": "general",
"text": "SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-39835",
"url": "https://www.suse.com/security/cve/CVE-2026-39835"
},
{
"category": "external",
"summary": "SUSE Bug 1266049 for CVE-2026-39835",
"url": "https://bugzilla.suse.com/1266049"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-39835"
},
{
"cve": "CVE-2026-42039",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42039"
}
],
"notes": [
{
"category": "general",
"text": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixed in 1.15.1 and 0.31.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42039",
"url": "https://www.suse.com/security/cve/CVE-2026-42039"
},
{
"category": "external",
"summary": "SUSE Bug 1267406 for CVE-2026-42039",
"url": "https://bugzilla.suse.com/1267406"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-42039"
},
{
"cve": "CVE-2026-42502",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42502"
}
],
"notes": [
{
"category": "general",
"text": "Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42502",
"url": "https://www.suse.com/security/cve/CVE-2026-42502"
},
{
"category": "external",
"summary": "SUSE Bug 1267044 for CVE-2026-42502",
"url": "https://bugzilla.suse.com/1267044"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-42502"
},
{
"cve": "CVE-2026-42506",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42506"
}
],
"notes": [
{
"category": "general",
"text": "Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42506",
"url": "https://www.suse.com/security/cve/CVE-2026-42506"
},
{
"category": "external",
"summary": "SUSE Bug 1267044 for CVE-2026-42506",
"url": "https://bugzilla.suse.com/1267044"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-42506"
},
{
"cve": "CVE-2026-42508",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42508"
}
],
"notes": [
{
"category": "general",
"text": "Previously, a revoked \u0027SignatureKey\u0027 belonging to a CA was not correctly checked for revocation. Now, both the \u0027key\u0027 and \u0027key.SignatureKey\u0027 are checked for @revoked.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42508",
"url": "https://www.suse.com/security/cve/CVE-2026-42508"
},
{
"category": "external",
"summary": "SUSE Bug 1266049 for CVE-2026-42508",
"url": "https://bugzilla.suse.com/1266049"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-42508"
},
{
"cve": "CVE-2026-46595",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-46595"
}
],
"notes": [
{
"category": "general",
"text": "Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-46595",
"url": "https://www.suse.com/security/cve/CVE-2026-46595"
},
{
"category": "external",
"summary": "SUSE Bug 1266049 for CVE-2026-46595",
"url": "https://bugzilla.suse.com/1266049"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-46595"
},
{
"cve": "CVE-2026-46597",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-46597"
}
],
"notes": [
{
"category": "general",
"text": "An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-46597",
"url": "https://www.suse.com/security/cve/CVE-2026-46597"
},
{
"category": "external",
"summary": "SUSE Bug 1266049 for CVE-2026-46597",
"url": "https://bugzilla.suse.com/1266049"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-46597"
},
{
"cve": "CVE-2026-46598",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-46598"
}
],
"notes": [
{
"category": "general",
"text": "For certain crafted inputs, a \u0027ed25519.PrivateKey\u0027 was created by casting malformed wire bytes, leading to a panic when used.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-46598",
"url": "https://www.suse.com/security/cve/CVE-2026-46598"
},
{
"category": "external",
"summary": "SUSE Bug 1266049 for CVE-2026-46598",
"url": "https://bugzilla.suse.com/1266049"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git185.a5708584-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-46598"
}
]
}
OPENSUSE-SU-2026:20044-1
Vulnerability from csaf_opensuse - Published: 2026-01-15 17:56 - Updated: 2026-01-15 17:56Summary
Security update for alloy
Severity
Important
Notes
Title of the patch: Security update for alloy
Description of the patch: This update for alloy fixes the following issues:
Upgrade to version 1.12.1.
Security issues fixed:
- CVE-2025-47911: golang.org/x/net/html: quadratic complexity algorithms used when parsing untrusted HTML documents
(bsc#1251509).
- CVE-2025-58190: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially
crafted input (bsc#1251716).
- CVE-2025-47913: golang.org/x/crypto: early client process termination when receiving an unexpected message type in
response to a key listing or signing request (bsc#1253609).
Other updates and bugfixes:
- Version 1.12.1:
* Bugfixes
- update to Beyla 2.7.10.
- Version 1.12.0:
* Breaking changes
- `prometheus.exporter.blackbox`, `prometheus.exporter.snmp` and `prometheus.exporter.statsd` now use the component
ID instead of the hostname as their instance label in their exported metrics.
* Features
- (Experimental) Add an `otelcol.receiver.cloudflare` component to receive logs pushed by Cloudflare's LogPush
jobs.
- (Experimental) Additions to experimental `database_observability.mysql` component:
- `explain_plans`
- collector now changes schema before returning the connection to the pool.
- collector now passes queries more permissively.
- enable `explain_plans` collector by default
- (Experimental) Additions to experimental `database_observability.postgres` component:
- `explain_plans`
- added the explain plan collector.
- collector now passes queries more permissively.
- `query_samples`
- add user field to wait events within `query_samples` collector.
- rework the query samples collector to buffer per-query execution state across scrapes and emit finalized
entries.
- process turned idle rows to calculate finalization times precisely and emit first seen idle rows.
- `query_details`
- escape queries coming from `pg_stat_statements` with quotes.
- enable `explain_plans` collector by default.
- safely generate `server_id` when UDP socket used for database connection.
- add table registry and include "validated" in parsed table name logs.
- Add `otelcol.exporter.googlecloudpubsub` community component to export metrics, traces, and logs to Google Cloud
Pub/Sub topic.
- Add `structured_metadata_drop` stage for `loki.process` to filter structured metadata.
- Send remote config status to the remote server for the `remotecfg` service.
- Send effective config to the remote server for the `remotecfg` service.
- Add a `stat_statements` configuration block to the `prometheus.exporter.postgres` component to enable selecting
both the query ID and the full SQL statement. The new block includes one option to enable statement selection,
and another to configure the maximum length of the statement text.
- Add truncate stage for `loki.process` to truncate log entries, label values, and `structured_metadata` values.
- Add `u_probe_links` & `load_probe` configuration fields to alloy `pyroscope.ebpf` to extend configuration of
the `opentelemetry-ebpf-profiler` to allow uprobe profiling and dynamic probing.
- Add `verbose_mode` configuration fields to `alloy pyroscope.ebpf` to be enable `ebpf-profiler` verbose mode.
- Add `file_match` block to `loki.source.file` for built-in file discovery using glob patterns.
- Add a regex argument to the `structured_metadata` stage in `loki.process` to extract labels matching a regular
expression.
- OpenTelemetry Collector dependencies upgraded from v0.134.0 to v0.139.0.
- See the upstream
[core](https://github.com/open-telemetry/opentelemetry-collector/blob/v0.139.0/CHANGELOG.md)
and
[contrib](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/v0.139.0/CHANGELOG.md)
changelogs for more details.
- A new `mimir.alerts.kubernetes` component which discovers AlertmanagerConfig Kubernetes resources and loads them
into a Mimir instance.
- Mark `stage.windowsevent` block in the `loki.process` component as GA.
* Enhancements
- Add per-application rate limiting with the strategy attribute in the `faro.receiver` component, to prevent one
application from consuming the rate limit quota of others.
- Add support of tls in components `loki.source.(awsfirehose|gcplog|heroku|api)` and `prometheus.receive_http` and
`pyroscope.receive_http`.
- Remove `SendSIGKILL=no` from unit files and recommendations.
- Reduce memory overhead of `prometheus.remote_write`'s WAL by lowering the size of the allocated series storage.
- Reduce lock wait/contention on the `labelstore.LabelStore` by removing unecessary usage from
`prometheus.relabel`.
- `prometheus.exporter.postgres` dependency has been updated to v0.18.1.
- Update Beyla component to 2.7.8.
- Support delimiters in `stage.luhn`.
- `pyroscope.java`: update `async-profiler` to 4.2.
- `prometheus.exporter.unix`: Add an arp config block to configure the ARP collector.
- `prometheus.exporter.snowflake` dependency has been updated to 20251016132346-6d442402afb2.
- `loki.source.podlogs` now supports `preserve_discovered_labels` parameter to preserve discovered pod metadata
labels for use by downstream components.
- Rework underlying framework of Alloy UI to use Vite instead of Create React App.
- Use POST requests for remote config requests to avoid hitting http2 header limits.
- `loki.source.api` during component shutdown will now reject all the inflight requests with status code 503 after
`graceful_shutdown_timeout` has expired.
- `kubernetes.discovery`: Add support for attaching namespace metadata.
- Add `meta_cache_address` to `beyla.ebpf` component.
* Bugfixes
- Stop `loki.source.kubernetes` discarding log lines with duplicate timestamps.
- Fix direction of arrows for pyroscope components in UI graph.
- Only log EOF errors for syslog port investigations in `loki.source.syslog` as Debug, not Warn.
- Fix `prometheus.exporter.process` ignoring the `remove_empty_groups` argument.
- Fix issues with "unknown series ref when trying to add exemplar" from `prometheus.remote_write` by allowing
series ref links to be updated if they change.
- Fix `loki.source.podlogs` component to register the Kubernetes field index for `spec.nodeName` when node
filtering is enabled, preventing "Index with name `field:spec.nodeName` does not exist" errors.
- Fix issue in `loki.source.file` where scheduling files could take too long.
- Fix `loki.write` no longer includes internal labels __.
- Fix missing native histograms custom buckets (NHCB) samples from `prometheus.remote_write`.
- `otelcol.receiver.prometheus` now supports mixed histograms if `prometheus.scrape` has `honor_metadata` set to
true.
- `loki.source.file` has better support for non-UTF-8 encoded files.
- Fix the `loki.write` endpoint block's `enable_http2` attribute to actually affect the client.
- Optionally remove trailing newlines before appending entries in `stage.multiline`.
- `loki.source.api` no longer drops request when relabel rules drops a specific stream.
