Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2024-45338 (GCVE-0-2024-45338)
Vulnerability from cvelistv5 – Published: 2024-12-18 20:38 – Updated: 2025-02-21 18:03
VLAI
EPSS
Title
Non-linear parsing of case-insensitive content in golang.org/x/net/html
Summary
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/net | golang.org/x/net/html |
Affected:
0 , < 0.33.0
(semver)
|
Credits
Guido Vranken
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45338",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-31T19:51:42.228627Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-31T19:55:04.864Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-02-21T18:03:32.301Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250221-0001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/html",
"product": "golang.org/x/net/html",
"programRoutines": [
{
"name": "parseDoctype"
},
{
"name": "htmlIntegrationPoint"
},
{
"name": "inTableIM"
},
{
"name": "inBodyIM"
},
{
"name": "Parse"
},
{
"name": "ParseFragment"
},
{
"name": "ParseFragmentWithOptions"
},
{
"name": "ParseWithOptions"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.33.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Guido Vranken"
}
],
"descriptions": [
{
"lang": "en",
"value": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-405: Asymmetric Resource Consumption (Amplification)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-18T20:38:22.660Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/637536"
},
{
"url": "https://go.dev/issue/70906"
},
{
"url": "https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ"
},
{
"url": "https://pkg.go.dev/vuln/GO-2024-3333"
}
],
"title": "Non-linear parsing of case-insensitive content in golang.org/x/net/html"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2024-45338",
"datePublished": "2024-12-18T20:38:22.660Z",
"dateReserved": "2024-08-27T19:41:58.555Z",
"dateUpdated": "2025-02-21T18:03:32.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-45338",
"date": "2026-06-12",
"epss": "0.00046",
"percentile": "0.14678"
},
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.\"}, {\"lang\": \"es\", \"value\": \"Un atacante puede manipular una entrada para las funciones de an\\u00e1lisis que se procesar\\u00eda de forma no lineal con respecto a su longitud, lo que dar\\u00eda como resultado un an\\u00e1lisis extremadamente lento. Esto podr\\u00eda causar una denegaci\\u00f3n de servicio.\"}]",
"id": "CVE-2024-45338",
"lastModified": "2024-12-31T20:16:06.603",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}]}",
"published": "2024-12-18T21:15:08.173",
"references": "[{\"url\": \"https://go.dev/cl/637536\", \"source\": \"security@golang.org\"}, {\"url\": \"https://go.dev/issue/70906\", \"source\": \"security@golang.org\"}, {\"url\": \"https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ\", \"source\": \"security@golang.org\"}, {\"url\": \"https://pkg.go.dev/vuln/GO-2024-3333\", \"source\": \"security@golang.org\"}]",
"sourceIdentifier": "security@golang.org",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-1333\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-45338\",\"sourceIdentifier\":\"security@golang.org\",\"published\":\"2024-12-18T21:15:08.173\",\"lastModified\":\"2025-02-21T18:15:17.717\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.\"},{\"lang\":\"es\",\"value\":\"Un atacante puede manipular una entrada para las funciones de an\u00e1lisis que se procesar\u00eda de forma no lineal con respecto a su longitud, lo que dar\u00eda como resultado un an\u00e1lisis extremadamente lento. Esto podr\u00eda causar una denegaci\u00f3n de servicio.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1333\"}]}],\"references\":[{\"url\":\"https://go.dev/cl/637536\",\"source\":\"security@golang.org\"},{\"url\":\"https://go.dev/issue/70906\",\"source\":\"security@golang.org\"},{\"url\":\"https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ\",\"source\":\"security@golang.org\"},{\"url\":\"https://pkg.go.dev/vuln/GO-2024-3333\",\"source\":\"security@golang.org\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20250221-0001/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://security.netapp.com/advisory/ntap-20250221-0001/\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-02-21T18:03:32.301Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-45338\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-31T19:51:42.228627Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1333\", \"description\": \"CWE-1333 Inefficient Regular Expression Complexity\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-31T19:54:57.693Z\"}}], \"cna\": {\"title\": \"Non-linear parsing of case-insensitive content in golang.org/x/net/html\", \"credits\": [{\"lang\": \"en\", \"value\": \"Guido Vranken\"}], \"affected\": [{\"vendor\": \"golang.org/x/net\", \"product\": \"golang.org/x/net/html\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.33.0\", \"versionType\": \"semver\"}], \"packageName\": \"golang.org/x/net/html\", \"collectionURL\": \"https://pkg.go.dev\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"parseDoctype\"}, {\"name\": \"htmlIntegrationPoint\"}, {\"name\": \"inTableIM\"}, {\"name\": \"inBodyIM\"}, {\"name\": \"Parse\"}, {\"name\": \"ParseFragment\"}, {\"name\": \"ParseFragmentWithOptions\"}, {\"name\": \"ParseWithOptions\"}]}], \"references\": [{\"url\": \"https://go.dev/cl/637536\"}, {\"url\": \"https://go.dev/issue/70906\"}, {\"url\": \"https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ\"}, {\"url\": \"https://pkg.go.dev/vuln/GO-2024-3333\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CWE-405: Asymmetric Resource Consumption (Amplification)\"}]}], \"providerMetadata\": {\"orgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"shortName\": \"Go\", \"dateUpdated\": \"2024-12-18T20:38:22.660Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-45338\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-21T18:03:32.301Z\", \"dateReserved\": \"2024-08-27T19:41:58.555Z\", \"assignerOrgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"datePublished\": \"2024-12-18T20:38:22.660Z\", \"assignerShortName\": \"Go\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
OPENSUSE-SU-2025:14907-1
Vulnerability from csaf_opensuse - Published: 2025-03-18 00:00 - Updated: 2025-03-18 00:00Summary
kured-1.17.1-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: kured-1.17.1-1.1 on GA media
Description of the patch: These are all security issues fixed in the kured-1.17.1-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2025-14907
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.9 (Medium)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:kured-1.17.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:kured-1.17.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:kured-1.17.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:kured-1.17.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:kured-k8s-yaml-1.17.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:kured-k8s-yaml-1.17.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:kured-k8s-yaml-1.17.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:kured-k8s-yaml-1.17.1-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
7 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "kured-1.17.1-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the kured-1.17.1-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-14907",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_14907-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2025:14907-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CZP3P5NBSLZINLGQH7DRQMDTIOVW4D3C/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2025:14907-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CZP3P5NBSLZINLGQH7DRQMDTIOVW4D3C/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45338 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45338/"
}
],
"title": "kured-1.17.1-1.1 on GA media",
"tracking": {
"current_release_date": "2025-03-18T00:00:00Z",
"generator": {
"date": "2025-03-18T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:14907-1",
"initial_release_date": "2025-03-18T00:00:00Z",
"revision_history": [
{
"date": "2025-03-18T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kured-1.17.1-1.1.aarch64",
"product": {
"name": "kured-1.17.1-1.1.aarch64",
"product_id": "kured-1.17.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kured-k8s-yaml-1.17.1-1.1.aarch64",
"product": {
"name": "kured-k8s-yaml-1.17.1-1.1.aarch64",
"product_id": "kured-k8s-yaml-1.17.1-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "kured-1.17.1-1.1.ppc64le",
"product": {
"name": "kured-1.17.1-1.1.ppc64le",
"product_id": "kured-1.17.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "kured-k8s-yaml-1.17.1-1.1.ppc64le",
"product": {
"name": "kured-k8s-yaml-1.17.1-1.1.ppc64le",
"product_id": "kured-k8s-yaml-1.17.1-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "kured-1.17.1-1.1.s390x",
"product": {
"name": "kured-1.17.1-1.1.s390x",
"product_id": "kured-1.17.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "kured-k8s-yaml-1.17.1-1.1.s390x",
"product": {
"name": "kured-k8s-yaml-1.17.1-1.1.s390x",
"product_id": "kured-k8s-yaml-1.17.1-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "kured-1.17.1-1.1.x86_64",
"product": {
"name": "kured-1.17.1-1.1.x86_64",
"product_id": "kured-1.17.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kured-k8s-yaml-1.17.1-1.1.x86_64",
"product": {
"name": "kured-k8s-yaml-1.17.1-1.1.x86_64",
"product_id": "kured-k8s-yaml-1.17.1-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kured-1.17.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kured-1.17.1-1.1.aarch64"
},
"product_reference": "kured-1.17.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kured-1.17.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kured-1.17.1-1.1.ppc64le"
},
"product_reference": "kured-1.17.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kured-1.17.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kured-1.17.1-1.1.s390x"
},
"product_reference": "kured-1.17.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kured-1.17.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kured-1.17.1-1.1.x86_64"
},
"product_reference": "kured-1.17.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kured-k8s-yaml-1.17.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kured-k8s-yaml-1.17.1-1.1.aarch64"
},
"product_reference": "kured-k8s-yaml-1.17.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kured-k8s-yaml-1.17.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kured-k8s-yaml-1.17.1-1.1.ppc64le"
},
"product_reference": "kured-k8s-yaml-1.17.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kured-k8s-yaml-1.17.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kured-k8s-yaml-1.17.1-1.1.s390x"
},
"product_reference": "kured-k8s-yaml-1.17.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kured-k8s-yaml-1.17.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kured-k8s-yaml-1.17.1-1.1.x86_64"
},
"product_reference": "kured-k8s-yaml-1.17.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45338",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45338"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:kured-1.17.1-1.1.aarch64",
"openSUSE Tumbleweed:kured-1.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:kured-1.17.1-1.1.s390x",
"openSUSE Tumbleweed:kured-1.17.1-1.1.x86_64",
"openSUSE Tumbleweed:kured-k8s-yaml-1.17.1-1.1.aarch64",
"openSUSE Tumbleweed:kured-k8s-yaml-1.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:kured-k8s-yaml-1.17.1-1.1.s390x",
"openSUSE Tumbleweed:kured-k8s-yaml-1.17.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45338",
"url": "https://www.suse.com/security/cve/CVE-2024-45338"
},
{
"category": "external",
"summary": "SUSE Bug 1234794 for CVE-2024-45338",
"url": "https://bugzilla.suse.com/1234794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:kured-1.17.1-1.1.aarch64",
"openSUSE Tumbleweed:kured-1.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:kured-1.17.1-1.1.s390x",
"openSUSE Tumbleweed:kured-1.17.1-1.1.x86_64",
"openSUSE Tumbleweed:kured-k8s-yaml-1.17.1-1.1.aarch64",
"openSUSE Tumbleweed:kured-k8s-yaml-1.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:kured-k8s-yaml-1.17.1-1.1.s390x",
"openSUSE Tumbleweed:kured-k8s-yaml-1.17.1-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:kured-1.17.1-1.1.aarch64",
"openSUSE Tumbleweed:kured-1.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:kured-1.17.1-1.1.s390x",
"openSUSE Tumbleweed:kured-1.17.1-1.1.x86_64",
"openSUSE Tumbleweed:kured-k8s-yaml-1.17.1-1.1.aarch64",
"openSUSE Tumbleweed:kured-k8s-yaml-1.17.1-1.1.ppc64le",
"openSUSE Tumbleweed:kured-k8s-yaml-1.17.1-1.1.s390x",
"openSUSE Tumbleweed:kured-k8s-yaml-1.17.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-18T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-45338"
}
]
}
OPENSUSE-SU-2025:14909-1
Vulnerability from csaf_opensuse - Published: 2025-03-19 00:00 - Updated: 2025-03-19 00:00Summary
apptainer-1.3.6-5.1 on GA media
Severity
Moderate
Notes
Title of the patch: apptainer-1.3.6-5.1 on GA media
Description of the patch: These are all security issues fixed in the apptainer-1.3.6-5.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2025-14909
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
9.9 (Critical)
Affected products
Recommended
20 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
critical
8.1 (High)
Affected products
Recommended
20 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.9 (Medium)
Affected products
Recommended
20 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
20 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
4.4 (Medium)
Affected products
Recommended
20 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
20 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
24 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "apptainer-1.3.6-5.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the apptainer-1.3.6-5.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-14909",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_14909-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2025:14909-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BIPGSRATX6BG2ZXWE7566EGQCKXLC4RV/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2025:14909-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BIPGSRATX6BG2ZXWE7566EGQCKXLC4RV/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-41110 page",
"url": "https://www.suse.com/security/cve/CVE-2024-41110/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45337 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45337/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45338 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45338/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22869 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22869/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22870 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22870/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-27144 page",
"url": "https://www.suse.com/security/cve/CVE-2025-27144/"
}
],
"title": "apptainer-1.3.6-5.1 on GA media",
"tracking": {
"current_release_date": "2025-03-19T00:00:00Z",
"generator": {
"date": "2025-03-19T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:14909-1",
"initial_release_date": "2025-03-19T00:00:00Z",
"revision_history": [
{
"date": "2025-03-19T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "apptainer-1.3.6-5.1.aarch64",
"product": {
"name": "apptainer-1.3.6-5.1.aarch64",
"product_id": "apptainer-1.3.6-5.1.aarch64"
}
},
{
"category": "product_version",
"name": "apptainer-leap-1.3.6-5.1.aarch64",
"product": {
"name": "apptainer-leap-1.3.6-5.1.aarch64",
"product_id": "apptainer-leap-1.3.6-5.1.aarch64"
}
},
{
"category": "product_version",
"name": "apptainer-sle15_5-1.3.6-5.1.aarch64",
"product": {
"name": "apptainer-sle15_5-1.3.6-5.1.aarch64",
"product_id": "apptainer-sle15_5-1.3.6-5.1.aarch64"
}
},
{
"category": "product_version",
"name": "apptainer-sle15_6-1.3.6-5.1.aarch64",
"product": {
"name": "apptainer-sle15_6-1.3.6-5.1.aarch64",
"product_id": "apptainer-sle15_6-1.3.6-5.1.aarch64"
}
},
{
"category": "product_version",
"name": "apptainer-sle15_7-1.3.6-5.1.aarch64",
"product": {
"name": "apptainer-sle15_7-1.3.6-5.1.aarch64",
"product_id": "apptainer-sle15_7-1.3.6-5.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "apptainer-1.3.6-5.1.ppc64le",
"product": {
"name": "apptainer-1.3.6-5.1.ppc64le",
"product_id": "apptainer-1.3.6-5.1.ppc64le"
}
},
{
"category": "product_version",
"name": "apptainer-leap-1.3.6-5.1.ppc64le",
"product": {
"name": "apptainer-leap-1.3.6-5.1.ppc64le",
"product_id": "apptainer-leap-1.3.6-5.1.ppc64le"
}
},
{
"category": "product_version",
"name": "apptainer-sle15_5-1.3.6-5.1.ppc64le",
"product": {
"name": "apptainer-sle15_5-1.3.6-5.1.ppc64le",
"product_id": "apptainer-sle15_5-1.3.6-5.1.ppc64le"
}
},
{
"category": "product_version",
"name": "apptainer-sle15_6-1.3.6-5.1.ppc64le",
"product": {
"name": "apptainer-sle15_6-1.3.6-5.1.ppc64le",
"product_id": "apptainer-sle15_6-1.3.6-5.1.ppc64le"
}
},
{
"category": "product_version",
"name": "apptainer-sle15_7-1.3.6-5.1.ppc64le",
"product": {
"name": "apptainer-sle15_7-1.3.6-5.1.ppc64le",
"product_id": "apptainer-sle15_7-1.3.6-5.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "apptainer-1.3.6-5.1.s390x",
"product": {
"name": "apptainer-1.3.6-5.1.s390x",
"product_id": "apptainer-1.3.6-5.1.s390x"
}
},
{
"category": "product_version",
"name": "apptainer-leap-1.3.6-5.1.s390x",
"product": {
"name": "apptainer-leap-1.3.6-5.1.s390x",
"product_id": "apptainer-leap-1.3.6-5.1.s390x"
}
},
{
"category": "product_version",
"name": "apptainer-sle15_5-1.3.6-5.1.s390x",
"product": {
"name": "apptainer-sle15_5-1.3.6-5.1.s390x",
"product_id": "apptainer-sle15_5-1.3.6-5.1.s390x"
}
},
{
"category": "product_version",
"name": "apptainer-sle15_6-1.3.6-5.1.s390x",
"product": {
"name": "apptainer-sle15_6-1.3.6-5.1.s390x",
"product_id": "apptainer-sle15_6-1.3.6-5.1.s390x"
}
},
{
"category": "product_version",
"name": "apptainer-sle15_7-1.3.6-5.1.s390x",
"product": {
"name": "apptainer-sle15_7-1.3.6-5.1.s390x",
"product_id": "apptainer-sle15_7-1.3.6-5.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "apptainer-1.3.6-5.1.x86_64",
"product": {
"name": "apptainer-1.3.6-5.1.x86_64",
"product_id": "apptainer-1.3.6-5.1.x86_64"
}
},
{
"category": "product_version",
"name": "apptainer-leap-1.3.6-5.1.x86_64",
"product": {
"name": "apptainer-leap-1.3.6-5.1.x86_64",
"product_id": "apptainer-leap-1.3.6-5.1.x86_64"
}
},
{
"category": "product_version",
"name": "apptainer-sle15_5-1.3.6-5.1.x86_64",
"product": {
"name": "apptainer-sle15_5-1.3.6-5.1.x86_64",
"product_id": "apptainer-sle15_5-1.3.6-5.1.x86_64"
}
},
{
"category": "product_version",
"name": "apptainer-sle15_6-1.3.6-5.1.x86_64",
"product": {
"name": "apptainer-sle15_6-1.3.6-5.1.x86_64",
"product_id": "apptainer-sle15_6-1.3.6-5.1.x86_64"
}
},
{
"category": "product_version",
"name": "apptainer-sle15_7-1.3.6-5.1.x86_64",
"product": {
"name": "apptainer-sle15_7-1.3.6-5.1.x86_64",
"product_id": "apptainer-sle15_7-1.3.6-5.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-1.3.6-5.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-1.3.6-5.1.aarch64"
},
"product_reference": "apptainer-1.3.6-5.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-1.3.6-5.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-1.3.6-5.1.ppc64le"
},
"product_reference": "apptainer-1.3.6-5.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-1.3.6-5.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-1.3.6-5.1.s390x"
},
"product_reference": "apptainer-1.3.6-5.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-1.3.6-5.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-1.3.6-5.1.x86_64"
},
"product_reference": "apptainer-1.3.6-5.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-leap-1.3.6-5.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.aarch64"
},
"product_reference": "apptainer-leap-1.3.6-5.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-leap-1.3.6-5.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.ppc64le"
},
"product_reference": "apptainer-leap-1.3.6-5.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-leap-1.3.6-5.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.s390x"
},
"product_reference": "apptainer-leap-1.3.6-5.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-leap-1.3.6-5.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.x86_64"
},
"product_reference": "apptainer-leap-1.3.6-5.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-sle15_5-1.3.6-5.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.aarch64"
},
"product_reference": "apptainer-sle15_5-1.3.6-5.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-sle15_5-1.3.6-5.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.ppc64le"
},
"product_reference": "apptainer-sle15_5-1.3.6-5.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-sle15_5-1.3.6-5.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.s390x"
},
"product_reference": "apptainer-sle15_5-1.3.6-5.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-sle15_5-1.3.6-5.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.x86_64"
},
"product_reference": "apptainer-sle15_5-1.3.6-5.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-sle15_6-1.3.6-5.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.aarch64"
},
"product_reference": "apptainer-sle15_6-1.3.6-5.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-sle15_6-1.3.6-5.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.ppc64le"
},
"product_reference": "apptainer-sle15_6-1.3.6-5.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-sle15_6-1.3.6-5.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.s390x"
},
"product_reference": "apptainer-sle15_6-1.3.6-5.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-sle15_6-1.3.6-5.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.x86_64"
},
"product_reference": "apptainer-sle15_6-1.3.6-5.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-sle15_7-1.3.6-5.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.aarch64"
},
"product_reference": "apptainer-sle15_7-1.3.6-5.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-sle15_7-1.3.6-5.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.ppc64le"
},
"product_reference": "apptainer-sle15_7-1.3.6-5.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-sle15_7-1.3.6-5.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.s390x"
},
"product_reference": "apptainer-sle15_7-1.3.6-5.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apptainer-sle15_7-1.3.6-5.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.x86_64"
},
"product_reference": "apptainer-sle15_7-1.3.6-5.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-41110",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-41110"
}
],
"notes": [
{
"category": "general",
"text": "Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low.\n\nUsing a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.\n\nA security issue was discovered In 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted.\n\nDocker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable.\n\ndocker-ce v27.1.1 containes patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-41110",
"url": "https://www.suse.com/security/cve/CVE-2024-41110"
},
{
"category": "external",
"summary": "SUSE Bug 1228324 for CVE-2024-41110",
"url": "https://bugzilla.suse.com/1228324"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-19T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2024-41110"
},
{
"cve": "CVE-2024-45337",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45337"
}
],
"notes": [
{
"category": "general",
"text": "Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45337",
"url": "https://www.suse.com/security/cve/CVE-2024-45337"
},
{
"category": "external",
"summary": "SUSE Bug 1234482 for CVE-2024-45337",
"url": "https://bugzilla.suse.com/1234482"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-19T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-45337"
},
{
"cve": "CVE-2024-45338",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45338"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45338",
"url": "https://www.suse.com/security/cve/CVE-2024-45338"
},
{
"category": "external",
"summary": "SUSE Bug 1234794 for CVE-2024-45338",
"url": "https://bugzilla.suse.com/1234794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-19T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-45338"
},
{
"cve": "CVE-2025-22869",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22869"
}
],
"notes": [
{
"category": "general",
"text": "SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22869",
"url": "https://www.suse.com/security/cve/CVE-2025-22869"
},
{
"category": "external",
"summary": "SUSE Bug 1239322 for CVE-2025-22869",
"url": "https://bugzilla.suse.com/1239322"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-19T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-22869"
},
{
"cve": "CVE-2025-22870",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22870"
}
],
"notes": [
{
"category": "general",
"text": "Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to \"*.example.com\", a request to \"[::1%25.example.com]:80` will incorrectly match and not be proxied.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22870",
"url": "https://www.suse.com/security/cve/CVE-2025-22870"
},
{
"category": "external",
"summary": "SUSE Bug 1238572 for CVE-2025-22870",
"url": "https://bugzilla.suse.com/1238572"
},
{
"category": "external",
"summary": "SUSE Bug 1238611 for CVE-2025-22870",
"url": "https://bugzilla.suse.com/1238611"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-19T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-22870"
},
{
"cve": "CVE-2025-27144",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-27144"
}
],
"notes": [
{
"category": "general",
"text": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, \".\") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-27144",
"url": "https://www.suse.com/security/cve/CVE-2025-27144"
},
{
"category": "external",
"summary": "SUSE Bug 1237608 for CVE-2025-27144",
"url": "https://bugzilla.suse.com/1237608"
},
{
"category": "external",
"summary": "SUSE Bug 1237609 for CVE-2025-27144",
"url": "https://bugzilla.suse.com/1237609"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-leap-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_5-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_6-1.3.6-5.1.x86_64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:apptainer-sle15_7-1.3.6-5.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-19T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-27144"
}
]
}
OPENSUSE-SU-2025:15304-1
Vulnerability from csaf_opensuse - Published: 2025-07-03 00:00 - Updated: 2025-07-03 00:00Summary
traefik-3.4.3-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: traefik-3.4.3-1.1 on GA media
Description of the patch: These are all security issues fixed in the traefik-3.4.3-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2025-15304
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.9 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
6.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
References
24 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "traefik-3.4.3-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the traefik-3.4.3-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-15304",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15304-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-4533 page",
"url": "https://www.suse.com/security/cve/CVE-2024-4533/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45338 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45338/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22868 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22868/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22869 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22869/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22872 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22872/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-27144 page",
"url": "https://www.suse.com/security/cve/CVE-2025-27144/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47952 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47952/"
}
],
"title": "traefik-3.4.3-1.1 on GA media",
"tracking": {
"current_release_date": "2025-07-03T00:00:00Z",
"generator": {
"date": "2025-07-03T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:15304-1",
"initial_release_date": "2025-07-03T00:00:00Z",
"revision_history": [
{
"date": "2025-07-03T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "traefik-3.4.3-1.1.aarch64",
"product": {
"name": "traefik-3.4.3-1.1.aarch64",
"product_id": "traefik-3.4.3-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "traefik-3.4.3-1.1.ppc64le",
"product": {
"name": "traefik-3.4.3-1.1.ppc64le",
"product_id": "traefik-3.4.3-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "traefik-3.4.3-1.1.s390x",
"product": {
"name": "traefik-3.4.3-1.1.s390x",
"product_id": "traefik-3.4.3-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "traefik-3.4.3-1.1.x86_64",
"product": {
"name": "traefik-3.4.3-1.1.x86_64",
"product_id": "traefik-3.4.3-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "traefik-3.4.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64"
},
"product_reference": "traefik-3.4.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "traefik-3.4.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le"
},
"product_reference": "traefik-3.4.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "traefik-3.4.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x"
},
"product_reference": "traefik-3.4.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "traefik-3.4.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
},
"product_reference": "traefik-3.4.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-4533",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-4533"
}
],
"notes": [
{
"category": "general",
"text": "The KKProgressbar2 Free WordPress plugin through 1.1.4.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admin users to perform SQL injection attacks",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-4533",
"url": "https://www.suse.com/security/cve/CVE-2024-4533"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-07-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-4533"
},
{
"cve": "CVE-2024-45338",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45338"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45338",
"url": "https://www.suse.com/security/cve/CVE-2024-45338"
},
{
"category": "external",
"summary": "SUSE Bug 1234794 for CVE-2024-45338",
"url": "https://bugzilla.suse.com/1234794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-07-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-45338"
},
{
"cve": "CVE-2025-22868",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22868"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22868",
"url": "https://www.suse.com/security/cve/CVE-2025-22868"
},
{
"category": "external",
"summary": "SUSE Bug 1239185 for CVE-2025-22868",
"url": "https://bugzilla.suse.com/1239185"
},
{
"category": "external",
"summary": "SUSE Bug 1239186 for CVE-2025-22868",
"url": "https://bugzilla.suse.com/1239186"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-07-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-22868"
},
{
"cve": "CVE-2025-22869",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22869"
}
],
"notes": [
{
"category": "general",
"text": "SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22869",
"url": "https://www.suse.com/security/cve/CVE-2025-22869"
},
{
"category": "external",
"summary": "SUSE Bug 1239322 for CVE-2025-22869",
"url": "https://bugzilla.suse.com/1239322"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-07-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-22869"
},
{
"cve": "CVE-2025-22872",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22872"
}
],
"notes": [
{
"category": "general",
"text": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22872",
"url": "https://www.suse.com/security/cve/CVE-2025-22872"
},
{
"category": "external",
"summary": "SUSE Bug 1241710 for CVE-2025-22872",
"url": "https://bugzilla.suse.com/1241710"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-07-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-22872"
},
{
"cve": "CVE-2025-27144",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-27144"
}
],
"notes": [
{
"category": "general",
"text": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, \".\") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-27144",
"url": "https://www.suse.com/security/cve/CVE-2025-27144"
},
{
"category": "external",
"summary": "SUSE Bug 1237608 for CVE-2025-27144",
"url": "https://bugzilla.suse.com/1237608"
},
{
"category": "external",
"summary": "SUSE Bug 1237609 for CVE-2025-27144",
"url": "https://bugzilla.suse.com/1237609"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-07-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-27144"
},
{
"cve": "CVE-2025-47952",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47952"
}
],
"notes": [
{
"category": "general",
"text": "Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Prior to versions 2.11.25 and 3.4.1, there is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it\u0027s possible to target a backend, exposed using another router, by-passing the middlewares chain. This issue has been patched in versions 2.11.25 and 3.4.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47952",
"url": "https://www.suse.com/security/cve/CVE-2025-47952"
},
{
"category": "external",
"summary": "SUSE Bug 1243818 for CVE-2025-47952",
"url": "https://bugzilla.suse.com/1243818"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
"openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-07-03T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2025-47952"
}
]
}
OPENSUSE-SU-2025:15305-1
Vulnerability from csaf_opensuse - Published: 2025-07-03 00:00 - Updated: 2025-07-03 00:00Summary
traefik2-2.11.26-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: traefik2-2.11.26-1.1 on GA media
Description of the patch: These are all security issues fixed in the traefik2-2.11.26-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2025-15305
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
4.3 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.9 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
6.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
6.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
References
30 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "traefik2-2.11.26-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the traefik2-2.11.26-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-15305",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15305-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-28180 page",
"url": "https://www.suse.com/security/cve/CVE-2024-28180/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45338 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45338/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22868 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22868/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22869 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22869/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22871 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22871/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22872 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22872/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-27144 page",
"url": "https://www.suse.com/security/cve/CVE-2025-27144/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-32431 page",
"url": "https://www.suse.com/security/cve/CVE-2025-32431/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47952 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47952/"
}
],
"title": "traefik2-2.11.26-1.1 on GA media",
"tracking": {
"current_release_date": "2025-07-03T00:00:00Z",
"generator": {
"date": "2025-07-03T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:15305-1",
"initial_release_date": "2025-07-03T00:00:00Z",
"revision_history": [
{
"date": "2025-07-03T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "traefik2-2.11.26-1.1.aarch64",
"product": {
"name": "traefik2-2.11.26-1.1.aarch64",
"product_id": "traefik2-2.11.26-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "traefik2-2.11.26-1.1.ppc64le",
"product": {
"name": "traefik2-2.11.26-1.1.ppc64le",
"product_id": "traefik2-2.11.26-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "traefik2-2.11.26-1.1.s390x",
"product": {
"name": "traefik2-2.11.26-1.1.s390x",
"product_id": "traefik2-2.11.26-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "traefik2-2.11.26-1.1.x86_64",
"product": {
"name": "traefik2-2.11.26-1.1.x86_64",
"product_id": "traefik2-2.11.26-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "traefik2-2.11.26-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64"
},
"product_reference": "traefik2-2.11.26-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "traefik2-2.11.26-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le"
},
"product_reference": "traefik2-2.11.26-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "traefik2-2.11.26-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x"
},
"product_reference": "traefik2-2.11.26-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "traefik2-2.11.26-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
},
"product_reference": "traefik2-2.11.26-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-28180",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-28180"
}
],
"notes": [
{
"category": "general",
"text": "Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.\n",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-28180",
"url": "https://www.suse.com/security/cve/CVE-2024-28180"
},
{
"category": "external",
"summary": "SUSE Bug 1234984 for CVE-2024-28180",
"url": "https://bugzilla.suse.com/1234984"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-07-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-28180"
},
{
"cve": "CVE-2024-45338",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45338"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45338",
"url": "https://www.suse.com/security/cve/CVE-2024-45338"
},
{
"category": "external",
"summary": "SUSE Bug 1234794 for CVE-2024-45338",
"url": "https://bugzilla.suse.com/1234794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-07-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-45338"
},
{
"cve": "CVE-2025-22868",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22868"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22868",
"url": "https://www.suse.com/security/cve/CVE-2025-22868"
},
{
"category": "external",
"summary": "SUSE Bug 1239185 for CVE-2025-22868",
"url": "https://bugzilla.suse.com/1239185"
},
{
"category": "external",
"summary": "SUSE Bug 1239186 for CVE-2025-22868",
"url": "https://bugzilla.suse.com/1239186"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-07-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-22868"
},
{
"cve": "CVE-2025-22869",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22869"
}
],
"notes": [
{
"category": "general",
"text": "SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22869",
"url": "https://www.suse.com/security/cve/CVE-2025-22869"
},
{
"category": "external",
"summary": "SUSE Bug 1239322 for CVE-2025-22869",
"url": "https://bugzilla.suse.com/1239322"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-07-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-22869"
},
{
"cve": "CVE-2025-22871",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22871"
}
],
"notes": [
{
"category": "general",
"text": "The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22871",
"url": "https://www.suse.com/security/cve/CVE-2025-22871"
},
{
"category": "external",
"summary": "SUSE Bug 1240550 for CVE-2025-22871",
"url": "https://bugzilla.suse.com/1240550"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-07-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-22871"
},
{
"cve": "CVE-2025-22872",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22872"
}
],
"notes": [
{
"category": "general",
"text": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22872",
"url": "https://www.suse.com/security/cve/CVE-2025-22872"
},
{
"category": "external",
"summary": "SUSE Bug 1241710 for CVE-2025-22872",
"url": "https://bugzilla.suse.com/1241710"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-07-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-22872"
},
{
"cve": "CVE-2025-27144",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-27144"
}
],
"notes": [
{
"category": "general",
"text": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, \".\") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-27144",
"url": "https://www.suse.com/security/cve/CVE-2025-27144"
},
{
"category": "external",
"summary": "SUSE Bug 1237608 for CVE-2025-27144",
"url": "https://bugzilla.suse.com/1237608"
},
{
"category": "external",
"summary": "SUSE Bug 1237609 for CVE-2025-27144",
"url": "https://bugzilla.suse.com/1237609"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-07-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-27144"
},
{
"cve": "CVE-2025-32431",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-32431"
}
],
"notes": [
{
"category": "general",
"text": "Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. In versions prior to 2.11.24, 3.3.6, and 3.4.0-rc2. There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a /../ in its path, it\u0027s possible to target a backend, exposed using another router, by-passing the middlewares chain. This issue has been patched in versions 2.11.24, 3.3.6, and 3.4.0-rc2. A workaround involves adding a `PathRegexp` rule to the matcher to prevent matching a route with a `/../` in the path.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-32431",
"url": "https://www.suse.com/security/cve/CVE-2025-32431"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-07-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-32431"
},
{
"cve": "CVE-2025-47952",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47952"
}
],
"notes": [
{
"category": "general",
"text": "Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Prior to versions 2.11.25 and 3.4.1, there is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it\u0027s possible to target a backend, exposed using another router, by-passing the middlewares chain. This issue has been patched in versions 2.11.25 and 3.4.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47952",
"url": "https://www.suse.com/security/cve/CVE-2025-47952"
},
{
"category": "external",
"summary": "SUSE Bug 1243818 for CVE-2025-47952",
"url": "https://bugzilla.suse.com/1243818"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
"openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-07-03T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2025-47952"
}
]
}
OPENSUSE-SU-2025:15779-1
Vulnerability from csaf_opensuse - Published: 2025-11-28 00:00 - Updated: 2025-11-28 00:00Summary
helm3-3.19.2-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: helm3-3.19.2-1.1 on GA media
Description of the patch: These are all security issues fixed in the helm3-3.19.2-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2025-15779
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
6.8 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.9 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.7 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
9.1 (Critical)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
critical
5.3 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
7.5 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
4.3 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
6.4 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.9 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
8.1 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.9 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
4.4 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
6.5 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
8.5 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.3 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
70 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "helm3-3.19.2-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the helm3-3.19.2-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-15779",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15779-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16873 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16873/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16874 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16874/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16875 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16875/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-21272 page",
"url": "https://www.suse.com/security/cve/CVE-2021-21272/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-1996 page",
"url": "https://www.suse.com/security/cve/CVE-2022-1996/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-23524 page",
"url": "https://www.suse.com/security/cve/CVE-2022-23524/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-23525 page",
"url": "https://www.suse.com/security/cve/CVE-2022-23525/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-23526 page",
"url": "https://www.suse.com/security/cve/CVE-2022-23526/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-36055 page",
"url": "https://www.suse.com/security/cve/CVE-2022-36055/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-25165 page",
"url": "https://www.suse.com/security/cve/CVE-2023-25165/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-25173 page",
"url": "https://www.suse.com/security/cve/CVE-2023-25173/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-25620 page",
"url": "https://www.suse.com/security/cve/CVE-2024-25620/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-26147 page",
"url": "https://www.suse.com/security/cve/CVE-2024-26147/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45337 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45337/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45338 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45338/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22870 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22870/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22872 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22872/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47911 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47911/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-53547 page",
"url": "https://www.suse.com/security/cve/CVE-2025-53547/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58190 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58190/"
}
],
"title": "helm3-3.19.2-1.1 on GA media",
"tracking": {
"current_release_date": "2025-11-28T00:00:00Z",
"generator": {
"date": "2025-11-28T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:15779-1",
"initial_release_date": "2025-11-28T00:00:00Z",
"revision_history": [
{
"date": "2025-11-28T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "helm3-3.19.2-1.1.aarch64",
"product": {
"name": "helm3-3.19.2-1.1.aarch64",
"product_id": "helm3-3.19.2-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "helm3-bash-completion-3.19.2-1.1.aarch64",
"product": {
"name": "helm3-bash-completion-3.19.2-1.1.aarch64",
"product_id": "helm3-bash-completion-3.19.2-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "helm3-fish-completion-3.19.2-1.1.aarch64",
"product": {
"name": "helm3-fish-completion-3.19.2-1.1.aarch64",
"product_id": "helm3-fish-completion-3.19.2-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "helm3-zsh-completion-3.19.2-1.1.aarch64",
"product": {
"name": "helm3-zsh-completion-3.19.2-1.1.aarch64",
"product_id": "helm3-zsh-completion-3.19.2-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "helm3-3.19.2-1.1.ppc64le",
"product": {
"name": "helm3-3.19.2-1.1.ppc64le",
"product_id": "helm3-3.19.2-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "helm3-bash-completion-3.19.2-1.1.ppc64le",
