- openSUSE Security Announce

openSUSE-SU-2025:0018-1: important: Security update for chromium
by opensuse-security＠opensuse.org 20 Jan '25

20 Jan '25

openSUSE Security Update: Security update for chromium ______________________________________________________________________________ Announcement ID: openSUSE-SU-2025:0018-1 Rating: important References: #1235892 Cross-References: CVE-2025-0434 CVE-2025-0435 CVE-2025-0436 CVE-2025-0437 CVE-2025-0438 CVE-2025-0439 CVE-2025-0440 CVE-2025-0441 CVE-2025-0442 CVE-2025-0443 CVE-2025-0446 CVE-2025-0447 CVE-2025-0448 Affected Products: openSUSE Backports SLE-15-SP6 ______________________________________________________________________________ An update that fixes 13 vulnerabilities is now available. Description: This update for chromium fixes the following issues: - Chromium 132.0.6834.83 (stable released 2024-01-14) (boo#1235892) * CVE-2025-0434: Out of bounds memory access in V8 * CVE-2025-0435: Inappropriate implementation in Navigation * CVE-2025-0436: Integer overflow in Skia * CVE-2025-0437: Out of bounds read in Metrics * CVE-2025-0438: Stack buffer overflow in Tracing * CVE-2025-0439: Race in Frames * CVE-2025-0440: Inappropriate implementation in Fullscreen * CVE-2025-0441: Inappropriate implementation in Fenced Frames * CVE-2025-0442: Inappropriate implementation in Payments * CVE-2025-0443: Insufficient data validation in Extensions * CVE-2025-0446: Inappropriate implementation in Extensions * CVE-2025-0447: Inappropriate implementation in Navigation * CVE-2025-0448: Inappropriate implementation in Compositing - update esbuild to 0.24.0 - drop old tarball - use upstream release tarball for 0.24.0 - add vendor tarball for golang.org/x/sys - add to keeplibs: third_party/libtess2 third_party/devtools-frontend/src/node_modules/fast-glob Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP6: zypper in -t patch openSUSE-2025-18=1 Package List: - openSUSE Backports SLE-15-SP6 (aarch64 x86_64): chromedriver-132.0.6834.83-bp156.2.69.1 chromium-132.0.6834.83-bp156.2.69.1 References: https://www.suse.com/security/cve/CVE-2025-0434.html https://www.suse.com/security/cve/CVE-2025-0435.html https://www.suse.com/security/cve/CVE-2025-0436.html https://www.suse.com/security/cve/CVE-2025-0437.html https://www.suse.com/security/cve/CVE-2025-0438.html https://www.suse.com/security/cve/CVE-2025-0439.html https://www.suse.com/security/cve/CVE-2025-0440.html https://www.suse.com/security/cve/CVE-2025-0441.html https://www.suse.com/security/cve/CVE-2025-0442.html https://www.suse.com/security/cve/CVE-2025-0443.html https://www.suse.com/security/cve/CVE-2025-0446.html https://www.suse.com/security/cve/CVE-2025-0447.html https://www.suse.com/security/cve/CVE-2025-0448.html https://bugzilla.suse.com/1235892

1 0

SUSE-SU-2025:0180-1: important: Security update for the Linux Kernel (Live Patch 49 for SLE 15 SP3)
by OPENSUSE-SECURITY-UPDATES 20 Jan '25