Patchnames: openSUSE-Leap-16.0-149
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.3 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.3 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
14 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for alloy",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for alloy fixes the following issues:\n\nUpgrade to version 1.12.1.\n\n\nSecurity issues fixed:\n\n- CVE-2025-47911: golang.org/x/net/html: quadratic complexity algorithms used when parsing untrusted HTML documents\n (bsc#1251509).\n- CVE-2025-58190: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially\n crafted input (bsc#1251716).\n- CVE-2025-47913: golang.org/x/crypto: early client process termination when receiving an unexpected message type in\n response to a key listing or signing request (bsc#1253609).\n\nOther updates and bugfixes:\n\n- Version 1.12.1:\n * Bugfixes\n - update to Beyla 2.7.10.\n\n- Version 1.12.0:\n * Breaking changes\n - `prometheus.exporter.blackbox`, `prometheus.exporter.snmp` and `prometheus.exporter.statsd` now use the component\n ID instead of the hostname as their instance label in their exported metrics.\n * Features\n - (Experimental) Add an `otelcol.receiver.cloudflare` component to receive logs pushed by Cloudflare\u0027s LogPush\n jobs.\n - (Experimental) Additions to experimental `database_observability.mysql` component:\n - `explain_plans`\n - collector now changes schema before returning the connection to the pool.\n - collector now passes queries more permissively.\n - enable `explain_plans` collector by default\n - (Experimental) Additions to experimental `database_observability.postgres` component:\n - `explain_plans`\n - added the explain plan collector.\n - collector now passes queries more permissively.\n - `query_samples`\n - add user field to wait events within `query_samples` collector.\n - rework the query samples collector to buffer per-query execution state across scrapes and emit finalized\n entries.\n - process turned idle rows to calculate finalization times precisely and emit first seen idle rows.\n - `query_details`\n - escape queries coming from `pg_stat_statements` with quotes.\n - enable `explain_plans` collector by default.\n - safely generate `server_id` when UDP socket used for database connection.\n - add table registry and include \"validated\" in parsed table name logs.\n - Add `otelcol.exporter.googlecloudpubsub` community component to export metrics, traces, and logs to Google Cloud\n Pub/Sub topic.\n - Add `structured_metadata_drop` stage for `loki.process` to filter structured metadata.\n - Send remote config status to the remote server for the `remotecfg` service.\n - Send effective config to the remote server for the `remotecfg` service.\n - Add a `stat_statements` configuration block to the `prometheus.exporter.postgres` component to enable selecting\n both the query ID and the full SQL statement. The new block includes one option to enable statement selection,\n and another to configure the maximum length of the statement text.\n - Add truncate stage for `loki.process` to truncate log entries, label values, and `structured_metadata` values.\n - Add `u_probe_links` \u0026 `load_probe` configuration fields to alloy `pyroscope.ebpf` to extend configuration of\n the `opentelemetry-ebpf-profiler` to allow uprobe profiling and dynamic probing.\n - Add `verbose_mode` configuration fields to `alloy pyroscope.ebpf` to be enable `ebpf-profiler` verbose mode.\n - Add `file_match` block to `loki.source.file` for built-in file discovery using glob patterns.\n - Add a regex argument to the `structured_metadata` stage in `loki.process` to extract labels matching a regular\n expression.\n - OpenTelemetry Collector dependencies upgraded from v0.134.0 to v0.139.0.\n - See the upstream\n [core](https://github.com/open-telemetry/opentelemetry-collector/blob/v0.139.0/CHANGELOG.md)\n and\n [contrib](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/v0.139.0/CHANGELOG.md)\n changelogs for more details.\n - A new `mimir.alerts.kubernetes` component which discovers AlertmanagerConfig Kubernetes resources and loads them\n into a Mimir instance.\n - Mark `stage.windowsevent` block in the `loki.process` component as GA.\n * Enhancements\n - Add per-application rate limiting with the strategy attribute in the `faro.receiver` component, to prevent one\n application from consuming the rate limit quota of others.\n - Add support of tls in components `loki.source.(awsfirehose|gcplog|heroku|api)` and `prometheus.receive_http` and\n `pyroscope.receive_http`.\n - Remove `SendSIGKILL=no` from unit files and recommendations.\n - Reduce memory overhead of `prometheus.remote_write`\u0027s WAL by lowering the size of the allocated series storage.\n - Reduce lock wait/contention on the `labelstore.LabelStore` by removing unecessary usage from\n `prometheus.relabel`.\n - `prometheus.exporter.postgres` dependency has been updated to v0.18.1.\n - Update Beyla component to 2.7.8.\n - Support delimiters in `stage.luhn`.\n - `pyroscope.java`: update `async-profiler` to 4.2.\n - `prometheus.exporter.unix`: Add an arp config block to configure the ARP collector.\n - `prometheus.exporter.snowflake` dependency has been updated to 20251016132346-6d442402afb2.\n - `loki.source.podlogs` now supports `preserve_discovered_labels` parameter to preserve discovered pod metadata\n labels for use by downstream components.\n - Rework underlying framework of Alloy UI to use Vite instead of Create React App.\n - Use POST requests for remote config requests to avoid hitting http2 header limits.\n - `loki.source.api` during component shutdown will now reject all the inflight requests with status code 503 after\n `graceful_shutdown_timeout` has expired.\n - `kubernetes.discovery`: Add support for attaching namespace metadata.\n - Add `meta_cache_address` to `beyla.ebpf` component.\n * Bugfixes\n - Stop `loki.source.kubernetes` discarding log lines with duplicate timestamps.\n - Fix direction of arrows for pyroscope components in UI graph.\n - Only log EOF errors for syslog port investigations in `loki.source.syslog` as Debug, not Warn.\n - Fix `prometheus.exporter.process` ignoring the `remove_empty_groups` argument.\n - Fix issues with \"unknown series ref when trying to add exemplar\" from `prometheus.remote_write` by allowing\n series ref links to be updated if they change.\n - Fix `loki.source.podlogs` component to register the Kubernetes field index for `spec.nodeName` when node\n filtering is enabled, preventing \"Index with name `field:spec.nodeName` does not exist\" errors.\n - Fix issue in `loki.source.file` where scheduling files could take too long.\n - Fix `loki.write` no longer includes internal labels __.\n - Fix missing native histograms custom buckets (NHCB) samples from `prometheus.remote_write`.\n - `otelcol.receiver.prometheus` now supports mixed histograms if `prometheus.scrape` has `honor_metadata` set to\n true.\n - `loki.source.file` has better support for non-UTF-8 encoded files.\n - Fix the `loki.write` endpoint block\u0027s `enable_http2` attribute to actually affect the client.\n - Optionally remove trailing newlines before appending entries in `stage.multiline`.\n - `loki.source.api` no longer drops request when relabel rules drops a specific stream.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-149",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20044-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1251509",
"url": "https://bugzilla.suse.com/1251509"
},
{
"category": "self",
"summary": "SUSE Bug 1251716",
"url": "https://bugzilla.suse.com/1251716"
},
{
"category": "self",
"summary": "SUSE Bug 1253609",
"url": "https://bugzilla.suse.com/1253609"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47911 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47911/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47913 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47913/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58190 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58190/"
}
],
"title": "Security update for alloy",
"tracking": {
"current_release_date": "2026-01-15T17:56:17Z",
"generator": {
"date": "2026-01-15T17:56:17Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:20044-1",
"initial_release_date": "2026-01-15T17:56:17Z",
"revision_history": [
{
"date": "2026-01-15T17:56:17Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "alloy-1.12.1-160000.1.1.aarch64",
"product": {
"name": "alloy-1.12.1-160000.1.1.aarch64",
"product_id": "alloy-1.12.1-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "alloy-1.12.1-160000.1.1.ppc64le",
"product": {
"name": "alloy-1.12.1-160000.1.1.ppc64le",
"product_id": "alloy-1.12.1-160000.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "alloy-1.12.1-160000.1.1.s390x",
"product": {
"name": "alloy-1.12.1-160000.1.1.s390x",
"product_id": "alloy-1.12.1-160000.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "alloy-1.12.1-160000.1.1.x86_64",
"product": {
"name": "alloy-1.12.1-160000.1.1.x86_64",
"product_id": "alloy-1.12.1-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.12.1-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.aarch64"
},
"product_reference": "alloy-1.12.1-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.12.1-160000.1.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.ppc64le"
},
"product_reference": "alloy-1.12.1-160000.1.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.12.1-160000.1.1.s390x as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.s390x"
},
"product_reference": "alloy-1.12.1-160000.1.1.s390x",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.12.1-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.x86_64"
},
"product_reference": "alloy-1.12.1-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47911",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47911"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.ppc64le",
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.s390x",
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47911",
"url": "https://www.suse.com/security/cve/CVE-2025-47911"
},
{
"category": "external",
"summary": "SUSE Bug 1251308 for CVE-2025-47911",
"url": "https://bugzilla.suse.com/1251308"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.ppc64le",
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.s390x",
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.ppc64le",
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.s390x",
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-15T17:56:17Z",
"details": "moderate"
}
],
"title": "CVE-2025-47911"
},
{
"cve": "CVE-2025-47913",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47913"
}
],
"notes": [
{
"category": "general",
"text": "SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.ppc64le",
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.s390x",
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47913",
"url": "https://www.suse.com/security/cve/CVE-2025-47913"
},
{
"category": "external",
"summary": "SUSE Bug 1253506 for CVE-2025-47913",
"url": "https://bugzilla.suse.com/1253506"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.ppc64le",
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.s390x",
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.ppc64le",
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.s390x",
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-15T17:56:17Z",
"details": "important"
}
],
"title": "CVE-2025-47913"
},
{
"cve": "CVE-2025-58190",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58190"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.ppc64le",
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.s390x",
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58190",
"url": "https://www.suse.com/security/cve/CVE-2025-58190"
},
{
"category": "external",
"summary": "SUSE Bug 1251309 for CVE-2025-58190",
"url": "https://bugzilla.suse.com/1251309"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.ppc64le",
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.s390x",
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.ppc64le",
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.s390x",
"openSUSE Leap 16.0:alloy-1.12.1-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-15T17:56:17Z",
"details": "moderate"
}
],
"title": "CVE-2025-58190"
}
]
}
OPENSUSE-SU-2026:20058-1
Vulnerability from csaf_opensuse - Published: 2026-01-17 09:30 - Updated: 2026-01-17 09:30Summary
Security update for go-sendxmpp
Severity
Moderate
Notes
Title of the patch: Security update for go-sendxmpp
Description of the patch: This update for go-sendxmpp fixes the following issues:
Changes in go-sendxmpp:
- Update to 0.15.1:
Added
* Add XEP-0359 Origin-ID to messages (requires go-xmpp >= v0.2.18).