"product": {
"name": "helm3-bash-completion-3.19.2-1.1.ppc64le",
"product_id": "helm3-bash-completion-3.19.2-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "helm3-fish-completion-3.19.2-1.1.ppc64le",
"product": {
"name": "helm3-fish-completion-3.19.2-1.1.ppc64le",
"product_id": "helm3-fish-completion-3.19.2-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "helm3-zsh-completion-3.19.2-1.1.ppc64le",
"product": {
"name": "helm3-zsh-completion-3.19.2-1.1.ppc64le",
"product_id": "helm3-zsh-completion-3.19.2-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "helm3-3.19.2-1.1.s390x",
"product": {
"name": "helm3-3.19.2-1.1.s390x",
"product_id": "helm3-3.19.2-1.1.s390x"
}
},
{
"category": "product_version",
"name": "helm3-bash-completion-3.19.2-1.1.s390x",
"product": {
"name": "helm3-bash-completion-3.19.2-1.1.s390x",
"product_id": "helm3-bash-completion-3.19.2-1.1.s390x"
}
},
{
"category": "product_version",
"name": "helm3-fish-completion-3.19.2-1.1.s390x",
"product": {
"name": "helm3-fish-completion-3.19.2-1.1.s390x",
"product_id": "helm3-fish-completion-3.19.2-1.1.s390x"
}
},
{
"category": "product_version",
"name": "helm3-zsh-completion-3.19.2-1.1.s390x",
"product": {
"name": "helm3-zsh-completion-3.19.2-1.1.s390x",
"product_id": "helm3-zsh-completion-3.19.2-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "helm3-3.19.2-1.1.x86_64",
"product": {
"name": "helm3-3.19.2-1.1.x86_64",
"product_id": "helm3-3.19.2-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "helm3-bash-completion-3.19.2-1.1.x86_64",
"product": {
"name": "helm3-bash-completion-3.19.2-1.1.x86_64",
"product_id": "helm3-bash-completion-3.19.2-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "helm3-fish-completion-3.19.2-1.1.x86_64",
"product": {
"name": "helm3-fish-completion-3.19.2-1.1.x86_64",
"product_id": "helm3-fish-completion-3.19.2-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "helm3-zsh-completion-3.19.2-1.1.x86_64",
"product": {
"name": "helm3-zsh-completion-3.19.2-1.1.x86_64",
"product_id": "helm3-zsh-completion-3.19.2-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "helm3-3.19.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64"
},
"product_reference": "helm3-3.19.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm3-3.19.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le"
},
"product_reference": "helm3-3.19.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm3-3.19.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x"
},
"product_reference": "helm3-3.19.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm3-3.19.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64"
},
"product_reference": "helm3-3.19.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm3-bash-completion-3.19.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64"
},
"product_reference": "helm3-bash-completion-3.19.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm3-bash-completion-3.19.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le"
},
"product_reference": "helm3-bash-completion-3.19.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm3-bash-completion-3.19.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x"
},
"product_reference": "helm3-bash-completion-3.19.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm3-bash-completion-3.19.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64"
},
"product_reference": "helm3-bash-completion-3.19.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm3-fish-completion-3.19.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64"
},
"product_reference": "helm3-fish-completion-3.19.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm3-fish-completion-3.19.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le"
},
"product_reference": "helm3-fish-completion-3.19.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm3-fish-completion-3.19.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x"
},
"product_reference": "helm3-fish-completion-3.19.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm3-fish-completion-3.19.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64"
},
"product_reference": "helm3-fish-completion-3.19.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm3-zsh-completion-3.19.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64"
},
"product_reference": "helm3-zsh-completion-3.19.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm3-zsh-completion-3.19.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le"
},
"product_reference": "helm3-zsh-completion-3.19.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm3-zsh-completion-3.19.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x"
},
"product_reference": "helm3-zsh-completion-3.19.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm3-zsh-completion-3.19.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
},
"product_reference": "helm3-zsh-completion-3.19.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-16873",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16873"
}
],
"notes": [
{
"category": "general",
"text": "In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it\u0027s possible to arrange things so that a Git repository is cloned to a folder named \".git\" by using a vanity import path that ends with \"/.git\". If the Git repository root contains a \"HEAD\" file, a \"config\" file, an \"objects\" directory, a \"refs\" directory, with some work to ensure the proper ordering of operations, \"go get -u\" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the \"config\" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running \"go get -u\".",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16873",
"url": "https://www.suse.com/security/cve/CVE-2018-16873"
},
{
"category": "external",
"summary": "SUSE Bug 1118897 for CVE-2018-16873",
"url": "https://bugzilla.suse.com/1118897"
},
{
"category": "external",
"summary": "SUSE Bug 1118898 for CVE-2018-16873",
"url": "https://bugzilla.suse.com/1118898"
},
{
"category": "external",
"summary": "SUSE Bug 1118899 for CVE-2018-16873",
"url": "https://bugzilla.suse.com/1118899"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-28T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2018-16873"
},
{
"cve": "CVE-2018-16874",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16874"
}
],
"notes": [
{
"category": "general",
"text": "In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both \u0027{\u0027 and \u0027}\u0027 characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16874",
"url": "https://www.suse.com/security/cve/CVE-2018-16874"
},
{
"category": "external",
"summary": "SUSE Bug 1118897 for CVE-2018-16874",
"url": "https://bugzilla.suse.com/1118897"
},
{
"category": "external",
"summary": "SUSE Bug 1118898 for CVE-2018-16874",
"url": "https://bugzilla.suse.com/1118898"
},
{
"category": "external",
"summary": "SUSE Bug 1118899 for CVE-2018-16874",
"url": "https://bugzilla.suse.com/1118899"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2018-16874"
},
{
"cve": "CVE-2018-16875",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16875"
}
],
"notes": [
{
"category": "general",
"text": "The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16875",
"url": "https://www.suse.com/security/cve/CVE-2018-16875"
},
{
"category": "external",
"summary": "SUSE Bug 1118897 for CVE-2018-16875",
"url": "https://bugzilla.suse.com/1118897"
},
{
"category": "external",
"summary": "SUSE Bug 1118898 for CVE-2018-16875",
"url": "https://bugzilla.suse.com/1118898"
},
{
"category": "external",
"summary": "SUSE Bug 1118899 for CVE-2018-16875",
"url": "https://bugzilla.suse.com/1118899"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2018-16875"
},
{
"cve": "CVE-2021-21272",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-21272"
}
],
"notes": [
{
"category": "general",
"text": "ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a \"zip-slip\" vulnerability. The directory support feature allows the downloaded gzipped tarballs to be automatically extracted to the user-specified directory where the tarball can have symbolic links and hard links. A well-crafted tarball or tarballs allow malicious artifact providers linking, writing, or overwriting specific files on the host filesystem outside of the user-specified directory unexpectedly with the same permissions as the user who runs `oras pull`. Users of the affected versions are impacted if they are `oras` CLI users who runs `oras pull`, or if they are Go programs, which invoke `github.com/deislabs/oras/pkg/content.FileStore`. The problem has been fixed in version 0.9.0. For `oras` CLI users, there is no workarounds other than pulling from a trusted artifact provider. For `oras` package users, the workaround is to not use `github.com/deislabs/oras/pkg/content.FileStore`, and use other content stores instead, or pull from a trusted artifact provider.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-21272",
"url": "https://www.suse.com/security/cve/CVE-2021-21272"
},
{
"category": "external",
"summary": "SUSE Bug 1181419 for CVE-2021-21272",
"url": "https://bugzilla.suse.com/1181419"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-28T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2021-21272"
},
{
"cve": "CVE-2022-1996",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-1996"
}
],
"notes": [
{
"category": "general",
"text": "Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-1996",
"url": "https://www.suse.com/security/cve/CVE-2022-1996"
},
{
"category": "external",
"summary": "SUSE Bug 1200528 for CVE-2022-1996",
"url": "https://bugzilla.suse.com/1200528"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-28T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-1996"
},
{
"cve": "CVE-2022-23524",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-23524"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to Uncontrolled Resource Consumption, resulting in Denial of Service. Input to functions in the _strvals_ package can cause a stack overflow. In Go, a stack overflow cannot be recovered from. Applications that use functions from the _strvals_ package in the Helm SDK can have a Denial of Service attack when they use this package and it panics. This issue has been patched in 3.10.3. SDK users can validate strings supplied by users won\u0027t create large arrays causing significant memory usage before passing them to the _strvals_ functions.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-23524",
"url": "https://www.suse.com/security/cve/CVE-2022-23524"
},
{
"category": "external",
"summary": "SUSE Bug 1206467 for CVE-2022-23524",
"url": "https://bugzilla.suse.com/1206467"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-23524"
},
{
"cve": "CVE-2022-23525",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-23525"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the _repo_package. The _repo_ package contains a handler that processes the index file of a repository. For example, the Helm client adds references to chart repositories where charts are managed. The _repo_ package parses the index file of the repository and loads it into structures Go can work with. Some index files can cause array data structures to be created causing a memory violation. Applications that use the _repo_ package in the Helm SDK to parse an index file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with an index file that causes a memory violation panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate index files that are correctly formatted before passing them to the _repo_ functions.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-23525",
"url": "https://www.suse.com/security/cve/CVE-2022-23525"
},
{
"category": "external",
"summary": "SUSE Bug 1206469 for CVE-2022-23525",
"url": "https://bugzilla.suse.com/1206469"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-28T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2022-23525"
},
{
"cve": "CVE-2022-23526",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-23526"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the_chartutil_ package that can cause a segmentation violation. The _chartutil_ package contains a parser that loads a JSON Schema validation file. For example, the Helm client when rendering a chart will validate its values with the schema file. The _chartutil_ package parses the schema file and loads it into structures Go can work with. Some schema files can cause array data structures to be created causing a memory violation. Applications that use the _chartutil_ package in the Helm SDK to parse a schema file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate schema files that are correctly formatted before passing them to the _chartutil_ functions.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-23526",
"url": "https://www.suse.com/security/cve/CVE-2022-23526"
},
{
"category": "external",
"summary": "SUSE Bug 1206471 for CVE-2022-23526",
"url": "https://bugzilla.suse.com/1206471"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-28T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2022-23526"
},
{
"cve": "CVE-2022-36055",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-36055"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. The _strvals_ package contains a parser that turns strings in to Go structures. The _strvals_ package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing an out of memory panic. Applications that use the _strvals_ package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with input to `--set`, `--set-string`, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been resolved in 3.9.4. SDK users can validate strings supplied by users won\u0027t create large arrays causing significant memory usage before passing them to the _strvals_ functions.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-36055",
"url": "https://www.suse.com/security/cve/CVE-2022-36055"
},
{
"category": "external",
"summary": "SUSE Bug 1203054 for CVE-2022-36055",
"url": "https://bugzilla.suse.com/1203054"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-28T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-36055"
},
{
"cve": "CVE-2023-25165",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-25165"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with `helm install|upgrade|template` or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject `getHostByName` into a chart in order to disclose values to a malicious DNS server. The issue has been fixed in Helm 3.11.1. Prior to using a chart with Helm verify the `getHostByName` function is not being used in a template to disclose any information you do not want passed to DNS servers.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-25165",
"url": "https://www.suse.com/security/cve/CVE-2023-25165"
},
{
"category": "external",
"summary": "SUSE Bug 1208083 for CVE-2023-25165",
"url": "https://bugzilla.suse.com/1208083"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2023-25165"
},
{
"cve": "CVE-2023-25173",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-25173"
}
],
"notes": [
{
"category": "general",
"text": "containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well.\n\nThis bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd\u0027s client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `\"USER $USERNAME\"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT [\"su\", \"-\", \"user\"]` to allow `su` to properly set up supplementary groups.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-25173",
"url": "https://www.suse.com/security/cve/CVE-2023-25173"
},
{
"category": "external",
"summary": "SUSE Bug 1208426 for CVE-2023-25173",
"url": "https://bugzilla.suse.com/1208426"
},
{
"category": "external",
"summary": "SUSE Bug 1215588 for CVE-2023-25173",
"url": "https://bugzilla.suse.com/1215588"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2023-25173"
},
{
"cve": "CVE-2024-25620",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-25620"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. When either the Helm client or SDK is used to save a chart whose name within the `Chart.yaml` file includes a relative path change, the chart would be saved outside its expected directory based on the changes in the relative path. The validation and linting did not detect the path changes in the name. This issue has been resolved in Helm v3.14.1. Users unable to upgrade should check all charts used by Helm for path changes in their name as found in the `Chart.yaml` file. This includes dependencies.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-25620",
"url": "https://www.suse.com/security/cve/CVE-2024-25620"
},
{
"category": "external",
"summary": "SUSE Bug 1219969 for CVE-2024-25620",
"url": "https://bugzilla.suse.com/1219969"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-25620"
},
{
"cve": "CVE-2024-26147",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-26147"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a package manager for Charts for Kubernetes. Versions prior to 3.14.2 contain an uninitialized variable vulnerability when Helm parses index and plugin yaml files missing expected content. When either an `index.yaml` file or a plugins `plugin.yaml` file were missing all metadata a panic would occur in Helm. In the Helm SDK, this is found when using the `LoadIndexFile` or `DownloadIndexFile` functions in the `repo` package or the `LoadDir` function in the `plugin` package. For the Helm client this impacts functions around adding a repository and all Helm functions if a malicious plugin is added as Helm inspects all known plugins on each invocation. This issue has been resolved in Helm v3.14.2. If a malicious plugin has been added which is causing all Helm client commands to panic, the malicious plugin can be manually removed from the filesystem. If using Helm SDK versions prior to 3.14.2, calls to affected functions can use `recover` to catch the panic.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-26147",
"url": "https://www.suse.com/security/cve/CVE-2024-26147"
},
{
"category": "external",
"summary": "SUSE Bug 1220207 for CVE-2024-26147",
"url": "https://bugzilla.suse.com/1220207"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-26147"
},
{
"cve": "CVE-2024-45337",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45337"
}
],
"notes": [
{
"category": "general",
"text": "Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45337",
"url": "https://www.suse.com/security/cve/CVE-2024-45337"
},
{
"category": "external",
"summary": "SUSE Bug 1234482 for CVE-2024-45337",
"url": "https://bugzilla.suse.com/1234482"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-28T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-45337"
},
{
"cve": "CVE-2024-45338",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45338"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45338",
"url": "https://www.suse.com/security/cve/CVE-2024-45338"
},
{
"category": "external",
"summary": "SUSE Bug 1234794 for CVE-2024-45338",
"url": "https://bugzilla.suse.com/1234794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-45338"
},
{
"cve": "CVE-2025-22870",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22870"
}
],
"notes": [
{
"category": "general",
"text": "Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to \"*.example.com\", a request to \"[::1%25.example.com]:80` will incorrectly match and not be proxied.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22870",
"url": "https://www.suse.com/security/cve/CVE-2025-22870"
},
{
"category": "external",
"summary": "SUSE Bug 1238572 for CVE-2025-22870",
"url": "https://bugzilla.suse.com/1238572"
},
{
"category": "external",
"summary": "SUSE Bug 1238611 for CVE-2025-22870",
"url": "https://bugzilla.suse.com/1238611"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-22870"
},
{
"cve": "CVE-2025-22872",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22872"
}
],
"notes": [
{
"category": "general",
"text": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22872",
"url": "https://www.suse.com/security/cve/CVE-2025-22872"
},
{
"category": "external",
"summary": "SUSE Bug 1241710 for CVE-2025-22872",
"url": "https://bugzilla.suse.com/1241710"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-22872"
},
{
"cve": "CVE-2025-47911",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47911"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47911",
"url": "https://www.suse.com/security/cve/CVE-2025-47911"
},
{
"category": "external",
"summary": "SUSE Bug 1251308 for CVE-2025-47911",
"url": "https://bugzilla.suse.com/1251308"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-47911"
},
{
"cve": "CVE-2025-53547",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-53547"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file, that are carried over to a Chart.lock file when dependencies are updated and this file is written, can be crafted in a way that can cause execution if that same content were in a file that is executed (e.g., a bash.rc file or shell script). If the Chart.lock file is symlinked to one of these files updating dependencies will write the lock file content to the symlinked file. This can lead to unwanted execution. Helm warns of the symlinked file but did not stop execution due to symlinking. This issue has been resolved in Helm v3.18.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-53547",
"url": "https://www.suse.com/security/cve/CVE-2025-53547"
},
{
"category": "external",
"summary": "SUSE Bug 1246150 for CVE-2025-53547",
"url": "https://bugzilla.suse.com/1246150"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-28T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-53547"
},
{
"cve": "CVE-2025-58190",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58190"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58190",
"url": "https://www.suse.com/security/cve/CVE-2025-58190"
},
{
"category": "external",
"summary": "SUSE Bug 1251309 for CVE-2025-58190",
"url": "https://bugzilla.suse.com/1251309"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
"openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-58190"
}
]
}
OPENSUSE-SU-2025:20097-1
Vulnerability from csaf_opensuse - Published: 2025-12-30 17:00 - Updated: 2025-12-30 17:00Summary
Security update for helmfile
Severity
Important
Notes
Title of the patch: Security update for helmfile
Description of the patch: This update for helmfile fixes the following issues:
Changes in helmfile:
Update to version 1.1.9:
* feat: update strategy for reinstall by @simbou2000 in #2019
* build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3
from 1.88.7 to 1.89.0 by @dependabot[bot] in #2239
* Fix: Handle empty helmBinary in base files with environment
values by @Copilot in #2237
Update to version 1.1.8:
* build(deps): bump github.com/hashicorp/go-getter from 1.8.0 to
1.8.1 by @dependabot[bot] in #2194
* fix typos in both comment and error message by @d-fal in #2199
* cleanup disk in release ci by @yxxhero in #2203
* Migrate AWS SDK from v1 to v2 to resolve deprecation warnings
by @Copilot in #2202
* build(deps): bump github.com/helmfile/vals from 0.42.1 to 0.42.2
by @dependabot[bot] in #2200
* build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from
1.88.2 to 1.88.3 by @dependabot[bot] in #2206
* Bump Alpine to 3.22 in Dockerfile by @orishamir in #2205
* build(deps): bump github.com/aws/aws-sdk-go-v2/config from
1.31.10 to 1.31.12 by @dependabot[bot] in #2207
* Add yq to Dockerfile by @orishamir in #2208
* fix: skip chartify for build command jsonPatches by @sstarcher
in #2212
* build(deps): bump github.com/hashicorp/go-getter from 1.8.1 to
1.8.2 by @dependabot[bot] in #2210
* build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from
1.88.3 to 1.88.4 by @dependabot[bot] in #2213
* build(deps): bump golang.org/x/term from 0.35.0 to 0.36.0 by
@dependabot[bot] in #2214
* Avoid fetching same chart/version multiple times by @Copilot
in #2197
* build(deps): bump github.com/helmfile/vals from 0.42.2 to
0.42.4 by @dependabot[bot] in #2217
* docs: add zread badge to README by @yxxhero in #2219
* Bump helm-diff to v3.13.1 by @Copilot in #2223
* build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from
1.88.4 to 1.88.5 by @dependabot[bot] in #2226
* build(deps): bump github.com/aws/aws-sdk-go-v2/config from
1.31.12 to 1.31.13 by @dependabot[bot] in #2225
* build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from
1.88.5 to 1.88.6 by @dependabot[bot] in #2230
* build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from
1.88.6 to 1.88.7 by @dependabot[bot] in #2232
* build(deps): bump github.com/aws/aws-sdk-go-v2/config from
1.31.13 to 1.31.15 by @dependabot[bot] in #2233
* Fix helmBinary and kustomizeBinary being ignored when using
bases by @Copilot in #2228
Update to version 1.1.7:
What's Changed
* fix pflag error by @zhaque44 in #2164
* build(deps): bump actions/setup-go from 5 to 6 by
@dependabot[bot] in #2166
* build(deps): bump github.com/hashicorp/go-getter from 1.7.9 to
1.7.10 by @dependabot[bot] in #2165
* build(deps): bump github.com/spf13/pflag from 1.0.9 to 1.0.10
by @dependabot[bot] in #2163
* Add helm diff installation to README by @nwneisen in #2170
* build(deps): bump github.com/hashicorp/go-getter from 1.7.10
to 1.8.0 by @dependabot[bot] in #2175
* build(deps): bump golang.org/x/term from 0.34.0 to 0.35.0 by
@dependabot[bot] in #2174
* build(deps): bump github.com/zclconf/go-cty from 1.16.4 to
1.17.0 by @dependabot[bot] in #2173
* Fix panic when helm isn't installed by @nwneisen in #2169
* build(deps): bump golang.org/x/sync from 0.16.0 to 0.17.0 by
@dependabot[bot] in #2172
* ci: update minikube and kubernetes versions by @yxxhero in #2181
* build(deps): bump k8s.io/apimachinery from 0.34.0 to 0.34.1 by
@dependabot[bot] in #2180
* Remove deprecated --wait-retries flag support to fix Helm
compatibility error by @Copilot in #2179
* build(deps): bump go.yaml.in/yaml/v2 from 2.4.2 to 2.4.3 by
@dependabot[bot] in #2183
* build: update Helm to v3.19.0 across all components by @yxxhero
in #2187
* build: update helm-diff plugin to v3.13.0 by @yxxhero in #2189
* feat: Implement caching for pulling OCI charts by @mustdiechik
in #2171
* build(deps): bump github.com/helmfile/chartify from 0.24.7 to
0.25.0 by @dependabot[bot] in #2190
- Update to version 1.1.6:
What's Changed
* build(deps): bump github.com/hashicorp/go-getter from 1.7.8 to
1.7.9 by @dependabot[bot] in #2139
* build(deps): bump github.com/zclconf/go-cty from 1.16.3 to
1.16.4 by @dependabot[bot] in #2145
* build: update helm to v3.18.6 by @yxxhero in #2144
* build(deps): bump github.com/stretchr/testify from 1.10.0 to
1.11.0 by @dependabot[bot] in #2150
* Add missing --timeout flag to helmfile sync command with
documentation by @Copilot in #2148
* Fix enableDNS flag missing in diff command and refactor
duplicate logic by @Copilot in #2147
* build(deps): bump github.com/stretchr/testify from 1.11.0 to
1.11.1 by @dependabot[bot] in #2151
* build(deps): bump github.com/ulikunitz/xz from 0.5.10 to 0.5.14
by @dependabot[bot] in #2154
* Bump github.com/ulikunitz/xz from v0.5.14 to v0.5.15 by @Copilot
in #2159
* build(deps): bump github.com/helmfile/vals from 0.42.0 to
0.42.1 by @dependabot[bot] in #2161
* build(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.9
by @dependabot[bot] in #2160
* build(deps): bump github.com/spf13/cobra from 1.9.1 to 1.10.1
by @dependabot[bot] in #2162
* Fix error propagation in helmfile diff when Kubernetes is
unreachable by @Copilot in #2149
- Update to version 1.1.5:
What's Changed
* build(deps): bump actions/checkout from 4 to 5 by
@dependabot[bot] in #2128
* Update recommended Helm versions in init.go and run.sh by
@yxxhero in #2129
* Add comprehensive .github/copilot-instructions.md for coding
agents by @Copilot in #2131
* refactor(state): extract getMissingFileHandler method for
clarity by @yxxhero in #2133
* Fix parseHelmVersion to handle helm versions without 'v'
prefix by @Copilot in #2132
* build(deps): bump k8s.io/apimachinery from 0.33.3 to 0.33.4
by @dependabot[bot] in #2136
* build(deps): bump github.com/helmfile/chartify from 0.24.6 to
0.24.7 by @dependabot[bot] in #2135
- Update to version 1.1.4:
What's Changed
* build(deps): bump github.com/helmfile/vals from 0.41.2 to
0.41.3 by @dependabot[bot] in #2100
* build(deps): bump k8s.io/apimachinery from 0.33.2 to 0.33.3
by @dependabot[bot] in #2101
* fix: update Helm version to v3.17.4 in CI and init.go by
@yxxhero in #2102
* build(deps): bump github.com/spf13/pflag from 1.0.6 to 1.0.7
by @dependabot[bot] in #2104
* feat(state): add missingFileHandlerConfig and related logic
by @yxxhero in #2105
* refactor(filesystem): add CopyDir method and optimize Fetch
function by @yxxhero in #2111
* Allow caching of remote files to be disabled by @jess-sol in
#2112
* refactor(yaml): switch yaml library import paths from gopkg.in
to go.yaml.in by @yxxhero in #2114
* build(deps): bump actions/download-artifact from 4 to 5 by
@dependabot[bot] in #2121
* build(deps): bump golang.org/x/term from 0.33.0 to 0.34.0 by
@dependabot[bot] in #2123
- Update to version 1.1.3:
What's Changed
* build: update Helm to v3.18.3 and related dependencies by
@yxxhero in #2082
* Expose release version as .Release.ChartVersion for templating
by @Simske in #2080
* build(deps): bump github.com/helmfile/chartify from 0.24.3 to
0.24.4 by @dependabot[bot] in #2083
* build(deps): bump k8s.io/apimachinery from 0.33.1 to 0.33.2
by @dependabot[bot] in #2086
* build(deps): bump github.com/helmfile/chartify from 0.24.4 to
0.24.5 by @dependabot[bot] in #2087
* build(deps): bump github.com/Masterminds/semver/v3 from 3.3.1
to 3.4.0 by @dependabot[bot] in #2089
* build(deps): bump github.com/hashicorp/hcl/v2 from 2.23.0 to
2.24.0 by @dependabot[bot] in #2092
* build: update Helm and plugin versions to v3.18.4 and v3.12.3
by @yxxhero in #2093
* docs: update status section with May 2025 release information
by @yxxhero in #2096
* build(deps): bump golang.org/x/sync from 0.15.0 to 0.16.0 by
@dependabot[bot] in #2099
* build(deps): bump golang.org/x/term from 0.32.0 to 0.33.0 by
@dependabot[bot] in #2098
- Update to version 1.1.2:
What's Changed
* build(deps): bump github.com/helmfile/chartify from 0.24.2 to
0.24.3 by @dependabot in #2065
* build: update Helm to v3.18.2 and adjust related configurations
by @yxxhero in #2064
* build(deps): bump github.com/helmfile/vals from 0.41.1 to
0.41.2 by @dependabot in #2067
* build(deps): bump golang.org/x/sync from 0.14.0 to 0.15.0
by @dependabot in #2068
* fix-insecure-flag by @anontrex in #2072
* build(deps): bump github.com/cloudflare/circl from 1.4.0 to
1.6.1 by @dependabot in #2074
* fix: update helm-diff to version 3.12.2 in CI and Dockerfiles
by @yxxhero in #2073
* fix: TestToYaml not working with 32-bit architectures by
@ProbstDJakob in #2075
- Update to version 1.1.1:
What's Changed
* Update README.md by @mumoshu in #2046
* build(deps): bump github.com/helmfile/vals from 0.41.0 to
0.41.1 by @dependabot in #2048
* build(helm) update to v3.18.0 by @yxxhero in #2044
* build(deps): bump github.com/helmfile/chartify from 0.23.0 to
0.24.1 by @dependabot in #2049
* build: update Helm and plugin versions in CI and Dockerfiles
by @yxxhero in #2059
- Update to version 1.1.0:
What's Changed
* chore: fix typo in create_test.go by @sadikkuzu in #2025
* build(deps): bump golangci/golangci-lint-action from 7 to 8 by
@dependabot in #2029
* build(deps): bump golang.org/x/sync from 0.13.0 to 0.14.0 by
@dependabot in #2028
* build(deps): bump github.com/helmfile/chartify from 0.22.0 to
0.23.0 by @dependabot in #2027
* chore: remove test data files by @yxxhero in #2026
* build(deps): bump golang.org/x/term from 0.31.0 to 0.32.0 by
@dependabot in #2033
* build(deps): bump github.com/helmfile/vals from 0.40.1 to
0.41.0 by @dependabot in #2032
* build(deps): bump dario.cat/mergo from 1.0.1 to 1.0.2 by
@dependabot in #2035
* feat(tmpl): enhance ToYaml test with multiple scenarios by
@yxxhero in #2031
* [sops, age] update to have SSH key support with sops by
@itscaro in #2036
* feat(yaml): add JSON style encoding option to NewEncoder by
@yxxhero in #2038
* refactor(yaml): upgrade from gopkg.in/yaml.v2 to v3 by @yxxhero
in #2039
* Update readme & documentation with 2025 status of helmfile
project by @zhaque44 in #2040
* build(deps): bump k8s.io/apimachinery from 0.33.0 to 0.33.1 by
@dependabot in #2041
* build(deps): bump github.com/zclconf/go-cty from 1.16.2 to
1.16.3 by @dependabot in #2043
- Update to version 1.0.0:
PLEASE READ
https://github.com/helmfile/helmfile/blob/main/docs/proposals/towards-1.0.md
What's Changed:
* build(deps): bump github.com/helmfile/vals from 0.39.0 to 0.39.1
by @dependabot in #1926
* Bump kubectl to current version (1.32.1) by @DerDaku in #1924
* build(deps): bump github.com/goccy/go-yaml from 1.15.21 to 1.15.22
by @dependabot in #1925
* build: update Helm to v3.17.1 and related dependencies by
@yxxhero in #1928
* build(deps): bump k8s.io/apimachinery from 0.32.1 to 0.32.2 by
@dependabot in #1931
* feat: inject cli state values (--state-values-set) into environment
templating context by @Vince-Chenal in #1917
* docs: add skipSchemaValidation to index.md and update related
structs by @yxxhero in #1935
* refactor(state): optimize HelmState flags handling by @yxxhero
in #1937
* Update vals package to v0.39.2 by @aditmeno in #1938
* build(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1 by
@dependabot in #1940
* build(deps): bump github.com/goccy/go-yaml from 1.15.22 to 1.15.23
by @dependabot in #1941
* build(deps): bump github.com/helmfile/chartify from 0.20.8 to
0.20.9 by @dependabot in #1942
* feat: colorized DELETED by @yurrriq in #1944
* feat(docs): add proposal to remove charts and delete subcommands
by @yxxhero in #1936
* build(deps): bump github.com/google/go-cmp from 0.6.0 to 0.7.0
by @dependabot in #1945
* build(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to
4.0.5 by @dependabot in #1946
* build: update golang version to 1.24 and golangci-lint to
v1.64.5 by @yxxhero in #1949
* build(deps): bump github.com/helmfile/vals from 0.39.2 to 0.39.3
by @dependabot in #1951
* build(deps): bump github.com/helmfile/chartify from 0.20.9 to
0.21.0 by @dependabot in #1950
* build(deps): bump golang.org/x/sync from 0.11.0 to 0.12.0 by
@dependabot in #1955
* build(deps): bump jinja2 from 3.1.5 to 3.1.6 in /docs by
@dependabot in #1956
* Don't warn if this and the needed release set installed: false
by @jayme-github in #1958
* build(deps): bump golang.org/x/term from 0.29.0 to 0.30.0 by
@dependabot in #1959
* Remove all v0.x references by @yxxhero in #1919
* build(deps): bump k8s.io/apimachinery from 0.32.2 to 0.32.3
by @dependabot in #1960
* build(deps): bump golang.org/x/net from 0.35.0 to 0.36.0 by
@dependabot in #1961
* build(deps): bump github.com/helmfile/vals from 0.39.3 to 0.39.4
by @dependabot in #1962
* build: update Helm to v3.17.2 and related dependencies by
@yxxhero in #1965
* build: update yaml.v3 dependency and remove colega/go-yaml-yaml
by @yxxhero in #1929
* build(deps): bump github.com/containerd/containerd from 1.7.24
to 1.7.27 by @dependabot in #1966
* build(deps): bump github.com/goccy/go-yaml from 1.15.23 to
1.16.0 by @dependabot in #1967
* build(deps): bump github.com/golang-jwt/jwt/v5 from 5.2.1 to
5.2.2 by @dependabot in #1969
* build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to
4.5.2 by @dependabot in #1970
* build(deps): bump golangci/golangci-lint-action from 6 to 7
by @dependabot in #1975
* build(deps): bump github.com/helmfile/vals from 0.39.4 to
0.40.0 by @dependabot in #1978
* build(deps): bump github.com/helmfile/chartify from 0.21.0 to
0.21.1 by @dependabot in #1979
* docs(fix): correct typo in 'tier=fronted' to 'tier=frontend'
by @yxxhero in #1980
* feat: add labels for helm release by @yxxhero in #1046
* build(deps): bump github.com/helmfile/vals from 0.40.0 to
0.40.1 by @dependabot in #1981
* build(deps): bump github.com/goccy/go-yaml from 1.16.0 to 1.17.1
by @dependabot in #1982
* fix: Check needs with context and namespace by @aarnq in #1986
* build(deps): bump golang.org/x/sync from 0.12.0 to 0.13.0 by
@dependabot in #1991
* build(deps): bump golang.org/x/term from 0.30.0 to 0.31.0 by
@dependabot in #1990
* fix(state): enhance error message for missing .gotmpl extension
in helmfile v1 by @yxxhero in #1989
* build(deps): bump github.com/helmfile/chartify from 0.21.1 to
0.22.0 by @dependabot in #1996
* build: update Helm plugin versions in CI and Dockerfiles by
@yxxhero in #1995
* build: update Helm to v3.17.3 and update related Dockerfiles
by @yxxhero in #1993
* build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 by
@dependabot in #2010
* feat: add helmfile archive configuration in goreleaser by
@yxxhero in #2000
* docs: add more complex examples section in README by @yxxhero
in #2013
* Feat: setting reuseValues flag in release by @blaskoa in #2004
* build(deps): bump k8s.io/apimachinery from 0.32.3 to 0.32.4 by
@dependabot in #2016
* build(deps): bump github.com/aws/aws-sdk-go from 1.55.6 to
1.55.7 by @dependabot in #2015
* chore: support parsing any type with fromYaml by @ProbstDJakob
in #2017
* build(deps): bump k8s.io/apimachinery from 0.32.4 to 0.33.0 by
@dependabot in #2018
* feat: add --take-ownership flag to helm diff and related config
by @yxxhero in #1992
- Update to version 0.171.0:
* feat: execute templates against postRendererHooks by @allanger
in #1839
* build(deps): bump github.com/spf13/pflag from 1.0.5 to 1.0.6
by @dependabot in #1897
* build(deps): bump github.com/goccy/go-yaml from 1.15.15 to
1.15.16 by @dependabot in #1901
* build(deps): bump github.com/goccy/go-yaml from 1.15.16 to
1.15.17 by @dependabot in #1905
* Use a regex to match --state-values-set-string arguments
by @gllb in #1902
* build(deps): bump golang.org/x/sync from 0.10.0 to 0.11.0
by @dependabot in #1911
* Chartify v0.20.8 update by @scodeman in #1908
* cleanup: remove all about v0.x by @yxxhero in #1903
* build(deps): bump golang.org/x/term from 0.28.0 to 0.29.0
by @dependabot in #1913
* chore: update babel to resolve CVEs by @zhaque44 in #1916
* remove deprecated charts.yaml by @yxxhero in #1437
* Revert "cleanup: remove all about v0.x" by @yxxhero in #1918
* build(deps): bump github.com/goccy/go-yaml from 1.15.17 to
1.15.19 by @dependabot in #1920
* build(deps): bump github.com/goccy/go-yaml from 1.15.19 to
1.15.20 by @dependabot in #1921
* feat: Add support for --wait-retries flag. by @connyay in #1922
* build: update go-yaml to v1.15.21 by @yxxhero in #1923
- Update to version 0.170.1:
* build(deps): bump github.com/goccy/go-yaml from 1.15.14 to
1.15.15 by @dependabot in #1882
* build(deps): bump github.com/hashicorp/go-slug from 0.15.0 to
0.16.3 by @dependabot in #1886 (CVE-2025-0377)
* Ensure 'helm repo add' is also not pollute on helmfile template
by @baurmatt in #1887
* build(deps): bump github.com/zclconf/go-cty from 1.16.1 to
1.16.2 by @dependabot in #1888
* fix: using correct option for takeOwnership flag by @blaskoa
in #1892
* fix typo in docs by @adamab48 in #1889
- Update to version 0.170.0:
* build(deps): bump github.com/goccy/go-yaml from 1.15.6 to 1.15.7
by @dependabot in #1818
* build(deps): bump golang.org/x/term from 0.26.0 to 0.27.0 by
@dependabot in #1817
* chore(doc): fix the indent of the selector usage sample yaml by
@Ladicle in #1819
* feat(state): add support for setString in ReleaseSpec and
HelmState by @yxxhero in #1821
* build(deps): bump github.com/goccy/go-yaml from 1.15.7 to 1.15.8
by @dependabot in #1822
* test(state): add TestHelmState_setStringFlags for setStringFlags
method by @yxxhero in #1823
* build(deps): bump k8s.io/apimachinery from 0.31.3 to 0.31.4 by
@dependabot in #1826
* build(deps): bump golang.org/x/crypto from 0.29.0 to 0.31.0 by
@dependabot in #1828
* build(deps): bump github.com/goccy/go-yaml from 1.15.8 to
1.15.9 by @dependabot in #1831
* build(deps): bump k8s.io/apimachinery from 0.31.4 to 0.32.0 by
@dependabot in #1830
* feat: updating sops version to 3.9.2 by @zhaque44 in #1834
* build(deps): bump github.com/goccy/go-yaml from 1.15.9 to
1.15.10 by @dependabot in #1835
* build(deps): bump helm.sh/helm/v3 from 3.16.3 to 3.16.4 by
@dependabot in #1836
* build: update Helm version to v3.16.4 in CI and Dockerfiles by
@yxxhero in #1837
* build(deps): bump github.com/goccy/go-yaml from 1.15.10 to
1.15.11 by @dependabot in #1838
* build(deps): bump filippo.io/age from 1.2.0 to 1.2.1 by
@dependabot in #1840
* build(deps): bump github.com/goccy/go-yaml from 1.15.11 to
1.15.12 by @dependabot in #1843
* build: update helm-diff to v3.9.13 in Dockerfiles and init.go
by @yxxhero in #1841
* build(deps): bump github.com/helmfile/chartify from 0.20.4 to
0.20.5 by @dependabot in #1845
* build(deps): bump github.com/goccy/go-yaml from 1.15.12 to
1.15.13 by @dependabot in #1844
* build(deps): bump jinja2 from 3.1.4 to 3.1.5 in /docs by
@dependabot in #1846
* CVE-2024-45338: updating golang.org/x/net: to version: v0.33.0
by @zhaque44 in #1849
* build(deps): bump github.com/zclconf/go-cty from 1.15.1 to
1.16.0 by @dependabot in #1851
* build(deps): bump golang.org/x/term from 0.27.0 to 0.28.0
by @dependabot in #1852
* update sops versions to 3.9.3 by @zhaque44 in #1861
* build(deps): bump github.com/hashicorp/go-getter from 1.7.6
to 1.7.7 by @dependabot in #1862
* feat: add --take-ownership flag to apply and sync commands by
@yxxhero in #1863
* fix: ensure plain http is supported across all helmfile
commands by @purpleclay in #1858
* fix: ensure development versions of charts can be used across
helmfile commands by @purpleclay in #1865
* build(deps): bump github.com/helmfile/chartify from 0.20.5 to
0.20.6 by @dependabot in #1866
* update kubectl version (1.30) to stay up to date with new
releases by @zhaque44 in #1867
* build(deps): bump github.com/zclconf/go-cty from 1.16.0 to
1.16.1 by @dependabot in #1870
* build(deps): bump github.com/hashicorp/go-getter from 1.7.7 to
1.7.8 by @dependabot in #1869
* feat: Add "--no-hooks" to helmfile template by @jwlai in #1813
* update helm and k8s versions in ci, dockerfiles, and go.mod by
@yxxhero in #1872
* build(deps): bump github.com/helmfile/vals from 0.38.0 to 0.39.0
by @dependabot in #1876
* build(deps): bump k8s.io/apimachinery from 0.32.0 to 0.32.1 by
@dependabot in #1873
* build(deps): bump github.com/goccy/go-yaml from 1.15.13 to
1.15.14 by @dependabot in #1874
* build: update helm-diff to v3.9.14 in Dockerfiles and init.go
by @yxxhero in #1877
- Update to version 0.169.2:
* build(deps): bump github.com/helmfile/vals from 0.37.6 to 0.37.7
by @dependabot in #1747
* build(deps): bump k8s.io/apimachinery from 0.31.1 to 0.31.2 by
@dependabot in #1754
* Reset extra args before running 'dependency build' by @baurmatt
in #1751
* Introducing Helmfile Guru on Gurubase.io by @kursataktas in #1748
* feat: add skip json schema validation during the install /upgrade
of a Chart by @zhaque44 in #1737
* fix(maputil): prevent nil value overwrite by @ban11111 in #1755
* build(deps): bump github.com/goccy/go-yaml from 1.12.0 to
1.13.0 by @dependabot in #1759
* fix: this url doesn't work anymore by @zekena2 in #1760
* build(deps): bump github.com/goccy/go-yaml from 1.13.0 to
1.13.1 by @dependabot in #1762
* build(deps): bump github.com/goccy/go-yaml from 1.13.1 to
1.13.2 by @dependabot in #1763
* build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to
4.5.1 by @dependabot in #1767
* build(deps): bump github.com/helmfile/vals from 0.37.7 to
0.37.8 by @dependabot in #1764
* build(deps): bump github.com/goccy/go-yaml from 1.13.2 to
1.13.4 by @dependabot in #1765
* fix(integration-tests): read correct minikube status (#1768)
by @ceriath in #1769
* build(deps): bump github.com/goccy/go-yaml from 1.13.4 to
1.13.5 by @dependabot in #1770
* Add integration tests for #1749 by @baurmatt in #1766
* fix: update acme chart URL in input.yaml by @yxxhero in #1773
* build(deps): bump github.com/goccy/go-yaml from 1.13.5 to
1.13.6 by @dependabot in #1771
* build(deps): bump golang.org/x/sync from 0.8.0 to 0.9.0 by
@dependabot in #1775
* build(deps): bump golang.org/x/term from 0.25.0 to 0.26.0
by @dependabot in #1774
* Revive dead badge links by @eggplants in #1776
* feat: refactor label creation in state.go by @yxxhero in #1758
* docs: Add Gurubase badge to README-zh_CN by @yxxhero in #1777
* build(deps): bump github.com/goccy/go-yaml from 1.13.6 to
1.13.9 by @dependabot in #1781
* build(deps): bump github.com/goccy/go-yaml from 1.13.9 to
1.14.0 by @dependabot in #1782
* build(deps): bump github.com/goccy/go-yaml from 1.14.0 to
1.14.3 by @dependabot in #1788
* build(deps): bump helm.sh/helm/v3 from 3.16.2 to 3.16.3 by
@dependabot in #1786
* fix: update helm-diff to version 3.9.12 in CI and Dockerfiles
by @yxxhero in #1792
* build: update Helm version to v3.16.3 in CI and Dockerfiles
by @yxxhero in #1791
* feat: add HELMFILE_INTERACTIVE env var to enable interactive
mode by @thevops in #1787
* build(deps): bump github.com/hashicorp/hcl/v2 from 2.22.0 to
2.23.0 by @dependabot in #1793
* build(deps): bump github.com/Masterminds/semver/v3 from 3.3.0
to 3.3.1 by @dependabot in #1795
* chore: update with testify/assert assertion and table driven
tests for fs.go by @zhaque44 in #1794
* build(deps): bump k8s.io/apimachinery from 0.31.2 to 0.31.3
by @dependabot in #1798
* build(deps): bump github.com/stretchr/testify from 1.9.0 to
1.10.0 by @dependabot in #1800
* build(deps): bump github.com/goccy/go-yaml from 1.14.3 to
1.15.0 by @dependabot in #1804
* build(deps): bump github.com/goccy/go-yaml from 1.15.0 to
1.15.1 by @dependabot in #1807
* build(deps): bump github.com/zclconf/go-cty from 1.15.0 to
1.15.1 by @dependabot in #1806
* update example chart URL in remote-secrets doc by @daveneeley
in #1809
* build(deps): bump github.com/goccy/go-yaml from 1.15.1 to
1.15.3 by @dependabot in #1811
* build(deps): bump github.com/goccy/go-yaml from 1.15.3 to
1.15.6 by @dependabot in #1812
* fix: inject global values in Chartify by @xabufr in #1805
* build(deps): bump github.com/helmfile/vals from 0.37.8 to
0.38.0 by @dependabot in #1814
* build(deps): bump github.com/helmfile/chartify from 0.20.3 to
0.20.4 by @dependabot in #1815
* build(deps): bump golang.org/x/sync from 0.9.0 to 0.10.0 by
@dependabot in #1816
- Update to version 0.169.1:
* feat: update sops version to 3.9.1 by @zhaque44 in #1742
* chore: improve test assertions and descriptions for file
download test by @zhaque44 in #1745
* feat: add 'hide-notes' flag to helm in sync and apply commands
by @yxxhero in #1746
Patchnames: openSUSE-Leap-16.0-packagehub-30
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.9 (Medium)
Affected products
Recommended
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:helmfile-bash-completion-1.1.9-bp160.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:helmfile-fish-completion-1.1.9-bp160.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:helmfile-zsh-completion-1.1.9-bp160.1.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
9.1 (Critical)
Affected products
Recommended
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:helmfile-bash-completion-1.1.9-bp160.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:helmfile-fish-completion-1.1.9-bp160.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:helmfile-zsh-completion-1.1.9-bp160.1.1.noarch | — |
Vendor Fix
|
Threats
Impact
critical