20 Jan '25

# Security update for the Linux Kernel (Live Patch 49 for SLE 15 SP3) Announcement ID: SUSE-SU-2025:0180-1 Release Date: 2025-01-17T21:13:45Z Rating: important References: * bsc#1232637 * bsc#1233712 Cross-References: * CVE-2022-48956 * CVE-2024-50264 CVSS scores: * CVE-2022-48956 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2022-48956 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-50264 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-50264 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-50264 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: * openSUSE Leap 15.3 * SUSE Linux Enterprise High Performance Computing 12 SP5 * SUSE Linux Enterprise High Performance Computing 15 SP3 * SUSE Linux Enterprise Live Patching 12-SP5 * SUSE Linux Enterprise Live Patching 15-SP3 * SUSE Linux Enterprise Micro 5.1 * SUSE Linux Enterprise Micro 5.2 * SUSE Linux Enterprise Server 12 SP5 * SUSE Linux Enterprise Server 15 SP3 * SUSE Linux Enterprise Server for SAP Applications 12 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 An update that solves two vulnerabilities can now be installed. ## Description: This update for the Linux Kernel 5.3.18-150300_59_179 fixes several issues. The following security issues were fixed: * CVE-2024-50264: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans (bsc#1233712). * CVE-2022-48956: ipv6: avoid use-after-free in ip6_fragment() (bsc#1232637). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise Live Patching 12-SP5 zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2025-180=1 * openSUSE Leap 15.3 zypper in -t patch SUSE-2025-182=1 SUSE-2025-183=1 * SUSE Linux Enterprise Live Patching 15-SP3 zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP3-2025-182=1 SUSE-SLE- Module-Live-Patching-15-SP3-2025-183=1 ## Package List: * SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64) * kgraft-patch-4_12_14-122_231-default-2-8.6.1 * openSUSE Leap 15.3 (ppc64le s390x x86_64) * kernel-livepatch-SLE15-SP3_Update_49-debugsource-2-150300.7.6.1 * kernel-livepatch-5_3_18-150300_59_174-default-debuginfo-2-150300.7.6.1 * kernel-livepatch-5_3_18-150300_59_179-default-2-150300.7.6.1 * kernel-livepatch-5_3_18-150300_59_174-default-2-150300.7.6.1 * kernel-livepatch-SLE15-SP3_Update_48-debugsource-2-150300.7.6.1 * kernel-livepatch-5_3_18-150300_59_179-default-debuginfo-2-150300.7.6.1 * openSUSE Leap 15.3 (x86_64) * kernel-livepatch-5_3_18-150300_59_174-preempt-debuginfo-2-150300.7.6.1 * kernel-livepatch-5_3_18-150300_59_179-preempt-2-150300.7.6.1 * kernel-livepatch-5_3_18-150300_59_174-preempt-2-150300.7.6.1 * kernel-livepatch-5_3_18-150300_59_179-preempt-debuginfo-2-150300.7.6.1 * SUSE Linux Enterprise Live Patching 15-SP3 (ppc64le s390x x86_64) * kernel-livepatch-5_3_18-150300_59_174-default-2-150300.7.6.1 * kernel-livepatch-SLE15-SP3_Update_49-debugsource-2-150300.7.6.1 * kernel-livepatch-5_3_18-150300_59_179-default-debuginfo-2-150300.7.6.1 * kernel-livepatch-5_3_18-150300_59_179-default-2-150300.7.6.1 ## References: * https://www.suse.com/security/cve/CVE-2022-48956.html * https://www.suse.com/security/cve/CVE-2024-50264.html * https://bugzilla.suse.com/show_bug.cgi?id=1232637 * https://bugzilla.suse.com/show_bug.cgi?id=1233712

1 0

SUSE-SU-2025:0181-1: important: Security update for the Linux Kernel (Live Patch 17 for SLE 15 SP5)
by OPENSUSE-SECURITY-UPDATES 20 Jan '25