Changed
* HTTP upload: Ignore timeouts on disco IQs as some components do
not reply.
- Upgrades the embedded golang.org/x/net to 0.46.0
* Fixes: bsc#1251461, CVE-2025-47911: various algorithms with
quadratic complexity when parsing HTML documents
* Fixes: bsc#1251677, CVE-2025-58190: excessive memory consumption
by 'html.ParseFragment' when processing specially crafted input
- Update to 0.15.0:
Added:
* Add flag --verbose to show debug information.
* Add flag --recipients to specify recipients by file.
* Add flag --retry-connect to try after a waiting time if the connection fails.
* Add flag --retry-connect-max to specify the amount of retry attempts.
* Add flag --legacy-pgp for using XEP-0027 PGP encryption with Ox keys.
* Add support for punycode domains.
Changed:
* Update gopenpgp library to v3.
* Improve error detection for MUC joins.
* Don't try to connect to other SRV record targets if error contains 'auth-failure'.
* Remove support for old SSDP version (via go-xmpp v0.2.15).
* Http-upload: Stop checking other disco items after finding upload component.
* Increase default TLS version to 1.3.
- bsc#1241814 (CVE-2025-22872): This update includes golang.org/x/net/html 0.43.0
- Update to 0.14.1:
* Use prettier date format for error messages.
* Update XEP-0474 to version 0.4.0 (requires go-xmpp >= 0.2.10).
- Update to 0.14.0:
Added:
* Add --fast-invalidate to allow invalidating the FAST token.
Changed:
* Don't create legacy Ox private key directory in ~/.local/share/go-sendxmpp/oxprivkeys.
* Delete legacy Ox private key directory if it's empty.
* Show proper error if saved FAST mechanism isn't usable with current TLS version (requires go-xmpp >= 0.2.9).
* Print debug output to stdout, not stderr (requires go-xmpp >= 0.2.9).
* Show RECV: and SEND: prefix for debug output (requires go-xmpp >= 0.2.9).
* Delete stored fast token if --fast-invalidate and --fast-off are set.
* Show error when FAST creds are stored but non-FAST mechanism is requested.
- Update to 0.13.0:
Added:
* Add --anonymous to support anonymous authentication (requires go-xmpp >= 0.2.8).
* Add XEP-0480: SASL Upgrade Tasks support (requires go-xmpp >= 0.2.8).
* Add support for see-other-host stream error (requires go-xmpp >= 0.2.8).
Changed:
* Don't automatically try other auth mechanisms if FAST authentication fails.
- Update to 0.12.1:
Changed:
* Print error instead of quitting if a message of type error is received.
* Allow upload of multiple files.
Added:
* Add flag --suppress-root-warning to suppress the warning when go-sendxmpp is used by the root user.
- Update to 0.12.0:
Added:
* Add possibility to look up direct TLS connection endpoint via hostmeta2 (requires xmppsrv >= 0.3.3).
* Add flag --allow-plain to allow PLAIN authentication (requires go-xmpp >= 0.2.5).
Changed:
* Disable PLAIN authentication per default.
* Disable PLAIN authentication after first use of a SCRAM auth mechanism (overrides --allow-plain) (requires
go-xmpp >= 0.2.5).
- Update to 0.11.4:
* Fix bug in SCRAM-SHA-256-PLUS (via go-xmpp >= 0.2.4).
- Update to 0.11.3:
* Add go-xmpp library version to --version output (requires go-xmpp >= 0.2.2).
* Fix XEP-0474: SASL SCRAM Downgrade Protection hash calculation bug (via go-xmpp >= v0.2.3).
* [gocritic]: Improve code quality.
Patchnames: openSUSE-Leap-16.0-packagehub-82
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
6.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
14 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for go-sendxmpp",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for go-sendxmpp fixes the following issues:\n\nChanges in go-sendxmpp:\n\n- Update to 0.15.1:\n Added\n * Add XEP-0359 Origin-ID to messages (requires go-xmpp \u003e= v0.2.18).\n Changed\n * HTTP upload: Ignore timeouts on disco IQs as some components do\n not reply.\n- Upgrades the embedded golang.org/x/net to 0.46.0\n * Fixes: bsc#1251461, CVE-2025-47911: various algorithms with\n quadratic complexity when parsing HTML documents\n * Fixes: bsc#1251677, CVE-2025-58190: excessive memory consumption\n by \u0027html.ParseFragment\u0027 when processing specially crafted input\n\n- Update to 0.15.0:\n Added:\n * Add flag --verbose to show debug information.\n * Add flag --recipients to specify recipients by file.\n * Add flag --retry-connect to try after a waiting time if the connection fails.\n * Add flag --retry-connect-max to specify the amount of retry attempts.\n * Add flag --legacy-pgp for using XEP-0027 PGP encryption with Ox keys.\n * Add support for punycode domains.\n Changed:\n * Update gopenpgp library to v3.\n * Improve error detection for MUC joins.\n * Don\u0027t try to connect to other SRV record targets if error contains \u0027auth-failure\u0027.\n * Remove support for old SSDP version (via go-xmpp v0.2.15).\n * Http-upload: Stop checking other disco items after finding upload component.\n * Increase default TLS version to 1.3.\n- bsc#1241814 (CVE-2025-22872): This update includes golang.org/x/net/html 0.43.0\n\n- Update to 0.14.1:\n * Use prettier date format for error messages.\n * Update XEP-0474 to version 0.4.0 (requires go-xmpp \u003e= 0.2.10).\n\n- Update to 0.14.0:\n Added:\n * Add --fast-invalidate to allow invalidating the FAST token.\n Changed:\n * Don\u0027t create legacy Ox private key directory in ~/.local/share/go-sendxmpp/oxprivkeys.\n * Delete legacy Ox private key directory if it\u0027s empty.\n * Show proper error if saved FAST mechanism isn\u0027t usable with current TLS version (requires go-xmpp \u003e= 0.2.9).\n * Print debug output to stdout, not stderr (requires go-xmpp \u003e= 0.2.9).\n * Show RECV: and SEND: prefix for debug output (requires go-xmpp \u003e= 0.2.9).\n * Delete stored fast token if --fast-invalidate and --fast-off are set.\n * Show error when FAST creds are stored but non-FAST mechanism is requested.\n\n- Update to 0.13.0:\n Added:\n * Add --anonymous to support anonymous authentication (requires go-xmpp \u003e= 0.2.8).\n * Add XEP-0480: SASL Upgrade Tasks support (requires go-xmpp \u003e= 0.2.8).\n * Add support for see-other-host stream error (requires go-xmpp \u003e= 0.2.8).\n Changed:\n * Don\u0027t automatically try other auth mechanisms if FAST authentication fails.\n\n- Update to 0.12.1:\n Changed:\n * Print error instead of quitting if a message of type error is received.\n * Allow upload of multiple files.\n Added:\n * Add flag --suppress-root-warning to suppress the warning when go-sendxmpp is used by the root user.\n\n- Update to 0.12.0:\n Added:\n * Add possibility to look up direct TLS connection endpoint via hostmeta2 (requires xmppsrv \u003e= 0.3.3).\n * Add flag --allow-plain to allow PLAIN authentication (requires go-xmpp \u003e= 0.2.5).\n Changed:\n * Disable PLAIN authentication per default.\n * Disable PLAIN authentication after first use of a SCRAM auth mechanism (overrides --allow-plain) (requires\n go-xmpp \u003e= 0.2.5).\n\n- Update to 0.11.4:\n * Fix bug in SCRAM-SHA-256-PLUS (via go-xmpp \u003e= 0.2.4).\n\n- Update to 0.11.3:\n * Add go-xmpp library version to --version output (requires go-xmpp \u003e= 0.2.2).\n * Fix XEP-0474: SASL SCRAM Downgrade Protection hash calculation bug (via go-xmpp \u003e= v0.2.3).\n * [gocritic]: Improve code quality.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-packagehub-82",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20058-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1241814",
"url": "https://bugzilla.suse.com/1241814"
},
{
"category": "self",
"summary": "SUSE Bug 1251461",
"url": "https://bugzilla.suse.com/1251461"
},
{
"category": "self",
"summary": "SUSE Bug 1251677",
"url": "https://bugzilla.suse.com/1251677"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22872 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22872/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47911 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47911/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58190 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58190/"
}
],
"title": "Security update for go-sendxmpp",
"tracking": {
"current_release_date": "2026-01-17T09:30:33Z",
"generator": {
"date": "2026-01-17T09:30:33Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:20058-1",
"initial_release_date": "2026-01-17T09:30:33Z",
"revision_history": [
{
"date": "2026-01-17T09:30:33Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "go-sendxmpp-0.15.1-bp160.1.1.aarch64",
"product": {
"name": "go-sendxmpp-0.15.1-bp160.1.1.aarch64",
"product_id": "go-sendxmpp-0.15.1-bp160.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "go-sendxmpp-0.15.1-bp160.1.1.ppc64le",
"product": {
"name": "go-sendxmpp-0.15.1-bp160.1.1.ppc64le",
"product_id": "go-sendxmpp-0.15.1-bp160.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "go-sendxmpp-0.15.1-bp160.1.1.s390x",
"product": {
"name": "go-sendxmpp-0.15.1-bp160.1.1.s390x",
"product_id": "go-sendxmpp-0.15.1-bp160.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "go-sendxmpp-0.15.1-bp160.1.1.x86_64",
"product": {
"name": "go-sendxmpp-0.15.1-bp160.1.1.x86_64",
"product_id": "go-sendxmpp-0.15.1-bp160.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "go-sendxmpp-0.15.1-bp160.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.aarch64"
},
"product_reference": "go-sendxmpp-0.15.1-bp160.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-sendxmpp-0.15.1-bp160.1.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.ppc64le"
},
"product_reference": "go-sendxmpp-0.15.1-bp160.1.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-sendxmpp-0.15.1-bp160.1.1.s390x as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.s390x"
},
"product_reference": "go-sendxmpp-0.15.1-bp160.1.1.s390x",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-sendxmpp-0.15.1-bp160.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.x86_64"
},
"product_reference": "go-sendxmpp-0.15.1-bp160.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-22872",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22872"
}
],
"notes": [
{
"category": "general",
"text": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22872",
"url": "https://www.suse.com/security/cve/CVE-2025-22872"
},
{
"category": "external",
"summary": "SUSE Bug 1241710 for CVE-2025-22872",
"url": "https://bugzilla.suse.com/1241710"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-17T09:30:33Z",
"details": "moderate"
}
],
"title": "CVE-2025-22872"
},
{
"cve": "CVE-2025-47911",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47911"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47911",
"url": "https://www.suse.com/security/cve/CVE-2025-47911"
},
{
"category": "external",
"summary": "SUSE Bug 1251308 for CVE-2025-47911",
"url": "https://bugzilla.suse.com/1251308"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-17T09:30:33Z",
"details": "moderate"
}
],
"title": "CVE-2025-47911"
},
{
"cve": "CVE-2025-58190",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58190"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58190",
"url": "https://www.suse.com/security/cve/CVE-2025-58190"
},
{
"category": "external",
"summary": "SUSE Bug 1251309 for CVE-2025-58190",
"url": "https://bugzilla.suse.com/1251309"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:go-sendxmpp-0.15.1-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-17T09:30:33Z",
"details": "moderate"
}
],
"title": "CVE-2025-58190"
}
]
}
OPENSUSE-SU-2026:20105-1
Vulnerability from csaf_opensuse - Published: 2026-01-23 10:02 - Updated: 2026-01-23 10:02Summary