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for helmfile",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for helmfile fixes the following issues:\n\nChanges in helmfile:\n\nUpdate to version 1.1.9:\n\n * feat: update strategy for reinstall by @simbou2000 in #2019\n * build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3\n from 1.88.7 to 1.89.0 by @dependabot[bot] in #2239\n * Fix: Handle empty helmBinary in base files with environment\n values by @Copilot in #2237\n\nUpdate to version 1.1.8:\n\n * build(deps): bump github.com/hashicorp/go-getter from 1.8.0 to\n 1.8.1 by @dependabot[bot] in #2194\n * fix typos in both comment and error message by @d-fal in #2199\n * cleanup disk in release ci by @yxxhero in #2203\n * Migrate AWS SDK from v1 to v2 to resolve deprecation warnings\n by @Copilot in #2202\n * build(deps): bump github.com/helmfile/vals from 0.42.1 to 0.42.2\n by @dependabot[bot] in #2200\n * build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from\n 1.88.2 to 1.88.3 by @dependabot[bot] in #2206\n * Bump Alpine to 3.22 in Dockerfile by @orishamir in #2205\n * build(deps): bump github.com/aws/aws-sdk-go-v2/config from\n 1.31.10 to 1.31.12 by @dependabot[bot] in #2207\n * Add yq to Dockerfile by @orishamir in #2208\n * fix: skip chartify for build command jsonPatches by @sstarcher\n in #2212\n * build(deps): bump github.com/hashicorp/go-getter from 1.8.1 to\n 1.8.2 by @dependabot[bot] in #2210\n * build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from\n 1.88.3 to 1.88.4 by @dependabot[bot] in #2213\n * build(deps): bump golang.org/x/term from 0.35.0 to 0.36.0 by\n @dependabot[bot] in #2214\n * Avoid fetching same chart/version multiple times by @Copilot\n in #2197\n * build(deps): bump github.com/helmfile/vals from 0.42.2 to\n 0.42.4 by @dependabot[bot] in #2217\n * docs: add zread badge to README by @yxxhero in #2219\n * Bump helm-diff to v3.13.1 by @Copilot in #2223\n * build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from\n 1.88.4 to 1.88.5 by @dependabot[bot] in #2226\n * build(deps): bump github.com/aws/aws-sdk-go-v2/config from\n 1.31.12 to 1.31.13 by @dependabot[bot] in #2225\n * build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from\n 1.88.5 to 1.88.6 by @dependabot[bot] in #2230\n * build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from\n 1.88.6 to 1.88.7 by @dependabot[bot] in #2232\n * build(deps): bump github.com/aws/aws-sdk-go-v2/config from\n 1.31.13 to 1.31.15 by @dependabot[bot] in #2233\n * Fix helmBinary and kustomizeBinary being ignored when using\n bases by @Copilot in #2228\n\nUpdate to version 1.1.7:\n\n What\u0027s Changed\n\n * fix pflag error by @zhaque44 in #2164\n * build(deps): bump actions/setup-go from 5 to 6 by\n @dependabot[bot] in #2166\n * build(deps): bump github.com/hashicorp/go-getter from 1.7.9 to\n 1.7.10 by @dependabot[bot] in #2165\n * build(deps): bump github.com/spf13/pflag from 1.0.9 to 1.0.10\n by @dependabot[bot] in #2163\n * Add helm diff installation to README by @nwneisen in #2170\n * build(deps): bump github.com/hashicorp/go-getter from 1.7.10\n to 1.8.0 by @dependabot[bot] in #2175\n * build(deps): bump golang.org/x/term from 0.34.0 to 0.35.0 by\n @dependabot[bot] in #2174\n * build(deps): bump github.com/zclconf/go-cty from 1.16.4 to\n 1.17.0 by @dependabot[bot] in #2173\n * Fix panic when helm isn\u0027t installed by @nwneisen in #2169\n * build(deps): bump golang.org/x/sync from 0.16.0 to 0.17.0 by\n @dependabot[bot] in #2172\n * ci: update minikube and kubernetes versions by @yxxhero in #2181\n * build(deps): bump k8s.io/apimachinery from 0.34.0 to 0.34.1 by\n @dependabot[bot] in #2180\n * Remove deprecated --wait-retries flag support to fix Helm\n compatibility error by @Copilot in #2179\n * build(deps): bump go.yaml.in/yaml/v2 from 2.4.2 to 2.4.3 by\n @dependabot[bot] in #2183\n * build: update Helm to v3.19.0 across all components by @yxxhero\n in #2187\n * build: update helm-diff plugin to v3.13.0 by @yxxhero in #2189\n * feat: Implement caching for pulling OCI charts by @mustdiechik\n in #2171\n * build(deps): bump github.com/helmfile/chartify from 0.24.7 to\n 0.25.0 by @dependabot[bot] in #2190\n\n- Update to version 1.1.6:\n What\u0027s Changed\n * build(deps): bump github.com/hashicorp/go-getter from 1.7.8 to\n 1.7.9 by @dependabot[bot] in #2139\n * build(deps): bump github.com/zclconf/go-cty from 1.16.3 to\n 1.16.4 by @dependabot[bot] in #2145\n * build: update helm to v3.18.6 by @yxxhero in #2144\n * build(deps): bump github.com/stretchr/testify from 1.10.0 to\n 1.11.0 by @dependabot[bot] in #2150\n * Add missing --timeout flag to helmfile sync command with\n documentation by @Copilot in #2148\n * Fix enableDNS flag missing in diff command and refactor\n duplicate logic by @Copilot in #2147\n * build(deps): bump github.com/stretchr/testify from 1.11.0 to\n 1.11.1 by @dependabot[bot] in #2151\n * build(deps): bump github.com/ulikunitz/xz from 0.5.10 to 0.5.14\n by @dependabot[bot] in #2154\n * Bump github.com/ulikunitz/xz from v0.5.14 to v0.5.15 by @Copilot\n in #2159\n * build(deps): bump github.com/helmfile/vals from 0.42.0 to\n 0.42.1 by @dependabot[bot] in #2161\n * build(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.9\n by @dependabot[bot] in #2160\n * build(deps): bump github.com/spf13/cobra from 1.9.1 to 1.10.1\n by @dependabot[bot] in #2162\n * Fix error propagation in helmfile diff when Kubernetes is\n unreachable by @Copilot in #2149\n\n- Update to version 1.1.5:\n What\u0027s Changed\n * build(deps): bump actions/checkout from 4 to 5 by\n @dependabot[bot] in #2128\n * Update recommended Helm versions in init.go and run.sh by\n @yxxhero in #2129\n * Add comprehensive .github/copilot-instructions.md for coding\n agents by @Copilot in #2131\n * refactor(state): extract getMissingFileHandler method for\n clarity by @yxxhero in #2133\n * Fix parseHelmVersion to handle helm versions without \u0027v\u0027\n prefix by @Copilot in #2132\n * build(deps): bump k8s.io/apimachinery from 0.33.3 to 0.33.4\n by @dependabot[bot] in #2136\n * build(deps): bump github.com/helmfile/chartify from 0.24.6 to\n 0.24.7 by @dependabot[bot] in #2135\n\n- Update to version 1.1.4:\n What\u0027s Changed\n * build(deps): bump github.com/helmfile/vals from 0.41.2 to\n 0.41.3 by @dependabot[bot] in #2100\n * build(deps): bump k8s.io/apimachinery from 0.33.2 to 0.33.3\n by @dependabot[bot] in #2101\n * fix: update Helm version to v3.17.4 in CI and init.go by\n @yxxhero in #2102\n * build(deps): bump github.com/spf13/pflag from 1.0.6 to 1.0.7\n by @dependabot[bot] in #2104\n * feat(state): add missingFileHandlerConfig and related logic\n by @yxxhero in #2105\n * refactor(filesystem): add CopyDir method and optimize Fetch\n function by @yxxhero in #2111\n * Allow caching of remote files to be disabled by @jess-sol in\n #2112\n * refactor(yaml): switch yaml library import paths from gopkg.in\n to go.yaml.in by @yxxhero in #2114\n * build(deps): bump actions/download-artifact from 4 to 5 by\n @dependabot[bot] in #2121\n * build(deps): bump golang.org/x/term from 0.33.0 to 0.34.0 by\n @dependabot[bot] in #2123\n\n- Update to version 1.1.3:\n What\u0027s Changed\n * build: update Helm to v3.18.3 and related dependencies by\n @yxxhero in #2082\n * Expose release version as .Release.ChartVersion for templating\n by @Simske in #2080\n * build(deps): bump github.com/helmfile/chartify from 0.24.3 to\n 0.24.4 by @dependabot[bot] in #2083\n * build(deps): bump k8s.io/apimachinery from 0.33.1 to 0.33.2\n by @dependabot[bot] in #2086\n * build(deps): bump github.com/helmfile/chartify from 0.24.4 to\n 0.24.5 by @dependabot[bot] in #2087\n * build(deps): bump github.com/Masterminds/semver/v3 from 3.3.1\n to 3.4.0 by @dependabot[bot] in #2089\n * build(deps): bump github.com/hashicorp/hcl/v2 from 2.23.0 to\n 2.24.0 by @dependabot[bot] in #2092\n * build: update Helm and plugin versions to v3.18.4 and v3.12.3\n by @yxxhero in #2093\n * docs: update status section with May 2025 release information\n by @yxxhero in #2096\n * build(deps): bump golang.org/x/sync from 0.15.0 to 0.16.0 by\n @dependabot[bot] in #2099\n * build(deps): bump golang.org/x/term from 0.32.0 to 0.33.0 by\n @dependabot[bot] in #2098\n\n- Update to version 1.1.2:\n What\u0027s Changed\n * build(deps): bump github.com/helmfile/chartify from 0.24.2 to\n 0.24.3 by @dependabot in #2065\n * build: update Helm to v3.18.2 and adjust related configurations\n by @yxxhero in #2064\n * build(deps): bump github.com/helmfile/vals from 0.41.1 to\n 0.41.2 by @dependabot in #2067\n * build(deps): bump golang.org/x/sync from 0.14.0 to 0.15.0\n by @dependabot in #2068\n * fix-insecure-flag by @anontrex in #2072\n * build(deps): bump github.com/cloudflare/circl from 1.4.0 to\n 1.6.1 by @dependabot in #2074\n * fix: update helm-diff to version 3.12.2 in CI and Dockerfiles\n by @yxxhero in #2073\n * fix: TestToYaml not working with 32-bit architectures by\n @ProbstDJakob in #2075\n\n- Update to version 1.1.1:\n What\u0027s Changed\n * Update README.md by @mumoshu in #2046\n * build(deps): bump github.com/helmfile/vals from 0.41.0 to\n 0.41.1 by @dependabot in #2048\n * build(helm) update to v3.18.0 by @yxxhero in #2044\n * build(deps): bump github.com/helmfile/chartify from 0.23.0 to\n 0.24.1 by @dependabot in #2049\n * build: update Helm and plugin versions in CI and Dockerfiles\n by @yxxhero in #2059\n\n- Update to version 1.1.0:\n What\u0027s Changed\n * chore: fix typo in create_test.go by @sadikkuzu in #2025\n * build(deps): bump golangci/golangci-lint-action from 7 to 8 by\n @dependabot in #2029\n * build(deps): bump golang.org/x/sync from 0.13.0 to 0.14.0 by\n @dependabot in #2028\n * build(deps): bump github.com/helmfile/chartify from 0.22.0 to\n 0.23.0 by @dependabot in #2027\n * chore: remove test data files by @yxxhero in #2026\n * build(deps): bump golang.org/x/term from 0.31.0 to 0.32.0 by\n @dependabot in #2033\n * build(deps): bump github.com/helmfile/vals from 0.40.1 to\n 0.41.0 by @dependabot in #2032\n * build(deps): bump dario.cat/mergo from 1.0.1 to 1.0.2 by\n @dependabot in #2035\n * feat(tmpl): enhance ToYaml test with multiple scenarios by\n @yxxhero in #2031\n * [sops, age] update to have SSH key support with sops by\n @itscaro in #2036\n * feat(yaml): add JSON style encoding option to NewEncoder by\n @yxxhero in #2038\n * refactor(yaml): upgrade from gopkg.in/yaml.v2 to v3 by @yxxhero\n in #2039\n * Update readme \u0026 documentation with 2025 status of helmfile\n project by @zhaque44 in #2040\n * build(deps): bump k8s.io/apimachinery from 0.33.0 to 0.33.1 by\n @dependabot in #2041\n * build(deps): bump github.com/zclconf/go-cty from 1.16.2 to\n 1.16.3 by @dependabot in #2043\n\n- Update to version 1.0.0:\n PLEASE READ\n https://github.com/helmfile/helmfile/blob/main/docs/proposals/towards-1.0.md\n\n What\u0027s Changed:\n * build(deps): bump github.com/helmfile/vals from 0.39.0 to 0.39.1\n by @dependabot in #1926\n * Bump kubectl to current version (1.32.1) by @DerDaku in #1924\n * build(deps): bump github.com/goccy/go-yaml from 1.15.21 to 1.15.22\n by @dependabot in #1925\n * build: update Helm to v3.17.1 and related dependencies by\n @yxxhero in #1928\n * build(deps): bump k8s.io/apimachinery from 0.32.1 to 0.32.2 by\n @dependabot in #1931\n * feat: inject cli state values (--state-values-set) into environment\n templating context by @Vince-Chenal in #1917\n * docs: add skipSchemaValidation to index.md and update related\n structs by @yxxhero in #1935\n * refactor(state): optimize HelmState flags handling by @yxxhero\n in #1937\n * Update vals package to v0.39.2 by @aditmeno in #1938\n * build(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1 by\n @dependabot in #1940\n * build(deps): bump github.com/goccy/go-yaml from 1.15.22 to 1.15.23\n by @dependabot in #1941\n * build(deps): bump github.com/helmfile/chartify from 0.20.8 to\n 0.20.9 by @dependabot in #1942\n * feat: colorized DELETED by @yurrriq in #1944\n * feat(docs): add proposal to remove charts and delete subcommands\n by @yxxhero in #1936\n * build(deps): bump github.com/google/go-cmp from 0.6.0 to 0.7.0\n by @dependabot in #1945\n * build(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to\n 4.0.5 by @dependabot in #1946\n * build: update golang version to 1.24 and golangci-lint to\n v1.64.5 by @yxxhero in #1949\n * build(deps): bump github.com/helmfile/vals from 0.39.2 to 0.39.3\n by @dependabot in #1951\n * build(deps): bump github.com/helmfile/chartify from 0.20.9 to\n 0.21.0 by @dependabot in #1950\n * build(deps): bump golang.org/x/sync from 0.11.0 to 0.12.0 by\n @dependabot in #1955\n * build(deps): bump jinja2 from 3.1.5 to 3.1.6 in /docs by\n @dependabot in #1956\n * Don\u0027t warn if this and the needed release set installed: false\n by @jayme-github in #1958\n * build(deps): bump golang.org/x/term from 0.29.0 to 0.30.0 by\n @dependabot in #1959\n * Remove all v0.x references by @yxxhero in #1919\n * build(deps): bump k8s.io/apimachinery from 0.32.2 to 0.32.3\n by @dependabot in #1960\n * build(deps): bump golang.org/x/net from 0.35.0 to 0.36.0 by\n @dependabot in #1961\n * build(deps): bump github.com/helmfile/vals from 0.39.3 to 0.39.4\n by @dependabot in #1962\n * build: update Helm to v3.17.2 and related dependencies by\n @yxxhero in #1965\n * build: update yaml.v3 dependency and remove colega/go-yaml-yaml\n by @yxxhero in #1929\n * build(deps): bump github.com/containerd/containerd from 1.7.24\n to 1.7.27 by @dependabot in #1966\n * build(deps): bump github.com/goccy/go-yaml from 1.15.23 to\n 1.16.0 by @dependabot in #1967\n * build(deps): bump github.com/golang-jwt/jwt/v5 from 5.2.1 to\n 5.2.2 by @dependabot in #1969\n * build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to\n 4.5.2 by @dependabot in #1970\n * build(deps): bump golangci/golangci-lint-action from 6 to 7\n by @dependabot in #1975\n * build(deps): bump github.com/helmfile/vals from 0.39.4 to\n 0.40.0 by @dependabot in #1978\n * build(deps): bump github.com/helmfile/chartify from 0.21.0 to\n 0.21.1 by @dependabot in #1979\n * docs(fix): correct typo in \u0027tier=fronted\u0027 to \u0027tier=frontend\u0027\n by @yxxhero in #1980\n * feat: add labels for helm release by @yxxhero in #1046\n * build(deps): bump github.com/helmfile/vals from 0.40.0 to\n 0.40.1 by @dependabot in #1981\n * build(deps): bump github.com/goccy/go-yaml from 1.16.0 to 1.17.1\n by @dependabot in #1982\n * fix: Check needs with context and namespace by @aarnq in #1986\n * build(deps): bump golang.org/x/sync from 0.12.0 to 0.13.0 by\n @dependabot in #1991\n * build(deps): bump golang.org/x/term from 0.30.0 to 0.31.0 by\n @dependabot in #1990\n * fix(state): enhance error message for missing .gotmpl extension\n in helmfile v1 by @yxxhero in #1989\n * build(deps): bump github.com/helmfile/chartify from 0.21.1 to\n 0.22.0 by @dependabot in #1996\n * build: update Helm plugin versions in CI and Dockerfiles by\n @yxxhero in #1995\n * build: update Helm to v3.17.3 and update related Dockerfiles\n by @yxxhero in #1993\n * build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 by\n @dependabot in #2010\n * feat: add helmfile archive configuration in goreleaser by\n @yxxhero in #2000\n * docs: add more complex examples section in README by @yxxhero\n in #2013\n * Feat: setting reuseValues flag in release by @blaskoa in #2004\n * build(deps): bump k8s.io/apimachinery from 0.32.3 to 0.32.4 by\n @dependabot in #2016\n * build(deps): bump github.com/aws/aws-sdk-go from 1.55.6 to\n 1.55.7 by @dependabot in #2015\n * chore: support parsing any type with fromYaml by @ProbstDJakob\n in #2017\n * build(deps): bump k8s.io/apimachinery from 0.32.4 to 0.33.0 by\n @dependabot in #2018\n * feat: add --take-ownership flag to helm diff and related config\n by @yxxhero in #1992\n\n- Update to version 0.171.0:\n * feat: execute templates against postRendererHooks by @allanger\n in #1839\n * build(deps): bump github.com/spf13/pflag from 1.0.5 to 1.0.6\n by @dependabot in #1897\n * build(deps): bump github.com/goccy/go-yaml from 1.15.15 to\n 1.15.16 by @dependabot in #1901\n * build(deps): bump github.com/goccy/go-yaml from 1.15.16 to\n 1.15.17 by @dependabot in #1905\n * Use a regex to match --state-values-set-string arguments\n by @gllb in #1902\n * build(deps): bump golang.org/x/sync from 0.10.0 to 0.11.0\n by @dependabot in #1911\n * Chartify v0.20.8 update by @scodeman in #1908\n * cleanup: remove all about v0.x by @yxxhero in #1903\n * build(deps): bump golang.org/x/term from 0.28.0 to 0.29.0\n by @dependabot in #1913\n * chore: update babel to resolve CVEs by @zhaque44 in #1916\n * remove deprecated charts.yaml by @yxxhero in #1437\n * Revert \"cleanup: remove all about v0.x\" by @yxxhero in #1918\n * build(deps): bump github.com/goccy/go-yaml from 1.15.17 to\n 1.15.19 by @dependabot in #1920\n * build(deps): bump github.com/goccy/go-yaml from 1.15.19 to\n 1.15.20 by @dependabot in #1921\n * feat: Add support for --wait-retries flag. by @connyay in #1922\n * build: update go-yaml to v1.15.21 by @yxxhero in #1923\n\n- Update to version 0.170.1:\n * build(deps): bump github.com/goccy/go-yaml from 1.15.14 to\n 1.15.15 by @dependabot in #1882\n * build(deps): bump github.com/hashicorp/go-slug from 0.15.0 to\n 0.16.3 by @dependabot in #1886 (CVE-2025-0377)\n * Ensure \u0027helm repo add\u0027 is also not pollute on helmfile template\n by @baurmatt in #1887\n * build(deps): bump github.com/zclconf/go-cty from 1.16.1 to\n 1.16.2 by @dependabot in #1888\n * fix: using correct option for takeOwnership flag by @blaskoa\n in #1892\n * fix typo in docs by @adamab48 in #1889\n\n- Update to version 0.170.0:\n * build(deps): bump github.com/goccy/go-yaml from 1.15.6 to 1.15.7\n by @dependabot in #1818\n * build(deps): bump golang.org/x/term from 0.26.0 to 0.27.0 by\n @dependabot in #1817\n * chore(doc): fix the indent of the selector usage sample yaml by\n @Ladicle in #1819\n * feat(state): add support for setString in ReleaseSpec and\n HelmState by @yxxhero in #1821\n * build(deps): bump github.com/goccy/go-yaml from 1.15.7 to 1.15.8\n by @dependabot in #1822\n * test(state): add TestHelmState_setStringFlags for setStringFlags\n method by @yxxhero in #1823\n * build(deps): bump k8s.io/apimachinery from 0.31.3 to 0.31.4 by\n @dependabot in #1826\n * build(deps): bump golang.org/x/crypto from 0.29.0 to 0.31.0 by\n @dependabot in #1828\n * build(deps): bump github.com/goccy/go-yaml from 1.15.8 to\n 1.15.9 by @dependabot in #1831\n * build(deps): bump k8s.io/apimachinery from 0.31.4 to 0.32.0 by\n @dependabot in #1830\n * feat: updating sops version to 3.9.2 by @zhaque44 in #1834\n * build(deps): bump github.com/goccy/go-yaml from 1.15.9 to\n 1.15.10 by @dependabot in #1835\n * build(deps): bump helm.sh/helm/v3 from 3.16.3 to 3.16.4 by\n @dependabot in #1836\n * build: update Helm version to v3.16.4 in CI and Dockerfiles by\n @yxxhero in #1837\n * build(deps): bump github.com/goccy/go-yaml from 1.15.10 to\n 1.15.11 by @dependabot in #1838\n * build(deps): bump filippo.io/age from 1.2.0 to 1.2.1 by\n @dependabot in #1840\n * build(deps): bump github.com/goccy/go-yaml from 1.15.11 to\n 1.15.12 by @dependabot in #1843\n * build: update helm-diff to v3.9.13 in Dockerfiles and init.go\n by @yxxhero in #1841\n * build(deps): bump github.com/helmfile/chartify from 0.20.4 to\n 0.20.5 by @dependabot in #1845\n * build(deps): bump github.com/goccy/go-yaml from 1.15.12 to\n 1.15.13 by @dependabot in #1844\n * build(deps): bump jinja2 from 3.1.4 to 3.1.5 in /docs by\n @dependabot in #1846\n * CVE-2024-45338: updating golang.org/x/net: to version: v0.33.0\n by @zhaque44 in #1849\n * build(deps): bump github.com/zclconf/go-cty from 1.15.1 to\n 1.16.0 by @dependabot in #1851\n * build(deps): bump golang.org/x/term from 0.27.0 to 0.28.0\n by @dependabot in #1852\n * update sops versions to 3.9.3 by @zhaque44 in #1861\n * build(deps): bump github.com/hashicorp/go-getter from 1.7.6\n to 1.7.7 by @dependabot in #1862\n * feat: add --take-ownership flag to apply and sync commands by\n @yxxhero in #1863\n * fix: ensure plain http is supported across all helmfile\n commands by @purpleclay in #1858\n * fix: ensure development versions of charts can be used across\n helmfile commands by @purpleclay in #1865\n * build(deps): bump github.com/helmfile/chartify from 0.20.5 to\n 0.20.6 by @dependabot in #1866\n * update kubectl version (1.30) to stay up to date with new\n releases by @zhaque44 in #1867\n * build(deps): bump github.com/zclconf/go-cty from 1.16.0 to\n 1.16.1 by @dependabot in #1870\n * build(deps): bump github.com/hashicorp/go-getter from 1.7.7 to\n 1.7.8 by @dependabot in #1869\n * feat: Add \"--no-hooks\" to helmfile template by @jwlai in #1813\n * update helm and k8s versions in ci, dockerfiles, and go.mod by\n @yxxhero in #1872\n * build(deps): bump github.com/helmfile/vals from 0.38.0 to 0.39.0\n by @dependabot in #1876\n * build(deps): bump k8s.io/apimachinery from 0.32.0 to 0.32.1 by\n @dependabot in #1873\n * build(deps): bump github.com/goccy/go-yaml from 1.15.13 to\n 1.15.14 by @dependabot in #1874\n * build: update helm-diff to v3.9.14 in Dockerfiles and init.go\n by @yxxhero in #1877\n\n- Update to version 0.169.2:\n * build(deps): bump github.com/helmfile/vals from 0.37.6 to 0.37.7\n by @dependabot in #1747\n * build(deps): bump k8s.io/apimachinery from 0.31.1 to 0.31.2 by\n @dependabot in #1754\n * Reset extra args before running \u0027dependency build\u0027 by @baurmatt\n in #1751\n * Introducing Helmfile Guru on Gurubase.io by @kursataktas in #1748\n * feat: add skip json schema validation during the install /upgrade\n of a Chart by @zhaque44 in #1737\n * fix(maputil): prevent nil value overwrite by @ban11111 in #1755\n * build(deps): bump github.com/goccy/go-yaml from 1.12.0 to\n 1.13.0 by @dependabot in #1759\n * fix: this url doesn\u0027t work anymore by @zekena2 in #1760\n * build(deps): bump github.com/goccy/go-yaml from 1.13.0 to\n 1.13.1 by @dependabot in #1762\n * build(deps): bump github.com/goccy/go-yaml from 1.13.1 to\n 1.13.2 by @dependabot in #1763\n * build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to\n 4.5.1 by @dependabot in #1767\n * build(deps): bump github.com/helmfile/vals from 0.37.7 to\n 0.37.8 by @dependabot in #1764\n * build(deps): bump github.com/goccy/go-yaml from 1.13.2 to\n 1.13.4 by @dependabot in #1765\n * fix(integration-tests): read correct minikube status (#1768)\n by @ceriath in #1769\n * build(deps): bump github.com/goccy/go-yaml from 1.13.4 to\n 1.13.5 by @dependabot in #1770\n * Add integration tests for #1749 by @baurmatt in #1766\n * fix: update acme chart URL in input.yaml by @yxxhero in #1773\n * build(deps): bump github.com/goccy/go-yaml from 1.13.5 to\n 1.13.6 by @dependabot in #1771\n * build(deps): bump golang.org/x/sync from 0.8.0 to 0.9.0 by\n @dependabot in #1775\n * build(deps): bump golang.org/x/term from 0.25.0 to 0.26.0\n by @dependabot in #1774\n * Revive dead badge links by @eggplants in #1776\n * feat: refactor label creation in state.go by @yxxhero in #1758\n * docs: Add Gurubase badge to README-zh_CN by @yxxhero in #1777\n * build(deps): bump github.com/goccy/go-yaml from 1.13.6 to\n 1.13.9 by @dependabot in #1781\n * build(deps): bump github.com/goccy/go-yaml from 1.13.9 to\n 1.14.0 by @dependabot in #1782\n * build(deps): bump github.com/goccy/go-yaml from 1.14.0 to\n 1.14.3 by @dependabot in #1788\n * build(deps): bump helm.sh/helm/v3 from 3.16.2 to 3.16.3 by\n @dependabot in #1786\n * fix: update helm-diff to version 3.9.12 in CI and Dockerfiles\n by @yxxhero in #1792\n * build: update Helm version to v3.16.3 in CI and Dockerfiles\n by @yxxhero in #1791\n * feat: add HELMFILE_INTERACTIVE env var to enable interactive\n mode by @thevops in #1787\n * build(deps): bump github.com/hashicorp/hcl/v2 from 2.22.0 to\n 2.23.0 by @dependabot in #1793\n * build(deps): bump github.com/Masterminds/semver/v3 from 3.3.0\n to 3.3.1 by @dependabot in #1795\n * chore: update with testify/assert assertion and table driven\n tests for fs.go by @zhaque44 in #1794\n * build(deps): bump k8s.io/apimachinery from 0.31.2 to 0.31.3\n by @dependabot in #1798\n * build(deps): bump github.com/stretchr/testify from 1.9.0 to\n 1.10.0 by @dependabot in #1800\n * build(deps): bump github.com/goccy/go-yaml from 1.14.3 to\n 1.15.0 by @dependabot in #1804\n * build(deps): bump github.com/goccy/go-yaml from 1.15.0 to\n 1.15.1 by @dependabot in #1807\n * build(deps): bump github.com/zclconf/go-cty from 1.15.0 to\n 1.15.1 by @dependabot in #1806\n * update example chart URL in remote-secrets doc by @daveneeley\n in #1809\n * build(deps): bump github.com/goccy/go-yaml from 1.15.1 to\n 1.15.3 by @dependabot in #1811\n * build(deps): bump github.com/goccy/go-yaml from 1.15.3 to\n 1.15.6 by @dependabot in #1812\n * fix: inject global values in Chartify by @xabufr in #1805\n * build(deps): bump github.com/helmfile/vals from 0.37.8 to\n 0.38.0 by @dependabot in #1814\n * build(deps): bump github.com/helmfile/chartify from 0.20.3 to\n 0.20.4 by @dependabot in #1815\n * build(deps): bump golang.org/x/sync from 0.9.0 to 0.10.0 by\n @dependabot in #1816\n\n- Update to version 0.169.1:\n * feat: update sops version to 3.9.1 by @zhaque44 in #1742\n * chore: improve test assertions and descriptions for file\n download test by @zhaque44 in #1745\n * feat: add \u0027hide-notes\u0027 flag to helm in sync and apply commands\n by @yxxhero in #1746\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-packagehub-30",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_20097-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45338 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45338/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-0377 page",
"url": "https://www.suse.com/security/cve/CVE-2025-0377/"
}
],
"title": "Security update for helmfile",
"tracking": {
"current_release_date": "2025-12-30T17:00:02Z",
"generator": {
"date": "2025-12-30T17:00:02Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:20097-1",
"initial_release_date": "2025-12-30T17:00:02Z",
"revision_history": [
{
"date": "2025-12-30T17:00:02Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "helmfile-1.1.9-bp160.1.1.aarch64",
"product": {
"name": "helmfile-1.1.9-bp160.1.1.aarch64",
"product_id": "helmfile-1.1.9-bp160.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "helmfile-bash-completion-1.1.9-bp160.1.1.noarch",
"product": {
"name": "helmfile-bash-completion-1.1.9-bp160.1.1.noarch",
"product_id": "helmfile-bash-completion-1.1.9-bp160.1.1.noarch"
}
},
{
"category": "product_version",
"name": "helmfile-fish-completion-1.1.9-bp160.1.1.noarch",
"product": {
"name": "helmfile-fish-completion-1.1.9-bp160.1.1.noarch",
"product_id": "helmfile-fish-completion-1.1.9-bp160.1.1.noarch"
}
},
{
"category": "product_version",
"name": "helmfile-zsh-completion-1.1.9-bp160.1.1.noarch",
"product": {
"name": "helmfile-zsh-completion-1.1.9-bp160.1.1.noarch",
"product_id": "helmfile-zsh-completion-1.1.9-bp160.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "helmfile-1.1.9-bp160.1.1.ppc64le",
"product": {
"name": "helmfile-1.1.9-bp160.1.1.ppc64le",
"product_id": "helmfile-1.1.9-bp160.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "helmfile-1.1.9-bp160.1.1.s390x",
"product": {
"name": "helmfile-1.1.9-bp160.1.1.s390x",
"product_id": "helmfile-1.1.9-bp160.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "helmfile-1.1.9-bp160.1.1.x86_64",
"product": {
"name": "helmfile-1.1.9-bp160.1.1.x86_64",
"product_id": "helmfile-1.1.9-bp160.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "helmfile-1.1.9-bp160.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.aarch64"
},
"product_reference": "helmfile-1.1.9-bp160.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helmfile-1.1.9-bp160.1.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.ppc64le"
},
"product_reference": "helmfile-1.1.9-bp160.1.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helmfile-1.1.9-bp160.1.1.s390x as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.s390x"
},
"product_reference": "helmfile-1.1.9-bp160.1.1.s390x",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helmfile-1.1.9-bp160.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.x86_64"
},
"product_reference": "helmfile-1.1.9-bp160.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helmfile-bash-completion-1.1.9-bp160.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:helmfile-bash-completion-1.1.9-bp160.1.1.noarch"
},
"product_reference": "helmfile-bash-completion-1.1.9-bp160.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helmfile-fish-completion-1.1.9-bp160.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:helmfile-fish-completion-1.1.9-bp160.1.1.noarch"
},
"product_reference": "helmfile-fish-completion-1.1.9-bp160.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helmfile-zsh-completion-1.1.9-bp160.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:helmfile-zsh-completion-1.1.9-bp160.1.1.noarch"
},
"product_reference": "helmfile-zsh-completion-1.1.9-bp160.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45338",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45338"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.aarch64",
"openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.s390x",
"openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.x86_64",
"openSUSE Leap 16.0:helmfile-bash-completion-1.1.9-bp160.1.1.noarch",
"openSUSE Leap 16.0:helmfile-fish-completion-1.1.9-bp160.1.1.noarch",
"openSUSE Leap 16.0:helmfile-zsh-completion-1.1.9-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45338",
"url": "https://www.suse.com/security/cve/CVE-2024-45338"
},
{
"category": "external",
"summary": "SUSE Bug 1234794 for CVE-2024-45338",
"url": "https://bugzilla.suse.com/1234794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.aarch64",
"openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.s390x",
"openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.x86_64",
"openSUSE Leap 16.0:helmfile-bash-completion-1.1.9-bp160.1.1.noarch",
"openSUSE Leap 16.0:helmfile-fish-completion-1.1.9-bp160.1.1.noarch",
"openSUSE Leap 16.0:helmfile-zsh-completion-1.1.9-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.aarch64",
"openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.s390x",
"openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.x86_64",
"openSUSE Leap 16.0:helmfile-bash-completion-1.1.9-bp160.1.1.noarch",
"openSUSE Leap 16.0:helmfile-fish-completion-1.1.9-bp160.1.1.noarch",
"openSUSE Leap 16.0:helmfile-zsh-completion-1.1.9-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-30T17:00:02Z",
"details": "moderate"
}
],
"title": "CVE-2024-45338"
},
{
"cve": "CVE-2025-0377",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-0377"
}
],
"notes": [
{
"category": "general",
"text": "HashiCorp\u0027s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.aarch64",
"openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.s390x",
"openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.x86_64",
"openSUSE Leap 16.0:helmfile-bash-completion-1.1.9-bp160.1.1.noarch",
"openSUSE Leap 16.0:helmfile-fish-completion-1.1.9-bp160.1.1.noarch",
"openSUSE Leap 16.0:helmfile-zsh-completion-1.1.9-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-0377",
"url": "https://www.suse.com/security/cve/CVE-2025-0377"
},
{
"category": "external",
"summary": "SUSE Bug 1236209 for CVE-2025-0377",
"url": "https://bugzilla.suse.com/1236209"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.aarch64",
"openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.s390x",
"openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.x86_64",
"openSUSE Leap 16.0:helmfile-bash-completion-1.1.9-bp160.1.1.noarch",
"openSUSE Leap 16.0:helmfile-fish-completion-1.1.9-bp160.1.1.noarch",
"openSUSE Leap 16.0:helmfile-zsh-completion-1.1.9-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.aarch64",
"openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.s390x",
"openSUSE Leap 16.0:helmfile-1.1.9-bp160.1.1.x86_64",
"openSUSE Leap 16.0:helmfile-bash-completion-1.1.9-bp160.1.1.noarch",
"openSUSE Leap 16.0:helmfile-fish-completion-1.1.9-bp160.1.1.noarch",
"openSUSE Leap 16.0:helmfile-zsh-completion-1.1.9-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-30T17:00:02Z",
"details": "critical"
}
],
"title": "CVE-2025-0377"
}
]
}
OPENSUSE-SU-2025:20117-1
Vulnerability from csaf_opensuse - Published: 2025-11-27 12:27 - Updated: 2025-11-27 12:27Summary
Security update for trivy
Severity
Important
Notes
Title of the patch: Security update for trivy
Description of the patch: This update for trivy fixes the following issues:
Changes in trivy:
Update to version 0.67.2 (bsc#1250625, CVE-2025-11065, bsc#1248897, CVE-2025-58058):
* fix: Use `fetch-level: 1` to check out trivy-repo in the release workflow [backport: release/v0.67] (#9638)
* fix: restore compatibility for google.protobuf.Value [backport: release/v0.67] (#9631)
* fix: using SrcVersion instead of Version for echo detector [backport: release/v0.67] (#9629)
* fix: add `buildInfo` for `BlobInfo` in `rpc` package [backport: release/v0.67] (#9615)
* fix(vex): don't use reused BOM [backport: release/v0.67] (#9612)
* fix(vex): don't suppress vulns for packages with infinity loop (#9465)
* fix(aws): use `BuildableClient` insead of `xhttp.Client` (#9436)
* refactor(misconf): replace github.com/liamg/memoryfs with internal mapfs and testing/fstest (#9282)
* docs: clarify inline ignore limitations for resource-less checks (#9537)
* fix(k8s): disable parallel traversal with fs cache for k8s images (#9534)
* fix(misconf): handle tofu files in module detection (#9486)
* feat(seal): add seal support (#9370)
* docs: fix modules path and update code example (#9539)
* fix: close file descriptors and pipes on error paths (#9536)
* feat: add documentation URL for database lock errors (#9531)
* fix(db): Dowload database when missing but metadata still exists (#9393)
* feat(cloudformation): support default values and list results in Fn::FindInMap (#9515)
* fix(misconf): unmark cty values before access (#9495)
* feat(cli): change --list-all-pkgs default to true (#9510)
* fix(nodejs): parse workspaces as objects for package-lock.json files (#9518)
* refactor(fs): use underlyingPath to determine virtual files more reliably (#9302)
* refactor: remove google/wire dependency and implement manual DI (#9509)
* chore(deps): bump the aws group with 6 updates (#9481)
* chore(deps): bump the common group across 1 directory with 24 updates (#9507)
* fix(misconf): wrap legacy ENV values in quotes to preserve spaces (#9497)
* docs: move info about `detection priority` into coverage section (#9469)
* feat(sbom): added support for CoreOS (#9448)
* fix(misconf): strip build metadata suffixes from image history (#9498)
* feat(cyclonedx): preserve SBOM structure when scanning SBOM files with vulnerability updates (#9439)
* docs: Fix typo in terraform docs (#9492)
* feat(redhat): add os-release detection for RHEL-based images (#9458)
* ci(deps): add 3-day cooldown period for Dependabot updates (#9475)
* refactor: migrate from go-json-experiment to encoding/json/v2 (#9422)
* fix(vuln): compare `nuget` package names in lower case (#9456)
* chore: Update release flow to include chocolatey (#9460)
* docs: document eol supportability (#9434)
* docs(report): add nuanses about secret/license scanner in summary table (#9442)
* ci: use environment variables in GitHub Actions for improved security (#9433)
* chore: bump Go to 1.24.7 (#9435)
* fix(nodejs): use snapshot string as `Package.ID` for pnpm packages (#9330)
* ci(helm): bump Trivy version to 0.66.0 for Trivy Helm Chart 0.18.0 (#9425)
Update to version 0.66.0 (bsc#1248937, CVE-2025-58058):
* chore(deps): bump the aws group with 7 updates (#9419)
* refactor(secret): clarify secret scanner messages (#9409)
* fix(cyclonedx): handle multiple license types (#9378)
* fix(repo): sanitize git repo URL before inserting into report metadata (#9391)
* test: add HTTP basic authentication to git test server (#9407)
* fix(sbom): add support for `file` component type of `CycloneDX` (#9372)
* fix(misconf): ensure module source is known (#9404)
* ci: migrate GitHub Actions from version tags to SHA pinning (#9405)
* fix: create temp file under composite fs dir (#9387)
* chore(deps): bump github.com/ulikunitz/xz from 0.5.12 to 0.5.14 (#9403)
* refactor: switch to stable azcontainerregistry SDK package (#9319)
* chore(deps): bump the common group with 7 updates (#9382)
* refactor(misconf): migrate from custom Azure JSON parser (#9222)
* fix(repo): preserve RepoMetadata on FS cache hit (#9389)
* refactor(misconf): use atomic.Int32 (#9385)
* chore(deps): bump the aws group with 6 updates (#9383)
* docs: Fix broken link to "Built-in Checks" (#9375)
* fix(plugin): don't remove plugins when updating index.yaml file (#9358)
* fix: persistent flag option typo (#9374)
* chore(deps): bump the common group across 1 directory with 26 updates (#9347)
* fix(image): use standardized HTTP client for ECR authentication (#9322)
* refactor: export `systemFileFiltering` Post Handler (#9359)
* docs: update links to Semaphore pages (#9352)
* fix(conda): memory leak by adding closure method for `package.json` file (#9349)
* feat: add timeout handling for cache database operations (#9307)
* fix(misconf): use correct field log_bucket instead of target_bucket in gcp bucket (#9296)
* fix(misconf): ensure ignore rules respect subdirectory chart paths (#9324)
* chore(deps): bump alpine from 3.21.4 to 3.22.1 (#9301)
* feat(terraform): use .terraform cache for remote modules in plan scanning (#9277)
* chore: fix some function names in comment (#9314)
* chore(deps): bump the aws group with 7 updates (#9311)
* docs: add explanation for how to use non-system certificates (#9081)
* chore(deps): bump the github-actions group across 1 directory with 2 updates (#8962)
* fix(misconf): preserve original paths of remote submodules from .terraform (#9294)
* refactor(terraform): make Scan method of Terraform plan scanner private (#9272)
* fix: suppress debug log for context cancellation errors (#9298)
* feat(secret): implement streaming secret scanner with byte offset tracking (#9264)
* fix(python): impove package name normalization (#9290)
* feat(misconf): added audit config attribute (#9249)
* refactor(misconf): decouple input fs and track extracted files with fs references (#9281)
* test(misconf): remove BenchmarkCalculate using outdated check metadata (#9291)
* refactor: simplify Detect function signature (#9280)
* ci(helm): bump Trivy version to 0.65.0 for Trivy Helm Chart 0.17.0 (#9288)
* fix(fs): avoid shadowing errors in file.glob (#9286)
* test(misconf): move terraform scan tests to integration tests (#9271)
* test(misconf): drop gcp iam test covered by another case (#9285)
* chore(deps): bump to alpine from `3.21.3` to `3.21.4` (#9283)
Update to version 0.65.0:
* fix(cli): ensure correct command is picked by telemetry (#9260)
* feat(flag): add schema validation for `--server` flag (#9270)
* chore(deps): bump github.com/docker/docker from 28.3.2+incompatible to 28.3.3+incompatible (#9274)
* ci: skip undefined labels in discussion triage action (#9175)
* feat(repo): add git repository metadata to reports (#9252)
* fix(license): handle WITH operator for `LaxSplitLicenses` (#9232)
* chore: add modernize tool integration for code modernization (#9251)
* fix(secret): add UTF-8 validation in secret scanner to prevent protobuf marshalling errors (#9253)
* chore: implement process-safe temp file cleanup (#9241)
* fix: prevent graceful shutdown message on normal exit (#9244)
* fix(misconf): correctly parse empty port ranges in google_compute_firewall (#9237)
* feat: add graceful shutdown with signal handling (#9242)
* chore: update template URL for brew formula (#9221)
* test: add end-to-end testing framework with image scan and proxy tests (#9231)
* refactor(db): use `Getter` interface with `GetParams` for trivy-db sources (#9239)
* ci: specify repository for `gh cache delete` in canary worklfow (#9240)
* ci: remove invalid `--confirm` flag from `gh cache delete` command in canary builds (#9236)
* fix(misconf): fix log bucket in schema (#9235)
* chore(deps): bump the common group across 1 directory with 24 updates (#9228)
* ci: move runner.os context from job-level env to step-level in canary workflow (#9233)
* chore(deps): bump up Trivy-kubernetes to v0.9.1 (#9214)
* feat(misconf): added logging and versioning to the gcp storage bucket (#9226)
* fix(server): add HTTP transport setup to server mode (#9217)
* chore: update the rpm download Update (#9202)
* feat(alma): add AlmaLinux 10 support (#9207)
* fix(nodejs): don't use prerelease logic for compare npm constraints (#9208)
* fix(rootio): fix severity selection (#9181)
* fix(sbom): merge in-graph and out-of-graph OS packages in scan results (#9194)
* fix(cli): panic: attempt to get os.Args[1] when len(os.Args) < 2 (#9206)
* fix(misconf): correctly adapt azure storage account (#9138)
* feat(misconf): add private ip google access attribute to subnetwork (#9199)
* feat(report): add CVSS vectors in sarif report (#9157)
* fix(terraform): `for_each` on a map returns a resource for every key (#9156)
* fix: supporting .egg-info/METADATA in python.Packaging analyzer (#9151)
* chore: migrate protoc setup from Docker to buf CLI (#9184)
* ci: delete cache after artifacts upload in canary workflow (#9177)
* refactor: remove aws flag helper message (#9080)
* ci: use gh pr view to get PR number for forked repositories in auto-ready workflow (#9183)
* ci: add auto-ready-for-review workflow (#9179)
* feat(image): add Docker context resolution (#9166)
* ci: optimize golangci-lint performance with cache-based strategy (#9173)
* feat: add HTTP request/response tracing support (#9125)
* fix(aws): update amazon linux 2 EOL date (#9176)
* chore: Update release workflow to trigger version updates (#9162)
* chore(deps): bump helm.sh/helm/v3 from 3.18.3 to 3.18.4 (#9164)
* fix: also check `filepath` when removing duplicate packages (#9142)
* chore: add debug log to show image source location (#9163)
* docs: add section on customizing default check data (#9114)
* chore(deps): bump the common group across 1 directory with 9 updates (#9153)
* docs: partners page content updates (#9149)
* chore(license): add missed spdx exceptions: (#9147)
* docs: trivy partners page updates (#9133)
* fix: migrate from `*.list` to `*.md5sums` files for `dpkg` (#9131)
* ci(helm): bump Trivy version to 0.64.1 for Trivy Helm Chart 0.16.1 (#9135)
* feat(sbom): add SHA-512 hash support for CycloneDX SBOM (#9126)
* fix(misconf): skip rewriting expr if attr is nil (#9113)
* fix(license): add missed `GFDL-NIV-1.1` and `GFDL-NIV-1.2` into Trivy mapping (#9116)
* fix(cli): Add more non-sensitive flags to telemetry (#9110)
* fix(alma): parse epochs from rpmqa file (#9101)
* fix(rootio): check full version to detect `root.io` packages (#9117)
* chore: drop FreeBSD 32-bit support (#9102)
* fix(sbom): use correct field for licenses in CycloneDX reports (#9057)
* fix(secret): fix line numbers for multiple-line secrets (#9104)
* feat(license): observe pkg types option in license scanner (#9091)
* ci(helm): bump Trivy version to 0.64.0 for Trivy Helm Chart 0.16.0 (#9107)
- (CVE-2025-53547, bsc#1246151)
- Update to version 0.64.1 (bsc#1243633, CVE-2025-47291,
(bsc#1246730, CVE-2025-46569):
* fix(misconf): skip rewriting expr if attr is nil [backport: release/v0.64] (#9127)
* fix(cli): Add more non-sensitive flags to telemetry [backport: release/v0.64] (#9124)
* fix(rootio): check full version to detect `root.io` packages [backport: release/v0.64] (#9120)
* fix(alma): parse epochs from rpmqa file [backport: release/v0.64] (#9119)
* docs(python): fix type with METADATA file name (#9090)
* feat: reject unsupported artifact types in remote image retrieval (#9052)
* chore(deps): bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 (#9088)
* refactor(misconf): rewrite Rego module filtering using functional filters (#9061)
* feat(terraform): add partial evaluation for policy templates (#8967)
* feat(vuln): add Root.io support for container image scanning (#9073)
* feat(sbom): add manufacturer field to CycloneDX tools metadata (#9019)
* fix(cli): add some values to the telemetry call (#9056)
* feat(ubuntu): add end of life date for Ubuntu 25.04 (#9077)
* refactor: centralize HTTP transport configuration (#9058)
* test: include integration tests in linting and fix all issues (#9060)
* chore(deps): bump the common group across 1 directory with 26 updates (#9063)
* feat(java): dereference all maven settings.xml env placeholders (#9024)
* fix(misconf): reduce log noise on incompatible check (#9029)
* fix(misconf): .Config.User always takes precedence over USER in .History (#9050)
* chore(deps): update Docker to v28.2.2 and fix compatibility issues (#9037)
* docs(misconf): simplify misconfiguration docs (#9030)
* fix(misconf): move disabled checks filtering after analyzer scan (#9002)
* docs: add PR review policy for maintainers (#9032)
* fix(sbom): remove unnecessary OS detection check in SBOM decoding (#9034)
* test: improve and extend tests for iac/adapters/arm (#9028)
* chore: bump up Go version to 1.24.4 (#9031)
* feat(cli): add version constraints to annoucements (#9023)
* fix(misconf): correct Azure value-to-time conversion in AsTimeValue (#9015)
* feat(ubuntu): add eol date for 20.04-ESM (#8981)
* fix(report): don't panic when report contains vulns, but doesn't contain packages for `table` format (#8549)
* fix(nodejs): correctly parse `packages` array of `bun.lock` file (#8998)
* refactor: use strings.SplitSeq instead of strings.Split in for-loop (#8983)
* docs: change --disable-metrics to --disable-telemetry in example (#8999) (#9003)
* feat(misconf): add OpenTofu file extension support (#8747)
* refactor(misconf): set Trivy version by default in Rego scanner (#9001)
* docs: fix assets with versioning (#8996)
* docs: add partners page (#8988)
* chore(alpine): add EOL date for Alpine 3.22 (#8992)
* fix: don't show corrupted trivy-db warning for first run (#8991)
* Update installation.md (#8979)
* feat(misconf): normalize CreatedBy for buildah and legacy docker builder (#8953)
* chore(k8s): update comments with deprecated command format (#8964)
* chore: fix errors and typos in docs (#8963)
* fix: Add missing version check flags (#8951)
* feat(redhat): Add EOL date for RHEL 10. (#8910)
* fix: Correctly check for semver versions for trivy version check (#8948)
* refactor(server): change custom advisory and vulnerability data types fr… (#8923)
* ci(helm): bump Trivy version to 0.63.0 for Trivy Helm Chart 0.15.0 (#8946)
* fix(misconf): use argument value in WithIncludeDeprecatedChecks (#8942)
* chore(deps): Bump trivy-checks (#8934)
* fix(julia): add `Relationship` field support (#8939)
* feat(minimos): Add support for MinimOS (#8792)
* feat(alpine): add maintainer field extraction for APK packages (#8930)
* feat(echo): Add Echo Support (#8833)
* fix(redhat): Also try to find buildinfo in root layer (layer 0) (#8924)
* fix(wolfi): support new APK database location (#8937)
* feat(k8s): get components from namespaced resources (#8918)
* refactor(cloudformation): remove unused ScanFile method from Scanner (#8927)
* refactor(terraform): remove result sorting from scanner (#8928)
* feat(misconf): Add support for `Minimum Trivy Version` (#8880)
* docs: improve skipping files documentation (#8749)
* feat(cli): Add available version checking (#8553)
* feat(nodejs): add a bun.lock analyzer (#8897)
* feat: terraform parser option to set current working directory (#8909)
* perf(secret): only match secrets of meaningful length, allow example strings to not be matched (#8602)
* feat(misconf): export raw Terraform data to Rego (#8741)
* refactor(terraform): simplify AllReferences method signature in Attribute (#8906)
* fix: check post-analyzers for StaticPaths (#8904)
* feat: add Bottlerocket OS package analyzer (#8653)
* feat(license): improve work text licenses with custom classification (#8888)
* chore(deps): bump github.com/containerd/containerd/v2 from 2.1.0 to 2.1.1 (#8901)
* chore(deps): bump the common group across 1 directory with 9 updates (#8887)
* refactor(license): simplify compound license scanning (#8896)
* feat(license): Support compound licenses (licenses using SPDX operators) (#8816)
* fix(k8s): use in-memory cache backend during misconfig scanning (#8873)
* feat(nodejs): add bun.lock parser (#8851)
* feat(license): improve work with custom classification of licenses from config file (#8861)
* fix(cli): disable `--skip-dir` and `--skip-files` flags for `sbom` command (#8886)
* fix: julia parser panicing (#8883)
* refactor(db): change logic to detect wrong DB (#8864)
* fix(cli): don't use allow values for `--compliance` flag (#8881)
* docs(misconf): Reorganize misconfiguration scan pages (#8206)
* fix(server): add missed Relationship field for `rpc` (#8872)
* feat: add JSONC support for comments and trailing commas (#8862)
* fix(vex): use `lo.IsNil` to check `VEX` from OCI artifact (#8858)
* feat(go): support license scanning in both GOPATH and vendor (#8843)
* fix(redhat): save contentSets for OS packages in fs/vm modes (#8820)
* fix: filter all files when processing files installed from package managers (#8842)
* feat(misconf): add misconfiguration location to junit template (#8793)
* docs(vuln): remove OSV for Python from data sources (#8841)
* chore: add an issue template for maintainers (#8838)
* chore: enable staticcheck (#8815)
* ci(helm): bump Trivy version to 0.62.1 for Trivy Helm Chart 0.14.1 (#8836)
* feat(license): scan vendor directory for license for go.mod files (#8689)
* docs(java): Update info about dev deps in gradle lock (#8830)
* chore(deps): bump golang.org/x/sync from 0.13.0 to 0.14.0 in the common group (#8822)