20 Jan '25

# Security update for the Linux Kernel (Live Patch 17 for SLE 15 SP5) Announcement ID: SUSE-SU-2025:0181-1 Release Date: 2025-01-17T20:03:47Z Rating: important References: * bsc#1225429 * bsc#1229553 * bsc#1232637 * bsc#1233712 Cross-References: * CVE-2021-47517 * CVE-2022-48956 * CVE-2024-43861 * CVE-2024-50264 CVSS scores: * CVE-2021-47517 ( SUSE ): 6.5 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H * CVE-2022-48956 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2022-48956 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-43861 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2024-43861 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2024-50264 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-50264 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-50264 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: * openSUSE Leap 15.5 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise Live Patching 15-SP5 * SUSE Linux Enterprise Micro 5.5 * SUSE Linux Enterprise Real Time 15 SP5 * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 An update that solves four vulnerabilities can now be installed. ## Description: This update for the Linux Kernel 5.14.21-150500_55_73 fixes several issues. The following security issues were fixed: * CVE-2024-50264: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans (bsc#1233712). * CVE-2022-48956: ipv6: avoid use-after-free in ip6_fragment() (bsc#1232637). * CVE-2021-47517: Fix panic when interrupt coaleceing is set via ethtool (bsc#1225429). * CVE-2024-43861: Fix memory leak for not ip packets (bsc#1229553). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.5 zypper in -t patch SUSE-2025-181=1 * SUSE Linux Enterprise Live Patching 15-SP5 zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP5-2025-181=1 ## Package List: * openSUSE Leap 15.5 (ppc64le s390x x86_64) * kernel-livepatch-SLE15-SP5_Update_17-debugsource-3-150500.11.6.1 * kernel-livepatch-5_14_21-150500_55_73-default-debuginfo-3-150500.11.6.1 * kernel-livepatch-5_14_21-150500_55_73-default-3-150500.11.6.1 * SUSE Linux Enterprise Live Patching 15-SP5 (ppc64le s390x x86_64) * kernel-livepatch-5_14_21-150500_55_73-default-debuginfo-3-150500.11.6.1 * kernel-livepatch-5_14_21-150500_55_73-default-3-150500.11.6.1 * SUSE Linux Enterprise Live Patching 15-SP5 (ppc64le x86_64) * kernel-livepatch-SLE15-SP5_Update_17-debugsource-3-150500.11.6.1 ## References: * https://www.suse.com/security/cve/CVE-2021-47517.html * https://www.suse.com/security/cve/CVE-2022-48956.html * https://www.suse.com/security/cve/CVE-2024-43861.html * https://www.suse.com/security/cve/CVE-2024-50264.html * https://bugzilla.suse.com/show_bug.cgi?id=1225429 * https://bugzilla.suse.com/show_bug.cgi?id=1229553 * https://bugzilla.suse.com/show_bug.cgi?id=1232637 * https://bugzilla.suse.com/show_bug.cgi?id=1233712

1 0

SUSE-SU-2025:0184-1: important: Security update for the Linux Kernel (Live Patch 5 for SLE 15 SP6)
by OPENSUSE-SECURITY-UPDATES 20 Jan '25