Security update for sbctl
Severity
Moderate
Notes
Title of the patch: Security update for sbctl
Description of the patch: This update for sbctl fixes the following issues:
Changes in sbctl:
- Upgrade the embedded golang.org/x/net to 0.46.0
* Fixes: bsc#1251399, CVE-2025-47911: various algorithms with
quadratic complexity when parsing HTML documents
* Fixes: bsc#1251609, CVE-2025-58190: excessive memory consumption
by 'html.ParseFragment' when processing specially crafted input
- Update to version 0.18:
* logging: fixup new go vet warning
* workflows: add cc for cross compile
* workflow: add sudo to apt
* workflow: add pcsclite to ci
* workflow: try enable cgo
* go.mod: update golang.org/x/ dependencies
* fix: avoid adding bogus Country attribute to subject DNs
* sbctl: only store file if we did actually sign the file
* installkernel: add post install hook for Debian's traditional installkernel
* CI: missing libpcsclite pkg
* workflows: add missing depends and new pattern keyword
* Add yubikey example for create keys to the README
* Initial yubikey backend keytype support
* verify: ensure we pass args in correct order
- bsc#1248949 (CVE-2025-58058):
Bump xz to 0.5.14
- Update to version 0.17:
* Ensure we don't wrongly compare input/output files when signing
* Added --json supprt to sbctl verify
* Ensure sbctl setup with no arguments returns a helpful output
* Import latest Microsoft keys for KEK and db databases
* Ensure we print the path of the file when encountering an invalid PE file
* Misc fixups in tests
* Misc typo fixes in prints
- Update to version 0.16:
* Ensure sbctl reads --config even if /etc/sbctl/sbctl.conf is
present
* Fixed a bug where sbctl would abort if the TPM eventlog
contains the same byte multiple times
* Fixed a landlock bug where enroll-keys --export did not work
* Fixed a bug where an ESP mounted to multiple paths would not be
detected
* Exporting keys without efivars present work again
* sbctl sign will now use the saved output path if the signed
file is enrolled
* enroll-keys --append will now work without --force.
- Updates from version 0.15.4:
* Fixed an issue where sign-all did not report a non-zero exit
code when something failed
* Fixed and issue where we couldn't write to a file with landlock
* Fixed an issue where --json would print the human readable
output and the json
* Fixes landlock for UKI/bundles by disabling the sandbox feature
* Some doc fixups that mentioned /usr/share/
Patchnames: openSUSE-Leap-16.0-packagehub-93
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.3 (Medium)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
14 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for sbctl",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for sbctl fixes the following issues:\n\nChanges in sbctl:\n\n- Upgrade the embedded golang.org/x/net to 0.46.0\n * Fixes: bsc#1251399, CVE-2025-47911: various algorithms with\n quadratic complexity when parsing HTML documents\n * Fixes: bsc#1251609, CVE-2025-58190: excessive memory consumption\n by \u0027html.ParseFragment\u0027 when processing specially crafted input\n\n- Update to version 0.18:\n * logging: fixup new go vet warning\n * workflows: add cc for cross compile\n * workflow: add sudo to apt\n * workflow: add pcsclite to ci\n * workflow: try enable cgo\n * go.mod: update golang.org/x/ dependencies\n * fix: avoid adding bogus Country attribute to subject DNs\n * sbctl: only store file if we did actually sign the file\n * installkernel: add post install hook for Debian\u0027s traditional installkernel\n * CI: missing libpcsclite pkg\n * workflows: add missing depends and new pattern keyword\n * Add yubikey example for create keys to the README\n * Initial yubikey backend keytype support\n * verify: ensure we pass args in correct order\n\n- bsc#1248949 (CVE-2025-58058):\n Bump xz to 0.5.14\n\n- Update to version 0.17:\n * Ensure we don\u0027t wrongly compare input/output files when signing\n * Added --json supprt to sbctl verify\n * Ensure sbctl setup with no arguments returns a helpful output\n * Import latest Microsoft keys for KEK and db databases\n * Ensure we print the path of the file when encountering an invalid PE file\n * Misc fixups in tests\n * Misc typo fixes in prints\n\n- Update to version 0.16:\n * Ensure sbctl reads --config even if /etc/sbctl/sbctl.conf is\n present\n * Fixed a bug where sbctl would abort if the TPM eventlog\n contains the same byte multiple times\n * Fixed a landlock bug where enroll-keys --export did not work\n * Fixed a bug where an ESP mounted to multiple paths would not be\n detected\n * Exporting keys without efivars present work again\n * sbctl sign will now use the saved output path if the signed\n file is enrolled\n * enroll-keys --append will now work without --force.\n- Updates from version 0.15.4:\n * Fixed an issue where sign-all did not report a non-zero exit\n code when something failed\n * Fixed and issue where we couldn\u0027t write to a file with landlock\n * Fixed an issue where --json would print the human readable\n output and the json\n * Fixes landlock for UKI/bundles by disabling the sandbox feature\n * Some doc fixups that mentioned /usr/share/\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-packagehub-93",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20105-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1248949",
"url": "https://bugzilla.suse.com/1248949"
},
{
"category": "self",
"summary": "SUSE Bug 1251399",
"url": "https://bugzilla.suse.com/1251399"
},
{
"category": "self",
"summary": "SUSE Bug 1251609",
"url": "https://bugzilla.suse.com/1251609"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47911 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47911/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58058 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58058/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58190 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58190/"
}
],
"title": "Security update for sbctl",
"tracking": {
"current_release_date": "2026-01-23T10:02:42Z",
"generator": {
"date": "2026-01-23T10:02:42Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:20105-1",
"initial_release_date": "2026-01-23T10:02:42Z",
"revision_history": [
{
"date": "2026-01-23T10:02:42Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "sbctl-0.18-bp160.1.1.aarch64",
"product": {
"name": "sbctl-0.18-bp160.1.1.aarch64",
"product_id": "sbctl-0.18-bp160.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "sbctl-0.18-bp160.1.1.x86_64",
"product": {
"name": "sbctl-0.18-bp160.1.1.x86_64",
"product_id": "sbctl-0.18-bp160.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "sbctl-0.18-bp160.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.aarch64"
},
"product_reference": "sbctl-0.18-bp160.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sbctl-0.18-bp160.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.x86_64"
},
"product_reference": "sbctl-0.18-bp160.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47911",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47911"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.aarch64",
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47911",
"url": "https://www.suse.com/security/cve/CVE-2025-47911"
},
{
"category": "external",
"summary": "SUSE Bug 1251308 for CVE-2025-47911",
"url": "https://bugzilla.suse.com/1251308"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.aarch64",
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.aarch64",
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-23T10:02:42Z",
"details": "moderate"
}
],
"title": "CVE-2025-47911"
},
{
"cve": "CVE-2025-58058",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58058"
}
],
"notes": [
{
"category": "general",
"text": "xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn\u0027t include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.aarch64",
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58058",
"url": "https://www.suse.com/security/cve/CVE-2025-58058"
},
{
"category": "external",
"summary": "SUSE Bug 1248889 for CVE-2025-58058",
"url": "https://bugzilla.suse.com/1248889"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.aarch64",
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.aarch64",
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-23T10:02:42Z",
"details": "moderate"
}
],
"title": "CVE-2025-58058"
},
{
"cve": "CVE-2025-58190",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58190"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.aarch64",
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58190",
"url": "https://www.suse.com/security/cve/CVE-2025-58190"
},
{
"category": "external",
"summary": "SUSE Bug 1251309 for CVE-2025-58190",
"url": "https://bugzilla.suse.com/1251309"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.aarch64",
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.aarch64",
"openSUSE Leap 16.0:sbctl-0.18-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-23T10:02:42Z",
"details": "moderate"
}
],
"title": "CVE-2025-58190"
}
]
}
OPENSUSE-SU-2026:20132-1
Vulnerability from csaf_opensuse - Published: 2026-01-29 15:32 - Updated: 2026-01-29 15:32Summary
Security update for elemental-register, elemental-toolkit
Severity
Important
Notes
Title of the patch: Security update for elemental-register, elemental-toolkit
Description of the patch: This update for elemental-register, elemental-toolkit fixes the following issues:
elemental-register was updated to 1.8.1:
Changes on top of v1.8.1:
* Update headers to 2026
* Update questions to include SL Micro 6.2
Update to v1.8.1:
* Install yip config files in before-install step
* Bump github.com/rancher-sandbox/go-tpm and its dependencies
This includes few CVE fixes:
* bsc#1241826 (CVE-2025-22872)
* bsc#1241857 (CVE-2025-22872)
* bsc#1251511 (CVE-2025-47911)
* bsc#1251679 (CVE-2025-58190)
elemental-toolkit was updated to v2.3.2:
* Bump golang.org/x/crypto library
This includes few CVE fixes:
* bsc#1241826 (CVE-2025-22872)
* bsc#1241857 (CVE-2025-22872)
* bsc#1251511 (CVE-2025-47911)
* bsc#1251679 (CVE-2025-58190)
* bsc#1253581 (CVE-2025-47913)
* bsc#1253901 (CVE-2025-58181)
* bsc#1254079 (CVE-2025-47914)
Patchnames: openSUSE-Leap-16.0-217
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
6.5 (Medium)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.3 (Medium)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
27 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for elemental-register, elemental-toolkit",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for elemental-register, elemental-toolkit fixes the following issues:\n\nelemental-register was updated to 1.8.1:\n\nChanges on top of v1.8.1:\n\n * Update headers to 2026\n * Update questions to include SL Micro 6.2\n\nUpdate to v1.8.1:\n\n * Install yip config files in before-install step\n * Bump github.com/rancher-sandbox/go-tpm and its dependencies\n This includes few CVE fixes:\n * bsc#1241826 (CVE-2025-22872)\n * bsc#1241857 (CVE-2025-22872)\n * bsc#1251511 (CVE-2025-47911)\n * bsc#1251679 (CVE-2025-58190)\n\nelemental-toolkit was updated to v2.3.2:\n\n * Bump golang.org/x/crypto library\n This includes few CVE fixes:\n * bsc#1241826 (CVE-2025-22872)\n * bsc#1241857 (CVE-2025-22872)\n * bsc#1251511 (CVE-2025-47911)\n * bsc#1251679 (CVE-2025-58190)\n * bsc#1253581 (CVE-2025-47913)\n * bsc#1253901 (CVE-2025-58181)\n * bsc#1254079 (CVE-2025-47914)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-217",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20132-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1241826",