* fix(java): exclude dev dependencies in gradle lockfile (#8803)
* fix: octalLiteral from go-critic (#8811)
* fix(redhat): trim invalid suffix from content_sets in manifest parsing (#8818)
* chore(deps): bump the common group across 1 directory with 10 updates (#8817)
* fix: use-any from revive (#8810)
* fix: more revive rules (#8814)
* docs: change in java.md: fix the Trity -to-> Trivy typo (#8813)
* fix(misconf): check if for-each is known when expanding dyn block (#8808)
* ci(helm): bump Trivy version to 0.62.0 for Trivy Helm Chart 0.14.0 (#8802)
- Update to version 0.62.1 (bsc#1239225, CVE-2025-22868,
bsc#1241724, CVE-2025-22872):
* chore(deps): bump the common group across 1 directory with 10 updates [backport: release/v0.62] (#8831)
* fix(misconf): check if for-each is known when expanding dyn block [backport: release/v0.62] (#8826)
* fix(redhat): trim invalid suffix from content_sets in manifest parsing [backport: release/v0.62] (#8824)
* feat(nodejs): add root and workspace for `yarn` packages (#8535)
* fix: unused-parameter rule from revive (#8794)
* chore(deps): Update trivy-checks (#8798)
* fix: early-return, indent-error-flow and superfluous-else rules from revive (#8796)
* fix(k8s): remove using `last-applied-configuration` (#8791)
* refactor(misconf): remove unused methods from providers (#8781)
* refactor(misconf): remove unused methods from iac types (#8782)
* fix(misconf): filter null nodes when parsing json manifest (#8785)
* fix: testifylint last issues (#8768)
* fix(misconf): perform operations on attribute safely (#8774)
* refactor(ubuntu): update time handling for fixing time (#8780)
* chore(deps): bump golangci-lint to v2.1.2 (#8766)
* feat(image): save layers metadata into report (#8394)
* feat(misconf): convert AWS managed policy to document (#8757)
* chore(deps): bump the docker group across 1 directory with 3 updates (#8762)
* ci(helm): bump Trivy version to 0.61.1 for Trivy Helm Chart 0.13.1 (#8753)
* ci(helm): create a helm branch for patches from main (#8673)
* fix(terraform): hcl object expressions to return references (#8271)
* chore(terraform): option to pass in instanced logger (#8738)
* ci: use `Skitionek/notify-microsoft-teams` instead of `aquasecurity` fork (#8740)
* chore(terraform): remove os.OpenPath call from terraform file functions (#8737)
* chore(deps): bump the common group across 1 directory with 23 updates (#8733)
* feat(rust): add root and workspace relationships/package for `cargo` lock files (#8676)
* refactor(misconf): remove module outputs from parser.EvaluateAll (#8587)
* fix(misconf): populate context correctly for module instances (#8656)
* fix(misconf): check if metadata is not nil (#8647)
* refactor(misconf): switch to x/json (#8719)
* fix(report): clean buffer after flushing (#8725)
* ci: improve PR title validation workflow (#8720)
* refactor(flag): improve flag system architecture and extensibility (#8718)
* fix(terraform): `evaluateStep` to correctly set `EvalContext` for multiple instances of blocks (#8555)
* refactor: migrate from `github.com/aquasecurity/jfather` to `github.com/go-json-experiment/json` (#8591)
* feat(misconf): support auto_provisioning_defaults in google_container_cluster (#8705)
* ci: use `github.event.pull_request.user.login` for release PR check workflow (#8702)
* refactor: add hook interface for extended functionality (#8585)
* fix(misconf): add missing variable as unknown (#8683)
* docs: Update maintainer docs (#8674)
* ci(vuln): reduce github action script injection attack risk (#8610)
* fix(secret): ignore .dist-info directories during secret scanning (#8646)
* fix(server): fix redis key when trying to delete blob (#8649)
* chore(deps): bump the testcontainers group with 2 updates (#8650)
* test: use `aquasecurity` repository for test images (#8677)
* chore(deps): bump the aws group across 1 directory with 5 updates (#8652)
* fix(k8s): skip passed misconfigs for the summary report (#8684)
* fix(k8s): correct compare artifact versions (#8682)
* chore: update Docker lib (#8681)
* refactor(misconf): remove unused terraform attribute methods (#8657)
* feat(misconf): add option to pass Rego scanner to IaC scanner (#8369)
* chore: typo fix to replace `rego` with `repo` on the RepoFlagGroup options error output (#8643)
* docs: Add info about helm charts release (#8640)
* ci(helm): bump Trivy version to 0.61.0 for Trivy Helm Chart 0.13.0 (#8638)
Update to version 0.61.1 (bsc#1239385, CVE-2025-22869, bsc#1240466, CVE-2025-30204):
* fix(k8s): skip passed misconfigs for the summary report [backport: release/v0.61] (#8748)
* fix(k8s): correct compare artifact versions [backport: release/v0.61] (#8699)
* test: use `aquasecurity` repository for test images [backport: release/v0.61] (#8698)
* fix(misconf): Improve logging for unsupported checks (#8634)
* feat(k8s): add support for controllers (#8614)
* fix(debian): don't include empty licenses for `dpkgs` (#8623)
* fix(misconf): Check values wholly prior to evalution (#8604)
* chore(deps): Bump trivy-checks (#8619)
* fix(k8s): show report for `--report all` (#8613)
* chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 (#8597)
* refactor: rename scanner to service (#8584)
* fix(misconf): do not skip loading documents from subdirectories (#8526)
* refactor(misconf): get a block or attribute without calling HasChild (#8586)
* fix(misconf): identify the chart file exactly by name (#8590)
* test: use table-driven tests in Helm scanner tests (#8592)
* refactor(misconf): Simplify misconfig checks bundle parsing (#8533)
* chore(deps): bump the common group across 1 directory with 10 updates (#8566)
* fix(misconf): do not use cty.NilVal for non-nil values (#8567)
* docs(cli): improve flag value display format (#8560)
* fix(misconf): set default values for AWS::EKS::Cluster.ResourcesVpcConfig (#8548)
* docs: remove slack (#8565)
* fix: use `--file-patterns` flag for all post analyzers (#7365)
* docs(python): Mention pip-compile (#8484)
* feat(misconf): adapt aws_opensearch_domain (#8550)
* feat(misconf): adapt AWS::EC2::VPC (#8534)
* docs: fix a broken link (#8546)
* fix(fs): check postAnalyzers for StaticPaths (#8543)
* refactor(misconf): remove unused methods for ec2.Instance (#8536)
* feat(misconf): adapt aws_default_security_group (#8538)
* feat(fs): optimize scanning performance by direct file access for known paths (#8525)
* feat(misconf): adapt AWS::DynamoDB::Table (#8529)
* style: Fix MD syntax in self-hosting.md (#8523)
* perf(misconf): retrieve check metadata from annotations once (#8478)
* feat(misconf): Add support for aws_ami (#8499)
* fix(misconf): skip Azure CreateUiDefinition (#8503)
* refactor(misconf): use OPA v1 (#8518)
* fix(misconf): add ephemeral block type to config schema (#8513)
* perf(misconf): parse input for Rego once (#8483)
* feat: replace TinyGo with standard Go for WebAssembly modules (#8496)
* chore: replace deprecated tenv linter with usetesting (#8504)
* fix(spdx): save text licenses into `otherLicenses` without normalize (#8502)
* chore(deps): bump the common group across 1 directory with 13 updates (#8491)
* chore: use go.mod for managing Go tools (#8493)
* ci(helm): bump Trivy version to 0.60.0 for Trivy Helm Chart 0.12.0 (#8494)
* fix(sbom): improve logic for binding direct dependency to parent component (#8489)
* chore(deps): remove missed replace of `trivy-db` (#8492)
* chore(deps): bump alpine from 3.21.0 to 3.21.3 in the docker group across 1 directory (#8490)
* chore(deps): update Go to 1.24 and switch to go-version-file (#8388)
* docs: add abbreviation list (#8453)
* chore(terraform): assign *terraform.Module 'parent' field (#8444)
* feat: add report summary table (#8177)
* chore(deps): bump the github-actions group with 3 updates (#8473)
* refactor(vex): improve SBOM reference handling with project standards (#8457)
* ci: update GitHub Actions cache to v4 (#8475)
* feat: add `--vuln-severity-source` flag (#8269)
* fix(os): add mapping OS aliases (#8466)
* chore(deps): bump the aws group across 1 directory with 7 updates (#8468)
* chore(deps): Bump trivy-checks to v1.7.1 (#8467)
* refactor(report): write tables after rendering all results (#8357)
* docs: update VEX documentation index page (#8458)
* fix(db): fix case when 2 trivy-db were copied at the same time (#8452)
* feat(misconf): render causes for Terraform (#8360)
* fix(misconf): fix incorrect k8s locations due to JSON to YAML conversion (#8073)
* feat(cyclonedx): Add initial support for loading external VEX files from SBOM references (#8254)
* chore(deps): update go-rustaudit location (#8450)
* fix: update all documentation links (#8045)
* chore(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 (#8443)
* chore(deps): bump the common group with 6 updates (#8411)
* fix(k8s): add missed option `PkgRelationships` (#8442)
* fix(sbom): add SBOM file's filePath as Application FilePath if we can't detect its path (#8346)
* feat(go): fix parsing main module version for go >= 1.24 (#8433)
* refactor(misconf): make Rego scanner independent of config type (#7517)
* fix(image): disable AVD-DS-0007 for history scanning (#8366)
* fix(server): secrets inspectation for the config analyzer in client server mode (#8418)
* chore: remove mockery (#8417)
* test(server): replace mock driver with memory cache in server tests (#8416)
* test: replace mock with memory cache and fix non-deterministic tests (#8410)
* test: replace mock with memory cache in scanner tests (#8413)
* test: use memory cache (#8403)
* fix(spdx): init `pkgFilePaths` map for all formats (#8380)
* chore(deps): bump the common group across 1 directory with 11 updates (#8381)
* docs: correct Ruby documentation (#8402)
* chore: bump `mockery` to update v2.52.2 version and rebuild mock files (#8390)
* fix: don't use `scope` for `trivy registry login` command (#8393)
* fix(go): merge nested flags into string for ldflags for Go binaries (#8368)
* chore(terraform): export module path on terraform modules (#8374)
* fix(terraform): apply parser options to submodule parsing (#8377)
* docs: Fix typos in documentation (#8361)
* docs: fix navigate links (#8336)
* ci(helm): bump Trivy version to 0.59.1 for Trivy Helm Chart 0.11.1 (#8354)
* ci(spdx): add `aqua-installer` step to fix `mage` error (#8353)
* chore: remove debug prints (#8347)
* fix(misconf): do not log scanners when misconfig scanning is disabled (#8345)
* fix(report): remove html escaping for `shortDescription` and `fullDescription` fields for sarif reports (#8344)
* chore(deps): bump Go to `v1.23.5` (#8341)
* fix(python): add `poetry` v2 support (#8323)
* chore(deps): bump the github-actions group across 1 directory with 4 updates (#8331)
* fix(misconf): ecs include enhanced for container insights (#8326)
* fix(sbom): preserve OS packages from multiple SBOMs (#8325)
* ci(helm): bump Trivy version to 0.59.0 for Trivy Helm Chart 0.11.0 (#8311)
* (bsc#1237618, CVE-2025-27144)
Update to version 0.59.1:
* fix(misconf): do not log scanners when misconfig scanning is disabled [backport: release/v0.59] (#8349)
* chore(deps): bump Go to `v1.23.5` [backport: release/v0.59] (#8343)
* fix(python): add `poetry` v2 support [backport: release/v0.59] (#8335)
* fix(sbom): preserve OS packages from multiple SBOMs [backport: release/v0.59] (#8333)
Update to version 0.59.0:
* feat(image): return error early if total size of layers exceeds limit (#8294)
* chore(deps): Bump trivy-checks (#8310)
* chore(terraform): add accessors to underlying raw hcl values (#8306)
* fix: improve conversion of image config to Dockerfile (#8308)
* docs: replace short codes with Unicode emojis (#8296)
* feat(k8s): improve artifact selections for specific namespaces (#8248)
* chore: update code owners (#8303)
* fix(misconf): handle heredocs in dockerfile instructions (#8284)
* fix: de-duplicate same `dpkg` packages with different filePaths from different layers (#8298)
* chore(deps): bump the aws group with 7 updates (#8299)
* chore(deps): bump the common group with 12 updates (#8301)
* chore: enable int-conversion from perfsprint (#8194)
* feat(fs): use git commit hash as cache key for clean repositories (#8278)
* fix(spdx): use the `hasExtractedLicensingInfos` field for licenses that are not listed in the SPDX (#8077)
* chore: use require.ErrorContains when possible (#8291)
* feat(image): prevent scanning oversized container images (#8178)
* chore(deps): use aqua forks for `github.com/liamg/jfather` and `github.com/liamg/iamgo` (#8289)
* fix(fs): fix cache key generation to use UUID (#8275)
* fix(misconf): correctly handle all YAML tags in K8S templates (#8259)
* feat: add support for registry mirrors (#8244)
* chore(deps): bump the common group across 1 directory with 29 updates (#8261)
* refactor(license): improve license expression normalization (#8257)
* feat(misconf): support for ignoring by inline comments for Dockerfile (#8115)
* feat: add a examples field to check metadata (#8068)
* chore(deps): bump alpine from 3.20.0 to 3.21.0 in the docker group across 1 directory (#8196)
* ci: add workflow to restrict direct PRs to release branches (#8240)
* fix(suse): SUSE - update OSType constants and references for compatility (#8236)
* ci: fix path to main dir for canary builds (#8231)
* chore(secret): add reported issues related to secrets in junit template (#8193)
* refactor: use trivy-checks/pkg/specs package (#8226)
* ci(helm): bump Trivy version to 0.58.1 for Trivy Helm Chart 0.10.0 (#8170)
* fix(misconf): allow null values only for tf variables (#8112)
* feat(misconf): support for ignoring by inline comments for Helm (#8138)
* fix(redhat): check `usr/share/buildinfo/` dir to detect content sets (#8222)
* chore(alpine): add EOL date for Alpine 3.21 (#8221)
* fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field (#8207)
* fix(misconf): disable git terminal prompt on tf module load (#8026)
* chore: remove aws iam related scripts (#8179)
* docs: Updated JSON schema version 2 in the trivy documentation (#8188)
* refactor(python): use once + debug for `License acquired from METADATA...` logs (#8175)
* refactor: use slices package instead of custom function (#8172)
* chore(deps): bump the common group with 6 updates (#8162)
* feat(python): add support for uv dev and optional dependencies (#8134)
* feat(python): add support for poetry dev dependencies (#8152)
* fix(sbom): attach nested packages to Application (#8144)
* docs(vex): use debian minor version in examples (#8166)
* refactor: add generic Set implementation (#8149)
* chore(deps): bump the aws group across 1 directory with 6 updates (#8163)
* fix(python): skip dev group's deps for poetry (#8106)
* fix(sbom): use root package for `unknown` dependencies (if exists) (#8104)
* chore(deps): bump `golang.org/x/net` from `v0.32.0` to `v0.33.0` (#8140)
* chore(vex): suppress CVE-2024-45338 (#8137)
* feat(python): add support for uv (#8080)
* chore(deps): bump the docker group across 1 directory with 3 updates (#8127)
* chore(deps): bump the common group across 1 directory with 14 updates (#8126)
* chore: bump go to 1.23.4 (#8123)
* test: set dummy value for NUGET_PACKAGES (#8107)
* chore(deps): bump `github.com/CycloneDX/cyclonedx-go` from `v0.9.1` to `v0.9.2` (#8105)
* chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#8103)
* fix: wasm module test (#8099)
* fix: CVE-2024-45337: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass (#8088)
* chore(vex): suppress CVE-2024-45337 (#8101)
* fix(license): always trim leading and trailing spaces for licenses (#8095)
* fix(sbom): scan results of SBOMs generated from container images are missing layers (#7635)
* fix(redhat): correct rewriting of recommendations for the same vulnerability (#8063)
* fix: enable err-error and errorf rules from perfsprint linter (#7859)
* chore(deps): bump the aws group across 1 directory with 6 updates (#8074)
* perf: avoid heap allocation in applier findPackage (#7883)
* fix: Updated twitter icon (#7772)
* docs(k8s): add a note about multi-container pods (#7815)
* feat: add `--distro` flag to manually specify OS distribution for vulnerability scanning (#8070)
* fix(oracle): add architectures support for advisories (#4809)
* fix: handle `BLOW_UNKNOWN` error to download DBs (#8060)
* feat(misconf): generate placeholders for random provider resources (#8051)
* fix(sbom): fix wrong overwriting of applications obtained from different sbom files but having same app type (#8052)
* fix(flag): skip hidden flags for `--generate-default-config` command (#8046)
* fix(java): correctly overwrite version from depManagement if dependency uses `project.*` props (#8050)
* feat(nodejs): respect peer dependencies for dependency tree (#7989)
* ci(helm): bump Trivy version to 0.58.0 for Trivy Helm Chart 0.10.0 (#8038)
* fix: respect GITHUB_TOKEN to download artifacts from GHCR (#7580)
* chore(deps): bump github.com/moby/buildkit from 0.17.2 to 0.18.0 in the docker group (#8029)
* fix(misconf): use log instead of fmt for logging (#8033)
* docs: add commercial content (#8030)
- Update to version 0.58.2 (
bsc#1234512, CVE-2024-45337,
bsc#1235265, CVE-2024-45338,
bsc#1232948, CVE-2024-51744):
* fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#8238)
* fix(suse): SUSE - update OSType constants and references for compatility [backport: release/v0.58] (#8237)
* fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field [backport: release/v0.58] (#8215)
* fix(sbom): attach nested packages to Application [backport: release/v0.58] (#8168)
* fix(python): skip dev group's deps for poetry [backport: release/v0.58] (#8158)
* fix(sbom): use root package for `unknown` dependencies (if exists) [backport: release/v0.58] (#8156)
* chore(deps): bump `golang.org/x/net` from `v0.32.0` to `v0.33.0` [backport: release/v0.58] (#8142)
* chore(deps): bump `github.com/CycloneDX/cyclonedx-go` from `v0.9.1` to `v0.9.2` [backport: release/v0.58] (#8136)
* fix(redhat): correct rewriting of recommendations for the same vulnerability [backport: release/v0.58] (#8135)
* fix(oracle): add architectures support for advisories [backport: release/v0.58] (#8125)
* fix(sbom): fix wrong overwriting of applications obtained from different sbom files but having same app type [backport: release/v0.58] (#8124)
* chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 [backport: release/v0.58] (#8122)
* fix: handle `BLOW_UNKNOWN` error to download DBs [backport: release/v0.58] (#8121)
* fix(java): correctly overwrite version from depManagement if dependency uses `project.*` props [backport: release/v0.58] (#8119)
* fix(misconf): wrap AWS EnvVar to iac types (#7407)
* chore(deps): Upgrade trivy-checks (#8018)
* refactor(misconf): Remove unused options (#7896)
* docs: add terminology page to explain Trivy concepts (#7996)
* feat: add `workspaceRelationship` (#7889)
* refactor(sbom): simplify relationship generation (#7985)
* chore: remove Go checks (#7907)
* docs: improve databases documentation (#7732)
* refactor: remove support for custom Terraform checks (#7901)
* docs: fix dead links (#7998)
* docs: drop AWS account scanning (#7997)
* fix(aws): change CPU and Memory type of ContainerDefinition to a string (#7995)
* fix(cli): Handle empty ignore files more gracefully (#7962)
* fix(misconf): load full Terraform module (#7925)
* fix(misconf): properly resolve local Terraform cache (#7983)
* refactor(k8s): add v prefix for Go packages (#7839)
* test: replace Go checks with Rego (#7867)
* feat(misconf): log causes of HCL file parsing errors (#7634)
* chore(deps): bump the aws group across 1 directory with 7 updates (#7991)
* chore(deps): bump github.com/moby/buildkit from 0.17.0 to 0.17.2 in the docker group across 1 directory (#7990)
* chore(deps): update csaf module dependency from csaf-poc to gocsaf (#7992)
* chore: downgrade the failed block expand message to debug (#7964)
* fix(misconf): do not erase variable type for child modules (#7941)
* feat(go): construct dependencies of `go.mod` main module in the parser (#7977)
* feat(go): construct dependencies in the parser (#7973)
* feat: add cvss v4 score and vector in scan response (#7968)
* docs: add `overview` page for `others` (#7972)
* fix(sbom): Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details (#7871)
* feat(suse): Align SUSE/OpenSUSE OS Identifiers (#7965)
* chore(deps): bump the common group with 4 updates (#7949)
* feat(oracle): add `flavors` support (#7858)
* fix(misconf): Update trivy-checks default repo to `mirror.gcr.io` (#7953)
* chore(deps): Bump up trivy-checks to v1.3.0 (#7959)
* fix(k8s): check all results for vulnerabilities (#7946)
* ci(helm): bump Trivy version to 0.57.1 for Trivy Helm Chart 0.9.0 (#7945)
* feat(secret): Add built-in secrets rules for Private Packagist (#7826)
* docs: Fix broken links (#7900)
* docs: fix mistakes/typos (#7942)
* feat: Update registry fallbacks (#7679)
* fix(alpine): add `UID` for removed packages (#7887)
* chore(deps): bump the aws group with 6 updates (#7902)
* chore(deps): bump the common group with 6 updates (#7904)
* fix(debian): infinite loop (#7928)
* fix(redhat): don't return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files (#7912)
* docs: add note about temporary podman socket (#7921)
* docs: combine trivy.dev into trivy docs (#7884)
* test: change branch in spdx schema link to check in integration tests (#7935)
* docs: add Headlamp to the Trivy Ecosystem page (#7916)
* fix(report): handle `git@github.com` schema for misconfigs in `sarif` report (#7898)
* chore(k8s): enhance k8s scan log (#6997)
* fix(terraform): set null value as fallback for missing variables (#7669)
* fix(misconf): handle null properties in CloudFormation templates (#7813)
* fix(fs): add missing defered Cleanup() call to post analyzer fs (#7882)
* chore(deps): bump the common group across 1 directory with 20 updates (#7876)
* chore: bump containerd to v2.0.0 (#7875)
* fix: Improve version comparisons when build identifiers are present (#7873)
* feat(k8s): add default commands for unknown platform (#7863)
* chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#7868)
* refactor(secret): optimize performance by moving ToLower operation outside loop (#7862)
* test: save `containerd` image into archive and use in tests (#7816)
* chore(deps): bump the github-actions group across 1 directory with 2 updates (#7854)
* chore: bump golangci-lint to v1.61.0 (#7853)
Update to version 0.57.1:
* feat: Update registry fallbacks [backport: release/v0.57] (#7944)
* fix(redhat): don't return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files [backport: release/v0.57] (#7939)
* test: change branch in spdx schema link to check in integration tests [backport: release/v0.57] (#7940)
* release: v0.57.0 [main] (#7710)
* chore: lint `errors.Join` (#7845)
* feat(db): append errors (#7843)
* docs(java): add info about supported scopes (#7842)
* docs: add example of creating whitelist of checks (#7821)
* chore(deps): Bump trivy-checks (#7819)
* fix(go): Do not trim v prefix from versions in Go Mod Analyzer (#7733)
* fix(k8s): skip resources without misconfigs (#7797)
* fix(sbom): use `Annotation` instead of `AttributionTexts` for `SPDX` formats (#7811)
* fix(cli): add config name to skip-policy-update alias (#7820)
* fix(helm): properly handle multiple archived dependencies (#7782)
* refactor(misconf): Deprecate `EXCEPTIONS` for misconfiguration scanning (#7776)
* fix(k8s)!: support k8s multi container (#7444)
* fix(k8s): support kubernetes v1.31 (#7810)
* docs: add Windows install instructions (#7800)
* ci(helm): auto public Helm chart after PR merged (#7526)
* feat: add end of life date for Ubuntu 24.10 (#7787)
* feat(report): update gitlab template to populate operating_system value (#7735)
* feat(misconf): Show misconfig ID in output (#7762)
* feat(misconf): export unresolvable field of IaC types to Rego (#7765)
* refactor(k8s): scan config files as a folder (#7690)
* fix(license): fix license normalization for Universal Permissive License (#7766)
* fix: enable usestdlibvars linter (#7770)
* fix(misconf): properly expand dynamic blocks (#7612)
* feat(cyclonedx): add file checksums to `CycloneDX` reports (#7507)
* fix(misconf): fix for Azure Storage Account network acls adaptation (#7602)
* refactor(misconf): simplify k8s scanner (#7717)
* feat(parser): ignore white space in pom.xml files (#7747)
* test: use forked images (#7755)
* fix(java): correctly inherit `version` and `scope` from upper/root `depManagement` and `dependencies` into parents (#7541)
* fix(misconf): check if property is not nil before conversion (#7578)
* fix(misconf): change default ACL of digitalocean_spaces_bucket to private (#7577)
* feat(misconf): ssl_mode support for GCP SQL DB instance (#7564)
* test: define constants for test images (#7739)
* docs: add note about disabled DS016 check (#7724)
* feat(misconf): public network support for Azure Storage Account (#7601)
* feat(cli): rename `trivy auth` to `trivy registry` (#7727)
* docs: apt-transport-https is a transitional package (#7678)
* refactor(misconf): introduce generic scanner (#7515)
* fix(cli): `clean --all` deletes only relevant dirs (#7704)
* feat(cli): add `trivy auth` (#7664)
* fix(sbom): add options for DBs in private registries (#7660)
* docs(report): fix reporting doc format (#7671)
* fix(repo): `git clone` output to Stderr (#7561)
* fix(redhat): include arch in PURL qualifiers (#7654)
* fix(report): Fix invalid URI in SARIF report (#7645)
* docs(report): Improve SARIF reporting doc (#7655)
* fix(db): fix javadb downloading error handling (#7642)
* feat(cli): error out when ignore file cannot be found (#7624)
Update to version 0.56.2:
* fix(redhat): include arch in PURL qualifiers [backport: release/v0.56] (#7702)
* fix(sbom): add options for DBs in private registries [backport: release/v0.56] (#7691)
- Update to version 0.51.1 (bsc#1227010, CVE-2024-3817):
Patchnames: openSUSE-Leap-16.0-packagehub-33
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
critical
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.9 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
4.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
6.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.3 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
6.2 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
8.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.3 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
67 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for trivy",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for trivy fixes the following issues:\n\nChanges in trivy:\n\nUpdate to version 0.67.2 (bsc#1250625, CVE-2025-11065, bsc#1248897, CVE-2025-58058):\n\n * fix: Use `fetch-level: 1` to check out trivy-repo in the release workflow [backport: release/v0.67] (#9638)\n * fix: restore compatibility for google.protobuf.Value [backport: release/v0.67] (#9631)\n * fix: using SrcVersion instead of Version for echo detector [backport: release/v0.67] (#9629)\n * fix: add `buildInfo` for `BlobInfo` in `rpc` package [backport: release/v0.67] (#9615)\n * fix(vex): don\u0027t use reused BOM [backport: release/v0.67] (#9612)\n * fix(vex): don\u0027t suppress vulns for packages with infinity loop (#9465)\n * fix(aws): use `BuildableClient` insead of `xhttp.Client` (#9436)\n * refactor(misconf): replace github.com/liamg/memoryfs with internal mapfs and testing/fstest (#9282)\n * docs: clarify inline ignore limitations for resource-less checks (#9537)\n * fix(k8s): disable parallel traversal with fs cache for k8s images (#9534)\n * fix(misconf): handle tofu files in module detection (#9486)\n * feat(seal): add seal support (#9370)\n * docs: fix modules path and update code example (#9539)\n * fix: close file descriptors and pipes on error paths (#9536)\n * feat: add documentation URL for database lock errors (#9531)\n * fix(db): Dowload database when missing but metadata still exists (#9393)\n * feat(cloudformation): support default values and list results in Fn::FindInMap (#9515)\n * fix(misconf): unmark cty values before access (#9495)\n * feat(cli): change --list-all-pkgs default to true (#9510)\n * fix(nodejs): parse workspaces as objects for package-lock.json files (#9518)\n * refactor(fs): use underlyingPath to determine virtual files more reliably (#9302)\n * refactor: remove google/wire dependency and implement manual DI (#9509)\n * chore(deps): bump the aws group with 6 updates (#9481)\n * chore(deps): bump the common group across 1 directory with 24 updates (#9507)\n * fix(misconf): wrap legacy ENV values in quotes to preserve spaces (#9497)\n * docs: move info about `detection priority` into coverage section (#9469)\n * feat(sbom): added support for CoreOS (#9448)\n * fix(misconf): strip build metadata suffixes from image history (#9498)\n * feat(cyclonedx): preserve SBOM structure when scanning SBOM files with vulnerability updates (#9439)\n * docs: Fix typo in terraform docs (#9492)\n * feat(redhat): add os-release detection for RHEL-based images (#9458)\n * ci(deps): add 3-day cooldown period for Dependabot updates (#9475)\n * refactor: migrate from go-json-experiment to encoding/json/v2 (#9422)\n * fix(vuln): compare `nuget` package names in lower case (#9456)\n * chore: Update release flow to include chocolatey (#9460)\n * docs: document eol supportability (#9434)\n * docs(report): add nuanses about secret/license scanner in summary table (#9442)\n * ci: use environment variables in GitHub Actions for improved security (#9433)\n * chore: bump Go to 1.24.7 (#9435)\n * fix(nodejs): use snapshot string as `Package.ID` for pnpm packages (#9330)\n * ci(helm): bump Trivy version to 0.66.0 for Trivy Helm Chart 0.18.0 (#9425)\n\nUpdate to version 0.66.0 (bsc#1248937, CVE-2025-58058):\n\n * chore(deps): bump the aws group with 7 updates (#9419)\n * refactor(secret): clarify secret scanner messages (#9409)\n * fix(cyclonedx): handle multiple license types (#9378)\n * fix(repo): sanitize git repo URL before inserting into report metadata (#9391)\n * test: add HTTP basic authentication to git test server (#9407)\n * fix(sbom): add support for `file` component type of `CycloneDX` (#9372)\n * fix(misconf): ensure module source is known (#9404)\n * ci: migrate GitHub Actions from version tags to SHA pinning (#9405)\n * fix: create temp file under composite fs dir (#9387)\n * chore(deps): bump github.com/ulikunitz/xz from 0.5.12 to 0.5.14 (#9403)\n * refactor: switch to stable azcontainerregistry SDK package (#9319)\n * chore(deps): bump the common group with 7 updates (#9382)\n * refactor(misconf): migrate from custom Azure JSON parser (#9222)\n * fix(repo): preserve RepoMetadata on FS cache hit (#9389)\n * refactor(misconf): use atomic.Int32 (#9385)\n * chore(deps): bump the aws group with 6 updates (#9383)\n * docs: Fix broken link to \"Built-in Checks\" (#9375)\n * fix(plugin): don\u0027t remove plugins when updating index.yaml file (#9358)\n * fix: persistent flag option typo (#9374)\n * chore(deps): bump the common group across 1 directory with 26 updates (#9347)\n * fix(image): use standardized HTTP client for ECR authentication (#9322)\n * refactor: export `systemFileFiltering` Post Handler (#9359)\n * docs: update links to Semaphore pages (#9352)\n * fix(conda): memory leak by adding closure method for `package.json` file (#9349)\n * feat: add timeout handling for cache database operations (#9307)\n * fix(misconf): use correct field log_bucket instead of target_bucket in gcp bucket (#9296)\n * fix(misconf): ensure ignore rules respect subdirectory chart paths (#9324)\n * chore(deps): bump alpine from 3.21.4 to 3.22.1 (#9301)\n * feat(terraform): use .terraform cache for remote modules in plan scanning (#9277)\n * chore: fix some function names in comment (#9314)\n * chore(deps): bump the aws group with 7 updates (#9311)\n * docs: add explanation for how to use non-system certificates (#9081)\n * chore(deps): bump the github-actions group across 1 directory with 2 updates (#8962)\n * fix(misconf): preserve original paths of remote submodules from .terraform (#9294)\n * refactor(terraform): make Scan method of Terraform plan scanner private (#9272)\n * fix: suppress debug log for context cancellation errors (#9298)\n * feat(secret): implement streaming secret scanner with byte offset tracking (#9264)\n * fix(python): impove package name normalization (#9290)\n * feat(misconf): added audit config attribute (#9249)\n * refactor(misconf): decouple input fs and track extracted files with fs references (#9281)\n * test(misconf): remove BenchmarkCalculate using outdated check metadata (#9291)\n * refactor: simplify Detect function signature (#9280)\n * ci(helm): bump Trivy version to 0.65.0 for Trivy Helm Chart 0.17.0 (#9288)\n * fix(fs): avoid shadowing errors in file.glob (#9286)\n * test(misconf): move terraform scan tests to integration tests (#9271)\n * test(misconf): drop gcp iam test covered by another case (#9285)\n * chore(deps): bump to alpine from `3.21.3` to `3.21.4` (#9283)\n\nUpdate to version 0.65.0:\n\n * fix(cli): ensure correct command is picked by telemetry (#9260)\n * feat(flag): add schema validation for `--server` flag (#9270)\n * chore(deps): bump github.com/docker/docker from 28.3.2+incompatible to 28.3.3+incompatible (#9274)\n * ci: skip undefined labels in discussion triage action (#9175)\n * feat(repo): add git repository metadata to reports (#9252)\n * fix(license): handle WITH operator for `LaxSplitLicenses` (#9232)\n * chore: add modernize tool integration for code modernization (#9251)\n * fix(secret): add UTF-8 validation in secret scanner to prevent protobuf marshalling errors (#9253)\n * chore: implement process-safe temp file cleanup (#9241)\n * fix: prevent graceful shutdown message on normal exit (#9244)\n * fix(misconf): correctly parse empty port ranges in google_compute_firewall (#9237)\n * feat: add graceful shutdown with signal handling (#9242)\n * chore: update template URL for brew formula (#9221)\n * test: add end-to-end testing framework with image scan and proxy tests (#9231)\n * refactor(db): use `Getter` interface with `GetParams` for trivy-db sources (#9239)\n * ci: specify repository for `gh cache delete` in canary worklfow (#9240)\n * ci: remove invalid `--confirm` flag from `gh cache delete` command in canary builds (#9236)\n * fix(misconf): fix log bucket in schema (#9235)\n * chore(deps): bump the common group across 1 directory with 24 updates (#9228)\n * ci: move runner.os context from job-level env to step-level in canary workflow (#9233)\n * chore(deps): bump up Trivy-kubernetes to v0.9.1 (#9214)\n * feat(misconf): added logging and versioning to the gcp storage bucket (#9226)\n * fix(server): add HTTP transport setup to server mode (#9217)\n * chore: update the rpm download Update (#9202)\n * feat(alma): add AlmaLinux 10 support (#9207)\n * fix(nodejs): don\u0027t use prerelease logic for compare npm constraints (#9208)\n * fix(rootio): fix severity selection (#9181)\n * fix(sbom): merge in-graph and out-of-graph OS packages in scan results (#9194)\n * fix(cli): panic: attempt to get os.Args[1] when len(os.Args) \u003c 2 (#9206)\n * fix(misconf): correctly adapt azure storage account (#9138)\n * feat(misconf): add private ip google access attribute to subnetwork (#9199)\n * feat(report): add CVSS vectors in sarif report (#9157)\n * fix(terraform): `for_each` on a map returns a resource for every key (#9156)\n * fix: supporting .egg-info/METADATA in python.Packaging analyzer (#9151)\n * chore: migrate protoc setup from Docker to buf CLI (#9184)\n * ci: delete cache after artifacts upload in canary workflow (#9177)\n * refactor: remove aws flag helper message (#9080)\n * ci: use gh pr view to get PR number for forked repositories in auto-ready workflow (#9183)\n * ci: add auto-ready-for-review workflow (#9179)\n * feat(image): add Docker context resolution (#9166)\n * ci: optimize golangci-lint performance with cache-based strategy (#9173)\n * feat: add HTTP request/response tracing support (#9125)\n * fix(aws): update amazon linux 2 EOL date (#9176)\n * chore: Update release workflow to trigger version updates (#9162)\n * chore(deps): bump helm.sh/helm/v3 from 3.18.3 to 3.18.4 (#9164)\n * fix: also check `filepath` when removing duplicate packages (#9142)\n * chore: add debug log to show image source location (#9163)\n * docs: add section on customizing default check data (#9114)\n * chore(deps): bump the common group across 1 directory with 9 updates (#9153)\n * docs: partners page content updates (#9149)\n * chore(license): add missed spdx exceptions: (#9147)\n * docs: trivy partners page updates (#9133)\n * fix: migrate from `*.list` to `*.md5sums` files for `dpkg` (#9131)\n * ci(helm): bump Trivy version to 0.64.1 for Trivy Helm Chart 0.16.1 (#9135)\n * feat(sbom): add SHA-512 hash support for CycloneDX SBOM (#9126)\n * fix(misconf): skip rewriting expr if attr is nil (#9113)\n * fix(license): add missed `GFDL-NIV-1.1` and `GFDL-NIV-1.2` into Trivy mapping (#9116)\n * fix(cli): Add more non-sensitive flags to telemetry (#9110)\n * fix(alma): parse epochs from rpmqa file (#9101)\n * fix(rootio): check full version to detect `root.io` packages (#9117)\n * chore: drop FreeBSD 32-bit support (#9102)\n * fix(sbom): use correct field for licenses in CycloneDX reports (#9057)\n * fix(secret): fix line numbers for multiple-line secrets (#9104)\n * feat(license): observe pkg types option in license scanner (#9091)\n * ci(helm): bump Trivy version to 0.64.0 for Trivy Helm Chart 0.16.0 (#9107)\n- (CVE-2025-53547, bsc#1246151)\n\n- Update to version 0.64.1 (bsc#1243633, CVE-2025-47291,\n (bsc#1246730, CVE-2025-46569):\n\n * fix(misconf): skip rewriting expr if attr is nil [backport: release/v0.64] (#9127)\n * fix(cli): Add more non-sensitive flags to telemetry [backport: release/v0.64] (#9124)\n * fix(rootio): check full version to detect `root.io` packages [backport: release/v0.64] (#9120)\n * fix(alma): parse epochs from rpmqa file [backport: release/v0.64] (#9119)\n * docs(python): fix type with METADATA file name (#9090)\n * feat: reject unsupported artifact types in remote image retrieval (#9052)\n * chore(deps): bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 (#9088)\n * refactor(misconf): rewrite Rego module filtering using functional filters (#9061)\n * feat(terraform): add partial evaluation for policy templates (#8967)\n * feat(vuln): add Root.io support for container image scanning (#9073)\n * feat(sbom): add manufacturer field to CycloneDX tools metadata (#9019)\n * fix(cli): add some values to the telemetry call (#9056)\n * feat(ubuntu): add end of life date for Ubuntu 25.04 (#9077)\n * refactor: centralize HTTP transport configuration (#9058)\n * test: include integration tests in linting and fix all issues (#9060)\n * chore(deps): bump the common group across 1 directory with 26 updates (#9063)\n * feat(java): dereference all maven settings.xml env placeholders (#9024)\n * fix(misconf): reduce log noise on incompatible check (#9029)\n * fix(misconf): .Config.User always takes precedence over USER in .History (#9050)\n * chore(deps): update Docker to v28.2.2 and fix compatibility issues (#9037)\n * docs(misconf): simplify misconfiguration docs (#9030)\n * fix(misconf): move disabled checks filtering after analyzer scan (#9002)\n * docs: add PR review policy for maintainers (#9032)\n * fix(sbom): remove unnecessary OS detection check in SBOM decoding (#9034)\n * test: improve and extend tests for iac/adapters/arm (#9028)\n * chore: bump up Go version to 1.24.4 (#9031)\n * feat(cli): add version constraints to annoucements (#9023)\n * fix(misconf): correct Azure value-to-time conversion in AsTimeValue (#9015)\n * feat(ubuntu): add eol date for 20.04-ESM (#8981)\n * fix(report): don\u0027t panic when report contains vulns, but doesn\u0027t contain packages for `table` format (#8549)\n * fix(nodejs): correctly parse `packages` array of `bun.lock` file (#8998)\n * refactor: use strings.SplitSeq instead of strings.Split in for-loop (#8983)\n * docs: change --disable-metrics to --disable-telemetry in example (#8999) (#9003)\n * feat(misconf): add OpenTofu file extension support (#8747)\n * refactor(misconf): set Trivy version by default in Rego scanner (#9001)\n * docs: fix assets with versioning (#8996)\n * docs: add partners page (#8988)\n * chore(alpine): add EOL date for Alpine 3.22 (#8992)\n * fix: don\u0027t show corrupted trivy-db warning for first run (#8991)\n * Update installation.md (#8979)\n * feat(misconf): normalize CreatedBy for buildah and legacy docker builder (#8953)\n * chore(k8s): update comments with deprecated command format (#8964)\n * chore: fix errors and typos in docs (#8963)\n * fix: Add missing version check flags (#8951)\n * feat(redhat): Add EOL date for RHEL 10. (#8910)\n * fix: Correctly check for semver versions for trivy version check (#8948)\n * refactor(server): change custom advisory and vulnerability data types fr\u2026 (#8923)\n * ci(helm): bump Trivy version to 0.63.0 for Trivy Helm Chart 0.15.0 (#8946)\n * fix(misconf): use argument value in WithIncludeDeprecatedChecks (#8942)\n * chore(deps): Bump trivy-checks (#8934)\n * fix(julia): add `Relationship` field support (#8939)\n * feat(minimos): Add support for MinimOS (#8792)\n * feat(alpine): add maintainer field extraction for APK packages (#8930)\n * feat(echo): Add Echo Support (#8833)\n * fix(redhat): Also try to find buildinfo in root layer (layer 0) (#8924)\n * fix(wolfi): support new APK database location (#8937)\n * feat(k8s): get components from namespaced resources (#8918)\n * refactor(cloudformation): remove unused ScanFile method from Scanner (#8927)\n * refactor(terraform): remove result sorting from scanner (#8928)\n * feat(misconf): Add support for `Minimum Trivy Version` (#8880)\n * docs: improve skipping files documentation (#8749)\n * feat(cli): Add available version checking (#8553)\n * feat(nodejs): add a bun.lock analyzer (#8897)\n * feat: terraform parser option to set current working directory (#8909)\n * perf(secret): only match secrets of meaningful length, allow example strings to not be matched (#8602)\n * feat(misconf): export raw Terraform data to Rego (#8741)\n * refactor(terraform): simplify AllReferences method signature in Attribute (#8906)\n * fix: check post-analyzers for StaticPaths (#8904)\n * feat: add Bottlerocket OS package analyzer (#8653)\n * feat(license): improve work text licenses with custom classification (#8888)\n * chore(deps): bump github.com/containerd/containerd/v2 from 2.1.0 to 2.1.1 (#8901)\n * chore(deps): bump the common group across 1 directory with 9 updates (#8887)\n * refactor(license): simplify compound license scanning (#8896)\n * feat(license): Support compound licenses (licenses using SPDX operators) (#8816)\n * fix(k8s): use in-memory cache backend during misconfig scanning (#8873)\n * feat(nodejs): add bun.lock parser (#8851)\n * feat(license): improve work with custom classification of licenses from config file (#8861)\n * fix(cli): disable `--skip-dir` and `--skip-files` flags for `sbom` command (#8886)\n * fix: julia parser panicing (#8883)\n * refactor(db): change logic to detect wrong DB (#8864)\n * fix(cli): don\u0027t use allow values for `--compliance` flag (#8881)\n * docs(misconf): Reorganize misconfiguration scan pages (#8206)\n * fix(server): add missed Relationship field for `rpc` (#8872)\n * feat: add JSONC support for comments and trailing commas (#8862)\n * fix(vex): use `lo.IsNil` to check `VEX` from OCI artifact (#8858)\n * feat(go): support license scanning in both GOPATH and vendor (#8843)\n * fix(redhat): save contentSets for OS packages in fs/vm modes (#8820)\n * fix: filter all files when processing files installed from package managers (#8842)\n * feat(misconf): add misconfiguration location to junit template (#8793)\n * docs(vuln): remove OSV for Python from data sources (#8841)\n * chore: add an issue template for maintainers (#8838)\n * chore: enable staticcheck (#8815)\n * ci(helm): bump Trivy version to 0.62.1 for Trivy Helm Chart 0.14.1 (#8836)\n * feat(license): scan vendor directory for license for go.mod files (#8689)\n * docs(java): Update info about dev deps in gradle lock (#8830)\n * chore(deps): bump golang.org/x/sync from 0.13.0 to 0.14.0 in the common group (#8822)\n * fix(java): exclude dev dependencies in gradle lockfile (#8803)\n * fix: octalLiteral from go-critic (#8811)\n * fix(redhat): trim invalid suffix from content_sets in manifest parsing (#8818)\n * chore(deps): bump the common group across 1 directory with 10 updates (#8817)\n * fix: use-any from revive (#8810)\n * fix: more revive rules (#8814)\n * docs: change in java.md: fix the Trity -to-\u003e Trivy typo (#8813)\n * fix(misconf): check if for-each is known when expanding dyn block (#8808)\n * ci(helm): bump Trivy version to 0.62.0 for Trivy Helm Chart 0.14.0 (#8802)\n\n- Update to version 0.62.1 (bsc#1239225, CVE-2025-22868,\n bsc#1241724, CVE-2025-22872):\n\n * chore(deps): bump the common group across 1 directory with 10 updates [backport: release/v0.62] (#8831)\n * fix(misconf): check if for-each is known when expanding dyn block [backport: release/v0.62] (#8826)\n * fix(redhat): trim invalid suffix from content_sets in manifest parsing [backport: release/v0.62] (#8824)\n * feat(nodejs): add root and workspace for `yarn` packages (#8535)\n * fix: unused-parameter rule from revive (#8794)\n * chore(deps): Update trivy-checks (#8798)\n * fix: early-return, indent-error-flow and superfluous-else rules from revive (#8796)\n * fix(k8s): remove using `last-applied-configuration` (#8791)\n * refactor(misconf): remove unused methods from providers (#8781)\n * refactor(misconf): remove unused methods from iac types (#8782)\n * fix(misconf): filter null nodes when parsing json manifest (#8785)\n * fix: testifylint last issues (#8768)\n * fix(misconf): perform operations on attribute safely (#8774)\n * refactor(ubuntu): update time handling for fixing time (#8780)\n * chore(deps): bump golangci-lint to v2.1.2 (#8766)\n * feat(image): save layers metadata into report (#8394)\n * feat(misconf): convert AWS managed policy to document (#8757)\n * chore(deps): bump the docker group across 1 directory with 3 updates (#8762)\n * ci(helm): bump Trivy version to 0.61.1 for Trivy Helm Chart 0.13.1 (#8753)\n * ci(helm): create a helm branch for patches from main (#8673)\n * fix(terraform): hcl object expressions to return references (#8271)\n * chore(terraform): option to pass in instanced logger (#8738)\n * ci: use `Skitionek/notify-microsoft-teams` instead of `aquasecurity` fork (#8740)\n * chore(terraform): remove os.OpenPath call from terraform file functions (#8737)\n * chore(deps): bump the common group across 1 directory with 23 updates (#8733)\n * feat(rust): add root and workspace relationships/package for `cargo` lock files (#8676)\n * refactor(misconf): remove module outputs from parser.EvaluateAll (#8587)\n * fix(misconf): populate context correctly for module instances (#8656)\n * fix(misconf): check if metadata is not nil (#8647)\n * refactor(misconf): switch to x/json (#8719)\n * fix(report): clean buffer after flushing (#8725)\n * ci: improve PR title validation workflow (#8720)\n * refactor(flag): improve flag system architecture and extensibility (#8718)\n * fix(terraform): `evaluateStep` to correctly set `EvalContext` for multiple instances of blocks (#8555)\n * refactor: migrate from `github.com/aquasecurity/jfather` to `github.com/go-json-experiment/json` (#8591)\n * feat(misconf): support auto_provisioning_defaults in google_container_cluster (#8705)\n * ci: use `github.event.pull_request.user.login` for release PR check workflow (#8702)\n * refactor: add hook interface for extended functionality (#8585)\n * fix(misconf): add missing variable as unknown (#8683)\n * docs: Update maintainer docs (#8674)\n * ci(vuln): reduce github action script injection attack risk (#8610)\n * fix(secret): ignore .dist-info directories during secret scanning (#8646)\n * fix(server): fix redis key when trying to delete blob (#8649)\n * chore(deps): bump the testcontainers group with 2 updates (#8650)\n * test: use `aquasecurity` repository for test images (#8677)\n * chore(deps): bump the aws group across 1 directory with 5 updates (#8652)\n * fix(k8s): skip passed misconfigs for the summary report (#8684)\n * fix(k8s): correct compare artifact versions (#8682)\n * chore: update Docker lib (#8681)\n * refactor(misconf): remove unused terraform attribute methods (#8657)\n * feat(misconf): add option to pass Rego scanner to IaC scanner (#8369)\n * chore: typo fix to replace `rego` with `repo` on