20 Jan '25

# Security update for the Linux Kernel (Live Patch 5 for SLE 15 SP6) Announcement ID: SUSE-SU-2025:0184-1 Release Date: 2025-01-18T13:04:03Z Rating: important References: * bsc#1233712 Cross-References: * CVE-2024-50264 CVSS scores: * CVE-2024-50264 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-50264 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-50264 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: * openSUSE Leap 15.3 * openSUSE Leap 15.4 * openSUSE Leap 15.6 * SUSE Linux Enterprise High Performance Computing 15 SP3 * SUSE Linux Enterprise High Performance Computing 15 SP4 * SUSE Linux Enterprise Live Patching 15-SP3 * SUSE Linux Enterprise Live Patching 15-SP4 * SUSE Linux Enterprise Live Patching 15-SP6 * SUSE Linux Enterprise Micro 5.1 * SUSE Linux Enterprise Micro 5.2 * SUSE Linux Enterprise Micro 5.3 * SUSE Linux Enterprise Micro 5.4 * SUSE Linux Enterprise Real Time 15 SP4 * SUSE Linux Enterprise Real Time 15 SP6 * SUSE Linux Enterprise Server 15 SP3 * SUSE Linux Enterprise Server 15 SP4 * SUSE Linux Enterprise Server 15 SP6 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 An update that solves one vulnerability can now be installed. ## Description: This update for the Linux Kernel 6.4.0-150600_23_25 fixes one issue. The following security issue was fixed: * CVE-2024-50264: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans (bsc#1233712). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.3 zypper in -t patch SUSE-2025-184=1 * SUSE Linux Enterprise Live Patching 15-SP3 zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP3-2025-184=1 * openSUSE Leap 15.4 zypper in -t patch SUSE-2025-190=1 * SUSE Linux Enterprise Live Patching 15-SP4 zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP4-2025-190=1 * openSUSE Leap 15.6 zypper in -t patch SUSE-2025-189=1 * SUSE Linux Enterprise Live Patching 15-SP6 zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP6-2025-189=1 ## Package List: * openSUSE Leap 15.3 (ppc64le s390x x86_64) * kernel-livepatch-5_3_18-150300_59_182-default-2-150300.7.6.1 * kernel-livepatch-SLE15-SP3_Update_50-debugsource-2-150300.7.6.1 * kernel-livepatch-5_3_18-150300_59_182-default-debuginfo-2-150300.7.6.1 * openSUSE Leap 15.3 (x86_64) * kernel-livepatch-5_3_18-150300_59_182-preempt-2-150300.7.6.1 * kernel-livepatch-5_3_18-150300_59_182-preempt-debuginfo-2-150300.7.6.1 * SUSE Linux Enterprise Live Patching 15-SP3 (ppc64le s390x x86_64) * kernel-livepatch-5_3_18-150300_59_182-default-2-150300.7.6.1 * openSUSE Leap 15.4 (ppc64le s390x x86_64) * kernel-livepatch-5_14_21-150400_24_141-default-debuginfo-2-150400.9.8.1 * kernel-livepatch-SLE15-SP4_Update_33-debugsource-2-150400.9.8.1 * kernel-livepatch-5_14_21-150400_24_141-default-2-150400.9.8.1 * SUSE Linux Enterprise Live Patching 15-SP4 (ppc64le s390x x86_64) * kernel-livepatch-5_14_21-150400_24_141-default-debuginfo-2-150400.9.8.1 * kernel-livepatch-SLE15-SP4_Update_33-debugsource-2-150400.9.8.1 * kernel-livepatch-5_14_21-150400_24_141-default-2-150400.9.8.1 * openSUSE Leap 15.6 (ppc64le s390x x86_64) * kernel-livepatch-6_4_0-150600_23_25-default-debuginfo-2-150600.13.6.1 * kernel-livepatch-6_4_0-150600_23_25-default-2-150600.13.6.1 * kernel-livepatch-SLE15-SP6_Update_5-debugsource-2-150600.13.6.1 * SUSE Linux Enterprise Live Patching 15-SP6 (ppc64le s390x x86_64) * kernel-livepatch-6_4_0-150600_23_25-default-debuginfo-2-150600.13.6.1 * kernel-livepatch-6_4_0-150600_23_25-default-2-150600.13.6.1 * kernel-livepatch-SLE15-SP6_Update_5-debugsource-2-150600.13.6.1 ## References: * https://www.suse.com/security/cve/CVE-2024-50264.html * https://bugzilla.suse.com/show_bug.cgi?id=1233712

1 0

SUSE-SU-2025:0185-1: important: Security update for the Linux Kernel (Live Patch 32 for SLE 15 SP4)
by OPENSUSE-SECURITY-UPDATES 20 Jan '25

20 Jan '25

# Security update for the Linux Kernel (Live Patch 32 for SLE 15 SP4) Announcement ID: SUSE-SU-2025:0185-1 Release Date: 2025-01-17T22:13:28Z Rating: important References: * bsc#1231353 * bsc#1232637 * bsc#1233712 Cross-References: * CVE-2022-48956 * CVE-2024-50264 CVSS scores: * CVE-2022-48956 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2022-48956 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-50264 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-50264 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-50264 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: * openSUSE Leap 15.4 * SUSE Linux Enterprise High Performance Computing 15 SP4 * SUSE Linux Enterprise Live Patching 15-SP4 * SUSE Linux Enterprise Micro 5.3 * SUSE Linux Enterprise Micro 5.4 * SUSE Linux Enterprise Real Time 15 SP4 * SUSE Linux Enterprise Server 15 SP4 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 An update that solves two vulnerabilities and has one security fix can now be installed. ## Description: This update for the Linux Kernel 5.14.21-150400_24_136 fixes several issues. The following security issues were fixed: * CVE-2024-50264: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans (bsc#1233712). * CVE-2022-48956: ipv6: avoid use-after-free in ip6_fragment() (bsc#1232637). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise Live Patching 15-SP4 zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP4-2025-186=1 SUSE-SLE- Module-Live-Patching-15-SP4-2025-185=1 * openSUSE Leap 15.4 zypper in -t patch SUSE-2025-185=1 SUSE-2025-186=1 ## Package List: * SUSE Linux Enterprise Live Patching 15-SP4 (ppc64le s390x x86_64) * kernel-livepatch-5_14_21-150400_24_133-default-2-150400.9.6.1 * kernel-livepatch-5_14_21-150400_24_136-default-debuginfo-2-150400.9.6.1 * kernel-livepatch-SLE15-SP4_Update_31-debugsource-2-150400.9.6.1 * kernel-livepatch-SLE15-SP4_Update_32-debugsource-2-150400.9.6.1 * kernel-livepatch-5_14_21-150400_24_133-default-debuginfo-2-150400.9.6.1 * kernel-livepatch-5_14_21-150400_24_136-default-2-150400.9.6.1 * openSUSE Leap 15.4 (ppc64le s390x x86_64) * kernel-livepatch-5_14_21-150400_24_133-default-2-150400.9.6.1 * kernel-livepatch-5_14_21-150400_24_136-default-debuginfo-2-150400.9.6.1 * kernel-livepatch-SLE15-SP4_Update_31-debugsource-2-150400.9.6.1 * kernel-livepatch-SLE15-SP4_Update_32-debugsource-2-150400.9.6.1 * kernel-livepatch-5_14_21-150400_24_133-default-debuginfo-2-150400.9.6.1 * kernel-livepatch-5_14_21-150400_24_136-default-2-150400.9.6.1 ## References: * https://www.suse.com/security/cve/CVE-2022-48956.html * https://www.suse.com/security/cve/CVE-2024-50264.html * https://bugzilla.suse.com/show_bug.cgi?id=1231353 * https://bugzilla.suse.com/show_bug.cgi?id=1232637 * https://bugzilla.suse.com/show_bug.cgi?id=1233712