"url": "https://bugzilla.suse.com/1241826"
},
{
"category": "self",
"summary": "SUSE Bug 1241857",
"url": "https://bugzilla.suse.com/1241857"
},
{
"category": "self",
"summary": "SUSE Bug 1251511",
"url": "https://bugzilla.suse.com/1251511"
},
{
"category": "self",
"summary": "SUSE Bug 1251679",
"url": "https://bugzilla.suse.com/1251679"
},
{
"category": "self",
"summary": "SUSE Bug 1253581",
"url": "https://bugzilla.suse.com/1253581"
},
{
"category": "self",
"summary": "SUSE Bug 1253901",
"url": "https://bugzilla.suse.com/1253901"
},
{
"category": "self",
"summary": "SUSE Bug 1254079",
"url": "https://bugzilla.suse.com/1254079"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22872 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22872/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47911 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47911/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47913 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47913/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47914 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47914/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58181 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58181/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58190 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58190/"
}
],
"title": "Security update for elemental-register, elemental-toolkit",
"tracking": {
"current_release_date": "2026-01-29T15:32:26Z",
"generator": {
"date": "2026-01-29T15:32:26Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:20132-1",
"initial_release_date": "2026-01-29T15:32:26Z",
"revision_history": [
{
"date": "2026-01-29T15:32:26Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "elemental-register-1.8.1-160000.1.1.aarch64",
"product": {
"name": "elemental-register-1.8.1-160000.1.1.aarch64",
"product_id": "elemental-register-1.8.1-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "elemental-support-1.8.1-160000.1.1.aarch64",
"product": {
"name": "elemental-support-1.8.1-160000.1.1.aarch64",
"product_id": "elemental-support-1.8.1-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "elemental-toolkit-2.3.2-160000.1.1.aarch64",
"product": {
"name": "elemental-toolkit-2.3.2-160000.1.1.aarch64",
"product_id": "elemental-toolkit-2.3.2-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "elemental-toolkit-2.3.2-160000.1.1.ppc64le",
"product": {
"name": "elemental-toolkit-2.3.2-160000.1.1.ppc64le",
"product_id": "elemental-toolkit-2.3.2-160000.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "elemental-toolkit-2.3.2-160000.1.1.s390x",
"product": {
"name": "elemental-toolkit-2.3.2-160000.1.1.s390x",
"product_id": "elemental-toolkit-2.3.2-160000.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "elemental-register-1.8.1-160000.1.1.x86_64",
"product": {
"name": "elemental-register-1.8.1-160000.1.1.x86_64",
"product_id": "elemental-register-1.8.1-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "elemental-support-1.8.1-160000.1.1.x86_64",
"product": {
"name": "elemental-support-1.8.1-160000.1.1.x86_64",
"product_id": "elemental-support-1.8.1-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "elemental-toolkit-2.3.2-160000.1.1.x86_64",
"product": {
"name": "elemental-toolkit-2.3.2-160000.1.1.x86_64",
"product_id": "elemental-toolkit-2.3.2-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "elemental-register-1.8.1-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.aarch64"
},
"product_reference": "elemental-register-1.8.1-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "elemental-register-1.8.1-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.x86_64"
},
"product_reference": "elemental-register-1.8.1-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "elemental-support-1.8.1-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.aarch64"
},
"product_reference": "elemental-support-1.8.1-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "elemental-support-1.8.1-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.x86_64"
},
"product_reference": "elemental-support-1.8.1-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "elemental-toolkit-2.3.2-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.aarch64"
},
"product_reference": "elemental-toolkit-2.3.2-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "elemental-toolkit-2.3.2-160000.1.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.ppc64le"
},
"product_reference": "elemental-toolkit-2.3.2-160000.1.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "elemental-toolkit-2.3.2-160000.1.1.s390x as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.s390x"
},
"product_reference": "elemental-toolkit-2.3.2-160000.1.1.s390x",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "elemental-toolkit-2.3.2-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.x86_64"
},
"product_reference": "elemental-toolkit-2.3.2-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-22872",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22872"
}
],
"notes": [
{
"category": "general",
"text": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.ppc64le",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.s390x",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22872",
"url": "https://www.suse.com/security/cve/CVE-2025-22872"
},
{
"category": "external",
"summary": "SUSE Bug 1241710 for CVE-2025-22872",
"url": "https://bugzilla.suse.com/1241710"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.ppc64le",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.s390x",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.ppc64le",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.s390x",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-29T15:32:26Z",
"details": "moderate"
}
],
"title": "CVE-2025-22872"
},
{
"cve": "CVE-2025-47911",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47911"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.ppc64le",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.s390x",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47911",
"url": "https://www.suse.com/security/cve/CVE-2025-47911"
},
{
"category": "external",
"summary": "SUSE Bug 1251308 for CVE-2025-47911",
"url": "https://bugzilla.suse.com/1251308"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.ppc64le",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.s390x",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.ppc64le",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.s390x",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-29T15:32:26Z",
"details": "moderate"
}
],
"title": "CVE-2025-47911"
},
{
"cve": "CVE-2025-47913",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47913"
}
],
"notes": [
{
"category": "general",
"text": "SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.ppc64le",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.s390x",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47913",
"url": "https://www.suse.com/security/cve/CVE-2025-47913"
},
{
"category": "external",
"summary": "SUSE Bug 1253506 for CVE-2025-47913",
"url": "https://bugzilla.suse.com/1253506"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.ppc64le",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.s390x",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.ppc64le",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.s390x",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-29T15:32:26Z",
"details": "important"
}
],
"title": "CVE-2025-47913"
},
{
"cve": "CVE-2025-47914",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47914"
}
],
"notes": [
{
"category": "general",
"text": "SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.ppc64le",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.s390x",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47914",
"url": "https://www.suse.com/security/cve/CVE-2025-47914"
},
{
"category": "external",
"summary": "SUSE Bug 1253967 for CVE-2025-47914",
"url": "https://bugzilla.suse.com/1253967"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.ppc64le",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.s390x",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.ppc64le",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.s390x",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-29T15:32:26Z",
"details": "moderate"
}
],
"title": "CVE-2025-47914"
},
{
"cve": "CVE-2025-58181",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58181"
}
],
"notes": [
{
"category": "general",
"text": "SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.ppc64le",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.s390x",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58181",
"url": "https://www.suse.com/security/cve/CVE-2025-58181"
},
{
"category": "external",
"summary": "SUSE Bug 1253784 for CVE-2025-58181",
"url": "https://bugzilla.suse.com/1253784"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.ppc64le",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.s390x",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.ppc64le",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.s390x",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-29T15:32:26Z",
"details": "moderate"
}
],
"title": "CVE-2025-58181"
},
{
"cve": "CVE-2025-58190",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58190"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.ppc64le",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.s390x",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58190",
"url": "https://www.suse.com/security/cve/CVE-2025-58190"
},
{
"category": "external",
"summary": "SUSE Bug 1251309 for CVE-2025-58190",
"url": "https://bugzilla.suse.com/1251309"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.ppc64le",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.s390x",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-register-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-support-1.8.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.aarch64",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.ppc64le",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.s390x",
"openSUSE Leap 16.0:elemental-toolkit-2.3.2-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-29T15:32:26Z",
"details": "moderate"
}
],
"title": "CVE-2025-58190"
}
]
}
OPENSUSE-SU-2026:20206-1
Vulnerability from csaf_opensuse - Published: 2026-02-13 08:53 - Updated: 2026-02-13 08:53Summary
Security update for kepler
Severity
Moderate
Notes
Title of the patch: Security update for kepler
Description of the patch: This update for kepler fixes the following issues:
Update to version 0.11.3.
Security issues fixed:
- CVE-2025-47911: golang.org/x/net/html: quadratic complexity algorithms used when parsing untrusted HTML documents
(bsc#1251427).
- CVE-2025-58190: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially
crafted input (bsc#1251632).
Other updates and bugfixes:
- Version 0.11.2:
* Fix: Fix node power metrics for Virtual Machines.
* Fix: Resolve an issue with pod energy metrics when a container has no usage.
- Version 0.11.1:
* Fix: Added missing serviceaccount in the Helm chart.
- Version 0.11.0:
* Feature: Added support for platform power metrics (AC).
* Feature: Introduced experimental support for trained power models.
* Fix: Improved the accuracy of power estimation for Virtual Machines.