the RepoFlagGroup options error output (#8643)\n * docs: Add info about helm charts release (#8640)\n * ci(helm): bump Trivy version to 0.61.0 for Trivy Helm Chart 0.13.0 (#8638)\n\nUpdate to version 0.61.1 (bsc#1239385, CVE-2025-22869, bsc#1240466, CVE-2025-30204):\n\n * fix(k8s): skip passed misconfigs for the summary report [backport: release/v0.61] (#8748)\n * fix(k8s): correct compare artifact versions [backport: release/v0.61] (#8699)\n * test: use `aquasecurity` repository for test images [backport: release/v0.61] (#8698)\n * fix(misconf): Improve logging for unsupported checks (#8634)\n * feat(k8s): add support for controllers (#8614)\n * fix(debian): don\u0027t include empty licenses for `dpkgs` (#8623)\n * fix(misconf): Check values wholly prior to evalution (#8604)\n * chore(deps): Bump trivy-checks (#8619)\n * fix(k8s): show report for `--report all` (#8613)\n * chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 (#8597)\n * refactor: rename scanner to service (#8584)\n * fix(misconf): do not skip loading documents from subdirectories (#8526)\n * refactor(misconf): get a block or attribute without calling HasChild (#8586)\n * fix(misconf): identify the chart file exactly by name (#8590)\n * test: use table-driven tests in Helm scanner tests (#8592)\n * refactor(misconf): Simplify misconfig checks bundle parsing (#8533)\n * chore(deps): bump the common group across 1 directory with 10 updates (#8566)\n * fix(misconf): do not use cty.NilVal for non-nil values (#8567)\n * docs(cli): improve flag value display format (#8560)\n * fix(misconf): set default values for AWS::EKS::Cluster.ResourcesVpcConfig (#8548)\n * docs: remove slack (#8565)\n * fix: use `--file-patterns` flag for all post analyzers (#7365)\n * docs(python): Mention pip-compile (#8484)\n * feat(misconf): adapt aws_opensearch_domain (#8550)\n * feat(misconf): adapt AWS::EC2::VPC (#8534)\n * docs: fix a broken link (#8546)\n * fix(fs): check postAnalyzers for StaticPaths (#8543)\n * refactor(misconf): remove unused methods for ec2.Instance (#8536)\n * feat(misconf): adapt aws_default_security_group (#8538)\n * feat(fs): optimize scanning performance by direct file access for known paths (#8525)\n * feat(misconf): adapt AWS::DynamoDB::Table (#8529)\n * style: Fix MD syntax in self-hosting.md (#8523)\n * perf(misconf): retrieve check metadata from annotations once (#8478)\n * feat(misconf): Add support for aws_ami (#8499)\n * fix(misconf): skip Azure CreateUiDefinition (#8503)\n * refactor(misconf): use OPA v1 (#8518)\n * fix(misconf): add ephemeral block type to config schema (#8513)\n * perf(misconf): parse input for Rego once (#8483)\n * feat: replace TinyGo with standard Go for WebAssembly modules (#8496)\n * chore: replace deprecated tenv linter with usetesting (#8504)\n * fix(spdx): save text licenses into `otherLicenses` without normalize (#8502)\n * chore(deps): bump the common group across 1 directory with 13 updates (#8491)\n * chore: use go.mod for managing Go tools (#8493)\n * ci(helm): bump Trivy version to 0.60.0 for Trivy Helm Chart 0.12.0 (#8494)\n * fix(sbom): improve logic for binding direct dependency to parent component (#8489)\n * chore(deps): remove missed replace of `trivy-db` (#8492)\n * chore(deps): bump alpine from 3.21.0 to 3.21.3 in the docker group across 1 directory (#8490)\n * chore(deps): update Go to 1.24 and switch to go-version-file (#8388)\n * docs: add abbreviation list (#8453)\n * chore(terraform): assign *terraform.Module \u0027parent\u0027 field (#8444)\n * feat: add report summary table (#8177)\n * chore(deps): bump the github-actions group with 3 updates (#8473)\n * refactor(vex): improve SBOM reference handling with project standards (#8457)\n * ci: update GitHub Actions cache to v4 (#8475)\n * feat: add `--vuln-severity-source` flag (#8269)\n * fix(os): add mapping OS aliases (#8466)\n * chore(deps): bump the aws group across 1 directory with 7 updates (#8468)\n * chore(deps): Bump trivy-checks to v1.7.1 (#8467)\n * refactor(report): write tables after rendering all results (#8357)\n * docs: update VEX documentation index page (#8458)\n * fix(db): fix case when 2 trivy-db were copied at the same time (#8452)\n * feat(misconf): render causes for Terraform (#8360)\n * fix(misconf): fix incorrect k8s locations due to JSON to YAML conversion (#8073)\n * feat(cyclonedx): Add initial support for loading external VEX files from SBOM references (#8254)\n * chore(deps): update go-rustaudit location (#8450)\n * fix: update all documentation links (#8045)\n * chore(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 (#8443)\n * chore(deps): bump the common group with 6 updates (#8411)\n * fix(k8s): add missed option `PkgRelationships` (#8442)\n * fix(sbom): add SBOM file\u0027s filePath as Application FilePath if we can\u0027t detect its path (#8346)\n * feat(go): fix parsing main module version for go \u003e= 1.24 (#8433)\n * refactor(misconf): make Rego scanner independent of config type (#7517)\n * fix(image): disable AVD-DS-0007 for history scanning (#8366)\n * fix(server): secrets inspectation for the config analyzer in client server mode (#8418)\n * chore: remove mockery (#8417)\n * test(server): replace mock driver with memory cache in server tests (#8416)\n * test: replace mock with memory cache and fix non-deterministic tests (#8410)\n * test: replace mock with memory cache in scanner tests (#8413)\n * test: use memory cache (#8403)\n * fix(spdx): init `pkgFilePaths` map for all formats (#8380)\n * chore(deps): bump the common group across 1 directory with 11 updates (#8381)\n * docs: correct Ruby documentation (#8402)\n * chore: bump `mockery` to update v2.52.2 version and rebuild mock files (#8390)\n * fix: don\u0027t use `scope` for `trivy registry login` command (#8393)\n * fix(go): merge nested flags into string for ldflags for Go binaries (#8368)\n * chore(terraform): export module path on terraform modules (#8374)\n * fix(terraform): apply parser options to submodule parsing (#8377)\n * docs: Fix typos in documentation (#8361)\n * docs: fix navigate links (#8336)\n * ci(helm): bump Trivy version to 0.59.1 for Trivy Helm Chart 0.11.1 (#8354)\n * ci(spdx): add `aqua-installer` step to fix `mage` error (#8353)\n * chore: remove debug prints (#8347)\n * fix(misconf): do not log scanners when misconfig scanning is disabled (#8345)\n * fix(report): remove html escaping for `shortDescription` and `fullDescription` fields for sarif reports (#8344)\n * chore(deps): bump Go to `v1.23.5` (#8341)\n * fix(python): add `poetry` v2 support (#8323)\n * chore(deps): bump the github-actions group across 1 directory with 4 updates (#8331)\n * fix(misconf): ecs include enhanced for container insights (#8326)\n * fix(sbom): preserve OS packages from multiple SBOMs (#8325)\n * ci(helm): bump Trivy version to 0.59.0 for Trivy Helm Chart 0.11.0 (#8311)\n * (bsc#1237618, CVE-2025-27144)\n\nUpdate to version 0.59.1:\n\n * fix(misconf): do not log scanners when misconfig scanning is disabled [backport: release/v0.59] (#8349)\n * chore(deps): bump Go to `v1.23.5` [backport: release/v0.59] (#8343)\n * fix(python): add `poetry` v2 support [backport: release/v0.59] (#8335)\n * fix(sbom): preserve OS packages from multiple SBOMs [backport: release/v0.59] (#8333)\n\nUpdate to version 0.59.0:\n\n * feat(image): return error early if total size of layers exceeds limit (#8294)\n * chore(deps): Bump trivy-checks (#8310)\n * chore(terraform): add accessors to underlying raw hcl values (#8306)\n * fix: improve conversion of image config to Dockerfile (#8308)\n * docs: replace short codes with Unicode emojis (#8296)\n * feat(k8s): improve artifact selections for specific namespaces (#8248)\n * chore: update code owners (#8303)\n * fix(misconf): handle heredocs in dockerfile instructions (#8284)\n * fix: de-duplicate same `dpkg` packages with different filePaths from different layers (#8298)\n * chore(deps): bump the aws group with 7 updates (#8299)\n * chore(deps): bump the common group with 12 updates (#8301)\n * chore: enable int-conversion from perfsprint (#8194)\n * feat(fs): use git commit hash as cache key for clean repositories (#8278)\n * fix(spdx): use the `hasExtractedLicensingInfos` field for licenses that are not listed in the SPDX (#8077)\n * chore: use require.ErrorContains when possible (#8291)\n * feat(image): prevent scanning oversized container images (#8178)\n * chore(deps): use aqua forks for `github.com/liamg/jfather` and `github.com/liamg/iamgo` (#8289)\n * fix(fs): fix cache key generation to use UUID (#8275)\n * fix(misconf): correctly handle all YAML tags in K8S templates (#8259)\n * feat: add support for registry mirrors (#8244)\n * chore(deps): bump the common group across 1 directory with 29 updates (#8261)\n * refactor(license): improve license expression normalization (#8257)\n * feat(misconf): support for ignoring by inline comments for Dockerfile (#8115)\n * feat: add a examples field to check metadata (#8068)\n * chore(deps): bump alpine from 3.20.0 to 3.21.0 in the docker group across 1 directory (#8196)\n * ci: add workflow to restrict direct PRs to release branches (#8240)\n * fix(suse): SUSE - update OSType constants and references for compatility (#8236)\n * ci: fix path to main dir for canary builds (#8231)\n * chore(secret): add reported issues related to secrets in junit template (#8193)\n * refactor: use trivy-checks/pkg/specs package (#8226)\n * ci(helm): bump Trivy version to 0.58.1 for Trivy Helm Chart 0.10.0 (#8170)\n * fix(misconf): allow null values only for tf variables (#8112)\n * feat(misconf): support for ignoring by inline comments for Helm (#8138)\n * fix(redhat): check `usr/share/buildinfo/` dir to detect content sets (#8222)\n * chore(alpine): add EOL date for Alpine 3.21 (#8221)\n * fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field (#8207)\n * fix(misconf): disable git terminal prompt on tf module load (#8026)\n * chore: remove aws iam related scripts (#8179)\n * docs: Updated JSON schema version 2 in the trivy documentation (#8188)\n * refactor(python): use once + debug for `License acquired from METADATA...` logs (#8175)\n * refactor: use slices package instead of custom function (#8172)\n * chore(deps): bump the common group with 6 updates (#8162)\n * feat(python): add support for uv dev and optional dependencies (#8134)\n * feat(python): add support for poetry dev dependencies (#8152)\n * fix(sbom): attach nested packages to Application (#8144)\n * docs(vex): use debian minor version in examples (#8166)\n * refactor: add generic Set implementation (#8149)\n * chore(deps): bump the aws group across 1 directory with 6 updates (#8163)\n * fix(python): skip dev group\u0027s deps for poetry (#8106)\n * fix(sbom): use root package for `unknown` dependencies (if exists) (#8104)\n * chore(deps): bump `golang.org/x/net` from `v0.32.0` to `v0.33.0` (#8140)\n * chore(vex): suppress CVE-2024-45338 (#8137)\n * feat(python): add support for uv (#8080)\n * chore(deps): bump the docker group across 1 directory with 3 updates (#8127)\n * chore(deps): bump the common group across 1 directory with 14 updates (#8126)\n * chore: bump go to 1.23.4 (#8123)\n * test: set dummy value for NUGET_PACKAGES (#8107)\n * chore(deps): bump `github.com/CycloneDX/cyclonedx-go` from `v0.9.1` to `v0.9.2` (#8105)\n * chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#8103)\n * fix: wasm module test (#8099)\n * fix: CVE-2024-45337: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass (#8088)\n * chore(vex): suppress CVE-2024-45337 (#8101)\n * fix(license): always trim leading and trailing spaces for licenses (#8095)\n * fix(sbom): scan results of SBOMs generated from container images are missing layers (#7635)\n * fix(redhat): correct rewriting of recommendations for the same vulnerability (#8063)\n * fix: enable err-error and errorf rules from perfsprint linter (#7859)\n * chore(deps): bump the aws group across 1 directory with 6 updates (#8074)\n * perf: avoid heap allocation in applier findPackage (#7883)\n * fix: Updated twitter icon (#7772)\n * docs(k8s): add a note about multi-container pods (#7815)\n * feat: add `--distro` flag to manually specify OS distribution for vulnerability scanning (#8070)\n * fix(oracle): add architectures support for advisories (#4809)\n * fix: handle `BLOW_UNKNOWN` error to download DBs (#8060)\n * feat(misconf): generate placeholders for random provider resources (#8051)\n * fix(sbom): fix wrong overwriting of applications obtained from different sbom files but having same app type (#8052)\n * fix(flag): skip hidden flags for `--generate-default-config` command (#8046)\n * fix(java): correctly overwrite version from depManagement if dependency uses `project.*` props (#8050)\n * feat(nodejs): respect peer dependencies for dependency tree (#7989)\n * ci(helm): bump Trivy version to 0.58.0 for Trivy Helm Chart 0.10.0 (#8038)\n * fix: respect GITHUB_TOKEN to download artifacts from GHCR (#7580)\n * chore(deps): bump github.com/moby/buildkit from 0.17.2 to 0.18.0 in the docker group (#8029)\n * fix(misconf): use log instead of fmt for logging (#8033)\n * docs: add commercial content (#8030)\n\n- Update to version 0.58.2 (\n bsc#1234512, CVE-2024-45337,\n bsc#1235265, CVE-2024-45338,\n bsc#1232948, CVE-2024-51744):\n\n * fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#8238)\n * fix(suse): SUSE - update OSType constants and references for compatility [backport: release/v0.58] (#8237)\n * fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field [backport: release/v0.58] (#8215)\n * fix(sbom): attach nested packages to Application [backport: release/v0.58] (#8168)\n * fix(python): skip dev group\u0027s deps for poetry [backport: release/v0.58] (#8158)\n * fix(sbom): use root package for `unknown` dependencies (if exists) [backport: release/v0.58] (#8156)\n * chore(deps): bump `golang.org/x/net` from `v0.32.0` to `v0.33.0` [backport: release/v0.58] (#8142)\n * chore(deps): bump `github.com/CycloneDX/cyclonedx-go` from `v0.9.1` to `v0.9.2` [backport: release/v0.58] (#8136)\n * fix(redhat): correct rewriting of recommendations for the same vulnerability [backport: release/v0.58] (#8135)\n * fix(oracle): add architectures support for advisories [backport: release/v0.58] (#8125)\n * fix(sbom): fix wrong overwriting of applications obtained from different sbom files but having same app type [backport: release/v0.58] (#8124)\n * chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 [backport: release/v0.58] (#8122)\n * fix: handle `BLOW_UNKNOWN` error to download DBs [backport: release/v0.58] (#8121)\n * fix(java): correctly overwrite version from depManagement if dependency uses `project.*` props [backport: release/v0.58] (#8119)\n * fix(misconf): wrap AWS EnvVar to iac types (#7407)\n * chore(deps): Upgrade trivy-checks (#8018)\n * refactor(misconf): Remove unused options (#7896)\n * docs: add terminology page to explain Trivy concepts (#7996)\n * feat: add `workspaceRelationship` (#7889)\n * refactor(sbom): simplify relationship generation (#7985)\n * chore: remove Go checks (#7907)\n * docs: improve databases documentation (#7732)\n * refactor: remove support for custom Terraform checks (#7901)\n * docs: fix dead links (#7998)\n * docs: drop AWS account scanning (#7997)\n * fix(aws): change CPU and Memory type of ContainerDefinition to a string (#7995)\n * fix(cli): Handle empty ignore files more gracefully (#7962)\n * fix(misconf): load full Terraform module (#7925)\n * fix(misconf): properly resolve local Terraform cache (#7983)\n * refactor(k8s): add v prefix for Go packages (#7839)\n * test: replace Go checks with Rego (#7867)\n * feat(misconf): log causes of HCL file parsing errors (#7634)\n * chore(deps): bump the aws group across 1 directory with 7 updates (#7991)\n * chore(deps): bump github.com/moby/buildkit from 0.17.0 to 0.17.2 in the docker group across 1 directory (#7990)\n * chore(deps): update csaf module dependency from csaf-poc to gocsaf (#7992)\n * chore: downgrade the failed block expand message to debug (#7964)\n * fix(misconf): do not erase variable type for child modules (#7941)\n * feat(go): construct dependencies of `go.mod` main module in the parser (#7977)\n * feat(go): construct dependencies in the parser (#7973)\n * feat: add cvss v4 score and vector in scan response (#7968)\n * docs: add `overview` page for `others` (#7972)\n * fix(sbom): Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details (#7871)\n * feat(suse): Align SUSE/OpenSUSE OS Identifiers (#7965)\n * chore(deps): bump the common group with 4 updates (#7949)\n * feat(oracle): add `flavors` support (#7858)\n * fix(misconf): Update trivy-checks default repo to `mirror.gcr.io` (#7953)\n * chore(deps): Bump up trivy-checks to v1.3.0 (#7959)\n * fix(k8s): check all results for vulnerabilities (#7946)\n * ci(helm): bump Trivy version to 0.57.1 for Trivy Helm Chart 0.9.0 (#7945)\n * feat(secret): Add built-in secrets rules for Private Packagist (#7826)\n * docs: Fix broken links (#7900)\n * docs: fix mistakes/typos (#7942)\n * feat: Update registry fallbacks (#7679)\n * fix(alpine): add `UID` for removed packages (#7887)\n * chore(deps): bump the aws group with 6 updates (#7902)\n * chore(deps): bump the common group with 6 updates (#7904)\n * fix(debian): infinite loop (#7928)\n * fix(redhat): don\u0027t return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files (#7912)\n * docs: add note about temporary podman socket (#7921)\n * docs: combine trivy.dev into trivy docs (#7884)\n * test: change branch in spdx schema link to check in integration tests (#7935)\n * docs: add Headlamp to the Trivy Ecosystem page (#7916)\n * fix(report): handle `git@github.com` schema for misconfigs in `sarif` report (#7898)\n * chore(k8s): enhance k8s scan log (#6997)\n * fix(terraform): set null value as fallback for missing variables (#7669)\n * fix(misconf): handle null properties in CloudFormation templates (#7813)\n * fix(fs): add missing defered Cleanup() call to post analyzer fs (#7882)\n * chore(deps): bump the common group across 1 directory with 20 updates (#7876)\n * chore: bump containerd to v2.0.0 (#7875)\n * fix: Improve version comparisons when build identifiers are present (#7873)\n * feat(k8s): add default commands for unknown platform (#7863)\n * chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#7868)\n * refactor(secret): optimize performance by moving ToLower operation outside loop (#7862)\n * test: save `containerd` image into archive and use in tests (#7816)\n * chore(deps): bump the github-actions group across 1 directory with 2 updates (#7854)\n * chore: bump golangci-lint to v1.61.0 (#7853)\n\nUpdate to version 0.57.1:\n\n * feat: Update registry fallbacks [backport: release/v0.57] (#7944)\n * fix(redhat): don\u0027t return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files [backport: release/v0.57] (#7939)\n * test: change branch in spdx schema link to check in integration tests [backport: release/v0.57] (#7940)\n * release: v0.57.0 [main] (#7710)\n * chore: lint `errors.Join` (#7845)\n * feat(db): append errors (#7843)\n * docs(java): add info about supported scopes (#7842)\n * docs: add example of creating whitelist of checks (#7821)\n * chore(deps): Bump trivy-checks (#7819)\n * fix(go): Do not trim v prefix from versions in Go Mod Analyzer (#7733)\n * fix(k8s): skip resources without misconfigs (#7797)\n * fix(sbom): use `Annotation` instead of `AttributionTexts` for `SPDX` formats (#7811)\n * fix(cli): add config name to skip-policy-update alias (#7820)\n * fix(helm): properly handle multiple archived dependencies (#7782)\n * refactor(misconf): Deprecate `EXCEPTIONS` for misconfiguration scanning (#7776)\n * fix(k8s)!: support k8s multi container (#7444)\n * fix(k8s): support kubernetes v1.31 (#7810)\n * docs: add Windows install instructions (#7800)\n * ci(helm): auto public Helm chart after PR merged (#7526)\n * feat: add end of life date for Ubuntu 24.10 (#7787)\n * feat(report): update gitlab template to populate operating_system value (#7735)\n * feat(misconf): Show misconfig ID in output (#7762)\n * feat(misconf): export unresolvable field of IaC types to Rego (#7765)\n * refactor(k8s): scan config files as a folder (#7690)\n * fix(license): fix license normalization for Universal Permissive License (#7766)\n * fix: enable usestdlibvars linter (#7770)\n * fix(misconf): properly expand dynamic blocks (#7612)\n * feat(cyclonedx): add file checksums to `CycloneDX` reports (#7507)\n * fix(misconf): fix for Azure Storage Account network acls adaptation (#7602)\n * refactor(misconf): simplify k8s scanner (#7717)\n * feat(parser): ignore white space in pom.xml files (#7747)\n * test: use forked images (#7755)\n * fix(java): correctly inherit `version` and `scope` from upper/root `depManagement` and `dependencies` into parents (#7541)\n * fix(misconf): check if property is not nil before conversion (#7578)\n * fix(misconf): change default ACL of digitalocean_spaces_bucket to private (#7577)\n * feat(misconf): ssl_mode support for GCP SQL DB instance (#7564)\n * test: define constants for test images (#7739)\n * docs: add note about disabled DS016 check (#7724)\n * feat(misconf): public network support for Azure Storage Account (#7601)\n * feat(cli): rename `trivy auth` to `trivy registry` (#7727)\n * docs: apt-transport-https is a transitional package (#7678)\n * refactor(misconf): introduce generic scanner (#7515)\n * fix(cli): `clean --all` deletes only relevant dirs (#7704)\n * feat(cli): add `trivy auth` (#7664)\n * fix(sbom): add options for DBs in private registries (#7660)\n * docs(report): fix reporting doc format (#7671)\n * fix(repo): `git clone` output to Stderr (#7561)\n * fix(redhat): include arch in PURL qualifiers (#7654)\n * fix(report): Fix invalid URI in SARIF report (#7645)\n * docs(report): Improve SARIF reporting doc (#7655)\n * fix(db): fix javadb downloading error handling (#7642)\n * feat(cli): error out when ignore file cannot be found (#7624)\n\nUpdate to version 0.56.2:\n\n * fix(redhat): include arch in PURL qualifiers [backport: release/v0.56] (#7702)\n * fix(sbom): add options for DBs in private registries [backport: release/v0.56] (#7691)\n\n- Update to version 0.51.1 (bsc#1227010, CVE-2024-3817):\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-packagehub-33",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_20117-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1227010",
"url": "https://bugzilla.suse.com/1227010"
},
{
"category": "self",
"summary": "SUSE Bug 1232948",
"url": "https://bugzilla.suse.com/1232948"
},
{
"category": "self",
"summary": "SUSE Bug 1234512",
"url": "https://bugzilla.suse.com/1234512"
},
{
"category": "self",
"summary": "SUSE Bug 1235265",
"url": "https://bugzilla.suse.com/1235265"
},
{
"category": "self",
"summary": "SUSE Bug 1237618",
"url": "https://bugzilla.suse.com/1237618"
},
{
"category": "self",
"summary": "SUSE Bug 1239225",
"url": "https://bugzilla.suse.com/1239225"
},
{
"category": "self",
"summary": "SUSE Bug 1239385",
"url": "https://bugzilla.suse.com/1239385"
},
{
"category": "self",
"summary": "SUSE Bug 1240466",
"url": "https://bugzilla.suse.com/1240466"
},
{
"category": "self",
"summary": "SUSE Bug 1241724",
"url": "https://bugzilla.suse.com/1241724"
},
{
"category": "self",
"summary": "SUSE Bug 1243633",
"url": "https://bugzilla.suse.com/1243633"
},
{
"category": "self",
"summary": "SUSE Bug 1246151",
"url": "https://bugzilla.suse.com/1246151"
},
{
"category": "self",
"summary": "SUSE Bug 1246730",
"url": "https://bugzilla.suse.com/1246730"
},
{
"category": "self",
"summary": "SUSE Bug 1248897",
"url": "https://bugzilla.suse.com/1248897"
},
{
"category": "self",
"summary": "SUSE Bug 1248937",
"url": "https://bugzilla.suse.com/1248937"
},
{
"category": "self",
"summary": "SUSE Bug 1250625",
"url": "https://bugzilla.suse.com/1250625"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-3817 page",
"url": "https://www.suse.com/security/cve/CVE-2024-3817/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45337 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45337/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45338 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45338/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-51744 page",
"url": "https://www.suse.com/security/cve/CVE-2024-51744/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-11065 page",
"url": "https://www.suse.com/security/cve/CVE-2025-11065/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-21613 page",
"url": "https://www.suse.com/security/cve/CVE-2025-21613/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-21614 page",
"url": "https://www.suse.com/security/cve/CVE-2025-21614/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22868 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22868/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22869 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22869/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22872 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22872/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-27144 page",
"url": "https://www.suse.com/security/cve/CVE-2025-27144/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-30204 page",
"url": "https://www.suse.com/security/cve/CVE-2025-30204/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-46569 page",
"url": "https://www.suse.com/security/cve/CVE-2025-46569/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47291 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47291/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-53547 page",
"url": "https://www.suse.com/security/cve/CVE-2025-53547/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58058 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58058/"
}
],
"title": "Security update for trivy",
"tracking": {
"current_release_date": "2025-11-27T12:27:44Z",
"generator": {
"date": "2025-11-27T12:27:44Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:20117-1",
"initial_release_date": "2025-11-27T12:27:44Z",
"revision_history": [
{
"date": "2025-11-27T12:27:44Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "trivy-0.66.0-bp160.1.1.aarch64",
"product": {
"name": "trivy-0.66.0-bp160.1.1.aarch64",
"product_id": "trivy-0.66.0-bp160.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "trivy-0.66.0-bp160.1.1.ppc64le",
"product": {
"name": "trivy-0.66.0-bp160.1.1.ppc64le",
"product_id": "trivy-0.66.0-bp160.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "trivy-0.66.0-bp160.1.1.s390x",
"product": {
"name": "trivy-0.66.0-bp160.1.1.s390x",
"product_id": "trivy-0.66.0-bp160.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "trivy-0.66.0-bp160.1.1.x86_64",
"product": {
"name": "trivy-0.66.0-bp160.1.1.x86_64",
"product_id": "trivy-0.66.0-bp160.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.66.0-bp160.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64"
},
"product_reference": "trivy-0.66.0-bp160.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.66.0-bp160.1.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le"
},
"product_reference": "trivy-0.66.0-bp160.1.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.66.0-bp160.1.1.s390x as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x"
},
"product_reference": "trivy-0.66.0-bp160.1.1.s390x",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.66.0-bp160.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
},
"product_reference": "trivy-0.66.0-bp160.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-3817",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-3817"
}
],
"notes": [
{
"category": "general",
"text": "HashiCorp\u0027s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. \n\nThis vulnerability does not affect the go-getter/v2 branch and package.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-3817",
"url": "https://www.suse.com/security/cve/CVE-2024-3817"
},
{
"category": "external",
"summary": "SUSE Bug 1226999 for CVE-2024-3817",
"url": "https://bugzilla.suse.com/1226999"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-27T12:27:44Z",
"details": "critical"
}
],
"title": "CVE-2024-3817"
},
{
"cve": "CVE-2024-45337",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45337"
}
],
"notes": [
{
"category": "general",
"text": "Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45337",
"url": "https://www.suse.com/security/cve/CVE-2024-45337"
},
{
"category": "external",
"summary": "SUSE Bug 1234482 for CVE-2024-45337",
"url": "https://bugzilla.suse.com/1234482"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-27T12:27:44Z",
"details": "important"
}
],
"title": "CVE-2024-45337"
},
{
"cve": "CVE-2024-45338",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45338"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45338",
"url": "https://www.suse.com/security/cve/CVE-2024-45338"
},
{
"category": "external",
"summary": "SUSE Bug 1234794 for CVE-2024-45338",
"url": "https://bugzilla.suse.com/1234794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-27T12:27:44Z",
"details": "moderate"
}
],
"title": "CVE-2024-45338"
},
{
"cve": "CVE-2024-51744",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-51744"
}
],
"notes": [
{
"category": "general",
"text": "golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in \"dangerous\" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors (\"dangerous\" ones first), so that you are not running in the case detailed above.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-51744",
"url": "https://www.suse.com/security/cve/CVE-2024-51744"
},
{
"category": "external",
"summary": "SUSE Bug 1232936 for CVE-2024-51744",
"url": "https://bugzilla.suse.com/1232936"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-27T12:27:44Z",
"details": "moderate"
}
],
"title": "CVE-2024-51744"
},
{
"cve": "CVE-2025-11065",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-11065"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-11065",
"url": "https://www.suse.com/security/cve/CVE-2025-11065"
},
{
"category": "external",
"summary": "SUSE Bug 1250608 for CVE-2025-11065",
"url": "https://bugzilla.suse.com/1250608"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-27T12:27:44Z",
"details": "moderate"
}
],
"title": "CVE-2025-11065"
},
{
"cve": "CVE-2025-21613",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-21613"
}
],
"notes": [
{
"category": "general",
"text": "go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-21613",
"url": "https://www.suse.com/security/cve/CVE-2025-21613"
},
{
"category": "external",
"summary": "SUSE Bug 1235572 for CVE-2025-21613",
"url": "https://bugzilla.suse.com/1235572"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-27T12:27:44Z",
"details": "important"
}
],
"title": "CVE-2025-21613"
},
{
"cve": "CVE-2025-21614",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-21614"
}
],
"notes": [
{
"category": "general",
"text": "go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-21614",
"url": "https://www.suse.com/security/cve/CVE-2025-21614"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-27T12:27:44Z",
"details": "important"
}
],
"title": "CVE-2025-21614"
},
{
"cve": "CVE-2025-22868",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22868"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22868",
"url": "https://www.suse.com/security/cve/CVE-2025-22868"
},
{
"category": "external",
"summary": "SUSE Bug 1239185 for CVE-2025-22868",
"url": "https://bugzilla.suse.com/1239185"
},
{
"category": "external",
"summary": "SUSE Bug 1239186 for CVE-2025-22868",
"url": "https://bugzilla.suse.com/1239186"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-27T12:27:44Z",
"details": "important"
}
],
"title": "CVE-2025-22868"
},
{
"cve": "CVE-2025-22869",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22869"
}
],
"notes": [
{
"category": "general",
"text": "SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22869",
"url": "https://www.suse.com/security/cve/CVE-2025-22869"
},
{
"category": "external",
"summary": "SUSE Bug 1239322 for CVE-2025-22869",
"url": "https://bugzilla.suse.com/1239322"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-27T12:27:44Z",
"details": "important"
}
],
"title": "CVE-2025-22869"
},
{
"cve": "CVE-2025-22872",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22872"
}
],
"notes": [
{
"category": "general",
"text": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22872",
"url": "https://www.suse.com/security/cve/CVE-2025-22872"
},
{
"category": "external",
"summary": "SUSE Bug 1241710 for CVE-2025-22872",
"url": "https://bugzilla.suse.com/1241710"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-27T12:27:44Z",
"details": "moderate"
}
],
"title": "CVE-2025-22872"
},
{
"cve": "CVE-2025-27144",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-27144"
}
],
"notes": [
{
"category": "general",
"text": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, \".\") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-27144",
"url": "https://www.suse.com/security/cve/CVE-2025-27144"
},
{
"category": "external",
"summary": "SUSE Bug 1237608 for CVE-2025-27144",
"url": "https://bugzilla.suse.com/1237608"
},
{
"category": "external",
"summary": "SUSE Bug 1237609 for CVE-2025-27144",
"url": "https://bugzilla.suse.com/1237609"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-27T12:27:44Z",
"details": "important"
}
],
"title": "CVE-2025-27144"
},
{
"cve": "CVE-2025-30204",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-30204"
}
],
"notes": [
{
"category": "general",
"text": "golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function\u0027s argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-30204",
"url": "https://www.suse.com/security/cve/CVE-2025-30204"
},
{
"category": "external",
"summary": "SUSE Bug 1240441 for CVE-2025-30204",
"url": "https://bugzilla.suse.com/1240441"
},
{
"category": "external",
"summary": "SUSE Bug 1240442 for CVE-2025-30204",
"url": "https://bugzilla.suse.com/1240442"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-27T12:27:44Z",
"details": "important"
}
],
"title": "CVE-2025-30204"
},
{
"cve": "CVE-2025-46569",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-46569"
}
],
"notes": [
{
"category": "general",
"text": "Open Policy Agent (OPA) is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query containing a single data document reference is constructed from the requested path. This query is then used for policy evaluation. A HTTP request path can be crafted in a way that injects Rego code into the constructed query. The evaluation result cannot be made to return any other data than what is generated by the requested path, but this path can be misdirected, and the injected Rego code can be crafted to make the query succeed or fail; opening up for oracle attacks or, given the right circumstances, erroneous policy decision results. Furthermore, the injected code can be crafted to be computationally expensive, resulting in a Denial Of Service (DoS) attack. This issue has been patched in version 1.4.0. A workaround involves having network access to OPA\u0027s RESTful APIs being limited to `localhost` and/or trusted networks, unless necessary for production reasons.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-46569",
"url": "https://www.suse.com/security/cve/CVE-2025-46569"
},
{
"category": "external",
"summary": "SUSE Bug 1246710 for CVE-2025-46569",
"url": "https://bugzilla.suse.com/1246710"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-27T12:27:44Z",
"details": "important"
}
],
"title": "CVE-2025-46569"
},
{
"cve": "CVE-2025-47291",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47291"
}
],
"notes": [
{
"category": "general",
"text": "containerd is an open-source container runtime. A bug was found in the containerd\u0027s CRI implementation where containerd, starting in version 2.0.1 and prior to version 2.0.5, doesn\u0027t put usernamespaced containers under the Kubernetes\u0027 cgroup hierarchy, therefore some Kubernetes limits are not honored. This may cause a denial of service of the Kubernetes node. This bug has been fixed in containerd 2.0.5+ and 2.1.0+. Users should update to these versions to resolve the issue. As a workaround, disable usernamespaced pods in Kubernetes temporarily.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47291",
"url": "https://www.suse.com/security/cve/CVE-2025-47291"
},
{
"category": "external",
"summary": "SUSE Bug 1243632 for CVE-2025-47291",
"url": "https://bugzilla.suse.com/1243632"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-27T12:27:44Z",
"details": "moderate"
}
],
"title": "CVE-2025-47291"
},
{
"cve": "CVE-2025-53547",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-53547"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file, that are carried over to a Chart.lock file when dependencies are updated and this file is written, can be crafted in a way that can cause execution if that same content were in a file that is executed (e.g., a bash.rc file or shell script). If the Chart.lock file is symlinked to one of these files updating dependencies will write the lock file content to the symlinked file. This can lead to unwanted execution. Helm warns of the symlinked file but did not stop execution due to symlinking. This issue has been resolved in Helm v3.18.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-53547",
"url": "https://www.suse.com/security/cve/CVE-2025-53547"
},
{
"category": "external",
"summary": "SUSE Bug 1246150 for CVE-2025-53547",
"url": "https://bugzilla.suse.com/1246150"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-27T12:27:44Z",
"details": "important"
}
],
"title": "CVE-2025-53547"
},
{
"cve": "CVE-2025-58058",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58058"
}
],
"notes": [
{
"category": "general",
"text": "xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn\u0027t include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58058",
"url": "https://www.suse.com/security/cve/CVE-2025-58058"
},
{
"category": "external",
"summary": "SUSE Bug 1248889 for CVE-2025-58058",
"url": "https://bugzilla.suse.com/1248889"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.s390x",
"openSUSE Leap 16.0:trivy-0.66.0-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-27T12:27:44Z",
"details": "moderate"
}
],
"title": "CVE-2025-58058"
}
]
}
OPENSUSE-SU-2025:20160-1
Vulnerability from csaf_opensuse - Published: 2025-12-12 13:20 - Updated: 2025-12-12 13:20Summary
Security update for hauler
Severity
Important
Notes
Title of the patch: Security update for hauler
Description of the patch: This update for hauler fixes the following issues:
- Update to version 1.3.1 (bsc#1251516, CVE-2025-47911,
bsc#1251891, CVE-2025-11579, bsc#1251651, CVE-2025-58190,
bsc#1248937, CVE-2025-58058):
* bump github.com/containerd/containerd (#474)
* another fix to tests for new tests (#472)
* fixed typo in testdata (#471)
* fixed/cleaned new tests (#470)
* trying a new way for hauler testing (#467)
* update for cosign v3 verify (#469)
* added digests view to info (#465)
* bump github.com/nwaples/rardecode/v2 from 2.1.1 to 2.2.0 in the go_modules group across 1 directory (#457)
* update oras-go to v1.2.7 for security patches (#464)
* update cosign to v3.0.2+hauler.1 (#463)
* fixed homebrew directory deprecation (#462)
* add registry logout command (#460)
- Update to version 1.3.0:
* bump the go_modules group across 1 directory with 2 updates (#455)
* upgraded versions/dependencies/deprecations (#454)
* allow loading of docker tarballs (#452)
* bump the go_modules group across 1 directory with 2 updates (#449)
- update to 1.2.5 (bsc#1246722, CVE-2025-46569):
* Bump github.com/open-policy-agent/opa from 1.1.0 to 1.4.0 in
the go_modules group across 1 directory (CVE-2025-46569)
* deprecate auth from hauler store copy
* Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 in the
go_modules group across 1 directory
* Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0
in the go_modules group across 1 directory
* upgraded go and dependencies versions
- Update to version 1.2.5:
* upgraded go and dependencies versions (#444)
* Bump github.com/go-viper/mapstructure/v2 (#442)
* bump github.com/cloudflare/circl (#441)
* deprecate auth from hauler store copy (#440)
* Bump github.com/open-policy-agent/opa (#438)
- update to 1.2.4 (CVE-2025-22872, bsc#1241804):
* Bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules
group across 1 directory
* minor tests updates
- Update to version 1.2.3:
* formatting and flag text updates
* add keyless signature verification (#434)
* bump helm.sh/helm/v3 in the go_modules group across 1 directory (#430)
* add --only flag to hauler store copy (for images) (#429)
* fix tlog verification error/warning output (#428)
- Update to version 1.2.2 (bsc#1241184, CVE-2024-0406):
* cleanup new tlog flag typos and add shorthand (#426)
* default public transparency log verification to false to be airgap friendly but allow override (#425)
* bump github.com/golang-jwt/jwt/v4 (#423)
* bump the go_modules group across 1 directory with 2 updates (#422)
* bump github.com/go-jose/go-jose/v3 (#417)
* bump github.com/go-jose/go-jose/v4 (#415)
* clear default manifest name if product flag used with sync (#412)
* updates for v1.2.0 (#408)
* fixed remote code (#407)
* added remote file fetch to load (#406)
* added remote and multiple file fetch to sync (#405)
* updated save flag and related logs (#404)
* updated load flag and related logs [breaking change] (#403)
* updated sync flag and related logs [breaking change] (#402)
* upgraded api update to v1/updated dependencies (#400)
* fixed consts for oci declarations (#398)
* fix for correctly grabbing platform post cosign 2.4 updates (#393)
* use cosign v2.4.1+carbide.2 to address containerd annotation in index.json (#390)
* Bump the go_modules group across 1 directory with 2 updates (#385)
* replace mholt/archiver with mholt/archives (#384)
* forked cosign bump to 2.4.1 and use as a library vs embedded binary (#383)
* cleaned up registry and improved logging (#378)
* Bump golang.org/x/crypto in the go_modules group across 1 directory (#377)
- bump net/html dependencies (bsc#1235332, CVE-2024-45338)
- Update to version 1.1.1:
* fixed cli desc for store env var (#374)
* updated versions for go/k8s/helm (#373)
* updated version flag to internal/flags (#369)
* renamed incorrectly named consts (#371)
* added store env var (#370)
* adding ignore errors and retries for continue on error/fail on error (#368)
* updated/fixed hauler directory (#354)
* standardize consts (#353)
* removed cachedir code (#355)
* removed k3s code (#352)
* updated dependencies for go, helm, and k8s (#351)
* [feature] build with boring crypto where available (#344)
* updated workflow to goreleaser builds (#341)
* added timeout to goreleaser workflow (#340)
* trying new workflow build processes (#337)
* improved workflow performance (#336)
* have extract use proper ref (#335)
* yet another workflow goreleaser fix (#334)
* even more workflow fixes (#333)
* added more fixes to github workflow (#332)
* fixed typo in hauler store save (#331)
* updates to fix build processes (#330)
* added integration tests for non hauler tarballs (#325)
* bump: golang >= 1.23.1 (#328)
* add platform flag to store save (#329)
* Update feature_request.md
* updated/standardize command descriptions (#313)
* use new annotation for 'store save' manifest.json (#324)
* enable docker load for hauler tarballs (#320)
* bump to cosign v2.2.3-carbide.3 for new annotation (#322)
* continue on error when adding images to store (#317)
* Update README.md (#318)
* fixed completion commands (#312)
* github.com/rancherfederal/hauler => hauler.dev/go/hauler (#311)
* pages: enable go install hauler.dev/go/hauler (#310)
* Create CNAME
* pages: initial workflow (#309)
* testing and linting updates (#305)
* feat-273: TLS Flags (#303)
* added list-repos flag (#298)
* fixed hauler login typo (#299)
* updated cobra function for shell completion (#304)
* updated install.sh to remove github api (#293)
* fix image ref keys getting squashed when containing sigs/atts (#291)
* fix missing versin info in release build (#283)
* bump github.com/docker/docker in the go_modules group across 1 directory (#281)
* updated install script (`install.sh`) (#280)
* fix digest images being lost on load of hauls (Signed). (#259)
* feat: add readonly flag (#277)
* fixed makefile for goreleaser v2 changes (#278)
* updated goreleaser versioning defaults (#279)
* update feature_request.md (#274)
* updated old references
* updated actions workflow user
* added dockerhub to github actions workflow
* removed helm chart
* added debug container and workflow
* updated products flag description
* updated chart for release
* fixed workflow errors/warnings
* fixed permissions on testdata
* updated chart versions (will need to update again)
* last bit of fixes to workflow
* updated unit test workflow
* updated goreleaser deprecations
* added helm chart release job
* updated github template names
* updated imports (and go fmt)
* formatted gitignore to match dockerignore
* formatted all code (go fmt)
* updated chart tests for new features
* Adding the timeout flag for fileserver command
* Configure chart commands to use helm clients for OCI and private registry support
* Added some documentation text to sync command
* Bump golang.org/x/net from 0.17.0 to 0.23.0
* fix for dup digest smashing in cosign
* removed vagrant scripts
* last bit of updates and formatting of chart
* updated hauler testdata
* adding functionality and cleaning up
* added initial helm chart
* removed tag in release workflow
* updated/fixed image ref in release workflow
* updated/fixed platforms in release workflow
* updated/cleaned github actions (#222)
* Make Product Registry configurable (#194)
* updated fileserver directory name (#219)
* fix logging for files
* add extra info for the tempdir override flag
* tempdir override flag for load
* deprecate the cache flag instead of remove
* switch to using bci-golang as builder image
* fix: ensure /tmp for hauler store load
* added the copy back for now
* remove copy at the image sync not needed with cosign update
* removed misleading cache flag
* better logging when adding to store
* update to v2.2.3 of our cosign fork
* add: dockerignore
* add: Dockerfile
* Bump google.golang.org/protobuf from 1.31.0 to 1.33.0
* Bump github.com/docker/docker
* updated and added new logos
* updated github files
Patchnames: openSUSE-Leap-16.0-packagehub-54
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.8 (High)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.9 (Medium)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
6.5 (Medium)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
8.3 (High)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.3 (Medium)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