1 0

SUSE-SU-2025:0187-1: important: Security update for the Linux Kernel (Live Patch 1 for SLE 15 SP6)
by OPENSUSE-SECURITY-UPDATES 20 Jan '25

20 Jan '25

# Security update for the Linux Kernel (Live Patch 1 for SLE 15 SP6) Announcement ID: SUSE-SU-2025:0187-1 Release Date: 2025-01-18T02:03:59Z Rating: important References: * bsc#1225733 * bsc#1225739 * bsc#1225819 * bsc#1228786 * bsc#1229273 * bsc#1229553 * bsc#1231419 * bsc#1233712 Cross-References: * CVE-2023-52752 * CVE-2024-35949 * CVE-2024-36899 * CVE-2024-36904 * CVE-2024-40954 * CVE-2024-42133 * CVE-2024-43861 * CVE-2024-50264 CVSS scores: * CVE-2023-52752 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2023-52752 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-35949 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-36899 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-36899 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-36904 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-40954 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-40954 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-42133 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N * CVE-2024-42133 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-42133 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2024-43861 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2024-43861 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2024-50264 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-50264 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-50264 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: * openSUSE Leap 15.6 * SUSE Linux Enterprise Live Patching 15-SP6 * SUSE Linux Enterprise Real Time 15 SP6 * SUSE Linux Enterprise Server 15 SP6 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 An update that solves eight vulnerabilities can now be installed. ## Description: This update for the Linux Kernel 6.4.0-150600_23_7 fixes several issues. The following security issues were fixed: * CVE-2024-50264: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans (bsc#1233712). * CVE-2024-36904: tcp: Use refcount_inc_not_zero() in tcp_twsk_unique() (bsc#1225733). * CVE-2024-43861: Fix memory leak for not ip packets (bsc#1229553). * CVE-2024-42133: Bluetooth: Ignore too large handle values in BIG (bsc#1231419). * CVE-2024-35949: btrfs: make sure that WRITTEN is set on all metadata blocks (bsc#1229273). * CVE-2023-52752: smb: client: fix use-after-free bug in cifs_debug_data_proc_show() (bsc#1225819). * CVE-2024-36899: gpiolib: cdev: Fix use after free in lineinfo_changed_notify (bsc#1231353). * CVE-2024-36899: gpiolib: cdev: Fix use after free in lineinfo_changed_notify (bsc#1225739). * CVE-2024-40954: net: do not leave a dangling sk pointer, when socket creation fails (bsc#1227808) ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.6 zypper in -t patch SUSE-2025-187=1 * SUSE Linux Enterprise Live Patching 15-SP6 zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP6-2025-187=1 ## Package List: * openSUSE Leap 15.6 (ppc64le s390x x86_64) * kernel-livepatch-6_4_0-150600_23_7-default-debuginfo-6-150600.13.6.1 * kernel-livepatch-6_4_0-150600_23_7-default-6-150600.13.6.1 * kernel-livepatch-SLE15-SP6_Update_1-debugsource-6-150600.13.6.1 * SUSE Linux Enterprise Live Patching 15-SP6 (ppc64le s390x x86_64) * kernel-livepatch-6_4_0-150600_23_7-default-debuginfo-6-150600.13.6.1 * kernel-livepatch-6_4_0-150600_23_7-default-6-150600.13.6.1 * kernel-livepatch-SLE15-SP6_Update_1-debugsource-6-150600.13.6.1 ## References: * https://www.suse.com/security/cve/CVE-2023-52752.html * https://www.suse.com/security/cve/CVE-2024-35949.html * https://www.suse.com/security/cve/CVE-2024-36899.html * https://www.suse.com/security/cve/CVE-2024-36904.html * https://www.suse.com/security/cve/CVE-2024-40954.html * https://www.suse.com/security/cve/CVE-2024-42133.html * https://www.suse.com/security/cve/CVE-2024-43861.html * https://www.suse.com/security/cve/CVE-2024-50264.html * https://bugzilla.suse.com/show_bug.cgi?id=1225733 * https://bugzilla.suse.com/show_bug.cgi?id=1225739 * https://bugzilla.suse.com/show_bug.cgi?id=1225819 * https://bugzilla.suse.com/show_bug.cgi?id=1228786 * https://bugzilla.suse.com/show_bug.cgi?id=1229273 * https://bugzilla.suse.com/show_bug.cgi?id=1229553 * https://bugzilla.suse.com/show_bug.cgi?id=1231419 * https://bugzilla.suse.com/show_bug.cgi?id=1233712