* Breaking Change: Metrics related to `kepler_vm_` have been refactored.
- Version 0.10.1:
* Feature: Added support for the ARM64 architecture.
* Fix: Addressed issues when running on Virtual Machines without RAPL.
* Fix: Includes several other bug fixes and stability improvements.
- Version 0.10.0:
* Breaking Change: This is a major rewrite with significant architectural changes.
* Breaking Change: Legacy versions (0.9.0 and earlier) are now frozen, with no new features or bug fixes.
* Breaking Change: The configuration format has been updated.
* Breaking Change: The Kepler Model Server is not compatible with this version and above.
* Feature: New modular architecture for better extensibility.
* Feature: Enhanced performance and accuracy with dynamic detection of RAPL zones.
* Feature: Reduced security requirements, no longer needing CAP_SYS_ADMIN or CAP_BPF capabilities.
* Fix: Significantly reduced resource usage.
- Version 0.9.0:
* Note: This is the final legacy release.
* Feature: Added support for GPU power monitoring.
* Feature: Introduced a model server for training power models.
- Version 0.8.2:
* Fix: Addressed a bug in RAPL power calculation on multi-socket systems.
- Version 0.8.1:
* Fix: This version includes multiple bug fixes and stability improvements.
- Version 0.8.0:
* Feature: Introduced a new estimator framework.
* Breaking Change: The API is backward incompatible with previous versions.
- Version 0.7.12:
* Fix: This version includes multiple bug fixes and stability improvements.
Patchnames: openSUSE-Leap-16.0-261
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.3 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
10 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for kepler",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for kepler fixes the following issues:\n\nUpdate to version 0.11.3.\n\nSecurity issues fixed:\n\n- CVE-2025-47911: golang.org/x/net/html: quadratic complexity algorithms used when parsing untrusted HTML documents\n (bsc#1251427).\n- CVE-2025-58190: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially\n crafted input (bsc#1251632).\n\nOther updates and bugfixes:\n\n- Version 0.11.2:\n * Fix: Fix node power metrics for Virtual Machines.\n * Fix: Resolve an issue with pod energy metrics when a container has no usage.\n\n- Version 0.11.1:\n * Fix: Added missing serviceaccount in the Helm chart.\n\n- Version 0.11.0:\n * Feature: Added support for platform power metrics (AC).\n * Feature: Introduced experimental support for trained power models.\n * Fix: Improved the accuracy of power estimation for Virtual Machines.\n * Breaking Change: Metrics related to `kepler_vm_` have been refactored.\n\n- Version 0.10.1:\n * Feature: Added support for the ARM64 architecture.\n * Fix: Addressed issues when running on Virtual Machines without RAPL.\n * Fix: Includes several other bug fixes and stability improvements.\n\n- Version 0.10.0:\n * Breaking Change: This is a major rewrite with significant architectural changes.\n * Breaking Change: Legacy versions (0.9.0 and earlier) are now frozen, with no new features or bug fixes.\n * Breaking Change: The configuration format has been updated.\n * Breaking Change: The Kepler Model Server is not compatible with this version and above.\n * Feature: New modular architecture for better extensibility.\n * Feature: Enhanced performance and accuracy with dynamic detection of RAPL zones.\n * Feature: Reduced security requirements, no longer needing CAP_SYS_ADMIN or CAP_BPF capabilities.\n * Fix: Significantly reduced resource usage.\n\n- Version 0.9.0:\n * Note: This is the final legacy release.\n * Feature: Added support for GPU power monitoring.\n * Feature: Introduced a model server for training power models.\n\n- Version 0.8.2:\n * Fix: Addressed a bug in RAPL power calculation on multi-socket systems.\n\n- Version 0.8.1:\n * Fix: This version includes multiple bug fixes and stability improvements.\n\n- Version 0.8.0:\n * Feature: Introduced a new estimator framework.\n * Breaking Change: The API is backward incompatible with previous versions.\n\n- Version 0.7.12:\n * Fix: This version includes multiple bug fixes and stability improvements.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-261",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20206-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1251427",
"url": "https://bugzilla.suse.com/1251427"
},
{
"category": "self",
"summary": "SUSE Bug 1251632",
"url": "https://bugzilla.suse.com/1251632"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47911 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47911/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58190 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58190/"
}
],
"title": "Security update for kepler",
"tracking": {
"current_release_date": "2026-02-13T08:53:10Z",
"generator": {
"date": "2026-02-13T08:53:10Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:20206-1",
"initial_release_date": "2026-02-13T08:53:10Z",
"revision_history": [
{
"date": "2026-02-13T08:53:10Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kepler-0.11.3-160000.1.1.aarch64",
"product": {
"name": "kepler-0.11.3-160000.1.1.aarch64",
"product_id": "kepler-0.11.3-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "kepler-0.11.3-160000.1.1.ppc64le",
"product": {
"name": "kepler-0.11.3-160000.1.1.ppc64le",
"product_id": "kepler-0.11.3-160000.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "kepler-0.11.3-160000.1.1.s390x",
"product": {
"name": "kepler-0.11.3-160000.1.1.s390x",
"product_id": "kepler-0.11.3-160000.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "kepler-0.11.3-160000.1.1.x86_64",
"product": {
"name": "kepler-0.11.3-160000.1.1.x86_64",
"product_id": "kepler-0.11.3-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kepler-0.11.3-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.aarch64"
},
"product_reference": "kepler-0.11.3-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kepler-0.11.3-160000.1.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.ppc64le"
},
"product_reference": "kepler-0.11.3-160000.1.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kepler-0.11.3-160000.1.1.s390x as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.s390x"
},
"product_reference": "kepler-0.11.3-160000.1.1.s390x",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kepler-0.11.3-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.x86_64"
},
"product_reference": "kepler-0.11.3-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47911",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47911"
}
],
"notes": [
{
"category": "general",
"text": "The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.aarch64",
"openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.ppc64le",
"openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.s390x",
"openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47911",
"url": "https://www.suse.com/security/cve/CVE-2025-47911"
},
{
"category": "external",
"summary": "SUSE Bug 1251308 for CVE-2025-47911",
"url": "https://bugzilla.suse.com/1251308"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.aarch64",
"openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.ppc64le",
"openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.s390x",
"openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.aarch64",
"openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.ppc64le",
"openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.s390x",
"openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-13T08:53:10Z",
"details": "moderate"
}
],
"title": "CVE-2025-47911"
},
{
"cve": "CVE-2025-58190",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58190"
}
],
"notes": [
{
"category": "general",
"text": "The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.aarch64",
"openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.ppc64le",
"openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.s390x",
"openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58190",
"url": "https://www.suse.com/security/cve/CVE-2025-58190"
},
{
"category": "external",
"summary": "SUSE Bug 1251309 for CVE-2025-58190",
"url": "https://bugzilla.suse.com/1251309"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.aarch64",
"openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.ppc64le",
"openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.s390x",
"openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.aarch64",
"openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.ppc64le",
"openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.s390x",
"openSUSE Leap 16.0:kepler-0.11.3-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-13T08:53:10Z",
"details": "moderate"
}
],
"title": "CVE-2025-58190"
}
]
}
OPENSUSE-SU-2026:20318-1
Vulnerability from csaf_opensuse - Published: 2026-03-03 14:44 - Updated: 2026-03-03 14:44Summary
Security update for gitea-tea
Severity
Moderate
Notes
Title of the patch: Security update for gitea-tea
Description of the patch: This update for gitea-tea fixes the following issues:
Changes in gitea-tea:
- update to 0.12.0:
* New Features
- Add tea actions commands for managing workflow runs and
workflows in #880, #796
- Add tea api subcommand for arbitrary API calls not covered by
existing commands in #879
- Add repository webhook management commands in #798
- Add JSON output support for single PR view in #864
- Add JSON output and file redirection for issue detail view in
#841
- Support creating AGit flow pull requests in #867
* Bug Fixes
- Fix authentication via environment variables when specifying
repo argument in #809
- Fix issue detail view ignoring --owner flag in #899
- Fix PR create crash in #823
- Fix TTY prompt handling in #897
- Fix termenv OSC RGBA handling in #907
- Fix labels delete command and --id flag type in #865
- Fix delete repo command description in #858
- Fix pagination flags for secrets list, webhooks list, and
pull requests list in #853, #852,
- #851
- Enable git worktree support and improve PR create error
handling in #850
- Only prompt for SSH passphrase when necessary in #844
- Only prompt for login confirmation when no default login is
set in #839
- Skip token uniqueness check when using SSH authentication in
#898
- Require non-empty token in GetLoginByToken in #895
- Fix config file permissions to remove group read/write in
#856
* Improvements
- Add file locking for safe concurrent access to config file in
#881
- Improve error messages throughout the CLI in #871
- Send consistent HTTP request headers in #888
- Revert requiring HTTP/HTTPS login URLs; restore SSH as a
login method in #891
- Refactor context into dedicated subpackages in #873, #888
- General code cleanup and improvements in #869, #870
- Add test coverage for login matching in #820
* Build & Dependencies
- Build with Go 1.25 in #886
- Build for Windows aarch64
- Update Gitea SDK version in #868
- Update Nix flake in #872
- Update dependencies including lipgloss v2, urfave/cli v3.6.2,
go-git v5.16.5, and various Go modules in #849, #875, #876,
#878, #884, #885, #900, #901, #904, #905
- Update CI actions (checkout v6, setup-go v6) in #882, #883
Patchnames: openSUSE-Leap-16.0-packagehub-146
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.3 (Medium)