34 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for hauler",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for hauler fixes the following issues:\n\n- Update to version 1.3.1 (bsc#1251516, CVE-2025-47911,\n bsc#1251891, CVE-2025-11579, bsc#1251651, CVE-2025-58190,\n bsc#1248937, CVE-2025-58058):\n * bump github.com/containerd/containerd (#474)\n * another fix to tests for new tests (#472)\n * fixed typo in testdata (#471)\n * fixed/cleaned new tests (#470)\n * trying a new way for hauler testing (#467)\n * update for cosign v3 verify (#469)\n * added digests view to info (#465)\n * bump github.com/nwaples/rardecode/v2 from 2.1.1 to 2.2.0 in the go_modules group across 1 directory (#457)\n * update oras-go to v1.2.7 for security patches (#464)\n * update cosign to v3.0.2+hauler.1 (#463)\n * fixed homebrew directory deprecation (#462)\n * add registry logout command (#460)\n\n- Update to version 1.3.0:\n * bump the go_modules group across 1 directory with 2 updates (#455)\n * upgraded versions/dependencies/deprecations (#454)\n * allow loading of docker tarballs (#452)\n * bump the go_modules group across 1 directory with 2 updates (#449)\n\n- update to 1.2.5 (bsc#1246722, CVE-2025-46569):\n * Bump github.com/open-policy-agent/opa from 1.1.0 to 1.4.0 in\n the go_modules group across 1 directory (CVE-2025-46569)\n * deprecate auth from hauler store copy\n * Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 in the\n go_modules group across 1 directory\n * Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0\n in the go_modules group across 1 directory\n * upgraded go and dependencies versions\n\n- Update to version 1.2.5:\n * upgraded go and dependencies versions (#444)\n * Bump github.com/go-viper/mapstructure/v2 (#442)\n * bump github.com/cloudflare/circl (#441)\n * deprecate auth from hauler store copy (#440)\n * Bump github.com/open-policy-agent/opa (#438)\n\n- update to 1.2.4 (CVE-2025-22872, bsc#1241804):\n * Bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules\n group across 1 directory\n * minor tests updates\n\n- Update to version 1.2.3:\n * formatting and flag text updates\n * add keyless signature verification (#434)\n * bump helm.sh/helm/v3 in the go_modules group across 1 directory (#430)\n * add --only flag to hauler store copy (for images) (#429)\n * fix tlog verification error/warning output (#428)\n\n- Update to version 1.2.2 (bsc#1241184, CVE-2024-0406):\n * cleanup new tlog flag typos and add shorthand (#426)\n * default public transparency log verification to false to be airgap friendly but allow override (#425)\n * bump github.com/golang-jwt/jwt/v4 (#423)\n * bump the go_modules group across 1 directory with 2 updates (#422)\n * bump github.com/go-jose/go-jose/v3 (#417)\n * bump github.com/go-jose/go-jose/v4 (#415)\n * clear default manifest name if product flag used with sync (#412)\n * updates for v1.2.0 (#408)\n * fixed remote code (#407)\n * added remote file fetch to load (#406)\n * added remote and multiple file fetch to sync (#405)\n * updated save flag and related logs (#404)\n * updated load flag and related logs [breaking change] (#403)\n * updated sync flag and related logs [breaking change] (#402)\n * upgraded api update to v1/updated dependencies (#400)\n * fixed consts for oci declarations (#398)\n * fix for correctly grabbing platform post cosign 2.4 updates (#393)\n * use cosign v2.4.1+carbide.2 to address containerd annotation in index.json (#390)\n * Bump the go_modules group across 1 directory with 2 updates (#385)\n * replace mholt/archiver with mholt/archives (#384)\n * forked cosign bump to 2.4.1 and use as a library vs embedded binary (#383)\n * cleaned up registry and improved logging (#378)\n * Bump golang.org/x/crypto in the go_modules group across 1 directory (#377)\n- bump net/html dependencies (bsc#1235332, CVE-2024-45338)\n\n- Update to version 1.1.1:\n * fixed cli desc for store env var (#374)\n * updated versions for go/k8s/helm (#373)\n * updated version flag to internal/flags (#369)\n * renamed incorrectly named consts (#371)\n * added store env var (#370)\n * adding ignore errors and retries for continue on error/fail on error (#368)\n * updated/fixed hauler directory (#354)\n * standardize consts (#353)\n * removed cachedir code (#355)\n * removed k3s code (#352)\n * updated dependencies for go, helm, and k8s (#351)\n * [feature] build with boring crypto where available (#344)\n * updated workflow to goreleaser builds (#341)\n * added timeout to goreleaser workflow (#340)\n * trying new workflow build processes (#337)\n * improved workflow performance (#336)\n * have extract use proper ref (#335)\n * yet another workflow goreleaser fix (#334)\n * even more workflow fixes (#333)\n * added more fixes to github workflow (#332)\n * fixed typo in hauler store save (#331)\n * updates to fix build processes (#330)\n * added integration tests for non hauler tarballs (#325)\n * bump: golang \u003e= 1.23.1 (#328)\n * add platform flag to store save (#329)\n * Update feature_request.md\n * updated/standardize command descriptions (#313)\n * use new annotation for \u0027store save\u0027 manifest.json (#324)\n * enable docker load for hauler tarballs (#320)\n * bump to cosign v2.2.3-carbide.3 for new annotation (#322)\n * continue on error when adding images to store (#317)\n * Update README.md (#318)\n * fixed completion commands (#312)\n * github.com/rancherfederal/hauler =\u003e hauler.dev/go/hauler (#311)\n * pages: enable go install hauler.dev/go/hauler (#310)\n * Create CNAME\n * pages: initial workflow (#309)\n * testing and linting updates (#305)\n * feat-273: TLS Flags (#303)\n * added list-repos flag (#298)\n * fixed hauler login typo (#299)\n * updated cobra function for shell completion (#304)\n * updated install.sh to remove github api (#293)\n * fix image ref keys getting squashed when containing sigs/atts (#291)\n * fix missing versin info in release build (#283)\n * bump github.com/docker/docker in the go_modules group across 1 directory (#281)\n * updated install script (`install.sh`) (#280)\n * fix digest images being lost on load of hauls (Signed). (#259)\n * feat: add readonly flag (#277)\n * fixed makefile for goreleaser v2 changes (#278)\n * updated goreleaser versioning defaults (#279)\n * update feature_request.md (#274)\n * updated old references\n * updated actions workflow user\n * added dockerhub to github actions workflow\n * removed helm chart\n * added debug container and workflow\n * updated products flag description\n * updated chart for release\n * fixed workflow errors/warnings\n * fixed permissions on testdata\n * updated chart versions (will need to update again)\n * last bit of fixes to workflow\n * updated unit test workflow\n * updated goreleaser deprecations\n * added helm chart release job\n * updated github template names\n * updated imports (and go fmt)\n * formatted gitignore to match dockerignore\n * formatted all code (go fmt)\n * updated chart tests for new features\n * Adding the timeout flag for fileserver command\n * Configure chart commands to use helm clients for OCI and private registry support\n * Added some documentation text to sync command\n * Bump golang.org/x/net from 0.17.0 to 0.23.0\n * fix for dup digest smashing in cosign\n * removed vagrant scripts\n * last bit of updates and formatting of chart\n * updated hauler testdata\n * adding functionality and cleaning up\n * added initial helm chart\n * removed tag in release workflow\n * updated/fixed image ref in release workflow\n * updated/fixed platforms in release workflow\n * updated/cleaned github actions (#222)\n * Make Product Registry configurable (#194)\n * updated fileserver directory name (#219)\n * fix logging for files\n * add extra info for the tempdir override flag\n * tempdir override flag for load\n * deprecate the cache flag instead of remove\n * switch to using bci-golang as builder image\n * fix: ensure /tmp for hauler store load\n * added the copy back for now\n * remove copy at the image sync not needed with cosign update\n * removed misleading cache flag\n * better logging when adding to store\n * update to v2.2.3 of our cosign fork\n * add: dockerignore\n * add: Dockerfile\n * Bump google.golang.org/protobuf from 1.31.0 to 1.33.0\n * Bump github.com/docker/docker\n * updated and added new logos\n * updated github files\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-packagehub-54",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_20160-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1235332",
"url": "https://bugzilla.suse.com/1235332"
},
{
"category": "self",
"summary": "SUSE Bug 1241184",
"url": "https://bugzilla.suse.com/1241184"
},
{
"category": "self",
"summary": "SUSE Bug 1241804",
"url": "https://bugzilla.suse.com/1241804"
},
{
"category": "self",
"summary": "SUSE Bug 1246722",
"url": "https://bugzilla.suse.com/1246722"
},
{
"category": "self",
"summary": "SUSE Bug 1248937",
"url": "https://bugzilla.suse.com/1248937"
},
{
"category": "self",
"summary": "SUSE Bug 1251516",
"url": "https://bugzilla.suse.com/1251516"
},
{
"category": "self",
"summary": "SUSE Bug 1251651",
"url": "https://bugzilla.suse.com/1251651"
},
{
"category": "self",
"summary": "SUSE Bug 1251891",
"url": "https://bugzilla.suse.com/1251891"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-0406 page",
"url": "https://www.suse.com/security/cve/CVE-2024-0406/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45338 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45338/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-11579 page",
"url": "https://www.suse.com/security/cve/CVE-2025-11579/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22872 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22872/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-46569 page",
"url": "https://www.suse.com/security/cve/CVE-2025-46569/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47911 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47911/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58058 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58058/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58190 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58190/"
}
],
"title": "Security update for hauler",
"tracking": {
"current_release_date": "2025-12-12T13:20:11Z",
"generator": {
"date": "2025-12-12T13:20:11Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:20160-1",
"initial_release_date": "2025-12-12T13:20:11Z",
"revision_history": [
{
"date": "2025-12-12T13:20:11Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "hauler-1.3.1-bp160.1.1.aarch64",
"product": {
"name": "hauler-1.3.1-bp160.1.1.aarch64",
"product_id": "hauler-1.3.1-bp160.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "hauler-1.3.1-bp160.1.1.x86_64",
"product": {
"name": "hauler-1.3.1-bp160.1.1.x86_64",
"product_id": "hauler-1.3.1-bp160.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "hauler-1.3.1-bp160.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64"
},
"product_reference": "hauler-1.3.1-bp160.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "hauler-1.3.1-bp160.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
},
"product_reference": "hauler-1.3.1-bp160.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-0406",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-0406"
}
],
"notes": [
{
"category": "general",
"text": "A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user\u0027s or application\u0027s privileges using the library.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-0406",
"url": "https://www.suse.com/security/cve/CVE-2024-0406"
},
{
"category": "external",
"summary": "SUSE Bug 1241181 for CVE-2024-0406",
"url": "https://bugzilla.suse.com/1241181"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T13:20:11Z",
"details": "important"
}
],
"title": "CVE-2024-0406"
},
{
"cve": "CVE-2024-45338",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45338"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45338",
"url": "https://www.suse.com/security/cve/CVE-2024-45338"
},
{
"category": "external",
"summary": "SUSE Bug 1234794 for CVE-2024-45338",
"url": "https://bugzilla.suse.com/1234794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T13:20:11Z",
"details": "moderate"
}
],
"title": "CVE-2024-45338"
},
{
"cve": "CVE-2025-11579",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-11579"
}
],
"notes": [
{
"category": "general",
"text": "github.com/nwaples/rardecode versions \u003c=2.1.1 fail to restrict the dictionary size when reading large RAR dictionary sizes, which allows an attacker to provide a specially crafted RAR file and cause Denial of Service via an Out Of Memory Crash.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-11579",
"url": "https://www.suse.com/security/cve/CVE-2025-11579"
},
{
"category": "external",
"summary": "SUSE Bug 1251871 for CVE-2025-11579",
"url": "https://bugzilla.suse.com/1251871"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T13:20:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-11579"
},
{
"cve": "CVE-2025-22872",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22872"
}
],
"notes": [
{
"category": "general",
"text": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22872",
"url": "https://www.suse.com/security/cve/CVE-2025-22872"
},
{
"category": "external",
"summary": "SUSE Bug 1241710 for CVE-2025-22872",
"url": "https://bugzilla.suse.com/1241710"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T13:20:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-22872"
},
{
"cve": "CVE-2025-46569",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-46569"
}
],
"notes": [
{
"category": "general",
"text": "Open Policy Agent (OPA) is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query containing a single data document reference is constructed from the requested path. This query is then used for policy evaluation. A HTTP request path can be crafted in a way that injects Rego code into the constructed query. The evaluation result cannot be made to return any other data than what is generated by the requested path, but this path can be misdirected, and the injected Rego code can be crafted to make the query succeed or fail; opening up for oracle attacks or, given the right circumstances, erroneous policy decision results. Furthermore, the injected code can be crafted to be computationally expensive, resulting in a Denial Of Service (DoS) attack. This issue has been patched in version 1.4.0. A workaround involves having network access to OPA\u0027s RESTful APIs being limited to `localhost` and/or trusted networks, unless necessary for production reasons.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-46569",
"url": "https://www.suse.com/security/cve/CVE-2025-46569"
},
{
"category": "external",
"summary": "SUSE Bug 1246710 for CVE-2025-46569",
"url": "https://bugzilla.suse.com/1246710"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T13:20:11Z",
"details": "important"
}
],
"title": "CVE-2025-46569"
},
{
"cve": "CVE-2025-47911",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47911"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47911",
"url": "https://www.suse.com/security/cve/CVE-2025-47911"
},
{
"category": "external",
"summary": "SUSE Bug 1251308 for CVE-2025-47911",
"url": "https://bugzilla.suse.com/1251308"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T13:20:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-47911"
},
{
"cve": "CVE-2025-58058",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58058"
}
],
"notes": [
{
"category": "general",
"text": "xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn\u0027t include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58058",
"url": "https://www.suse.com/security/cve/CVE-2025-58058"
},
{
"category": "external",
"summary": "SUSE Bug 1248889 for CVE-2025-58058",
"url": "https://bugzilla.suse.com/1248889"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T13:20:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-58058"
},
{
"cve": "CVE-2025-58190",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58190"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58190",
"url": "https://www.suse.com/security/cve/CVE-2025-58190"
},
{
"category": "external",
"summary": "SUSE Bug 1251309 for CVE-2025-58190",
"url": "https://bugzilla.suse.com/1251309"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T13:20:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-58190"
}
]
}
OPENSUSE-SU-2026:20279-1
Vulnerability from csaf_opensuse - Published: 2026-02-26 16:03 - Updated: 2026-02-26 16:03Summary
Security update for containerized-data-importer
Severity
Important
Notes
Title of the patch: Security update for containerized-data-importer
Description of the patch: This update for containerized-data-importer fixes the following issues:
Update to version 1.64.0.
Security issues fixed:
- CVE-2024-28180: improper handling of highly compressed data (bsc#1235204).
- CVE-2024-45338: denial of service due to non-linear parsing of case-insensitive content (bsc#1235365).
- CVE-2025-22868: unexpected memory consumption during token parsing in golang.org/x/oauth2 (bsc#1239205).
Patchnames: openSUSE-Leap-16.0-317
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
4.3 (Medium)
Affected products
Recommended
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:containerized-data-importer-api-1.64.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:containerized-data-importer-cloner-1.64.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:containerized-data-importer-controller-1.64.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:containerized-data-importer-importer-1.64.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:containerized-data-importer-manifests-1.64.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:containerized-data-importer-operator-1.64.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:containerized-data-importer-uploadproxy-1.64.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:containerized-data-importer-uploadserver-1.64.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:obs-service-cdi_containers_meta-1.64.0-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.9 (Medium)
Affected products
Recommended
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:containerized-data-importer-api-1.64.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:containerized-data-importer-cloner-1.64.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:containerized-data-importer-controller-1.64.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:containerized-data-importer-importer-1.64.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:containerized-data-importer-manifests-1.64.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:containerized-data-importer-operator-1.64.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:containerized-data-importer-uploadproxy-1.64.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:containerized-data-importer-uploadserver-1.64.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:obs-service-cdi_containers_meta-1.64.0-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:containerized-data-importer-api-1.64.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:containerized-data-importer-cloner-1.64.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:containerized-data-importer-controller-1.64.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:containerized-data-importer-importer-1.64.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:containerized-data-importer-manifests-1.64.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:containerized-data-importer-operator-1.64.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:containerized-data-importer-uploadproxy-1.64.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:containerized-data-importer-uploadserver-1.64.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:obs-service-cdi_containers_meta-1.64.0-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
15 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for containerized-data-importer",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for containerized-data-importer fixes the following issues:\n\nUpdate to version 1.64.0.\n\nSecurity issues fixed:\n\n- CVE-2024-28180: improper handling of highly compressed data (bsc#1235204).\n- CVE-2024-45338: denial of service due to non-linear parsing of case-insensitive content (bsc#1235365).\n- CVE-2025-22868: unexpected memory consumption during token parsing in golang.org/x/oauth2 (bsc#1239205).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-317",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20279-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1235204",
"url": "https://bugzilla.suse.com/1235204"
},
{
"category": "self",
"summary": "SUSE Bug 1235365",
"url": "https://bugzilla.suse.com/1235365"
},
{
"category": "self",
"summary": "SUSE Bug 1239205",
"url": "https://bugzilla.suse.com/1239205"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-28180 page",
"url": "https://www.suse.com/security/cve/CVE-2024-28180/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45338 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45338/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22868 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22868/"
}
],
"title": "Security update for containerized-data-importer",
"tracking": {
"current_release_date": "2026-02-26T16:03:48Z",
"generator": {
"date": "2026-02-26T16:03:48Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:20279-1",
"initial_release_date": "2026-02-26T16:03:48Z",
"revision_history": [
{
"date": "2026-02-26T16:03:48Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "containerized-data-importer-api-1.64.0-160000.1.1.x86_64",
"product": {
"name": "containerized-data-importer-api-1.64.0-160000.1.1.x86_64",
"product_id": "containerized-data-importer-api-1.64.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "containerized-data-importer-cloner-1.64.0-160000.1.1.x86_64",
"product": {
"name": "containerized-data-importer-cloner-1.64.0-160000.1.1.x86_64",
"product_id": "containerized-data-importer-cloner-1.64.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "containerized-data-importer-controller-1.64.0-160000.1.1.x86_64",
"product": {
"name": "containerized-data-importer-controller-1.64.0-160000.1.1.x86_64",
"product_id": "containerized-data-importer-controller-1.64.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "containerized-data-importer-importer-1.64.0-160000.1.1.x86_64",
"product": {
"name": "containerized-data-importer-importer-1.64.0-160000.1.1.x86_64",
"product_id": "containerized-data-importer-importer-1.64.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "containerized-data-importer-manifests-1.64.0-160000.1.1.x86_64",
"product": {
"name": "containerized-data-importer-manifests-1.64.0-160000.1.1.x86_64",
"product_id": "containerized-data-importer-manifests-1.64.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "containerized-data-importer-operator-1.64.0-160000.1.1.x86_64",
"product": {
"name": "containerized-data-importer-operator-1.64.0-160000.1.1.x86_64",
"product_id": "containerized-data-importer-operator-1.64.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "containerized-data-importer-uploadproxy-1.64.0-160000.1.1.x86_64",
"product": {
"name": "containerized-data-importer-uploadproxy-1.64.0-160000.1.1.x86_64",
"product_id": "containerized-data-importer-uploadproxy-1.64.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "containerized-data-importer-uploadserver-1.64.0-160000.1.1.x86_64",
"product": {
"name": "containerized-data-importer-uploadserver-1.64.0-160000.1.1.x86_64",
"product_id": "containerized-data-importer-uploadserver-1.64.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "obs-service-cdi_containers_meta-1.64.0-160000.1.1.x86_64",
"product": {
"name": "obs-service-cdi_containers_meta-1.64.0-160000.1.1.x86_64",
"product_id": "obs-service-cdi_containers_meta-1.64.0-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "containerized-data-importer-api-1.64.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:containerized-data-importer-api-1.64.0-160000.1.1.x86_64"
},
"product_reference": "containerized-data-importer-api-1.64.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerized-data-importer-cloner-1.64.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:containerized-data-importer-cloner-1.64.0-160000.1.1.x86_64"
},
"product_reference": "containerized-data-importer-cloner-1.64.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerized-data-importer-controller-1.64.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:containerized-data-importer-controller-1.64.0-160000.1.1.x86_64"
},
"product_reference": "containerized-data-importer-controller-1.64.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerized-data-importer-importer-1.64.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:containerized-data-importer-importer-1.64.0-160000.1.1.x86_64"
},
"product_reference": "containerized-data-importer-importer-1.64.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerized-data-importer-manifests-1.64.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:containerized-data-importer-manifests-1.64.0-160000.1.1.x86_64"
},
"product_reference": "containerized-data-importer-manifests-1.64.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerized-data-importer-operator-1.64.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:containerized-data-importer-operator-1.64.0-160000.1.1.x86_64"
},
"product_reference": "containerized-data-importer-operator-1.64.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerized-data-importer-uploadproxy-1.64.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:containerized-data-importer-uploadproxy-1.64.0-160000.1.1.x86_64"
},
"product_reference": "containerized-data-importer-uploadproxy-1.64.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerized-data-importer-uploadserver-1.64.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:containerized-data-importer-uploadserver-1.64.0-160000.1.1.x86_64"
},
"product_reference": "containerized-data-importer-uploadserver-1.64.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-service-cdi_containers_meta-1.64.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:obs-service-cdi_containers_meta-1.64.0-160000.1.1.x86_64"
},
"product_reference": "obs-service-cdi_containers_meta-1.64.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-28180",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-28180"
}
],
"notes": [
{
"category": "general",
"text": "Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:containerized-data-importer-api-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-cloner-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-controller-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-importer-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-manifests-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-operator-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-uploadproxy-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-uploadserver-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-cdi_containers_meta-1.64.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-28180",
"url": "https://www.suse.com/security/cve/CVE-2024-28180"
},
{
"category": "external",
"summary": "SUSE Bug 1234984 for CVE-2024-28180",
"url": "https://bugzilla.suse.com/1234984"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:containerized-data-importer-api-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-cloner-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-controller-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-importer-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-manifests-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-operator-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-uploadproxy-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-uploadserver-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-cdi_containers_meta-1.64.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:containerized-data-importer-api-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-cloner-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-controller-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-importer-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-manifests-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-operator-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-uploadproxy-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-uploadserver-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-cdi_containers_meta-1.64.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-26T16:03:48Z",
"details": "moderate"
}
],
"title": "CVE-2024-28180"
},
{
"cve": "CVE-2024-45338",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45338"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:containerized-data-importer-api-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-cloner-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-controller-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-importer-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-manifests-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-operator-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-uploadproxy-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-uploadserver-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-cdi_containers_meta-1.64.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45338",
"url": "https://www.suse.com/security/cve/CVE-2024-45338"
},
{
"category": "external",
"summary": "SUSE Bug 1234794 for CVE-2024-45338",
"url": "https://bugzilla.suse.com/1234794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:containerized-data-importer-api-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-cloner-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-controller-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-importer-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-manifests-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-operator-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-uploadproxy-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-uploadserver-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-cdi_containers_meta-1.64.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:containerized-data-importer-api-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-cloner-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-controller-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-importer-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-manifests-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-operator-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-uploadproxy-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-uploadserver-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-cdi_containers_meta-1.64.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-26T16:03:48Z",
"details": "moderate"
}
],
"title": "CVE-2024-45338"
},
{
"cve": "CVE-2025-22868",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22868"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:containerized-data-importer-api-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-cloner-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-controller-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-importer-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-manifests-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-operator-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-uploadproxy-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-uploadserver-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-cdi_containers_meta-1.64.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22868",
"url": "https://www.suse.com/security/cve/CVE-2025-22868"
},
{
"category": "external",
"summary": "SUSE Bug 1239185 for CVE-2025-22868",
"url": "https://bugzilla.suse.com/1239185"
},
{
"category": "external",
"summary": "SUSE Bug 1239186 for CVE-2025-22868",
"url": "https://bugzilla.suse.com/1239186"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:containerized-data-importer-api-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-cloner-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-controller-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-importer-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-manifests-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-operator-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-uploadproxy-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-uploadserver-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-cdi_containers_meta-1.64.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:containerized-data-importer-api-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-cloner-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-controller-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-importer-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-manifests-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-operator-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-uploadproxy-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:containerized-data-importer-uploadserver-1.64.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-cdi_containers_meta-1.64.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-26T16:03:48Z",
"details": "important"
}
],
"title": "CVE-2025-22868"
}
]
}
OPENSUSE-SU-2026:20620-1
Vulnerability from csaf_opensuse - Published: 2026-04-23 16:22 - Updated: 2026-04-23 16:22Summary
Security update for rclone
Severity
Critical
Notes
Title of the patch: Security update for rclone
Description of the patch: This update for rclone fixes the following issues:
Changes in rclone:
- Update to version 1.73.5:
* Version v1.73.5
* operations: add AuthRequired to operations/fsinfo to prevent backend creation CVE-2026-41179
* rc: snapshot NoAuth at startup to prevent runtime auth bypass CVE-2026-41176
* rc: add AuthRequired to options/set to prevent auth bypass CVE-2026-41176
* s3: fix empty delimiter parameter rejected by Archiware P5 server
* azureblob/auth: add Microsoft Partner Network User-Agent prefix
* drime: fix User.EntryPermissions JSON unmarshalling
* filter: fix debug logs that fire before logger is configured - fixes #9291
* s3: fix TencentCOS CDN endpoint failing on bucket check
* iclouddrive: fix 'directory not found' error when the directory contains accent marks
* Start v1.73.5-DEV development
- Update to version 1.73.4:
* Version v1.73.4
* Update to go 1.25.9 to fix multiple CVEs
* build: fix Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder
* docs: fix markdown issues in mount docs
* docs: fix header level for metadata option
* fix(docs): Fix link to not be language specific
* filen: update SDK version
* build(deps): bump golang.org/x/image from 0.36.0 to 0.38.0
* docs: note macOS 10.15 (Catalina) support with version v1.70.3
* Start v1.73.4-DEV development
- Update to version 1.73.3: (CVE-2026-33186 GHSA-6g7g-w4f8-9c9x)
* Version v1.73.3
* build(deps): bump github.com/buger/jsonparser from 1.1.1 to 1.1.2
* docs/jottacloud: fix broken link
* docs: clarify Filen password change requires updating both password and API key in rclone config
* docs: note that Filen API key changes on password change
* build(deps): bump google.golang.org/grpc from 1.79.1 to 1.79.3
* s3: add multi tenant support for Cubbit
* lib/rest: fix URLPathEscapeAll breaking WebDAV servers (eg nzbdav) with strict path matching
* list: fix nil pointer panic in Sorter when temp file creation fails
* docs: update RELEASE procedure to avoid mistakes
* docs: added text to the label showing version-introduced info
* Start v1.73.3-DEV development
* docs: update sponsors
- Update to version 1.73.2:
* Version v1.73.2
* Update to go 1.25.8 to fix multiple CVEs
* build: update to golang.org/x/net v0.51.0 to fix CVE-2026-27141 #9220
* docs: fix new drive flag typo in changelog
* webdav: add missing headers for CORS
* docs: Document unsupported S3 object keys with double slashes
* docs: note that --use-server-modtime only works on some backends
* internxt: fix Entry doesn't belong in directory errors on windows
* drime: fix chunk-uploaded files ignoring workspace ID
* docs: Fix headers hierarchy for mount.md
* webdav: escape reserved characters in URL path segments
* bisync: add group Sync to the bisync command
* archive: extract: strip "./" prefix from tar entry paths
* docs: add instructions on how to update Go version
* buid: update github.com/cloudflare/circl to v1.6.3 to fix CVE-2026-1229
* Start v1.73.2-DEV development
- Update to version 1.73.1:
* Version v1.73.1
* build: fix build using go 1.26.0 instead of go 1.25.7
* fs/march: fix runtime: program exceeds 10000-thread limit
* accounting: fix missing server side stats from core/stats rc
* pacer: re-read the sleep time as it may be stale
* pacer: fix deadlock between pacer token and --max-connections
* build: fix CVE-2025-68121 by updating go to 1.25.7 or later - fixes #9167
* drime: fix files and directories being created in the default workspace
* docs: update sponsors
* copyurl: Extend copyurl docs with an example of CSV FILENAMEs starting with a path.
* internxt: implement re-login under refresh logic, improve retry logic - fixes #9174
* docs: add ExchangeRate-API as a sponsor
* build: bump github.com/go-chi/chi/v5 from 5.2.3 to 5.2.5 to fix GO-2026-4316
* Set list_version to 2 for FileLu S3 configuration
* filelu: add multipart upload support with configurable cutoff
* filelu: add multipart init response type
* filelu: add comment for response body wrapping
* filelu: avoid buffering entire file in memory
* docs: update sponsor logos
* filen: fix potential panic in case of error during upload
* filen: fix 32 bit targets not being able to list directories Fixes #9142
* Start v1.73.1-DEV development
- Update to version 1.73.0:
* Version v1.73.0
* drive: fix crash when trying to creating shortcut to a Google doc
* azureblob,azurefiles: factor the common auth into a library
* test: allow backends to return fs.ErrorCantListRoot to skip Root tests
* build: add privatebeta Makefile target
* docs: add Internxt as a sponsor
* internxt: remove use of CVE laden github.com/disintegration/imaging
* docs: fix Internxt docs after merge
* docs: update making a new backend docs
* docs: build overview page from the backend data
* docs: add tiering to the documentation - fixes #8873
* docs: add data about each backend in YAML format
* docs: add bin/manage_backends.py for managing the backend data files
* internxt: use rclone's http.Client to enable more features
* internxt: fix lint problems
* Add StarHack to contributors
* Add lullius to contributors
* Add jzunigax2 to contributors
* internxt: add Internxt backend - fixes #7610
* drive: add --drive-metadata-force-expansive-access flag - Fixes #8980
* test_all: allow drime more time to complete
* onedrive: fix permissions on onedrive Personal
* onedrive: fix require sign in for Onedrive Personal
* onedrive: Onedrive Personal no longer supports description
* onedrive: fix setting modification time on directories for onedrive Personal
* onedrive: fix cancelling multipart upload
* docs: fix WinFsp link in mount documentation
* cmount: make work under OpenBSD - fixes #1727
* vfs: make mount tests run on OpenBSD
* docs: improve alignment of icons
* protondrive: update to use forks of upstream modules
* Add hyusap to contributors
* Add Nick Owens to contributors
* Add Mikel Olasagasti Uranga to contributors
* docs: fix googlephotos custom client_id instructions
* cmount: fix OpenBSD mount support.
* fs: fix bwlimit: correctly report minutes
* fs: fix bwlimit: use %d instead of %q for ints
* mega: reverts TLS workaround
* docs: fix formatting
* docs: add faq entry about re-enabling old TLS ciphers
* Add Marc-Philip to contributors
* Add yy to contributors
* filen: swap to blake3 hashes
* docs: fix echo command syntax for password input
* docs: fix typos in comments and messages
* docs: fix use of removed rem macro
* uptobox: remove backend as service is no longer available
* rc: add operations/hashsumfile to sum a single file only
* docs: update sponsor link
* filen: add Filen backend - Fixes #6728
* sftp: fix proxy initialisation
* fstest: skip Copy mutation test with --sftp-copy-is-hardlink
* fstest: Make Copy mutation test work properly
* Add Qingwei Li to contributors
* Add Nicolas Dessart to contributors
* log: fix systemd adding extra newline - fixes #9086
* oracleobjectstorage, sftp: eliminate unnecessary heap allocation
* sftp,ftp: add http proxy authentication support
* Add Drime backend
* lib/rest: add opts.MultipartContentType to explicitly set Content-Type of attachements
* dircache: allow empty string as root parent id
* docs: update sponsors
* s3: add provider Bizfly Cloud Simple Storage
* docs: update sponsor logos
* Add sys6101 to contributors
* Add darkdragon-001 to contributors
* Add vupn0712 to contributors
* docs: add cloudinary to readme
* docs: fix headers hierarchy in mount docs
* s3: fix Copy ignoring storage class
* serve s3: make errors in --s3-auth-key fatal - fixes #9044
* Add masrlinu to contributors
* pcloud: add support for real-time updates in mount
* memory: add --memory-discard flag for speed testing - fixes #9037
* Add vyv03354 to contributors
* shade: Fix VFS test issues
* docs: mention use of ListR feature in ls docs
* build: bump actions/download-artifact from 6 to 7
* build: bump actions/upload-artifact from 5 to 6
* build: bump actions/cache from 4 to 5
* docs: reflects the fact that pCloud supports ListR
* S3: Linode: updated endpoints to use ISO 3166-1 alpha-2 standard
* sync: fix error propagation in tests (#9025)
* Changelog updates from Version v1.72.1
* s3: add more regions for Selectel
* Add jhasse-shade to contributors
* Add Shade backend
* log: fix backtrace not going to the --log-file #9014
* build: fix lint warning after linter upgrade
* Add Jonas Tingeborn to contributors
* Add Tingsong Xu to contributors
* configfile: add piped config support - fixes #9012
* fs/log: fix PID not included in JSON log output
* build: adjust lint rules to exclude new errors from linter update
* proxy: fix error handling in tests spotted by the linter
* Add Johannes Rothe to contributors
* Add Leo to contributors
* Add Vladislav Tropnikov to contributors
* Add Cliff Frey to contributors
* Add vicerace to contributors
* b2: Fix listing root buckets with unrestricted API key
* googlecloudstorage: improve endpoint parameter docs
* serve webdav: implement download-directory-as-zip
* s3: The ability to specify an IAM role for cross-account interaction
* azureblob: add metadata and tags support across upload and copy paths
* refactor: use strings.Cut to simplify code
* docs: note where a provider has an S3 compatible alternative
* Add Shade as sponsor
* Add Duncan Smart to contributors
* Add Diana to contributors
* docs: Clarify OAuth scopes for readonly Google Drive access
* b2: support authentication with new bucket restricted application keys
* docs: update sponsor logos
* docs: fix lint error in changelog
* Start v1.73.0-DEV development
- Update to version 1.72.1:
* Version v1.72.1
* s3: add more regions for Selectel
* log: fix backtrace not going to the --log-file #9014
* build: fix lint warning after linter upgrade
* configfile: add piped config support - fixes #9012
* fs/log: fix PID not included in JSON log output
* build: adjust lint rules to exclude new errors from linter update
* proxy: fix error handling in tests spotted by the linter
* googlecloudstorage: improve endpoint parameter docs
* docs: note where a provider has an S3 compatible alternative
* Add Shade as sponsor
* docs: Clarify OAuth scopes for readonly Google Drive access
* docs: update sponsor logos
* docs: fix lint error in changelog
* Start v1.72.1-DEV development
- Update to version 1.72.0:
* Version v1.72.0
* rc: fix formatting in job/batch
* test speed: fix formatting of help
* docs: update sponsor logos
* build: bump actions/checkout from 5 to 6
* s3: add multi-part-upload support for If-Match and If-None-Match
* rc: config/unlock: rename parameter to `configPassword` accept old as well
* rc: correct names of parameters in job/list output
* Add Nikolay Kiryanov to contributors
* rc: add `executeId` to job statuses - fixes #8972
* build: bump golang.org/x/crypto from 0.43.0 to 0.45.0 to fix CVE-2025-58181
* s3: fix single file copying behavior with low permission - Fixes #8975
* docs: onedrive: note how to backup up any user's data
* Add Dominik Sander to contributors
* Add jijamik to contributors
* box: allow to configure with config file contents
* http: add basic metadata and provide it via serve
* ftp: fix transfers from servers that return 250 ok messages
* b2: allow individual old versions to be deleted with --b2-versions - fixes #1626
* build: fix tls: failed to verify certificate: x509: negative serial number
* Add Sean Turner to contributors
* s3: add support for --upload-header If-Match and If-None-Match
* fix: comment typos
* dropbox: fix error moving just created objects - fixes #8881
* s3: add --s3-use-data-integrity-protections to fix BadDigest error in Alibaba, Tencent
* rc: make sure fatal errors don't crash rclone - fixes #8955
* pacer: factor call stack searching into its own package
* rc: add osVersion, osKernel and osArch to core/version
* build: update all dependencies
* build(deps): bump golangci/golangci-lint-action from 8 to 9
* webdav: fix out of memory with sharepoint-ntlm when uploading large file
* testserver: fix owncloud test server startup
* Add aliaj1 to contributors
* ulozto: Fix downloads returning HTML error page
* docs: adjust spectra logic example endpoint name
* docs: update version introduced to v1.70 in doi docs
* testserver: fix HDFS server after run.bash adjustments
* testserver: remind developers about allocating a port
* testserver: make run.bash variables less likely to collide with scripts
* testserver: fix seafile servers messing up _connect string
* testserver: make sure TestWebdavInfiniteScale uses an assigned port
* testserver: make sure we don't overwrite the NAME variable set
* Add n4n5 to contributors
* Add Alex to contributors
* Add Copilot to contributors
* docs: update contributing docs regarding backend documentation
* rc: add jobs stats
* docs: fix alignment of some of the icons in the storage system dropdown
* docs: run markdownlint on _index.md
* docs: fix markdownlint issues and other styling improvements in backend command docs
* docs: fix markdownlint issue md046/code-block-style in backend command docs
* docs: fix missing punctuation in backend commands short description
* docs: fix markdownlint issues in backend command generated output
* build: improve backend docs autogenerated marker line
* backend/compress: add zstd compression
* sftp: fix zombie SSH processes with --sftp-ssh - Fixes #8929
* testserver: fix tests failing due to stopped servers
* docs: add new integration tester site link
* docs: update the method for running integration tests
* bisync: fix failing tests
* Add SublimePeace to contributors
* b2: fix "expected a FileSseMode but found: ''"
* docs: s3: clarify multipart uploads memory usage
* test_all: fix detection of running servers
* accounting: add AccountReadN for use in cluster
* fs: add NonDefaultRC for discovering options in use
* fs: move tests into correct files
* rc: add NewJobFromBytes for reading jobs from non HTTP transactions
* rc: add job/batch for sending batches of rc commands to run concurrently
* Add Ted Robertson to contributors
* Add Joseph Brownlee to contributors
* Add fries1234 to contributors
* Add Fawzib Rojas to contributors
* Add Riaz Arbi to contributors
* Add Lukas Krejci to contributors
* Add Adam Dinwoodie to contributors
* Add dulanting to contributors
* docs: add AppArmor restrictions to rclone mount
* check: improved reporting of differences in sizes and contents
* mega: implement 2FA login
* docs: change to light code block style to better match overall theme
* docs: fix various markdownlint issues
* build: restrict the markdown languages to use for code blocks
* docs: fix various markdownlint issues
* docs: fix markdownlint issue md013/line-length
* docs: change syntax hightlighting for command examples from sh to console
* docs: Clarify remote naming convention
* b2: Add Server-Side encryption support
* Added rclone archive command to create and read archive files
* accounting: add io.Seeker/io.ReaderAt support to accounting.Account
* operations: add ReadAt method to ReOpen
* fstest: add ResetRun to allow the remote to be reset in tests
* gcs: fix --gcs-storage-class to work with server side copy for objects
* ulozto: implement the about functionality
* local: add --skip-specials to ignore special files
* swift: Report disk usage in segment containers
* refactor: use strings.Builder to improve performance
* Archive backend to read archives on cloud storage.
* vfs: remove unecessary import in tests to fix import cycles
* Add Lakshmi-Surekha to contributors
* Add Andrew Gunnerson to contributors
* Add divinity76 to contributors
* build: enable support for aix/ppc64
* rc: fix name of "queue" JSON key in docs for vfs/cache
* cmount: windows: improve error message on missing winfsp
* docs: add the Provider to the options examples in the backend docs
* Add Aneesh Agrawal to contributors
* Add viocha to contributors
* Add reddaisyy to contributors
* fs: remove unnecessary Seek call on log file
* s3: make it easier to add new S3 providers
* build(deps): bump actions/upload-artifact from 4 to 5
* build(deps): bump actions/download-artifact from 5 to 6
* ftp: fix SOCK proxy support - fixes #8892 (#8918)
* webdav: Add Access-Control-Max-Age header for CORS preflight caching - fixes #5078
* webdav: use SpaceSepList to parse bearer token command
* refactor: use strings.Builder to improve performance
* docs: re-arrange sponsors page
* docs: add Spectra Logic as a sponsor
* Add Oleksandr Redko to contributors
* build: enable all govet checks (except fieldalignment and shadow) and fix issues.