1 0

SUSE-SU-2025:0188-1: important: Security update for the Linux Kernel (Live Patch 2 for SLE 15 SP6)
by OPENSUSE-SECURITY-UPDATES 20 Jan '25

20 Jan '25

# Security update for the Linux Kernel (Live Patch 2 for SLE 15 SP6) Announcement ID: SUSE-SU-2025:0188-1 Release Date: 2025-01-18T02:04:11Z Rating: important References: * bsc#1225819 * bsc#1228349 * bsc#1228786 * bsc#1229273 * bsc#1229553 * bsc#1231419 * bsc#1233712 Cross-References: * CVE-2023-52752 * CVE-2024-35949 * CVE-2024-40909 * CVE-2024-40954 * CVE-2024-42133 * CVE-2024-43861 * CVE-2024-50264 CVSS scores: * CVE-2023-52752 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2023-52752 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-35949 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-40909 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-40909 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-40954 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-40954 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-42133 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N * CVE-2024-42133 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-42133 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2024-43861 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2024-43861 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2024-50264 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-50264 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-50264 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: * openSUSE Leap 15.6 * SUSE Linux Enterprise Live Patching 15-SP6 * SUSE Linux Enterprise Real Time 15 SP6 * SUSE Linux Enterprise Server 15 SP6 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 An update that solves seven vulnerabilities can now be installed. ## Description: This update for the Linux Kernel 6.4.0-150600_23_14 fixes several issues. The following security issues were fixed: * CVE-2024-50264: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans (bsc#1233712). * CVE-2024-43861: Fix memory leak for not ip packets (bsc#1229553). * CVE-2024-42133: Bluetooth: Ignore too large handle values in BIG (bsc#1231419). * CVE-2024-35949: btrfs: make sure that WRITTEN is set on all metadata blocks (bsc#1229273). * CVE-2023-52752: smb: client: fix use-after-free bug in cifs_debug_data_proc_show() (bsc#1225819). * CVE-2024-40954: net: do not leave a dangling sk pointer, when socket creation fails (bsc#1227808) * CVE-2024-40909: bpf: Fix a potential use-after-free in bpf_link_free() (bsc#1228349). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.6 zypper in -t patch SUSE-2025-188=1 * SUSE Linux Enterprise Live Patching 15-SP6 zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP6-2025-188=1 ## Package List: * openSUSE Leap 15.6 (ppc64le s390x x86_64) * kernel-livepatch-6_4_0-150600_23_14-default-debuginfo-6-150600.13.6.1 * kernel-livepatch-6_4_0-150600_23_14-default-6-150600.13.6.1 * kernel-livepatch-SLE15-SP6_Update_2-debugsource-6-150600.13.6.1 * SUSE Linux Enterprise Live Patching 15-SP6 (ppc64le s390x x86_64) * kernel-livepatch-6_4_0-150600_23_14-default-debuginfo-6-150600.13.6.1 * kernel-livepatch-6_4_0-150600_23_14-default-6-150600.13.6.1 * kernel-livepatch-SLE15-SP6_Update_2-debugsource-6-150600.13.6.1 ## References: * https://www.suse.com/security/cve/CVE-2023-52752.html * https://www.suse.com/security/cve/CVE-2024-35949.html * https://www.suse.com/security/cve/CVE-2024-40909.html * https://www.suse.com/security/cve/CVE-2024-40954.html * https://www.suse.com/security/cve/CVE-2024-42133.html * https://www.suse.com/security/cve/CVE-2024-43861.html * https://www.suse.com/security/cve/CVE-2024-50264.html * https://bugzilla.suse.com/show_bug.cgi?id=1225819 * https://bugzilla.suse.com/show_bug.cgi?id=1228349 * https://bugzilla.suse.com/show_bug.cgi?id=1228786 * https://bugzilla.suse.com/show_bug.cgi?id=1229273 * https://bugzilla.suse.com/show_bug.cgi?id=1229553 * https://bugzilla.suse.com/show_bug.cgi?id=1231419 * https://bugzilla.suse.com/show_bug.cgi?id=1233712