Affected products
Recommended
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:gitea-tea-bash-completion-0.12.0-bp160.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:gitea-tea-zsh-completion-0.12.0-bp160.1.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:gitea-tea-bash-completion-0.12.0-bp160.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:gitea-tea-zsh-completion-0.12.0-bp160.1.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for gitea-tea",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for gitea-tea fixes the following issues:\n\nChanges in gitea-tea:\n\n- update to 0.12.0:\n * New Features\n - Add tea actions commands for managing workflow runs and\n workflows in #880, #796\n - Add tea api subcommand for arbitrary API calls not covered by\n existing commands in #879\n - Add repository webhook management commands in #798\n - Add JSON output support for single PR view in #864\n - Add JSON output and file redirection for issue detail view in\n #841\n - Support creating AGit flow pull requests in #867\n * Bug Fixes\n - Fix authentication via environment variables when specifying\n repo argument in #809\n - Fix issue detail view ignoring --owner flag in #899\n - Fix PR create crash in #823\n - Fix TTY prompt handling in #897\n - Fix termenv OSC RGBA handling in #907\n - Fix labels delete command and --id flag type in #865\n - Fix delete repo command description in #858\n - Fix pagination flags for secrets list, webhooks list, and\n pull requests list in #853, #852,\n - #851\n - Enable git worktree support and improve PR create error\n handling in #850\n - Only prompt for SSH passphrase when necessary in #844\n - Only prompt for login confirmation when no default login is\n set in #839\n - Skip token uniqueness check when using SSH authentication in\n #898\n - Require non-empty token in GetLoginByToken in #895\n - Fix config file permissions to remove group read/write in\n #856\n * Improvements\n - Add file locking for safe concurrent access to config file in\n #881\n - Improve error messages throughout the CLI in #871\n - Send consistent HTTP request headers in #888\n - Revert requiring HTTP/HTTPS login URLs; restore SSH as a\n login method in #891\n - Refactor context into dedicated subpackages in #873, #888\n - General code cleanup and improvements in #869, #870\n - Add test coverage for login matching in #820\n * Build \u0026 Dependencies\n - Build with Go 1.25 in #886\n - Build for Windows aarch64\n - Update Gitea SDK version in #868\n - Update Nix flake in #872\n - Update dependencies including lipgloss v2, urfave/cli v3.6.2,\n go-git v5.16.5, and various Go modules in #849, #875, #876,\n #878, #884, #885, #900, #901, #904, #905\n - Update CI actions (checkout v6, setup-go v6) in #882, #883\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-packagehub-146",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20318-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47911 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47911/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58190 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58190/"
}
],
"title": "Security update for gitea-tea",
"tracking": {
"current_release_date": "2026-03-03T14:44:11Z",
"generator": {
"date": "2026-03-03T14:44:11Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:20318-1",
"initial_release_date": "2026-03-03T14:44:11Z",
"revision_history": [
{
"date": "2026-03-03T14:44:11Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "gitea-tea-0.12.0-bp160.1.1.aarch64",
"product": {
"name": "gitea-tea-0.12.0-bp160.1.1.aarch64",
"product_id": "gitea-tea-0.12.0-bp160.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "gitea-tea-bash-completion-0.12.0-bp160.1.1.noarch",
"product": {
"name": "gitea-tea-bash-completion-0.12.0-bp160.1.1.noarch",
"product_id": "gitea-tea-bash-completion-0.12.0-bp160.1.1.noarch"
}
},
{
"category": "product_version",
"name": "gitea-tea-zsh-completion-0.12.0-bp160.1.1.noarch",
"product": {
"name": "gitea-tea-zsh-completion-0.12.0-bp160.1.1.noarch",
"product_id": "gitea-tea-zsh-completion-0.12.0-bp160.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "gitea-tea-0.12.0-bp160.1.1.ppc64le",
"product": {
"name": "gitea-tea-0.12.0-bp160.1.1.ppc64le",
"product_id": "gitea-tea-0.12.0-bp160.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "gitea-tea-0.12.0-bp160.1.1.s390x",
"product": {
"name": "gitea-tea-0.12.0-bp160.1.1.s390x",
"product_id": "gitea-tea-0.12.0-bp160.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "gitea-tea-0.12.0-bp160.1.1.x86_64",
"product": {
"name": "gitea-tea-0.12.0-bp160.1.1.x86_64",
"product_id": "gitea-tea-0.12.0-bp160.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "gitea-tea-0.12.0-bp160.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.aarch64"
},
"product_reference": "gitea-tea-0.12.0-bp160.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gitea-tea-0.12.0-bp160.1.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.ppc64le"
},
"product_reference": "gitea-tea-0.12.0-bp160.1.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gitea-tea-0.12.0-bp160.1.1.s390x as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.s390x"
},
"product_reference": "gitea-tea-0.12.0-bp160.1.1.s390x",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gitea-tea-0.12.0-bp160.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.x86_64"
},
"product_reference": "gitea-tea-0.12.0-bp160.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gitea-tea-bash-completion-0.12.0-bp160.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:gitea-tea-bash-completion-0.12.0-bp160.1.1.noarch"
},
"product_reference": "gitea-tea-bash-completion-0.12.0-bp160.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gitea-tea-zsh-completion-0.12.0-bp160.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:gitea-tea-zsh-completion-0.12.0-bp160.1.1.noarch"
},
"product_reference": "gitea-tea-zsh-completion-0.12.0-bp160.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47911",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47911"
}
],
"notes": [
{
"category": "general",
"text": "The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.x86_64",
"openSUSE Leap 16.0:gitea-tea-bash-completion-0.12.0-bp160.1.1.noarch",
"openSUSE Leap 16.0:gitea-tea-zsh-completion-0.12.0-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47911",
"url": "https://www.suse.com/security/cve/CVE-2025-47911"
},
{
"category": "external",
"summary": "SUSE Bug 1251308 for CVE-2025-47911",
"url": "https://bugzilla.suse.com/1251308"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.x86_64",
"openSUSE Leap 16.0:gitea-tea-bash-completion-0.12.0-bp160.1.1.noarch",
"openSUSE Leap 16.0:gitea-tea-zsh-completion-0.12.0-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.x86_64",
"openSUSE Leap 16.0:gitea-tea-bash-completion-0.12.0-bp160.1.1.noarch",
"openSUSE Leap 16.0:gitea-tea-zsh-completion-0.12.0-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-03T14:44:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-47911"
},
{
"cve": "CVE-2025-58190",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58190"
}
],
"notes": [
{
"category": "general",
"text": "The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.x86_64",
"openSUSE Leap 16.0:gitea-tea-bash-completion-0.12.0-bp160.1.1.noarch",
"openSUSE Leap 16.0:gitea-tea-zsh-completion-0.12.0-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58190",
"url": "https://www.suse.com/security/cve/CVE-2025-58190"
},
{
"category": "external",
"summary": "SUSE Bug 1251309 for CVE-2025-58190",
"url": "https://bugzilla.suse.com/1251309"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.x86_64",
"openSUSE Leap 16.0:gitea-tea-bash-completion-0.12.0-bp160.1.1.noarch",
"openSUSE Leap 16.0:gitea-tea-zsh-completion-0.12.0-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:gitea-tea-0.12.0-bp160.1.1.x86_64",
"openSUSE Leap 16.0:gitea-tea-bash-completion-0.12.0-bp160.1.1.noarch",
"openSUSE Leap 16.0:gitea-tea-zsh-completion-0.12.0-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-03T14:44:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-58190"
}
]
}
OPENSUSE-SU-2026:20327-1
Vulnerability from csaf_opensuse - Published: 2026-03-05 14:27 - Updated: 2026-03-05 14:27Summary
Security update for helm
Severity
Moderate
Notes
Title of the patch: Security update for helm
Description of the patch: This update for helm fixes the following issues:
- Update to version 3.19.1:
* CVE-2025-47911: golang.org/x/net/html: Fixed various algorithms with
quadratic complexity when parsing HTML documents (bsc#1251442)
* CVE-2025-58190: golang.org/x/net/html: Fixed xcessive memory
consumption by `html.ParseFragment` when processing specially
crafted input (bsc#1251649)
* jsonschema: warn and ignore unresolved URN $ref to match
v3.18.4
* Avoid "panic: interface conversion: interface {} is nil"
* Fix `helm pull` untar dir check with repo urls
* Fix deprecation warning
* Add timeout flag to repo add and update flags
- Update to version 3.19.0:
* bump version to v3.19.0
* fix: use username and password if provided
* fix(helm-lint): fmt
* fix(helm-lint): Add TLSClientConfig
* fix(helm-lint): Add HTTP/HTTPS URL support for json schema references
* chore(deps): bump the k8s-io group with 7 updates
* fix: go mod tidy for v3
* fix Chart.yaml handling
* Handle messy index files
* json schema fix
* fix: k8s version parsing to match original
* Do not explicitly set SNI in HTTPGetter
* Disabling linter due to unknown issue
* Updating link handling
* fix: user username password for login
* Update pkg/registry/transport.go
* fix: add debug logging to oci transport
* fix: legacy docker support broken for login
* fix: plugin installer test with no Internet
* Handle an empty registry config file.
* Prevent fetching newReference again as we have in calling method
* Prevent failure when resolving version tags in oras memory store
* fix(client): skipnode utilization for PreCopy
* test: Skip instead of returning early. looks more intentional
* test: tests repo stripping functionality
* test: include tests for Login based on different protocol prefixes
* fix(client): layers now returns manifest - remove duplicate from descriptors
* fix(client): return nil on non-allowed media types
* Fix 3.18.0 regression: registry login with scheme
* Update pkg/plugin/plugin.go
* Wait for Helm v4 before raising when platformCommand and Command are set
* Revert "fix (helm) : toToml` renders int as float [ backport to v3 ]"
* build(deps): bump the k8s-io group with 7 updates
* chore: update generalization warning message
* fix: move warning to top of block
* fix: govulncheck workflow
* fix: replace fmt warning with slog
* fix: add warning when ignore repo flag
* feat: add httproute from gateway-api to create chart template
- Update to version 3.18.6:
* fix(helm-lint): fmt
* fix(helm-lint): Add TLSClientConfig
* fix(helm-lint): Add HTTP/HTTPS URL support for json schema
references
- Update to version 3.18.5:
* fix Chart.yaml handling 7799b48 (Matt Farina)
* Handle messy index files dd8502f (Matt Farina)
* json schema fix cb8595b (Robert Sirchia)
- Fix shell completion dependencies
* Add BuildRequires to prevent inclusion of folders owned by shells.
* Add Requires because installing completions without appropriate
shell is questionable.