* march: fix --no-traverse being very slow - fixes #8860
* Add vastonus to contributors
* s3: add new FileLu S5 endpoints
* build: remove obsolete build tag
* azurefiles: add ListP interface - #4788
* dropbox: add ListP interface - #4788
* webdav: add ListP interface - #4788
* pcloud: add ListP interface - #4788
* box: add ListP interface - #4788
* onedrive: add ListP interface - #4788
* drive: add ListP interface - #4788
* Add hunshcn to contributors
* webdav: optimize bearer token fetching with singleflight
* Changelog updates from Version v1.71.2
* lib/http: cleanup indentation and other whitespace in http serve template
* docs: improve formatting of http serve template parameters
* build: stop markdown linter leaving behind docker containers
* Add Marco Ferretti to contributors
* s3: add cubbit as provider
* s3: add servercore as a provider
* docs: update sponsors
* docs: update sponsor images
* docs: update privacy policy with a section on user data
* Add Dulani Woods to contributors
* Add spiffytech to contributors
* gcs: add region us-east5 - fixes #8863
* jottacloud: refactor service list from map to slice to get predefined order
* jottacloud: added support for traditional oauth authentication also for the main service
* oauthutil: improved debug logs from token refresh
* backend: add S3 provider for Hetzner object storage #8183
* jottacloud: improved token refresh handling
* s3: provider reordering
* index: add missing providers
* docs: add missing `
* s3: add rabata as a provider
* mega: fix 402 payment required errors - fixes #8758
* Add Andrew Ruthven to contributors
* Add Microscotch to contributors
* Add iTrooz to contributors
* build: Bump SwiftAIO container to a newer one
* build: Retry stopping the test server
* build: Increase attempts to connect to test server
* swift: If storage_policy isn't set, use the root containers policy
* proton: automated 2FA login with OTP secret key
* serve s3: fix log output to remove the EXTRA messages
* docs/jottacloud: update description of invalid_grant error according to changes
* jottacloud: add support for MediaMarkt Cloud as a whitelabel service
* s3: add FileLu S5 provider
* docs: fix variants of --user-from-header
* vfs: fix chunker integration test
* test_all: give TestZoho: extra time as it has been timing out
* test_all: give TestCompressDrive: extra time as it has been timing out
* rclone config string: reduce quoting with Human rendering for strings #8859
* Add juejinyuxitu to contributors
* docs/jottacloud: update documentation with new whitelabel services and changed configuration flow
* jottacloud: abort attempts to run unsupported rclone authorize command
* jottacloud: minor adjustment of texts in config ui
* jottacloud: add support for Let's Go Cloud (from MediaMarkt) as a whitelabel service
* jottacloud: fix authentication for whitelabel services from Elkjp subsidiaries
* jottacloud: refactor config handling of whitelabel services to use openid provider configuration
* jottacloud: remove nil error object from error message
* jottacloud: fix legacy authentication
* docs: add remote setup page to main docs dropdown
* docs: update remote setup page
* docs: add link from authorize command docs to remote setup docs
* docs: lowercase internet and web browser instead of Internet browser
* docs: use the term backend name instead of fs name for authorize command
* add `rclone config string` for making connection strings #8859
* config: add more human readable configmap.Simple output
* serve http: download folders as zip
* s3: reorder providers to be in alphabetical order
* refactor: use strings.FieldsFuncSeq to reduce memory allocations
* accounting: add SetMaxCompletedTransfers method to fix bisync race #8815
* accounting: add RemoveDoneTransfers method to fix bisync race #8815
* bisync: fix race when CaptureOutput is used concurrently #8815
* build: update all dependencies
* Makefile: remove deprecated go mod usage
* azurefiles: Fix server side copy not waiting for completion - fixes #8848
* Changelog updates from Version v1.71.1
* test_all: fix branch name in test report
* pacer: fix deadlock with --max-connections
* Revert "azureblob: fix deadlock with --max-connections with InvalidBlockOrBlob errors"
* Add Youfu Zhang to contributors
* Add Matt LaPaglia to contributors
* smb: optimize smb mount performance by avoiding stat checks during initialization
* pikpak: fix unnecessary retries by using URL expire parameter - fixes #8601
* serve http: fix: logging url on start
* docs: fix typo
* b2: fix 1TB+ uploads
* march: fix deadlock when using --fast-list on syncs - fixes #8811
* build: slices.Contains, added in go1.21
* build: use strings.CutPrefix introduced in go1.20
* build: use sequence Split introduced in go1.24
* build: use "for i := range n", added in go1.22
* build: modernize benchmark usage
* build: in tests use t.Context, added in go1.24
* build: replace interface{} by the 'any' type added in go1.18
* build: use the built-in min or max functions added in go1.21
* Add russcoss to contributors
* build: remove x := x made unnecessary by the new semantics of loops in go1.22
* lib/pool: fix unreliable TestPoolMaxBufferMemory test
* Update S-Pegg1 email
* Add Jean-Christophe Cura to contributors
* pool: fix flaky unreliability test
* copyurl: reworked code, added concurrency and tests
* copyurl: Added --url to read urls from csv file - #8127
* docs: HDFS: erasure coding limitation #8808
* fstest: fix slice bounds out of range error when using -remotes local
* local: fix time zones on tests
* s3: added SpectraLogic as a provider
* local: fix rmdir "Access is denied" on windows - fixes #8363
* bisync: fix error handling for renamed conflicts
* docs: pcloud: update root_folder_id instructions
* operations: fix partial name collisions for non --inplace copies
* drive: docs: update making your own client ID instructions
* swift: add ListP interface - #4788
* memory: add ListP interface - #4788
* oraceobjectstorage: add ListP interface - #4788
* B2: add ListP interface - #4788
* azureblob: add ListP interface - #4788
* googlecloudstorage: add ListP interface - Fixes #8763
* build: bump actions/github-script from 7 to 8
* build: bump actions/setup-go from 5 to 6
* bisync: fix chunker integration tests
* bisync: fix koofr integration tests
* internetarchive: fix server side copy files with spaces
* lib/rest: add URLPathEscapeAll to URL escape as many chars as possible
* Add alternate email for dougal to contributors
* test speed: add command to test a specified remotes speed
* docs: add link to MEGA S4 from MEGA page
* Add Robin Rolf to contributors
* Add anon-pradip to contributors
* s3: Add Intercolo provider
* gendocs: refactor and add logging of skipped command docs
* gendocs: ignore missing rclone_mount.md, rclone_nfsmount.md, rclone_serve_nfs.md on windows
* bin: add bisync.md generator
* fstest: refactor to decouple package from implementation
* gendocs: ignore missing rclone_mount.md on macOS
* bisync: ignore expected "nothing to transfer" differences on tests
* bisync: fix TestBisyncConcurrent ignoring -case
* bisync: make number of parallel tests configurable
* docs: clarify subcommand description in rclone usage
* docs: fix description of regex syntax of name transform
* docs: add some more details about supported regex syntax
* makefile: fix lib/transform docs not getting updated
* lib/pool: fix flaky test which was causing timeouts
* Add dougal to contributors
* vfs: fix SIGHUP killing serve instead of flushing directory caches
* bisync: use unique stats groups on tests
* fstest: stop errors in test cleanup changing the global stats
* Add Motte to contributors
* Add Claudius Ellsel to contributors
* build: add local markdown linting to make check
* lsf: add support for unix and unixnano time formats
* docs: remove broken links from rc to commands
* hashsum: changed output format when listing algorithms
* docs: add example of how to add date as suffix
* box: fix about after change in API return - fixes #8776
* Add skbeh to contributors
* Add Tilman Vogel to contributors
* docs: fix incorrectly escaped windows path separators
* build: restore error handling in gendocs
* combine: propagate SlowHash feature
* docs/oracleobjectstorage: add introduction before external links and remove broken link
* docs: fix markdown lint issues in backend docs
* docs: fix markdown lint issues in command docs
* docs: update markdown code block json indent size 2
* mount: do not log successful unmount as an error - fixes #8766
* Start v1.72.0-DEV development
- Update to version 1.71.2:
* Version v1.71.2
* docs: update sponsors
* docs: update sponsor images
* docs: update privacy policy with a section on user data
* gcs: add region us-east5 - fixes #8863
* index: add missing providers
* docs: add missing `
* mega: fix 402 payment required errors - fixes #8758
* docs: fix variants of --user-from-header
* docs: add remote setup page to main docs dropdown
* docs: update remote setup page
* docs: add link from authorize command docs to remote setup docs
* docs: lowercase internet and web browser instead of Internet browser
* docs: use the term backend name instead of fs name for authorize command
* bisync: fix race when CaptureOutput is used concurrently #8815
* azurefiles: Fix server side copy not waiting for completion - fixes #8848
* pikpak: fix unnecessary retries by using URL expire parameter - fixes #8601
* serve http: fix: logging url on start
* docs: fix typo
* b2: fix 1TB+ uploads
* Start v1.71.2-DEV development
- Update to version 1.71.1:
* Version v1.71.1
* pacer: fix deadlock with --max-connections
* Revert "azureblob: fix deadlock with --max-connections with InvalidBlockOrBlob errors"
* march: fix deadlock when using --fast-list on syncs - fixes #8811
* docs: HDFS: erasure coding limitation #8808
* local: fix rmdir "Access is denied" on windows - fixes #8363
* bisync: fix error handling for renamed conflicts
* docs: pcloud: update root_folder_id instructions
* operations: fix partial name collisions for non --inplace copies
* drive: docs: update making your own client ID instructions
* internetarchive: fix server side copy files with spaces
* lib/rest: add URLPathEscapeAll to URL escape as many chars as possible
* docs: add link to MEGA S4 from MEGA page
* docs: clarify subcommand description in rclone usage
* docs: fix description of regex syntax of name transform
* docs: add some more details about supported regex syntax
* makefile: fix lib/transform docs not getting updated
* vfs: fix SIGHUP killing serve instead of flushing directory caches
* docs: remove broken links from rc to commands
* docs: add example of how to add date as suffix
* box: fix about after change in API return - fixes #8776
* docs: fix incorrectly escaped windows path separators
* build: restore error handling in gendocs
* combine: propagate SlowHash feature
* docs/oracleobjectstorage: add introduction before external links and remove broken link
* docs: fix markdown lint issues in backend docs
* docs: fix markdown lint issues in command docs
* docs: update markdown code block json indent size 2
* mount: do not log successful unmount as an error - fixes #8766
* Start v1.71.1-DEV development
- Update to version 1.71.0:
* Version v1.71.0
* fs: tls: add --client-pass support for encrypted --client-key files
* ftp: make TLS config default to global TLS config - Fixes #6671
* fshttp: return *Transport rather than http.RoundTripper from NewTransport
* bisync: release from beta
* bisync: fix markdown formatting issues flagged by linter in docs
* bisync: fix --no-slow-hash settings on path2
* Add cui to contributors
* docs: add code of conduct
* lib/mmap: convert to using unsafe.Slice to avoid deprecated reflect.SliceHeader
* build: bump golangci/golangci-lint-action from 6 to 8
* build: update golangci-lint configuration
* build: ignore revive lint issue var-naming: avoid meaningless package names
* build: fix lint issue: should omit type error from declaration
* Revert "build: downgrade linter to use go1.24 until it is fixed for go1.25"
* build: migrate golangci-lint configuration to v2 format
* s3: add --s3-use-arn-region flag - fixes #8686
* Add Binbin Qian to contributors
* Add Lucas Bremgartner to contributors
* docs: add tips about outdated certificates
* FAQ: specify the availability of SSL_CERT_* env vars
* pikpak: add file name integrity check during upload
* bisync: skip TestBisyncConcurrent on non-local
* internetarchive: fix server side copy files with &
* Revert "s3: set useAlreadyExists to false for Alibaba OSS"
* Add huangnauh to contributors
* smb: improve multithreaded upload performance using multiple connections
* bisync: fix data races on tests
* bisync: remove unused parameters
* bisync: deglobalize to fix concurrent runs via rc - fixes #8675
* mount: fix identification of symlinks in directory listings
* s3: fix Content-Type: aws-chunked causing upload errors with --metadata
* config: fix problem reading pasted tokens over 4095 bytes
* config: fix test failure on local machine with a config file
* log: add log rotation to --log-file - fixes #2259
* accounting: Fix stats (speed=0 and eta=nil) when starting jobs via rc
* docs: update overview table for oracle object storage
* Add praveen-solanki-oracle to contributors
* oracleobjectstorage: add read only metadata support - Fixes #8705
* doc: sync doesn't symlinks in dest without --link - Fixes #8749
* s3: sort providers in docs
* s3: add docs for Exaba Object Storage
* azureblob: fix double accounting for multipart uploads - fixes #8718
* pool: fix deadlock with --max-buffer-memory
* azureblob: fix deadlock with --max-connections with InvalidBlockOrBlob errors
* build: downgrade linter to use go1.24 until it is fixed for go1.25
* build: update all dependencies
* build: update to go1.25 and make go1.24 the minimum required version
* Add Timothy Jacobs to contributors
* bisync: fix time.Local data race on tests - fixes #8272
* googlecloudstorage: fix rateLimitExceeded error on bisync tests
* accounting: populate transfer snapshot with "what" value
* build(deps): bump actions/checkout from 4 to 5
* build(deps): bump actions/download-artifact from 4 to 5
* googlecloudstorage: enable bisync integration tests
* fstest: fix parsing of commas in -remotes
* azurefiles: fix hash getting erased when modtime is set
* bisync: disable --sftp-copy-is-hardlink on sftp tests
* local: fix --copy-links on Windows when listing Junction points
* operations: fix too many connections open when using --max-memory
* pool: fix deadlock with --max-memory and multipart transfers
* pool: unify memory between multipart and asyncreader to use one pool
* docs: update links to rcloneui
* docs: add MEGA S4 as a gold sponsor
* about: fix potential overflow of about in various backends
* box: fix about: cannot unmarshal number 1.0e+18 into Go struct field
* oauthutil: fix nil pointer crash when started with expired token
* rc: listremotes should send an empty array instead of nil
* config: add error if RCLONE_CONFIG_PASS was supplied but didn't decrypt config
* rc: add config/unlock to unlock the config file
* ftp: allow insecure TLS ciphers - fixes #8701
* s3: set useAlreadyExists to false for Alibaba OSS
* docs: update sponsors page
* fs: allow global variables to be overriden or set on backend creation
* fs: allow setting of --http_proxy from command line
* tests: cloudinary: remove test ignore after merging fix from #8707
* Add Antonin Goude to contributors
* Add Yu Xin to contributors
* Add houance to contributors
* Add Florent Vennetier to contributors
* Add n4n5 to contributors
* Add Albin Parou to contributors
* Add liubingrun to contributors
* sync: fix testLoggerVsLsf when backend only reads modtime
* sync: fix testLoggerVsLsf checking wrong fs
* docs: fix make opengraph tags absolute as not all sites understand relative
* docs: update contributing guide regarding markdown documentation
* build: add markdown linting to workflow
* build: add markdownlint configuration
* docs: minor format cleanup install.md
* docs: fix markdownlint issue md049/emphasis-style
* docs: fix markdownlint issue md036/no-emphasis-as-heading
* docs: fix markdownlint issue md033/no-inline-html
* docs: fix markdownlint issue md025/single-title
* docs: fix markdownlint issue md041/first-line-heading
* docs: fix markdownlint issue md001/heading-increment
* docs: fix markdownlint issue md003/heading-style
* docs: fix markdownlint issue md034/no-bare-urls
* docs: fix markdownlint issue md010/no-hard-tabs
* docs: fix markdownlint issue md013/line-length
* docs: fix markdownlint issue md038/no-space-in-code
* docs: fix markdownlint issue md040/fenced-code-language
* docs: fix markdownlint issue md046/code-block-style
* docs: fix markdownlint issue md037/no-space-in-emphasis
* docs: fix markdownlint issue md059/descriptive-link-text
* docs: fix markdownlint issues md007/ul-indent md004/ul-style
* docs: fix markdownlint issue md012/no-multiple-blanks
* docs: fix markdownlint issue md058/blanks-around-tables
* docs: fix markdownlint issue md022/blanks-around-headings
* docs: fix markdownlint issue md031/blanks-around-fences
* docs: fix markdownlint issue md032/blanks-around-lists
* docs: fix markdownlint issue md009/no-trailing-spaces
* docs: fix markdownlint issue md014/commands-show-output
* docs: fix markdownlint issues md007/ul-indent md004/ul-style (bin/update-authors.py)
* docs: fix markdownlint issues md007/ul-indent md004/ul-style (authors.md)
* docs: add opengraph tags for website social media previews
* mount: note that bucket based remotes can use directory markers
* pikpak: add docs for methods to clarify name collision handling and restrictions
* pikpak: enhance Copy method to handle name collisions and improve error management
* pikpak: enhance Move for better handling of error and name collision
* accounting: fix incorrect stats with --transfers=1 - fixes #8670
* rc: fix `operations/check` ignoring `oneWay` parameter
* s3: add OVHcloud Object Storage provider
* docs: rc: fix description of how to read local config
* build: limit check for edits of autogenerated files to only commits in a pull request
* build: extend check for edits of autogenerated files to all commits in a pull request
* smb: refresh Kerberos credentials when ccache file changes
* s3: fix multipart upload and server side copy when using bucket policy SSE-C
* backend/s3: Fix memory leak by cloning strings #8683
* purge: exit with a fatal error if filters are set on `rclone purge`
* docs: Add Backblaze as a Platinum sponsor
* Add Sam Pegg to contributors
* googlephotos: added warning for Google Photos compatability-fixes #8672
* test: remove flakey TestChunkerChunk50bYandex: test
* docs: Consolidate entries for Josh Soref in contributors
* docs: remove dead link to example of writing a plugin
* filescom: document that hashes need to be enabled - fixes #8674
* Add Sudipto Baral to contributors
* docs: fix incorrect json syntax in sample output
* docs: ignore author email piyushgarg80
* docs: fix header level for --dump option section
* docs: use stringArray as parameter type
* docs: use consistent markdown heading syntax
* imagekit: remove server side Copy method as it was downloading and uploading
* imagekit: don't low level retry uploads
* imagekit: return correct error when attempting to upload zero length files
* smb: add --smb-kerberos-ccache option to set kerberos ccache per smb backend
* test: fix smb kerberos integration tests
* Changelog updates from Version v1.70.3
* config: make parsing of duration options consistent
* docs: cleanup usage
* docs: break long lines
* docs: add option value type to header where missing
* docs: mention that identifiers in option values are case insensitive
* docs: rewrite dump option examples
* docs: use markdown inline code format for dump option headers that are real examples
* docs: change spelling from server side to server-side
* docs: cleanup header casing
* docs: rename OSX to macOS
* docs: fix list and code block issue
* docs: consistent markdown list format
* docs: split section with general description of options with that documenting actual main options
* docs: improve description of option types
* docs: use space instead of equal sign to separate option and value in headers
* docs: use comma to separate short and long option format in headers
* docs: remove use of uncommon parameter types
* docs: remove use of parameter type FILE
* docs: remove use of parameter type DIR
* docs: remove use of parameter type CONFIG_FILE
* docs: change use of parameter type N and NUMBER to int consistent with flags and cli help
* docs: change use of parameter type TIME to Duration consistent with flags and cli help
* docs: change use of parameter type BANDWIDTH_SPEC to BwTimetable consistent with flags and cli help
* docs: change use of parameter type SIZE to SizeSuffix consistent with flags and cli help
* docs: cleanup markdown header format
* docs: explain separated list parameters
* azureblob: fix server side copy error "requires exactly one scope"
* test: remove and ignore failing integration tests
* docs: explain the json log format in more detail
* check: fix difference report (was reporting error counts)
* serve sftp: add support for more hashes (crc32, sha256, blake3, xxh3, xxh128)
* serve sftp: extract function refactoring for handling hashsum commands
* sftp: add support for more hashes (crc32, sha256, blake3, xxh3, xxh128)
* local: configurable supported hashes
* hash: add support for BLAKE3, XXH3, XXH128
* vfs: make integration TestDirEntryModTimeInvalidation test more reliable
* smb: skip non integration tests when doing integration tests
* seafile: fix integration test errors by adding dot to encoding
* linkbox: fix upload error "user upload file not exist"
* build: remove integration tests which are too slow
* march: fix deadlock when using --no-traverse - fixes #8656
* pikpak: improve error handling for missing links and unrecoverable 500s
* pikpak: rewrite upload to bypass AWS S3 manager - fixes #8629
* test: fix TestSMBKerberos password expiring errors
* Add Vikas Bhansali to contributors
* Add Ross Smith II to contributors
* azureblob,azurefiles: add support for client assertion based authentication
* webdav: fix setting modtime to that of local object instead of remote
* build: set default shell to bash in build.yml
* docs: fix filescom/filelu link mixup
* Add Davide Bizzarri to contributors
* fix: b2 versionAt read metadata
* test: make TestWebdavInfiniteScale startup more reliable
* test_all: add _connect_delay for slow starting servers
* docs: update link for filescom
* test_all: make TestWebdav InfiniteScale integration tests run
* test_all: make SMB with Kerberos integration tests run properly
* test_all: allow an env parameter to set environment variables
* Changelog updates from Version v1.70.2
* Add Ali Zein Yousuf to contributors
* Add $@M@RTH_ to contributors
* docs: update client ID instructions to current Azure AD portal - fixes #8027
* s3: add Zata provider
* pacer: fix nil pointer deref in RetryError - fixes #8077
* docs: Remove Warp as a sponsor
* docs: add files.com as a Gold sponsor
* docs: add links to SecureBuild docker image
* Add curlwget to contributors
* convmv: fix moving to unicode-equivalent name - fixes #8634
* transform: add truncate_keep_extension and truncate_bytes
* convmv: make --dry-run logs less noisy
* sync: avoid copying dir metadata to itself
* docs: fix some function names in comments
* combine: fix directory not found errors with ListP interface - Fixes #8627
* local: fix --skip-links on Windows when skipping Junction points
* Add Marvin Rsch to contributors
* build: bump github.com/go-chi/chi/v5 from 5.2.1 to 5.2.2 to fix GHSA-vrw8-fxc6-2r93
* copy,copyto,move,moveto: implement logger flags to store result of sync
* log: fix deadlock when using systemd logging - fixes #8621
* docs: googlephotos: detail how to make your own client_id - fixes #8622
* Add necaran to contributors
* mega: fix tls handshake failure - fixes #8565
* Changelog updates from Version v1.70.1
* Add jinjingroad to contributors
* docs: DOI grammar error
* docs: lib/transform: cleanup formatting
* lib/transform: avoid empty charmap entry
* chore: fix function name
* convmv: fix spurious "error running command echo" on Windows
* docs: client-credentials is not support by all backends
* Start v1.71.0-DEV development
- Update to version 1.70.3:
* Version v1.70.3
* azureblob: fix server side copy error "requires exactly one scope"
* docs: explain the json log format in more detail
* check: fix difference report (was reporting error counts)
* linkbox: fix upload error "user upload file not exist"
* march: fix deadlock when using --no-traverse - fixes #8656
* pikpak: improve error handling for missing links and unrecoverable 500s
* webdav: fix setting modtime to that of local object instead of remote
* fix: b2 versionAt read metadata
* Start v1.70.3-DEV development
* docs: fix filescom/filelu link mixup
* docs: update link for filescom
- Update to version 1.70.2:
* Version v1.70.2
* docs: update client ID instructions to current Azure AD portal - fixes #8027
* mega: fix tls handshake failure - fixes #8565
* pacer: fix nil pointer deref in RetryError - fixes #8077
* convmv: fix moving to unicode-equivalent name - fixes #8634
* convmv: make --dry-run logs less noisy
* sync: avoid copying dir metadata to itself
* combine: fix directory not found errors with ListP interface - Fixes #8627
* local: fix --skip-links on Windows when skipping Junction points
* build: bump github.com/go-chi/chi/v5 from 5.2.1 to 5.2.2 to fix GHSA-vrw8-fxc6-2r93
* log: fix deadlock when using systemd logging - fixes #8621
* docs: googlephotos: detail how to make your own client_id - fixes #8622
* pikpak: fix uploads fail with "aws-chunked encoding is not supported" error
* Start v1.70.2-DEV development
* docs: Remove Warp as a sponsor
* docs: add files.com as a Gold sponsor
* docs: add links to SecureBuild docker image
- Update to version 1.70.1:
* Version v1.70.1
* docs: DOI grammar error
* docs: lib/transform: cleanup formatting
* lib/transform: avoid empty charmap entry
* chore: fix function name
* convmv: fix spurious "error running command echo" on Windows
* docs: client-credentials is not support by all backends
* Start v1.70.1-DEV development
- Update to version 1.70.0:
* Version v1.70.0
* ftp: add --ftp-http-proxy to connect via HTTP CONNECT proxy
* pcloud: fix "Access denied. You do not have permissions to perform this operation" on large uploads
* operations: fix TransformFile when can't server-side copy/move
* fstest: fix -verbose flag after logging revamp
* googlecloudstorage: fix directory marker after // changes in #5858
* s3: fix directory marker after // changes in #5858
* azureblob: fix directory marker after // changes in #5858
* tests: ignore some more habitually failing tests
* googlephotos: fix typo in error message - Fixes #8600
* s3: MEGA S4 support
* Add Ser-Bul to contributors
* chunker: fix double-transform
* docs: mailru: added note about permissions level choice for the apps password
* tests: ignore habitually failing tests and backends
* docs: link to asciinema rather than including the js
* docs: target="_blank" must have rel="noopener"
* sync: fix testLoggerVsLsf when dst is local
* docs: fix FileLu docs
* build: update all dependencies
* onedrive: fix crash if no metadata was updated
* Add kingston125 to contributors
* Add Flora Thiebaut to contributors
* Add FileLu cloud storage backend
* doi: add new doi backend
* build: fix check_autogenerated_edits.py flagging up files that didn't exist
* docs: rc: add more info on how to discover _config and _filter parameters #8584
* s3: add Exaba provider
* convmv: add convmv command
* lib/transform: add transform library and --name-transform flag
* march: split src and dst
* Add ahxxm to contributors
* Add Nathanael Demacon to contributors
* b2: use file id from listing when not presented in headers - fixes #8113
* fs: fix goroutine leak and improve stats accounting process
* march: fix syncing with a duplicate file and directory
* Add PrathameshLakawade to contributors
* Add Oleksiy Stashok to contributors
* docs: fix page_facing_up typo next to Lyve Cloud in README.md
* backend/s3: require custom endpoint for Lyve Cloud v2 support
* backend: skip hash calculation when the hashType is None - fixes #8518
* azureblob: fix multipart server side copies of 0 sized files
* Add Jeremy Daer to contributors
* Add wbulot to contributors
* s3: add Pure Storage FlashBlade provider support (#8575)
* backend/gofile: update to use new direct upload endpoint
* log: add --windows-event-log-level to support Windows Event Log
* fs: Remove github.com/sirupsen/logrus and replace with log/slog
* Add fhuber to contributors
* cmd serve s3: fix ListObjectsV2 response
* Changelog updates from Version v1.69.3
* onedrive: re-add --onedrive-upload-cutoff flag
* onedrive: fix "The upload session was not found" errors
* Add Germn Casares to contributors
* Add Jeff Geerling to contributors
* googlephotos: update read only and read write scopes to meet Google's requirements.
* build: update github.com/ebitengine/purego to v0.8.3 to fix mac_amd64 build
* docs: add hint about config touch and config file not found
* docs: add FAQ for dismissing 'rclone.conf not found'
* docs: document how to keep an out of tree backend
* Add Clment Wehrung to contributors
* iclouddrive: fix panic and files potentially downloaded twice
* docs: move --max-connections documentation to the correct place
* Add Ben Boeckel to contributors
* Add Tho Neyugn to contributors
* docs: fix typo in s3/storj docs
* serve s3: remove redundant handler initialization
* Changelog updates from Version 1.69.2
* sftp: add --sftp-http-proxy to connect via HTTP CONNECT proxy
* Add Jugal Kishore to contributors
* docs: correct SSL docs anchor link from #ssl-tls to #tls-ssl
* drive: metadata: fix error when setting copy-requires-writer-permission on a folder
* docs: Update contributors
* build: bump golang.org/x/net from 0.36.0 to 0.38.0
* Update README.md
* docs: fix typos via codespell
* webdav: add an ownCloud Infinite Scale vendor that enables tus chunked upload support
* onedrive: fix metadata ordering in permissions
* Add Ben Alex to contributors
* Add simwai to contributors
* iclouddrive: fix so created files are writable
* cmd/authorize: show required arguments in help text
* cloudinary: var naming convention - #8416
* cloudinary: automatically add/remove known media files extensions #8416
* Add Markus Gerstel to contributors
* Add Enduriel to contributors
* Add huanghaojun to contributors
* Add simonmcnair to contributors
* Add Samantha Bowen to contributors
* s3: documentation regression - fixes #8438
* hash: add SHA512 support for file hashes
* vfs: fix inefficient directory caching when directory reads are slow
* docs: update fuse version in docker docs
* fs/config: Read configuration passwords from stdin even when terminated with EOF - fixes #8480
* cmd/gitannex: Reject unknown layout modes in INITREMOTE
* cmd/gitannex: Add configparse.go and refactor
* cmd/gitannex: Permit remotes with options
* serve ftp: add serve rc interface
* serve sftp: add serve rc interface
* serve restic: add serve rc interface
* serve s3: add serve rc interface
* serve dlna: add serve rc interface
* serve webdav: add serve rc interface - fixes #4505
* serve http: add serve rc interface
* serve nfs: add serve rc interface
* serve: Add rc control for serve commands #4505
* configstruct: add SetAny to parse config from the rc
* rc: In options/info make FieldName contain a "." if it should be nested
* serve restic: convert options to new style
* serve s3: convert options to new style
* serve http: convert options to new style
* serve webdav: convert options to new style
* auth proxy: convert options to new style
* auth proxy: add VFS options parameter for use for default VFS
* serve: make the servers self registering
* lib/http: fix race between Serve() and Shutdown()
* lib/http: add Addr() method to return the first configured server address
* Add Danny Garside to contributors
* docs: fix minor typo in box docs
* sync: implement --list-cutoff to allow on disk sorting for reduced memory use
* march: Implement callback based syncing
* list: add ListDirSortedFn for callback oriented directory listing
* list: Implement Sorter to sort directory entries
* cache: mark ListP as not supported yet
* hasher: implement ListP interface
* compress: implement ListP interface
* chunker: mark ListP as not supported yet
* union: mark ListP as not supported yet
* crypt: implement ListP interface
* combine: implement ListP interface
* s3: Implement paged listing interface ListP
* list: add WithListP helper to implement List for ListP backends
* walk: move NewListRHelper into list.Helper to avoid circular dependency
* fs: define ListP interface for paged listing #4788
* accounting: Add listed stat for number of directory entries listed
* walk: factor Listing helpers into their own file and add tests
* serve nfs: make metadata files have special file handles
* serve nfs: change the format of --nfs-cache-type symlink file handles
* vfs: add --vfs-metadata-extension to expose metadata sidecar files
* docs: Add rcloneui.com as Silver Sponsor
* Add Klaas Freitag to contributors
* Add eccoisle to contributors
* Add Fernando Fernndez to contributors
* Add alingse to contributors
* Add Jrn Friedrich Dreyer to contributors
* docs: replace option --auto-filename-header with --header-filename
* build: update github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2 to fix CVE-2025-30204
* docs/googlephotos: fix typos
* build: bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2
* operations: fix call fmt.Errorf with wrong err
* webdav: retry propfind on 425 status
* Add --max-connections to control maximum backend concurrency
* rc: fix debug/* commands not being available over unix sockets
* cmd/gitannex: Prevent tests from hanging when assertion fails
* cmd/gitannex: Add explicit timeout for mock stdout reads in tests
* http: correct root if definitely pointing to a file - fixes #8428
* pool: add --max-buffer-memory to limit total buffer memory usage
* filter: Add `--hash-filter` to deterministically select a subset of files
* build: update golang.org/x/net to 0.36.0. to fix CVE-2025-22869
* rc: add add short parameter to core/stats to not return transferring and checking
* fs: fix corruption of SizeSuffix with "B" suffix in config (eg --min-size)
* filters: show --min-size and --max-size in --dump filters
* build: check docs for edits of autogenerated sections
* Add jack to contributors
* docs: fix incorrect mentions of vfs-cache-min-free-size
* fs/object: fix memory object out of bounds Seek
* serve nfs: fix unlikely crash
* docs: update minimum OS requirements for go1.24
* cmd/gitannex: Tweak parsing of "rcloneremotename" config
* cmd/gitannex: Drop var rebindings now that we have go1.23
* docs: add note for using rclone cat for slicing out a byte range from a file
* rcserver: improve content-type check
* build: modernize Go usage
* build: update all dependencies and fix deprecations
* build: update golang.org/x/crypto to v0.35.0 to fix CVE-2025-22869
* build: make go1.23 the minimum go version
* cmd/gitannex: Add to integration tests
* cmd/gitannex: Simplify verbose failures in tests
* cmd/gitannex: Port unit tests to fstest
* vfs: fix integration test failures
* azureblob: fix errors not being retried when doing single part copy
* azureblob: handle retry error codes more carefully
* touch: make touch obey --transfers
* Add luzpaz to contributors
* Add Dave Vasilevsky to contributors
* docs: fix various typos Found via
* dropbox: Retry link without expiry
* Dropbox: Support Dropbox Paper
* chore: update contributor email
* docs: correct stable release workflow
* Add Lorenz Brun to contributors
* Add Michael Kebe to contributors
* vfs: fix directory cache serving stale data
* build: fix docker plugin build - fixes #8394
* docs: improved sftp limitations
* Changelog updates from Version v1.69.1
* docs: add FileLu as sponsors and tidy sponsor logos
* accounting: fix percentDiff calculation -- fixes #8345
* vfs: fix the cache failing to upload symlinks when --links was specified
* Add jbagwell-akamai to contributors
* Add ll3006 to contributors
* doc: add note on concurrency of rclone purge
* s3: add latest Linode Object Storage endpoints
* cmd: fix crash if rclone is invoked without any arguments - Fixes #8378
* build: disable docker builds on PRs & add missing dockerfile changes
* sync: copy dir modtimes even when copyEmptySrcDirs is false - fixes #8317
* sync: add tests to check dir modtimes are kept when syncing
* fix golangci-lint errors
* bisync: fix false positive on integration tests
* s3: split the GCS quirks into -s3-use-x-id and -s3-sign-accept-encoding #8373
* Add Joel K Biju to contributors
* stats: fix the speed not getting updated after a pause in the processing
* opendrive: added --opendrive-access flag to handle permissions
* bisync: fix listings missing concurrent modifications - fixes #8359
* Added parallel docker builds and caching for go build in the container
* smb: improve connection pooling efficiency
* lib/oauthutil: fix redirect URL mismatch errors - fixes #8351
* b2: fix "fatal error: concurrent map writes" - fixes #8355
* Add Alexander Minbaev to contributors
* Add Zachary Vorhies to contributors
* Add Jess to contributors
* s3: add IBM IAM signer - fixes #7617
* serve nfs: update docs to note Windows is not supported - fixes #8352
* cmd/config(update remote): introduce --no-output option
* s3: add DigitalOcean regions SFO2, LON1, TOR1, BLR1
* sync: fix cpu spinning when empty directory finding with leading slashes
* s3: fix handling of objects with // in #5858
* azureblob: fix handling of objects with // in #5858
* fstest: add integration tests objects with // on bucket based backends #5858
* fs/list: tweak directory listing assertions after allowing // names
* lib/bucket: fix tidying of // in object keys #5858
* lib/bucket: add IsAllSlashes function
* azureblob: remove uncommitted blocks on InvalidBlobOrBlock error
* azureblob: implement multipart server side copy
* azureblob: speed up server side copies for small files #8249
* azureblob: cleanup uncommitted blocks on upload errors
* azureblob: factor readMetaData into readMetaDataAlways returning blob properties
* Add b-wimmer to contributors
* azurefiles: add --azurefiles-use-az and --azurefiles-disable-instance-discovery
* onedrive: mark German (de) region as deprecated
* Add Trevor Starick to contributors
* Add hiddenmarten to contributors
* Add Corentin Barreau to contributors
* Add Bruno Fernandes to contributors
* Add Moises Lima to contributors
* Add izouxv to contributors
* Add Robin Schneider to contributors
* Add Tim White to contributors
* Add Christoph Berger to contributors
* azureblob: add support for `x-ms-tags` header
* rc: disable the metrics server when running `rclone rc`
* internetarchive: add --internetarchive-metadata="key=value" for setting item metadata
* lib/batcher: Deprecate unused option: batch_commit_timeout
* s3: Added new storage class to magalu provider
* http servers: add --user-from-header to use for authentication
* b2: add SkipDestructive handling to backend commands - fixes #8194
* vfs: close the change notify channel on Shutdown
* Docker image: Add label org.opencontainers.image.source for release notes in Renovate dependency updates
* docs: add OneDrive Impersonate instructions - fixes #5610
* docs: explain the stringArray flag parameter descriptor
* iclouddrive: add notes on ADP and Missing PCS cookies - fixes #8310
* docs: fix typos found by codespell in docs and code comments
* fs: fix confusing "didn't find section in config file" error
* vfs: fix race detected by race detector
* Add Jonathan Giannuzzi to contributors
* Add Spencer McCullough to contributors
* Add Matt Ickstadt to contributors
* smb: add support for kerberos authentication
* drive: added `backend moveid` command
* docs: fix reference to serves3 setting disable_multipart_uploads which was renamed
* docs: fix link to Rclone Serve S3
* serve s3: fix list objects encoding-type
* build: update gopkg.in/yaml.v2 to v3
* build: update all dependencies
* bisync: fix go vet problems with go1.24
* build: update to go1.24rc1 and make go1.22 the minimum required version
* version: add --deps flag to show dependencies and other build info
* doc: make man page well formed for whatis - fixes #7430
* Start v1.70.0-DEV development
- Install completion files in the right place.
- Update to version 1.69.3:
* build: update github.com/ebitengine/purego to work around bug in go1.24.3
* build: reapply update github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2 to fix CVE-2025-30204
- Update to version 1.69.2:
- Bug fixes
- accounting: Fix percentDiff calculation -- (Anagh Kumar
Baranwal)
- build
- Update github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 to
fix CVE-2025-30204 (dependabot[bot])
- Update github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2 to
fix CVE-2025-30204 (dependabot[bot])
- Update golang.org/x/crypto to v0.35.0 to fix CVE-2025-22869
(Nick Craig-Wood)
- Update golang.org/x/net from 0.36.0 to 0.38.0 to fix
CVE-2025-22870 (dependabot[bot])
- Update golang.org/x/net to 0.36.0. to fix CVE-2025-22869
(dependabot[bot])
- Stop building with go < go1.23 as security updates forbade
it (Nick Craig-Wood)
- Fix docker plugin build (Anagh Kumar Baranwal)
- cmd: Fix crash if rclone is invoked without any arguments
(Janne Hellsten)
- config: Read configuration passwords from stdin even when
terminated with EOF (Samantha Bowen)
- doc fixes (Andrew Kreimer, Danny Garside, eccoisle, Ed
Craig-Wood, emyarod, jack, Jugal Kishore, Markus Gerstel,
Michael Kebe, Nick Craig-Wood, simonmcnair, simwai, Zachary
Vorhies)
- fs: Fix corruption of SizeSuffix with "B" suffix in config
(eg --min-size) (Nick Craig-Wood)
- lib/http: Fix race between Serve() and Shutdown() (Nick
Craig-Wood)
- object: Fix memory object out of bounds Seek (Nick
Craig-Wood)
- operations: Fix call fmt.Errorf with wrong err (alingse)
- rc
- Disable the metrics server when running rclone rc
(hiddenmarten)
- Fix debug/* commands not being available over unix sockets
(Nick Craig-Wood)
- serve nfs: Fix unlikely crash (Nick Craig-Wood)
- stats: Fix the speed not getting updated after a pause in the
processing (Anagh Kumar Baranwal)
- sync
- Fix cpu spinning when empty directory finding with leading
slashes (Nick Craig-Wood)
- Copy dir modtimes even when copyEmptySrcDirs is false
(ll3006)
- vfs
- Fix directory cache serving stale data (Lorenz Brun)
- Fix inefficient directory caching when directory reads are
slow (huanghaojun)
- Fix integration test failures (Nick Craig-Wood)
- Drive
- Metadata: fix error when setting
copy-requires-writer-permission on a folder (Nick Craig-Wood)
- Dropbox
- Retry link without expiry (Dave Vasilevsky)
- HTTP
- Correct root if definitely pointing to a file (nielash)
- Iclouddrive
- Fix so created files are writable (Ben Alex)
- Onedrive
- Fix metadata ordering in permissions (Nick Craig-Wood)
- Update to version 1.69.1:
* Version v1.69.1
* build: disable docker builds on PRs & add missing dockerfile changes
* Added parallel docker builds and caching for go build in the container
* docs: add FileLu as sponsors and tidy sponsor logos
* vfs: fix the cache failing to upload symlinks when --links was specified
* doc: add note on concurrency of rclone purge
* s3: add latest Linode Object Storage endpoints
* fix golangci-lint errors
* bisync: fix listings missing concurrent modifications - fixes #8359
* lib/oauthutil: fix redirect URL mismatch errors - fixes #8351
* b2: fix "fatal error: concurrent map writes" - fixes #8355
* serve nfs: update docs to note Windows is not supported - fixes #8352
* s3: add DigitalOcean regions SFO2, LON1, TOR1, BLR1
* onedrive: mark German (de) region as deprecated
* s3: Added new storage class to magalu provider
* vfs: close the change notify channel on Shutdown
* docs: add OneDrive Impersonate instructions - fixes #5610
* docs: explain the stringArray flag parameter descriptor
* iclouddrive: add notes on ADP and Missing PCS cookies - fixes #8310
* docs: fix typos found by codespell in docs and code comments
* fs: fix confusing "didn't find section in config file" error
* vfs: fix race detected by race detector
* docs: fix reference to serves3 setting disable_multipart_uploads which was renamed
* docs: fix link to Rclone Serve S3
* serve s3: fix list objects encoding-type
* doc: make man page well formed for whatis - fixes #7430
* Start v1.69.1-DEV development
- Update to version 1.69.0:
https://rclone.org/changelog/#v1-69-0-2025-01-12
Rclone is using golang.org/x/net but was not affected to
CVE-2024-45337 and CVE-2024-45338.
* Version v1.69.0
* test_all: disable docker plugin tests
* docs: fix typo
* accounting: fix race stopping/starting the stats counter
* docs: add github.com/icholy/gomajor to RELEASE for updating major versions
* ftp: fix ls commands returning empty on "Microsoft FTP Service" servers
* s3: add docs on data integrity
* webdav: make --webdav-auth-redirect to fix 401 unauthorized on redirect
* rest: make auth preserving redirects an option
* box: fix panic when decoding corrupted PEM from JWT file
* size: make output compatible with -P
* vfs: add remote name to vfs cache log messages - fixes #7952
* dropbox: fix return status when full to be fatal error
* rc: add relative to vfs/queue-set-expiry
* vfs: fix open files disappearing from directory listings
* docker serve: parse all remaining mount and VFS options
* smb: fix panic if stat fails
* googlephotos: fix nil pointer crash on upload - fixes #8233
* iclouddrive: tweak docs
* serve dlna: sort the directory entries by directories first then alphabetically by name
* serve nfs: fix missing inode numbers which was messing up ls -laR
* serve nfs: implement --nfs-cache-type symlink
* azureblob,oracleobjectstorage,s3: quit multipart uploads if the context is cancelled
* http: fix incorrect URLs with initial slash
* build: update `github.com/shirou/gopsutil` to v4
* Replace Windows-specific NewLazyDLL with NewLazySystemDLL
* lib/oauthutil: don't require token to exist for client credentials flow
* fs/operations: make log messages consistent for mkdir/rmdir at INFO level
* Add Francesco Frassinelli to contributors
* smb: Add support for Kerberos authentication.
* docs: smb: link to CloudSoda/go-smb2 fork
* cloudinary: add cloudinary backend - fixes #7989
* operations: fix eventual consistency in TestParseSumFile test
* Add TAKEI Yuya to contributors
* docs: Remove Backblaze as a Platinum sponsor
* docs: add RcloneView as silver sponsor
* serve docker: fix incorrect GID assignment
* serve s3: fix Last-Modified timestamp
* Add ToM to contributors
* Add Henry Lee to contributors
* Add Louis Laureys to contributors
* docs: filtering: mention feeding --files-from from standard input
* docs: filtering: fix --include-from copypaste error
* s3: rename glacier storage class to flexible retrieval
* b2: add daysFromStartingToCancelingUnfinishedLargeFiles to backend lifecycle command
* build: update golang.org/x/net to v0.33.0 to fix CVE-2024-45338
* azurefiles: fix missing x-ms-file-request-intent header
* Add Thomas ten Cate to contributors
* docs: Document --url and --unix-socket on the rc page
* docs: link to the outstanding vfs symlinks issue
* Add Yxxx to contributors
* Add hayden.pan to contributors
* docs: update pcloud doc to avoid puzzling token error when use remote rclone authorize
* pikpak: add option to use original file links - fixes #8246
* rc/job: use mutex for adding listeners thread safety
* docs: mention in serve tls options when value is path to file - fixes #8232
* build: update all dependencies
* accounting: fix debug printing when debug wasn't set
* Add Filipe Azevedo to contributors
* fs: make --links flag global and add new --local-links and --vfs-links flag
* vfs: add docs for -l/--links flag
* nfsmount,serve nfs: introduce symlink support #2975
* mount2: introduce symlink support #2975
* mount: introduce symlink support #2975
* cmount: introduce symlink support #2975
* vfstest: make VFS test suite support symlinks
* vfs: add symlink support to VFS
* vfs: add ELOOP error
* vfs: Add link permissions
* vfs: Add VFS --links command line switch
* vfs: add vfs.WriteFile to match os.WriteFile
* fs: Move link suffix to fs
* cmount: fix problems noticed by linter
* mount2: Fix missing . and .. entries
* sftp: fix nil check when using auth proxy
* Add Martin Hassack to contributors
* serve sftp: resolve CVE-2024-45337
* googlecloudstorage: typo fix in docs
* onedrive: add support for OAuth client credential flow - fixes #6197
* lib/oauthutil: add support for OAuth client credential flow
* lib/oauthutil: return error messages from the oauth process better
* bin/test_backend_sizes.py fix compile flags and s3 reporting
* test makefiles: add --flat flag for making directories with many entries
* Add divinity76 to contributors
* Add Ilias Ozgur Can Leonard to contributors
* Add remygrandin to contributors
* Add Michael R. Davis to contributors
* cmd/mountlib: better snap mount error message
* vfs: with --vfs-used-is-size value is calculated and then thrown away - fixes #8220
* serve sftp: fix loading of authorized keys file with comment on last line - fixes #8227
* oracleobjectstorage: make specifying compartmentid optional
* plcoud: fix failing large file uploads - fixes #8147
* docs: add docker volume plugin troubleshooting steps
* docs: fix missing `state` parameter in `/auth` link in instructions
* build: fix build failure on ubuntu
* docs: upgrade fontawesome to v6
* s3: fix multitenant multipart uploads with CEPH
* Add David Seifert to contributors
* Add vintagefuture to contributors
* use better docs
* googlecloudstorage: update docs on service account access tokens
* test_all: POSIX head/tail invocations
* icloud: Added note about app specific password not working
* s3: fix download of compressed files from Cloudflare R2 - fixes #8137
* s3: fix testing tiers which don't exist except on AWS
* Changelog updates from Version v1.68.2
* local: fix permission and ownership on symlinks with --links and --metadata
* Revert "Merge commit from fork"
* Add Dimitrios Slamaris to contributors
* Merge commit from fork
* onedrive: fix integration tests after precision change
* operations: fix TestRemoveExisting on crypt backends by shortening the file name
* bisync: fix output capture restoring the wrong output for logrus
* serve sftp: update github.com/pkg/sftp to v1.13.7 and fix deadlock in tests
* build: fix comments after golangci-lint upgrade
* build: update all dependencies
* build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1
* pikpak: fix fatal crash on startup with token that can't be refreshed
* yandex: fix server side copying over existing object
* sugarsync: fix server side copying over existing object
* putio: fix server side copying over existing object
* onedrive: fix server side copying over existing object
* dropbox: fix server side copying over existing object
* operations: add RemoveExisting to safely remove an existing file
* gofile: fix server side copying over existing object
* test_all: try to fix mailru rate limits in integration tests
* Add shenpengfeng to contributors
* Add Dimitar Ivanov to contributors
* docs: fix function name in comment
* sftp: allow inline ssh public certificate for sftp
* serve s3: fix excess locking which was making serve s3 single threaded
* lib/oauthutil: allow the browser opening function to be overridden
* Add Moises Lima to contributors
* lib/http: disable automatic authentication skipping for unix sockets
* onedrive: fix Retry-After handling to look at 503 errors also
* s3: Storj provider: fix server-side copy of files bigger than 5GB
* s3: add Selectel as a provider
* fs: fix Don't know how to set key "chunkSize" on upload errors in tests
* drive: implement rclone backend rescue to rescue orphaned files
* Add tgfisher to contributors
* Add Diego Monti to contributors
* Add Randy Bush to contributors
* Add Alexandre Hamez to contributors
* Add Simon Bos to contributors
* docs: mention that inline comments are not supported in a filter-file
* s3: add Wasabi eu-south-1 region
* docs: fix forward refs in step 9 of using your own client id
* docs: fix Scaleway Glacier website URL
* dlna: fix loggingResponseWriter disregarding log level
* build: remove required property on boolean inputs
* build: use inputs context in github workflow
* s3: fix crash when using --s3-download-url after migration to SDKv2
* docs: update overview to show pcloud can set modtime
* Add Andr Tran to contributors
* Add Matthias Gatto to contributors
* Add lostb1t to contributors
* Add Noam Ross to contributors
* Add Benjamin Legrand to contributors
* s3: add Outscale provider
* Add ICloud Drive backend
* drive: add support for markdown format
* accounting: fix global error acounting
* onedrive: fix time precision for OneDrive personal
* Add RcloneView as a sponsor
* Add Leandro Piccilli to contributors
* cache: skip bisync tests
* bisync: allow blank hashes on tests
* box: fix server-side copying a file over existing dst - fixes #3511
* sync: add tests for copying/moving a file over itself
* fs/cache: fix parent not getting pinned when remote is a file
* gcs: add access token auth with --gcs-access-token
* accounting: write the current bwlimit to the log on SIGUSR2
* accounting: fix wrong message on SIGUSR2 to enable/disable bwlimit
* gphotos: implment --gphotos-proxy to allow download of full resolution media
* googlephotos: remove noisy debugging statements
* docs: add note to CONTRIBUTING that the overview needs editing in 2 places
* test_all: add ignoretests parameter for skipping certain tests
* build: replace "golang.org/x/exp/slices" with "slices" now go1.21 is required
* Changelog updates from Version v1.68.1
* Makefile: Fail when doc recipes create dir named '$HOME'
* Makefile: Prevent `doc` recipe from creating dir named '$HOME'
* pikpak: fix cid/gcid calculations for fs.OverrideRemote
* bisync: change exit code from 2 to 7 for critically aborted run
* cmd: change exit code from 1 to 2 for syntax and usage errors
* local: fix --copy-links on macOS when cloning
* azureblob: add --azureblob-use-az to force the use of the Azure CLI for auth
* azureblob: add --azureblob-disable-instance-discovery
* s3: add initial --s3-directory-bucket to support AWS Directory Buckets
* Add Lawrence Murray to contributors
* backend/protondrive: improve performance of Proton Drive backend
* ftp: implement --ftp-no-check-upload to allow upload to write only dirs
* docs: document that fusermount3 may be needed when mounting/unmounting
* Add rishi.sridhar to contributors
* Add quiescens to contributors
* docs/zoho: update options
* zoho: make upload cutoff configurable
* zoho: add support for private spaces
* zoho: try to handle rate limits a bit better
* zoho: print clear error message when missing oauth scope
* zoho: switch to large file upload API for larger files, fix missing URL encoding of filenames for the upload API
* zoho: use download server to accelerate downloads
* opendrive: add about support to backend
* pikpak: fix login issue where token retrieval fails
* webdav: nextcloud: implement backoff and retry for 423 LOCKED errors
* s3: fix rclone ignoring static credentials when env_auth=true
* fs: fix setting stringArray config values from environment variables
* rc: fix default value of --metrics-addr
* fs: fix --dump filters not always appearing
* docs: correct notes on docker manual build
* Add ttionya to contributors
* build: fix docker release build - fixes #8062
* docs: add section for improving performance for s3
* onedrive: fix spurious "Couldn't decode error response: EOF" DEBUG
* Add Divyam to contributors
* serve docker: add missing vfs-read-chunk-streams option in docker volume driver
* Start v1.69.0-DEV development
- Update to version 1.68.2:
* Version v1.68.2
* s3: fix multitenant multipart uploads with CEPH
* local: fix permission and ownership on symlinks with --links and --metadata
CVE-2024-52522 boo#1233422
* bisync: fix output capture restoring the wrong output for logrus
* build: fix comments after golangci-lint upgrade
* build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1
* pikpak: fix fatal crash on startup with token that can't be refreshed
* serve s3: fix excess locking which was making serve s3 single threaded
* onedrive: fix Retry-After handling to look at 503 errors also
* s3: Storj provider: fix server-side copy of files bigger than 5GB
* docs: mention that inline comments are not supported in a filter-file
* docs: fix forward refs in step 9 of using your own client id
* docs: fix Scaleway Glacier website URL
* dlna: fix loggingResponseWriter disregarding log level
* s3: fix crash when using --s3-download-url after migration to SDKv2
* docs: update overview to show pcloud can set modtime
* Add RcloneView as a sponsor
* accounting: fix wrong message on SIGUSR2 to enable/disable bwlimit
* pikpak: fix cid/gcid calculations for fs.OverrideRemote
* local: fix --copy-links on macOS when cloning
* Start v1.68.2-DEV development
- CVE-2024-51744: updated jwt to v4.5.1 (bsc#1232964).