1 0

openSUSE-SU-2025:14663-1: moderate: velociraptor-0.7.0.4.git142.862ef23-1.1 on GA media
by meissner＠suse.com 18 Jan '25

18 Jan '25

# velociraptor-0.7.0.4.git142.862ef23-1.1 on GA media Announcement ID: openSUSE-SU-2025:14663-1 Rating: moderate Cross-References: * CVE-2023-1732 * CVE-2023-44270 * CVE-2023-45133 * CVE-2023-45683 * CVE-2023-46234 * CVE-2024-21538 * CVE-2024-23331 * CVE-2024-24786 * CVE-2024-28180 * CVE-2024-31207 * CVE-2024-37298 * CVE-2024-4067 * CVE-2024-4068 * CVE-2024-42459 * CVE-2024-42460 * CVE-2024-42461 * CVE-2024-45296 * CVE-2024-45338 * CVE-2024-45811 * CVE-2024-45812 * CVE-2024-47068 * CVE-2024-47875 * CVE-2024-48948 * CVE-2024-48949 * CVE-2024-51744 * CVE-2024-55565 * CVE-2024-6104 CVSS scores: * CVE-2023-45683 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L * CVE-2024-21538 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2024-21538 ( SUSE ): 5.6 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2024-24786 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2024-28180 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L * CVE-2024-28180 ( SUSE ): 2.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N * CVE-2024-4067 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2024-4068 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2024-42459 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N * CVE-2024-42460 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N * CVE-2024-42461 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N * CVE-2024-45338 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2024-45338 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2024-47875 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L * CVE-2024-47875 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N * CVE-2024-48948 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L * CVE-2024-48948 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N * CVE-2024-48949 ( SUSE ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N * CVE-2024-48949 ( SUSE ): 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2024-51744 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N * CVE-2024-51744 ( SUSE ): 2.1 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2024-6104 ( SUSE ): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N Affected Products: * openSUSE Tumbleweed An update that solves 27 vulnerabilities can now be installed. ## Description: These are all security issues fixed in the velociraptor-0.7.0.4.git142.862ef23-1.1 package on the GA media of openSUSE Tumbleweed. ## Package List: * openSUSE Tumbleweed: * velociraptor 0.7.0.4.git142.862ef23-1.1 ## References: * https://www.suse.com/security/cve/CVE-2023-1732.html * https://www.suse.com/security/cve/CVE-2023-44270.html * https://www.suse.com/security/cve/CVE-2023-45133.html * https://www.suse.com/security/cve/CVE-2023-45683.html * https://www.suse.com/security/cve/CVE-2023-46234.html * https://www.suse.com/security/cve/CVE-2024-21538.html * https://www.suse.com/security/cve/CVE-2024-23331.html * https://www.suse.com/security/cve/CVE-2024-24786.html * https://www.suse.com/security/cve/CVE-2024-28180.html * https://www.suse.com/security/cve/CVE-2024-31207.html * https://www.suse.com/security/cve/CVE-2024-37298.html * https://www.suse.com/security/cve/CVE-2024-4067.html * https://www.suse.com/security/cve/CVE-2024-4068.html * https://www.suse.com/security/cve/CVE-2024-42459.html * https://www.suse.com/security/cve/CVE-2024-42460.html * https://www.suse.com/security/cve/CVE-2024-42461.html * https://www.suse.com/security/cve/CVE-2024-45296.html * https://www.suse.com/security/cve/CVE-2024-45338.html * https://www.suse.com/security/cve/CVE-2024-45811.html * https://www.suse.com/security/cve/CVE-2024-45812.html * https://www.suse.com/security/cve/CVE-2024-47068.html * https://www.suse.com/security/cve/CVE-2024-47875.html * https://www.suse.com/security/cve/CVE-2024-48948.html * https://www.suse.com/security/cve/CVE-2024-48949.html * https://www.suse.com/security/cve/CVE-2024-51744.html * https://www.suse.com/security/cve/CVE-2024-55565.html * https://www.suse.com/security/cve/CVE-2024-6104.html