- Fix zsh completion location
Patchnames: openSUSE-Leap-16.0-360
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.3 (Medium)
Affected products
Recommended
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:helm-3.19.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:helm-3.19.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:helm-3.19.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:helm-3.19.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:helm-bash-completion-3.19.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:helm-fish-completion-3.19.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:helm-zsh-completion-3.19.1-160000.1.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:helm-3.19.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:helm-3.19.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:helm-3.19.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:helm-3.19.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:helm-bash-completion-3.19.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:helm-fish-completion-3.19.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:helm-zsh-completion-3.19.1-160000.1.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
References
10 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for helm",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for helm fixes the following issues:\n\n- Update to version 3.19.1:\n * CVE-2025-47911: golang.org/x/net/html: Fixed various algorithms with\n quadratic complexity when parsing HTML documents (bsc#1251442)\n * CVE-2025-58190: golang.org/x/net/html: Fixed xcessive memory\n consumption by `html.ParseFragment` when processing specially\n crafted input (bsc#1251649)\n * jsonschema: warn and ignore unresolved URN $ref to match\n v3.18.4\n * Avoid \"panic: interface conversion: interface {} is nil\"\n * Fix `helm pull` untar dir check with repo urls\n * Fix deprecation warning\n * Add timeout flag to repo add and update flags\n\n- Update to version 3.19.0:\n * bump version to v3.19.0\n * fix: use username and password if provided\n * fix(helm-lint): fmt\n * fix(helm-lint): Add TLSClientConfig\n * fix(helm-lint): Add HTTP/HTTPS URL support for json schema references\n * chore(deps): bump the k8s-io group with 7 updates\n * fix: go mod tidy for v3\n * fix Chart.yaml handling\n * Handle messy index files\n * json schema fix\n * fix: k8s version parsing to match original\n * Do not explicitly set SNI in HTTPGetter\n * Disabling linter due to unknown issue\n * Updating link handling\n * fix: user username password for login\n * Update pkg/registry/transport.go\n * fix: add debug logging to oci transport\n * fix: legacy docker support broken for login\n * fix: plugin installer test with no Internet\n * Handle an empty registry config file.\n * Prevent fetching newReference again as we have in calling method\n * Prevent failure when resolving version tags in oras memory store\n * fix(client): skipnode utilization for PreCopy\n * test: Skip instead of returning early. looks more intentional\n * test: tests repo stripping functionality\n * test: include tests for Login based on different protocol prefixes\n * fix(client): layers now returns manifest - remove duplicate from descriptors\n * fix(client): return nil on non-allowed media types\n * Fix 3.18.0 regression: registry login with scheme\n * Update pkg/plugin/plugin.go\n * Wait for Helm v4 before raising when platformCommand and Command are set\n * Revert \"fix (helm) : toToml` renders int as float [ backport to v3 ]\"\n * build(deps): bump the k8s-io group with 7 updates\n * chore: update generalization warning message\n * fix: move warning to top of block\n * fix: govulncheck workflow\n * fix: replace fmt warning with slog\n * fix: add warning when ignore repo flag\n * feat: add httproute from gateway-api to create chart template\n\n- Update to version 3.18.6:\n * fix(helm-lint): fmt\n * fix(helm-lint): Add TLSClientConfig\n * fix(helm-lint): Add HTTP/HTTPS URL support for json schema\n references\n\n- Update to version 3.18.5:\n * fix Chart.yaml handling 7799b48 (Matt Farina)\n * Handle messy index files dd8502f (Matt Farina)\n * json schema fix cb8595b (Robert Sirchia)\n\n- Fix shell completion dependencies\n * Add BuildRequires to prevent inclusion of folders owned by shells.\n * Add Requires because installing completions without appropriate\n shell is questionable.\n\n- Fix zsh completion location\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-360",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20327-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1251442",
"url": "https://bugzilla.suse.com/1251442"
},
{
"category": "self",
"summary": "SUSE Bug 1251649",
"url": "https://bugzilla.suse.com/1251649"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47911 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47911/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58190 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58190/"
}
],
"title": "Security update for helm",
"tracking": {
"current_release_date": "2026-03-05T14:27:21Z",
"generator": {
"date": "2026-03-05T14:27:21Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:20327-1",
"initial_release_date": "2026-03-05T14:27:21Z",
"revision_history": [
{
"date": "2026-03-05T14:27:21Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "helm-3.19.1-160000.1.1.aarch64",
"product": {
"name": "helm-3.19.1-160000.1.1.aarch64",
"product_id": "helm-3.19.1-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-bash-completion-3.19.1-160000.1.1.noarch",
"product": {
"name": "helm-bash-completion-3.19.1-160000.1.1.noarch",
"product_id": "helm-bash-completion-3.19.1-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "helm-fish-completion-3.19.1-160000.1.1.noarch",
"product": {
"name": "helm-fish-completion-3.19.1-160000.1.1.noarch",
"product_id": "helm-fish-completion-3.19.1-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "helm-zsh-completion-3.19.1-160000.1.1.noarch",
"product": {
"name": "helm-zsh-completion-3.19.1-160000.1.1.noarch",
"product_id": "helm-zsh-completion-3.19.1-160000.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.19.1-160000.1.1.ppc64le",
"product": {
"name": "helm-3.19.1-160000.1.1.ppc64le",
"product_id": "helm-3.19.1-160000.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.19.1-160000.1.1.s390x",
"product": {
"name": "helm-3.19.1-160000.1.1.s390x",
"product_id": "helm-3.19.1-160000.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.19.1-160000.1.1.x86_64",
"product": {
"name": "helm-3.19.1-160000.1.1.x86_64",
"product_id": "helm-3.19.1-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.19.1-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:helm-3.19.1-160000.1.1.aarch64"
},
"product_reference": "helm-3.19.1-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.19.1-160000.1.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:helm-3.19.1-160000.1.1.ppc64le"
},
"product_reference": "helm-3.19.1-160000.1.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.19.1-160000.1.1.s390x as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:helm-3.19.1-160000.1.1.s390x"
},
"product_reference": "helm-3.19.1-160000.1.1.s390x",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.19.1-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:helm-3.19.1-160000.1.1.x86_64"
},
"product_reference": "helm-3.19.1-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-bash-completion-3.19.1-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:helm-bash-completion-3.19.1-160000.1.1.noarch"
},
"product_reference": "helm-bash-completion-3.19.1-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-fish-completion-3.19.1-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:helm-fish-completion-3.19.1-160000.1.1.noarch"
},
"product_reference": "helm-fish-completion-3.19.1-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-zsh-completion-3.19.1-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:helm-zsh-completion-3.19.1-160000.1.1.noarch"
},
"product_reference": "helm-zsh-completion-3.19.1-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47911",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47911"
}
],
"notes": [
{
"category": "general",
"text": "The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:helm-3.19.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:helm-3.19.1-160000.1.1.ppc64le",
"openSUSE Leap 16.0:helm-3.19.1-160000.1.1.s390x",
"openSUSE Leap 16.0:helm-3.19.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:helm-bash-completion-3.19.1-160000.1.1.noarch",
"openSUSE Leap 16.0:helm-fish-completion-3.19.1-160000.1.1.noarch",
"openSUSE Leap 16.0:helm-zsh-completion-3.19.1-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47911",
"url": "https://www.suse.com/security/cve/CVE-2025-47911"
},
{
"category": "external",
"summary": "SUSE Bug 1251308 for CVE-2025-47911",
"url": "https://bugzilla.suse.com/1251308"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:helm-3.19.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:helm-3.19.1-160000.1.1.ppc64le",
"openSUSE Leap 16.0:helm-3.19.1-160000.1.1.s390x",
"openSUSE Leap 16.0:helm-3.19.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:helm-bash-completion-3.19.1-160000.1.1.noarch",
"openSUSE Leap 16.0:helm-fish-completion-3.19.1-160000.1.1.noarch",
"openSUSE Leap 16.0:helm-zsh-completion-3.19.1-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:helm-3.19.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:helm-3.19.1-160000.1.1.ppc64le",
"openSUSE Leap 16.0:helm-3.19.1-160000.1.1.s390x",
"openSUSE Leap 16.0:helm-3.19.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:helm-bash-completion-3.19.1-160000.1.1.noarch",
"openSUSE Leap 16.0:helm-fish-completion-3.19.1-160000.1.1.noarch",
"openSUSE Leap 16.0:helm-zsh-completion-3.19.1-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-05T14:27:21Z",
"details": "moderate"
}
],
"title": "CVE-2025-47911"
},
{
"cve": "CVE-2025-58190",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58190"
}
],
"notes": [
{
"category": "general",
"text": "The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:helm-3.19.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:helm-3.19.1-160000.1.1.ppc64le",
"openSUSE Leap 16.0:helm-3.19.1-160000.1.1.s390x",
"openSUSE Leap 16.0:helm-3.19.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:helm-bash-completion-3.19.1-160000.1.1.noarch",
"openSUSE Leap 16.0:helm-fish-completion-3.19.1-160000.1.1.noarch",
"openSUSE Leap 16.0:helm-zsh-completion-3.19.1-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58190",
"url": "https://www.suse.com/security/cve/CVE-2025-58190"
},
{
"category": "external",
"summary": "SUSE Bug 1251309 for CVE-2025-58190",
"url": "https://bugzilla.suse.com/1251309"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:helm-3.19.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:helm-3.19.1-160000.1.1.ppc64le",
"openSUSE Leap 16.0:helm-3.19.1-160000.1.1.s390x",
"openSUSE Leap 16.0:helm-3.19.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:helm-bash-completion-3.19.1-160000.1.1.noarch",
"openSUSE Leap 16.0:helm-fish-completion-3.19.1-160000.1.1.noarch",
"openSUSE Leap 16.0:helm-zsh-completion-3.19.1-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:helm-3.19.1-160000.1.1.aarch64",
"openSUSE Leap 16.0:helm-3.19.1-160000.1.1.ppc64le",
"openSUSE Leap 16.0:helm-3.19.1-160000.1.1.s390x",
"openSUSE Leap 16.0:helm-3.19.1-160000.1.1.x86_64",
"openSUSE Leap 16.0:helm-bash-completion-3.19.1-160000.1.1.noarch",
"openSUSE Leap 16.0:helm-fish-completion-3.19.1-160000.1.1.noarch",
"openSUSE Leap 16.0:helm-zsh-completion-3.19.1-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-05T14:27:21Z",
"details": "moderate"
}
],
"title": "CVE-2025-58190"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…