1 0

openSUSE-SU-2025:14660-1: moderate: golang-github-prometheus-prometheus-3.1.0-1.1 on GA media
by meissner＠suse.com 18 Jan '25

18 Jan '25

# golang-github-prometheus-prometheus-3.1.0-1.1 on GA media Announcement ID: openSUSE-SU-2025:14660-1 Rating: moderate Cross-References: * CVE-2024-45337 CVSS scores: * CVE-2024-45337 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: * openSUSE Tumbleweed An update that solves one vulnerability can now be installed. ## Description: These are all security issues fixed in the golang-github-prometheus-prometheus-3.1.0-1.1 package on the GA media of openSUSE Tumbleweed. ## Package List: * openSUSE Tumbleweed: * golang-github-prometheus-prometheus 3.1.0-1.1 ## References: * https://www.suse.com/security/cve/CVE-2024-45337.html

1 0

openSUSE-SU-2025:14659-1: moderate: chromedriver-132.0.6834.83-1.1 on GA media
by meissner＠suse.com 18 Jan '25

18 Jan '25

# chromedriver-132.0.6834.83-1.1 on GA media Announcement ID: openSUSE-SU-2025:14659-1 Rating: moderate Cross-References: * CVE-2025-0434 * CVE-2025-0435 * CVE-2025-0436 * CVE-2025-0437 * CVE-2025-0438 * CVE-2025-0439 * CVE-2025-0440 * CVE-2025-0441 * CVE-2025-0442 * CVE-2025-0443 * CVE-2025-0446 * CVE-2025-0447 * CVE-2025-0448 Affected Products: * openSUSE Tumbleweed An update that solves 13 vulnerabilities can now be installed. ## Description: These are all security issues fixed in the chromedriver-132.0.6834.83-1.1 package on the GA media of openSUSE Tumbleweed. ## Package List: * openSUSE Tumbleweed: * chromedriver 132.0.6834.83-1.1 * chromium 132.0.6834.83-1.1 ## References: * https://www.suse.com/security/cve/CVE-2025-0434.html * https://www.suse.com/security/cve/CVE-2025-0435.html * https://www.suse.com/security/cve/CVE-2025-0436.html * https://www.suse.com/security/cve/CVE-2025-0437.html * https://www.suse.com/security/cve/CVE-2025-0438.html * https://www.suse.com/security/cve/CVE-2025-0439.html * https://www.suse.com/security/cve/CVE-2025-0440.html * https://www.suse.com/security/cve/CVE-2025-0441.html * https://www.suse.com/security/cve/CVE-2025-0442.html * https://www.suse.com/security/cve/CVE-2025-0443.html * https://www.suse.com/security/cve/CVE-2025-0446.html * https://www.suse.com/security/cve/CVE-2025-0447.html * https://www.suse.com/security/cve/CVE-2025-0448.html

1 0