Patchnames: openSUSE-Leap-16.0-packagehub-213
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.1 (High)
Affected products
Recommended
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
5.9 (Medium)
Affected products
Recommended
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
Affected products
Recommended
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
Affected products
Recommended
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
4.4 (Medium)
Affected products
Recommended
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
5.3 (Medium)
Affected products
Recommended
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
7.4 (High)
Affected products
Recommended
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
9.8 (Critical)
Affected products
Recommended
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch | — |
Vendor Fix
|
Threats
Impact
critical
7.5 (High)
Affected products
Recommended
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
Affected products
Recommended
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
References
47 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for rclone",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for rclone fixes the following issues:\n\nChanges in rclone:\n\n- Update to version 1.73.5:\n * Version v1.73.5\n * operations: add AuthRequired to operations/fsinfo to prevent backend creation CVE-2026-41179\n * rc: snapshot NoAuth at startup to prevent runtime auth bypass CVE-2026-41176\n * rc: add AuthRequired to options/set to prevent auth bypass CVE-2026-41176\n * s3: fix empty delimiter parameter rejected by Archiware P5 server\n * azureblob/auth: add Microsoft Partner Network User-Agent prefix\n * drime: fix User.EntryPermissions JSON unmarshalling\n * filter: fix debug logs that fire before logger is configured - fixes #9291\n * s3: fix TencentCOS CDN endpoint failing on bucket check\n * iclouddrive: fix \u0027directory not found\u0027 error when the directory contains accent marks\n * Start v1.73.5-DEV development\n\n- Update to version 1.73.4:\n * Version v1.73.4\n * Update to go 1.25.9 to fix multiple CVEs\n * build: fix Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder\n * docs: fix markdown issues in mount docs\n * docs: fix header level for metadata option\n * fix(docs): Fix link to not be language specific\n * filen: update SDK version\n * build(deps): bump golang.org/x/image from 0.36.0 to 0.38.0\n * docs: note macOS 10.15 (Catalina) support with version v1.70.3\n * Start v1.73.4-DEV development\n\n- Update to version 1.73.3: (CVE-2026-33186 GHSA-6g7g-w4f8-9c9x)\n * Version v1.73.3\n * build(deps): bump github.com/buger/jsonparser from 1.1.1 to 1.1.2\n * docs/jottacloud: fix broken link\n * docs: clarify Filen password change requires updating both password and API key in rclone config\n * docs: note that Filen API key changes on password change\n * build(deps): bump google.golang.org/grpc from 1.79.1 to 1.79.3\n * s3: add multi tenant support for Cubbit\n * lib/rest: fix URLPathEscapeAll breaking WebDAV servers (eg nzbdav) with strict path matching\n * list: fix nil pointer panic in Sorter when temp file creation fails\n * docs: update RELEASE procedure to avoid mistakes\n * docs: added text to the label showing version-introduced info\n * Start v1.73.3-DEV development\n * docs: update sponsors\n\n- Update to version 1.73.2:\n * Version v1.73.2\n * Update to go 1.25.8 to fix multiple CVEs\n * build: update to golang.org/x/net v0.51.0 to fix CVE-2026-27141 #9220\n * docs: fix new drive flag typo in changelog\n * webdav: add missing headers for CORS\n * docs: Document unsupported S3 object keys with double slashes\n * docs: note that --use-server-modtime only works on some backends\n * internxt: fix Entry doesn\u0027t belong in directory errors on windows\n * drime: fix chunk-uploaded files ignoring workspace ID\n * docs: Fix headers hierarchy for mount.md\n * webdav: escape reserved characters in URL path segments\n * bisync: add group Sync to the bisync command\n * archive: extract: strip \"./\" prefix from tar entry paths\n * docs: add instructions on how to update Go version\n * buid: update github.com/cloudflare/circl to v1.6.3 to fix CVE-2026-1229\n * Start v1.73.2-DEV development\n\n- Update to version 1.73.1:\n * Version v1.73.1\n * build: fix build using go 1.26.0 instead of go 1.25.7\n * fs/march: fix runtime: program exceeds 10000-thread limit\n * accounting: fix missing server side stats from core/stats rc\n * pacer: re-read the sleep time as it may be stale\n * pacer: fix deadlock between pacer token and --max-connections\n * build: fix CVE-2025-68121 by updating go to 1.25.7 or later - fixes #9167\n * drime: fix files and directories being created in the default workspace\n * docs: update sponsors\n * copyurl: Extend copyurl docs with an example of CSV FILENAMEs starting with a path.\n * internxt: implement re-login under refresh logic, improve retry logic - fixes #9174\n * docs: add ExchangeRate-API as a sponsor\n * build: bump github.com/go-chi/chi/v5 from 5.2.3 to 5.2.5 to fix GO-2026-4316\n * Set list_version to 2 for FileLu S3 configuration\n * filelu: add multipart upload support with configurable cutoff\n * filelu: add multipart init response type\n * filelu: add comment for response body wrapping\n * filelu: avoid buffering entire file in memory\n * docs: update sponsor logos\n * filen: fix potential panic in case of error during upload\n * filen: fix 32 bit targets not being able to list directories Fixes #9142\n * Start v1.73.1-DEV development\n\n- Update to version 1.73.0:\n * Version v1.73.0\n * drive: fix crash when trying to creating shortcut to a Google doc\n * azureblob,azurefiles: factor the common auth into a library\n * test: allow backends to return fs.ErrorCantListRoot to skip Root tests\n * build: add privatebeta Makefile target\n * docs: add Internxt as a sponsor\n * internxt: remove use of CVE laden github.com/disintegration/imaging\n * docs: fix Internxt docs after merge\n * docs: update making a new backend docs\n * docs: build overview page from the backend data\n * docs: add tiering to the documentation - fixes #8873\n * docs: add data about each backend in YAML format\n * docs: add bin/manage_backends.py for managing the backend data files\n * internxt: use rclone\u0027s http.Client to enable more features\n * internxt: fix lint problems\n * Add StarHack to contributors\n * Add lullius to contributors\n * Add jzunigax2 to contributors\n * internxt: add Internxt backend - fixes #7610\n * drive: add --drive-metadata-force-expansive-access flag - Fixes #8980\n * test_all: allow drime more time to complete\n * onedrive: fix permissions on onedrive Personal\n * onedrive: fix require sign in for Onedrive Personal\n * onedrive: Onedrive Personal no longer supports description\n * onedrive: fix setting modification time on directories for onedrive Personal\n * onedrive: fix cancelling multipart upload\n * docs: fix WinFsp link in mount documentation\n * cmount: make work under OpenBSD - fixes #1727\n * vfs: make mount tests run on OpenBSD\n * docs: improve alignment of icons\n * protondrive: update to use forks of upstream modules\n * Add hyusap to contributors\n * Add Nick Owens to contributors\n * Add Mikel Olasagasti Uranga to contributors\n * docs: fix googlephotos custom client_id instructions\n * cmount: fix OpenBSD mount support.\n * fs: fix bwlimit: correctly report minutes\n * fs: fix bwlimit: use %d instead of %q for ints\n * mega: reverts TLS workaround\n * docs: fix formatting\n * docs: add faq entry about re-enabling old TLS ciphers\n * Add Marc-Philip to contributors\n * Add yy to contributors\n * filen: swap to blake3 hashes\n * docs: fix echo command syntax for password input\n * docs: fix typos in comments and messages\n * docs: fix use of removed rem macro\n * uptobox: remove backend as service is no longer available\n * rc: add operations/hashsumfile to sum a single file only\n * docs: update sponsor link\n * filen: add Filen backend - Fixes #6728\n * sftp: fix proxy initialisation\n * fstest: skip Copy mutation test with --sftp-copy-is-hardlink\n * fstest: Make Copy mutation test work properly\n * Add Qingwei Li to contributors\n * Add Nicolas Dessart to contributors\n * log: fix systemd adding extra newline - fixes #9086\n * oracleobjectstorage, sftp: eliminate unnecessary heap allocation\n * sftp,ftp: add http proxy authentication support\n * Add Drime backend\n * lib/rest: add opts.MultipartContentType to explicitly set Content-Type of attachements\n * dircache: allow empty string as root parent id\n * docs: update sponsors\n * s3: add provider Bizfly Cloud Simple Storage\n * docs: update sponsor logos\n * Add sys6101 to contributors\n * Add darkdragon-001 to contributors\n * Add vupn0712 to contributors\n * docs: add cloudinary to readme\n * docs: fix headers hierarchy in mount docs\n * s3: fix Copy ignoring storage class\n * serve s3: make errors in --s3-auth-key fatal - fixes #9044\n * Add masrlinu to contributors\n * pcloud: add support for real-time updates in mount\n * memory: add --memory-discard flag for speed testing - fixes #9037\n * Add vyv03354 to contributors\n * shade: Fix VFS test issues\n * docs: mention use of ListR feature in ls docs\n * build: bump actions/download-artifact from 6 to 7\n * build: bump actions/upload-artifact from 5 to 6\n * build: bump actions/cache from 4 to 5\n * docs: reflects the fact that pCloud supports ListR\n * S3: Linode: updated endpoints to use ISO 3166-1 alpha-2 standard\n * sync: fix error propagation in tests (#9025)\n * Changelog updates from Version v1.72.1\n * s3: add more regions for Selectel\n * Add jhasse-shade to contributors\n * Add Shade backend\n * log: fix backtrace not going to the --log-file #9014\n * build: fix lint warning after linter upgrade\n * Add Jonas Tingeborn to contributors\n * Add Tingsong Xu to contributors\n * configfile: add piped config support - fixes #9012\n * fs/log: fix PID not included in JSON log output\n * build: adjust lint rules to exclude new errors from linter update\n * proxy: fix error handling in tests spotted by the linter\n * Add Johannes Rothe to contributors\n * Add Leo to contributors\n * Add Vladislav Tropnikov to contributors\n * Add Cliff Frey to contributors\n * Add vicerace to contributors\n * b2: Fix listing root buckets with unrestricted API key\n * googlecloudstorage: improve endpoint parameter docs\n * serve webdav: implement download-directory-as-zip\n * s3: The ability to specify an IAM role for cross-account interaction\n * azureblob: add metadata and tags support across upload and copy paths\n * refactor: use strings.Cut to simplify code\n * docs: note where a provider has an S3 compatible alternative\n * Add Shade as sponsor\n * Add Duncan Smart to contributors\n * Add Diana to contributors\n * docs: Clarify OAuth scopes for readonly Google Drive access\n * b2: support authentication with new bucket restricted application keys\n * docs: update sponsor logos\n * docs: fix lint error in changelog\n * Start v1.73.0-DEV development\n\n- Update to version 1.72.1:\n * Version v1.72.1\n * s3: add more regions for Selectel\n * log: fix backtrace not going to the --log-file #9014\n * build: fix lint warning after linter upgrade\n * configfile: add piped config support - fixes #9012\n * fs/log: fix PID not included in JSON log output\n * build: adjust lint rules to exclude new errors from linter update\n * proxy: fix error handling in tests spotted by the linter\n * googlecloudstorage: improve endpoint parameter docs\n * docs: note where a provider has an S3 compatible alternative\n * Add Shade as sponsor\n * docs: Clarify OAuth scopes for readonly Google Drive access\n * docs: update sponsor logos\n * docs: fix lint error in changelog\n * Start v1.72.1-DEV development\n\n- Update to version 1.72.0:\n * Version v1.72.0\n * rc: fix formatting in job/batch\n * test speed: fix formatting of help\n * docs: update sponsor logos\n * build: bump actions/checkout from 5 to 6\n * s3: add multi-part-upload support for If-Match and If-None-Match\n * rc: config/unlock: rename parameter to `configPassword` accept old as well\n * rc: correct names of parameters in job/list output\n * Add Nikolay Kiryanov to contributors\n * rc: add `executeId` to job statuses - fixes #8972\n * build: bump golang.org/x/crypto from 0.43.0 to 0.45.0 to fix CVE-2025-58181\n * s3: fix single file copying behavior with low permission - Fixes #8975\n * docs: onedrive: note how to backup up any user\u0027s data\n * Add Dominik Sander to contributors\n * Add jijamik to contributors\n * box: allow to configure with config file contents\n * http: add basic metadata and provide it via serve\n * ftp: fix transfers from servers that return 250 ok messages\n * b2: allow individual old versions to be deleted with --b2-versions - fixes #1626\n * build: fix tls: failed to verify certificate: x509: negative serial number\n * Add Sean Turner to contributors\n * s3: add support for --upload-header If-Match and If-None-Match\n * fix: comment typos\n * dropbox: fix error moving just created objects - fixes #8881\n * s3: add --s3-use-data-integrity-protections to fix BadDigest error in Alibaba, Tencent\n * rc: make sure fatal errors don\u0027t crash rclone - fixes #8955\n * pacer: factor call stack searching into its own package\n * rc: add osVersion, osKernel and osArch to core/version\n * build: update all dependencies\n * build(deps): bump golangci/golangci-lint-action from 8 to 9\n * webdav: fix out of memory with sharepoint-ntlm when uploading large file\n * testserver: fix owncloud test server startup\n * Add aliaj1 to contributors\n * ulozto: Fix downloads returning HTML error page\n * docs: adjust spectra logic example endpoint name\n * docs: update version introduced to v1.70 in doi docs\n * testserver: fix HDFS server after run.bash adjustments\n * testserver: remind developers about allocating a port\n * testserver: make run.bash variables less likely to collide with scripts\n * testserver: fix seafile servers messing up _connect string\n * testserver: make sure TestWebdavInfiniteScale uses an assigned port\n * testserver: make sure we don\u0027t overwrite the NAME variable set\n * Add n4n5 to contributors\n * Add Alex to contributors\n * Add Copilot to contributors\n * docs: update contributing docs regarding backend documentation\n * rc: add jobs stats\n * docs: fix alignment of some of the icons in the storage system dropdown\n * docs: run markdownlint on _index.md\n * docs: fix markdownlint issues and other styling improvements in backend command docs\n * docs: fix markdownlint issue md046/code-block-style in backend command docs\n * docs: fix missing punctuation in backend commands short description\n * docs: fix markdownlint issues in backend command generated output\n * build: improve backend docs autogenerated marker line\n * backend/compress: add zstd compression\n * sftp: fix zombie SSH processes with --sftp-ssh - Fixes #8929\n * testserver: fix tests failing due to stopped servers\n * docs: add new integration tester site link\n * docs: update the method for running integration tests\n * bisync: fix failing tests\n * Add SublimePeace to contributors\n * b2: fix \"expected a FileSseMode but found: \u0027\u0027\"\n * docs: s3: clarify multipart uploads memory usage\n * test_all: fix detection of running servers\n * accounting: add AccountReadN for use in cluster\n * fs: add NonDefaultRC for discovering options in use\n * fs: move tests into correct files\n * rc: add NewJobFromBytes for reading jobs from non HTTP transactions\n * rc: add job/batch for sending batches of rc commands to run concurrently\n * Add Ted Robertson to contributors\n * Add Joseph Brownlee to contributors\n * Add fries1234 to contributors\n * Add Fawzib Rojas to contributors\n * Add Riaz Arbi to contributors\n * Add Lukas Krejci to contributors\n * Add Adam Dinwoodie to contributors\n * Add dulanting to contributors\n * docs: add AppArmor restrictions to rclone mount\n * check: improved reporting of differences in sizes and contents\n * mega: implement 2FA login\n * docs: change to light code block style to better match overall theme\n * docs: fix various markdownlint issues\n * build: restrict the markdown languages to use for code blocks\n * docs: fix various markdownlint issues\n * docs: fix markdownlint issue md013/line-length\n * docs: change syntax hightlighting for command examples from sh to console\n * docs: Clarify remote naming convention\n * b2: Add Server-Side encryption support\n * Added rclone archive command to create and read archive files\n * accounting: add io.Seeker/io.ReaderAt support to accounting.Account\n * operations: add ReadAt method to ReOpen\n * fstest: add ResetRun to allow the remote to be reset in tests\n * gcs: fix --gcs-storage-class to work with server side copy for objects\n * ulozto: implement the about functionality\n * local: add --skip-specials to ignore special files\n * swift: Report disk usage in segment containers\n * refactor: use strings.Builder to improve performance\n * Archive backend to read archives on cloud storage.\n * vfs: remove unecessary import in tests to fix import cycles\n * Add Lakshmi-Surekha to contributors\n * Add Andrew Gunnerson to contributors\n * Add divinity76 to contributors\n * build: enable support for aix/ppc64\n * rc: fix name of \"queue\" JSON key in docs for vfs/cache\n * cmount: windows: improve error message on missing winfsp\n * docs: add the Provider to the options examples in the backend docs\n * Add Aneesh Agrawal to contributors\n * Add viocha to contributors\n * Add reddaisyy to contributors\n * fs: remove unnecessary Seek call on log file\n * s3: make it easier to add new S3 providers\n * build(deps): bump actions/upload-artifact from 4 to 5\n * build(deps): bump actions/download-artifact from 5 to 6\n * ftp: fix SOCK proxy support - fixes #8892 (#8918)\n * webdav: Add Access-Control-Max-Age header for CORS preflight caching - fixes #5078\n * webdav: use SpaceSepList to parse bearer token command\n * refactor: use strings.Builder to improve performance\n * docs: re-arrange sponsors page\n * docs: add Spectra Logic as a sponsor\n * Add Oleksandr Redko to contributors\n * build: enable all govet checks (except fieldalignment and shadow) and fix issues.\n * march: fix --no-traverse being very slow - fixes #8860\n * Add vastonus to contributors\n * s3: add new FileLu S5 endpoints\n * build: remove obsolete build tag\n * azurefiles: add ListP interface - #4788\n * dropbox: add ListP interface - #4788\n * webdav: add ListP interface - #4788\n * pcloud: add ListP interface - #4788\n * box: add ListP interface - #4788\n * onedrive: add ListP interface - #4788\n * drive: add ListP interface - #4788\n * Add hunshcn to contributors\n * webdav: optimize bearer token fetching with singleflight\n * Changelog updates from Version v1.71.2\n * lib/http: cleanup indentation and other whitespace in http serve template\n * docs: improve formatting of http serve template parameters\n * build: stop markdown linter leaving behind docker containers\n * Add Marco Ferretti to contributors\n * s3: add cubbit as provider\n * s3: add servercore as a provider\n * docs: update sponsors\n * docs: update sponsor images\n * docs: update privacy policy with a section on user data\n * Add Dulani Woods to contributors\n * Add spiffytech to contributors\n * gcs: add region us-east5 - fixes #8863\n * jottacloud: refactor service list from map to slice to get predefined order\n * jottacloud: added support for traditional oauth authentication also for the main service\n * oauthutil: improved debug logs from token refresh\n * backend: add S3 provider for Hetzner object storage #8183\n * jottacloud: improved token refresh handling\n * s3: provider reordering\n * index: add missing providers\n * docs: add missing `\n * s3: add rabata as a provider\n * mega: fix 402 payment required errors - fixes #8758\n * Add Andrew Ruthven to contributors\n * Add Microscotch to contributors\n * Add iTrooz to contributors\n * build: Bump SwiftAIO container to a newer one\n * build: Retry stopping the test server\n * build: Increase attempts to connect to test server\n * swift: If storage_policy isn\u0027t set, use the root containers policy\n * proton: automated 2FA login with OTP secret key\n * serve s3: fix log output to remove the EXTRA messages\n * docs/jottacloud: update description of invalid_grant error according to changes\n * jottacloud: add support for MediaMarkt Cloud as a whitelabel service\n * s3: add FileLu S5 provider\n * docs: fix variants of --user-from-header\n * vfs: fix chunker integration test\n * test_all: give TestZoho: extra time as it has been timing out\n * test_all: give TestCompressDrive: extra time as it has been timing out\n * rclone config string: reduce quoting with Human rendering for strings #8859\n * Add juejinyuxitu to contributors\n * docs/jottacloud: update documentation with new whitelabel services and changed configuration flow\n * jottacloud: abort attempts to run unsupported rclone authorize command\n * jottacloud: minor adjustment of texts in config ui\n * jottacloud: add support for Let\u0027s Go Cloud (from MediaMarkt) as a whitelabel service\n * jottacloud: fix authentication for whitelabel services from Elkjp subsidiaries\n * jottacloud: refactor config handling of whitelabel services to use openid provider configuration\n * jottacloud: remove nil error object from error message\n * jottacloud: fix legacy authentication\n * docs: add remote setup page to main docs dropdown\n * docs: update remote setup page\n * docs: add link from authorize command docs to remote setup docs\n * docs: lowercase internet and web browser instead of Internet browser\n * docs: use the term backend name instead of fs name for authorize command\n * add `rclone config string` for making connection strings #8859\n * config: add more human readable configmap.Simple output\n * serve http: download folders as zip\n * s3: reorder providers to be in alphabetical order\n * refactor: use strings.FieldsFuncSeq to reduce memory allocations\n * accounting: add SetMaxCompletedTransfers method to fix bisync race #8815\n * accounting: add RemoveDoneTransfers method to fix bisync race #8815\n * bisync: fix race when CaptureOutput is used concurrently #8815\n * build: update all dependencies\n * Makefile: remove deprecated go mod usage\n * azurefiles: Fix server side copy not waiting for completion - fixes #8848\n * Changelog updates from Version v1.71.1\n * test_all: fix branch name in test report\n * pacer: fix deadlock with --max-connections\n * Revert \"azureblob: fix deadlock with --max-connections with InvalidBlockOrBlob errors\"\n * Add Youfu Zhang to contributors\n * Add Matt LaPaglia to contributors\n * smb: optimize smb mount performance by avoiding stat checks during initialization\n * pikpak: fix unnecessary retries by using URL expire parameter - fixes #8601\n * serve http: fix: logging url on start\n * docs: fix typo\n * b2: fix 1TB+ uploads\n * march: fix deadlock when using --fast-list on syncs - fixes #8811\n * build: slices.Contains, added in go1.21\n * build: use strings.CutPrefix introduced in go1.20\n * build: use sequence Split introduced in go1.24\n * build: use \"for i := range n\", added in go1.22\n * build: modernize benchmark usage\n * build: in tests use t.Context, added in go1.24\n * build: replace interface{} by the \u0027any\u0027 type added in go1.18\n * build: use the built-in min or max functions added in go1.21\n * Add russcoss to contributors\n * build: remove x := x made unnecessary by the new semantics of loops in go1.22\n * lib/pool: fix unreliable TestPoolMaxBufferMemory test\n * Update S-Pegg1 email\n * Add Jean-Christophe Cura to contributors\n * pool: fix flaky unreliability test\n * copyurl: reworked code, added concurrency and tests\n * copyurl: Added --url to read urls from csv file - #8127\n * docs: HDFS: erasure coding limitation #8808\n * fstest: fix slice bounds out of range error when using -remotes local\n * local: fix time zones on tests\n * s3: added SpectraLogic as a provider\n * local: fix rmdir \"Access is denied\" on windows - fixes #8363\n * bisync: fix error handling for renamed conflicts\n * docs: pcloud: update root_folder_id instructions\n * operations: fix partial name collisions for non --inplace copies\n * drive: docs: update making your own client ID instructions\n * swift: add ListP interface - #4788\n * memory: add ListP interface - #4788\n * oraceobjectstorage: add ListP interface - #4788\n * B2: add ListP interface - #4788\n * azureblob: add ListP interface - #4788\n * googlecloudstorage: add ListP interface - Fixes #8763\n * build: bump actions/github-script from 7 to 8\n * build: bump actions/setup-go from 5 to 6\n * bisync: fix chunker integration tests\n * bisync: fix koofr integration tests\n * internetarchive: fix server side copy files with spaces\n * lib/rest: add URLPathEscapeAll to URL escape as many chars as possible\n * Add alternate email for dougal to contributors\n * test speed: add command to test a specified remotes speed\n * docs: add link to MEGA S4 from MEGA page\n * Add Robin Rolf to contributors\n * Add anon-pradip to contributors\n * s3: Add Intercolo provider\n * gendocs: refactor and add logging of skipped command docs\n * gendocs: ignore missing rclone_mount.md, rclone_nfsmount.md, rclone_serve_nfs.md on windows\n * bin: add bisync.md generator\n * fstest: refactor to decouple package from implementation\n * gendocs: ignore missing rclone_mount.md on macOS\n * bisync: ignore expected \"nothing to transfer\" differences on tests\n * bisync: fix TestBisyncConcurrent ignoring -case\n * bisync: make number of parallel tests configurable\n * docs: clarify subcommand description in rclone usage\n * docs: fix description of regex syntax of name transform\n * docs: add some more details about supported regex syntax\n * makefile: fix lib/transform docs not getting updated\n * lib/pool: fix flaky test which was causing timeouts\n * Add dougal to contributors\n * vfs: fix SIGHUP killing serve instead of flushing directory caches\n * bisync: use unique stats groups on tests\n * fstest: stop errors in test cleanup changing the global stats\n * Add Motte to contributors\n * Add Claudius Ellsel to contributors\n * build: add local markdown linting to make check\n * lsf: add support for unix and unixnano time formats\n * docs: remove broken links from rc to commands\n * hashsum: changed output format when listing algorithms\n * docs: add example of how to add date as suffix\n * box: fix about after change in API return - fixes #8776\n * Add skbeh to contributors\n * Add Tilman Vogel to contributors\n * docs: fix incorrectly escaped windows path separators\n * build: restore error handling in gendocs\n * combine: propagate SlowHash feature\n * docs/oracleobjectstorage: add introduction before external links and remove broken link\n * docs: fix markdown lint issues in backend docs\n * docs: fix markdown lint issues in command docs\n * docs: update markdown code block json indent size 2\n * mount: do not log successful unmount as an error - fixes #8766\n * Start v1.72.0-DEV development\n\n- Update to version 1.71.2:\n * Version v1.71.2\n * docs: update sponsors\n * docs: update sponsor images\n * docs: update privacy policy with a section on user data\n * gcs: add region us-east5 - fixes #8863\n * index: add missing providers\n * docs: add missing `\n * mega: fix 402 payment required errors - fixes #8758\n * docs: fix variants of --user-from-header\n * docs: add remote setup page to main docs dropdown\n * docs: update remote setup page\n * docs: add link from authorize command docs to remote setup docs\n * docs: lowercase internet and web browser instead of Internet browser\n * docs: use the term backend name instead of fs name for authorize command\n * bisync: fix race when CaptureOutput is used concurrently #8815\n * azurefiles: Fix server side copy not waiting for completion - fixes #8848\n * pikpak: fix unnecessary retries by using URL expire parameter - fixes #8601\n * serve http: fix: logging url on start\n * docs: fix typo\n * b2: fix 1TB+ uploads\n * Start v1.71.2-DEV development\n\n- Update to version 1.71.1:\n * Version v1.71.1\n * pacer: fix deadlock with --max-connections\n * Revert \"azureblob: fix deadlock with --max-connections with InvalidBlockOrBlob errors\"\n * march: fix deadlock when using --fast-list on syncs - fixes #8811\n * docs: HDFS: erasure coding limitation #8808\n * local: fix rmdir \"Access is denied\" on windows - fixes #8363\n * bisync: fix error handling for renamed conflicts\n * docs: pcloud: update root_folder_id instructions\n * operations: fix partial name collisions for non --inplace copies\n * drive: docs: update making your own client ID instructions\n * internetarchive: fix server side copy files with spaces\n * lib/rest: add URLPathEscapeAll to URL escape as many chars as possible\n * docs: add link to MEGA S4 from MEGA page\n * docs: clarify subcommand description in rclone usage\n * docs: fix description of regex syntax of name transform\n * docs: add some more details about supported regex syntax\n * makefile: fix lib/transform docs not getting updated\n * vfs: fix SIGHUP killing serve instead of flushing directory caches\n * docs: remove broken links from rc to commands\n * docs: add example of how to add date as suffix\n * box: fix about after change in API return - fixes #8776\n * docs: fix incorrectly escaped windows path separators\n * build: restore error handling in gendocs\n * combine: propagate SlowHash feature\n * docs/oracleobjectstorage: add introduction before external links and remove broken link\n * docs: fix markdown lint issues in backend docs\n * docs: fix markdown lint issues in command docs\n * docs: update markdown code block json indent size 2\n * mount: do not log successful unmount as an error - fixes #8766\n * Start v1.71.1-DEV development\n\n- Update to version 1.71.0:\n * Version v1.71.0\n * fs: tls: add --client-pass support for encrypted --client-key files\n * ftp: make TLS config default to global TLS config - Fixes #6671\n * fshttp: return *Transport rather than http.RoundTripper from NewTransport\n * bisync: release from beta\n * bisync: fix markdown formatting issues flagged by linter in docs\n * bisync: fix --no-slow-hash settings on path2\n * Add cui to contributors\n * docs: add code of conduct\n * lib/mmap: convert to using unsafe.Slice to avoid deprecated reflect.SliceHeader\n * build: bump golangci/golangci-lint-action from 6 to 8\n * build: update golangci-lint configuration\n * build: ignore revive lint issue var-naming: avoid meaningless package names\n * build: fix lint issue: should omit type error from declaration\n * Revert \"build: downgrade linter to use go1.24 until it is fixed for go1.25\"\n * build: migrate golangci-lint configuration to v2 format\n * s3: add --s3-use-arn-region flag - fixes #8686\n * Add Binbin Qian to contributors\n * Add Lucas Bremgartner to contributors\n * docs: add tips about outdated certificates\n * FAQ: specify the availability of SSL_CERT_* env vars\n * pikpak: add file name integrity check during upload\n * bisync: skip TestBisyncConcurrent on non-local\n * internetarchive: fix server side copy files with \u0026\n * Revert \"s3: set useAlreadyExists to false for Alibaba OSS\"\n * Add huangnauh to contributors\n * smb: improve multithreaded upload performance using multiple connections\n * bisync: fix data races on tests\n * bisync: remove unused parameters\n * bisync: deglobalize to fix concurrent runs via rc - fixes #8675\n * mount: fix identification of symlinks in directory listings\n * s3: fix Content-Type: aws-chunked causing upload errors with --metadata\n * config: fix problem reading pasted tokens over 4095 bytes\n * config: fix test failure on local machine with a config file\n * log: add log rotation to --log-file - fixes #2259\n * accounting: Fix stats (speed=0 and eta=nil) when starting jobs via rc\n * docs: update overview table for oracle object storage\n * Add praveen-solanki-oracle to contributors\n * oracleobjectstorage: add read only metadata support - Fixes #8705\n * doc: sync doesn\u0027t symlinks in dest without --link - Fixes #8749\n * s3: sort providers in docs\n * s3: add docs for Exaba Object Storage\n * azureblob: fix double accounting for multipart uploads - fixes #8718\n * pool: fix deadlock with --max-buffer-memory\n * azureblob: fix deadlock with --max-connections with InvalidBlockOrBlob errors\n * build: downgrade linter to use go1.24 until it is fixed for go1.25\n * build: update all dependencies\n * build: update to go1.25 and make go1.24 the minimum required version\n * Add Timothy Jacobs to contributors\n * bisync: fix time.Local data race on tests - fixes #8272\n * googlecloudstorage: fix rateLimitExceeded error on bisync tests\n * accounting: populate transfer snapshot with \"what\" value\n * build(deps): bump actions/checkout from 4 to 5\n * build(deps): bump actions/download-artifact from 4 to 5\n * googlecloudstorage: enable bisync integration tests\n * fstest: fix parsing of commas in -remotes\n * azurefiles: fix hash getting erased when modtime is set\n * bisync: disable --sftp-copy-is-hardlink on sftp tests\n * local: fix --copy-links on Windows when listing Junction points\n * operations: fix too many connections open when using --max-memory\n * pool: fix deadlock with --max-memory and multipart transfers\n * pool: unify memory between multipart and asyncreader to use one pool\n * docs: update links to rcloneui\n * docs: add MEGA S4 as a gold sponsor\n * about: fix potential overflow of about in various backends\n * box: fix about: cannot unmarshal number 1.0e+18 into Go struct field\n * oauthutil: fix nil pointer crash when started with expired token\n * rc: listremotes should send an empty array instead of nil\n * config: add error if RCLONE_CONFIG_PASS was supplied but didn\u0027t decrypt config\n * rc: add config/unlock to unlock the config file\n * ftp: allow insecure TLS ciphers - fixes #8701\n * s3: set useAlreadyExists to false for Alibaba OSS\n * docs: update sponsors page\n * fs: allow global variables to be overriden or set on backend creation\n * fs: allow setting of --http_proxy from command line\n * tests: cloudinary: remove test ignore after merging fix from #8707\n * Add Antonin Goude to contributors\n * Add Yu Xin to contributors\n * Add houance to contributors\n * Add Florent Vennetier to contributors\n * Add n4n5 to contributors\n * Add Albin Parou to contributors\n * Add liubingrun to contributors\n * sync: fix testLoggerVsLsf when backend only reads modtime\n * sync: fix testLoggerVsLsf checking wrong fs\n * docs: fix make opengraph tags absolute as not all sites understand relative\n * docs: update contributing guide regarding markdown documentation\n * build: add markdown linting to workflow\n * build: add markdownlint configuration\n * docs: minor format cleanup install.md\n * docs: fix markdownlint issue md049/emphasis-style\n * docs: fix markdownlint issue md036/no-emphasis-as-heading\n * docs: fix markdownlint issue md033/no-inline-html\n * docs: fix markdownlint issue md025/single-title\n * docs: fix markdownlint issue md041/first-line-heading\n * docs: fix markdownlint issue md001/heading-increment\n * docs: fix markdownlint issue md003/heading-style\n * docs: fix markdownlint issue md034/no-bare-urls\n * docs: fix markdownlint issue md010/no-hard-tabs\n * docs: fix markdownlint issue md013/line-length\n * docs: fix markdownlint issue md038/no-space-in-code\n * docs: fix markdownlint issue md040/fenced-code-language\n * docs: fix markdownlint issue md046/code-block-style\n * docs: fix markdownlint issue md037/no-space-in-emphasis\n * docs: fix markdownlint issue md059/descriptive-link-text\n * docs: fix markdownlint issues md007/ul-indent md004/ul-style\n * docs: fix markdownlint issue md012/no-multiple-blanks\n * docs: fix markdownlint issue md058/blanks-around-tables\n * docs: fix markdownlint issue md022/blanks-around-headings\n * docs: fix markdownlint issue md031/blanks-around-fences\n * docs: fix markdownlint issue md032/blanks-around-lists\n * docs: fix markdownlint issue md009/no-trailing-spaces\n * docs: fix markdownlint issue md014/commands-show-output\n * docs: fix markdownlint issues md007/ul-indent md004/ul-style (bin/update-authors.py)\n * docs: fix markdownlint issues md007/ul-indent md004/ul-style (authors.md)\n * docs: add opengraph tags for website social media previews\n * mount: note that bucket based remotes can use directory markers\n * pikpak: add docs for methods to clarify name collision handling and restrictions\n * pikpak: enhance Copy method to handle name collisions and improve error management\n * pikpak: enhance Move for better handling of error and name collision\n * accounting: fix incorrect stats with --transfers=1 - fixes #8670\n * rc: fix `operations/check` ignoring `oneWay` parameter\n * s3: add OVHcloud Object Storage provider\n * docs: rc: fix description of how to read local config\n * build: limit check for edits of autogenerated files to only commits in a pull request\n * build: extend check for edits of autogenerated files to all commits in a pull request\n * smb: refresh Kerberos credentials when ccache file changes\n * s3: fix multipart upload and server side copy when using bucket policy SSE-C\n * backend/s3: Fix memory leak by cloning strings #8683\n * purge: exit with a fatal error if filters are set on `rclone purge`\n * docs: Add Backblaze as a Platinum sponsor\n * Add Sam Pegg to contributors\n * googlephotos: added warning for Google Photos compatability-fixes #8672\n * test: remove flakey TestChunkerChunk50bYandex: test\n * docs: Consolidate entries for Josh Soref in contributors\n * docs: remove dead link to example of writing a plugin\n * filescom: document that hashes need to be enabled - fixes #8674\n * Add Sudipto Baral to contributors\n * docs: fix incorrect json syntax in sample output\n * docs: ignore author email piyushgarg80\n * docs: fix header level for --dump option section\n * docs: use stringArray as parameter type\n * docs: use consistent markdown heading syntax\n * imagekit: remove server side Copy method as it was downloading and uploading\n * imagekit: don\u0027t low level retry uploads\n * imagekit: return correct error when attempting to upload zero length files\n * smb: add --smb-kerberos-ccache option to set kerberos ccache per smb backend\n * test: fix smb kerberos integration tests\n * Changelog updates from Version v1.70.3\n * config: make parsing of duration options consistent\n * docs: cleanup usage\n * docs: break long lines\n * docs: add option value type to header where missing\n * docs: mention that identifiers in option values are case insensitive\n * docs: rewrite dump option examples\n * docs: use markdown inline code format for dump option headers that are real examples\n * docs: change spelling from server side to server-side\n * docs: cleanup header casing\n * docs: rename OSX to macOS\n * docs: fix list and code block issue\n * docs: consistent markdown list format\n * docs: split section with general description of options with that documenting actual main options\n * docs: improve description of option types\n * docs: use space instead of equal sign to separate option and value in headers\n * docs: use comma to separate short and long option format in headers\n * docs: remove use of uncommon parameter types\n * docs: remove use of parameter type FILE\n * docs: remove use of parameter type DIR\n * docs: remove use of parameter type CONFIG_FILE\n * docs: change use of parameter type N and NUMBER to int consistent with flags and cli help\n * docs: change use of parameter type TIME to Duration consistent with flags and cli help\n * docs: change use of parameter type BANDWIDTH_SPEC to BwTimetable consistent with flags and cli help\n * docs: change use of parameter type SIZE to SizeSuffix consistent with flags and cli help\n * docs: cleanup markdown header format\n * docs: explain separated list parameters\n * azureblob: fix server side copy error \"requires exactly one scope\"\n * test: remove and ignore failing integration tests\n * docs: explain the json log format in more detail\n * check: fix difference report (was reporting error counts)\n * serve sftp: add support for more hashes (crc32, sha256, blake3, xxh3, xxh128)\n * serve sftp: extract function refactoring for handling hashsum commands\n * sftp: add support for more hashes (crc32, sha256, blake3, xxh3, xxh128)\n * local: configurable supported hashes\n * hash: add support for BLAKE3, XXH3, XXH128\n * vfs: make integration TestDirEntryModTimeInvalidation test more reliable\n * smb: skip non integration tests when doing integration tests\n * seafile: fix integration test errors by adding dot to encoding\n * linkbox: fix upload error \"user upload file not exist\"\n * build: remove integration tests which are too slow\n * march: fix deadlock when using --no-traverse - fixes #8656\n * pikpak: improve error handling for missing links and unrecoverable 500s\n * pikpak: rewrite upload to bypass AWS S3 manager - fixes #8629\n * test: fix TestSMBKerberos password expiring errors\n * Add Vikas Bhansali to contributors\n * Add Ross Smith II to contributors\n * azureblob,azurefiles: add support for client assertion based authentication\n * webdav: fix setting modtime to that of local object instead of remote\n * build: set default shell to bash in build.yml\n * docs: fix filescom/filelu link mixup\n * Add Davide Bizzarri to contributors\n * fix: b2 versionAt read metadata\n * test: make TestWebdavInfiniteScale startup more reliable\n * test_all: add _connect_delay for slow starting servers\n * docs: update link for filescom\n * test_all: make TestWebdav InfiniteScale integration tests run\n * test_all: make SMB with Kerberos integration tests run properly\n * test_all: allow an env parameter to set environment variables\n * Changelog updates from Version v1.70.2\n * Add Ali Zein Yousuf to contributors\n * Add $@M@RTH_ to contributors\n * docs: update client ID instructions to current Azure AD portal - fixes #8027\n * s3: add Zata provider\n * pacer: fix nil pointer deref in RetryError - fixes #8077\n * docs: Remove Warp as a sponsor\n * docs: add files.com as a Gold sponsor\n * docs: add links to SecureBuild docker image\n * Add curlwget to contributors\n * convmv: fix moving to unicode-equivalent name - fixes #8634\n * transform: add truncate_keep_extension and truncate_bytes\n * convmv: make --dry-run logs less noisy\n * sync: avoid copying dir metadata to itself\n * docs: fix some function names in comments\n * combine: fix directory not found errors with ListP interface - Fixes #8627\n * local: fix --skip-links on Windows when skipping Junction points\n * Add Marvin Rsch to contributors\n * build: bump github.com/go-chi/chi/v5 from 5.2.1 to 5.2.2 to fix GHSA-vrw8-fxc6-2r93\n * copy,copyto,move,moveto: implement logger flags to store result of sync\n * log: fix deadlock when using systemd logging - fixes #8621\n * docs: googlephotos: detail how to make your own client_id - fixes #8622\n * Add necaran to contributors\n * mega: fix tls handshake failure - fixes #8565\n * Changelog updates from Version v1.70.1\n * Add jinjingroad to contributors\n * docs: DOI grammar error\n * docs: lib/transform: cleanup formatting\n * lib/transform: avoid empty charmap entry\n * chore: fix function name\n * convmv: fix spurious \"error running command echo\" on Windows\n * docs: client-credentials is not support by all backends\n * Start v1.71.0-DEV development\n\n- Update to version 1.70.3:\n * Version v1.70.3\n * azureblob: fix server side copy error \"requires exactly one scope\"\n * docs: explain the json log format in more detail\n * check: fix difference report (was reporting error counts)\n * linkbox: fix upload error \"user upload file not exist\"\n * march: fix deadlock when using --no-traverse - fixes #8656\n * pikpak: improve error handling for missing links and unrecoverable 500s\n * webdav: fix setting modtime to that of local object instead of remote\n * fix: b2 versionAt read metadata\n * Start v1.70.3-DEV development\n * docs: fix filescom/filelu link mixup\n * docs: update link for filescom\n\n- Update to version 1.70.2:\n * Version v1.70.2\n * docs: update client ID instructions to current Azure AD portal - fixes #8027\n * mega: fix tls handshake failure - fixes #8565\n * pacer: fix nil pointer deref in RetryError - fixes #8077\n * convmv: fix moving to unicode-equivalent name - fixes #8634\n * convmv: make --dry-run logs less noisy\n * sync: avoid copying dir metadata to itself\n * combine: fix directory not found errors with ListP interface - Fixes #8627\n * local: fix --skip-links on Windows when skipping Junction points\n * build: bump github.com/go-chi/chi/v5 from 5.2.1 to 5.2.2 to fix GHSA-vrw8-fxc6-2r93\n * log: fix deadlock when using systemd logging - fixes #8621\n * docs: googlephotos: detail how to make your own client_id - fixes #8622\n * pikpak: fix uploads fail with \"aws-chunked encoding is not supported\" error\n * Start v1.70.2-DEV development\n * docs: Remove Warp as a sponsor\n * docs: add files.com as a Gold sponsor\n * docs: add links to SecureBuild docker image\n\n- Update to version 1.70.1:\n * Version v1.70.1\n * docs: DOI grammar error\n * docs: lib/transform: cleanup formatting\n * lib/transform: avoid empty charmap entry\n * chore: fix function name\n * convmv: fix spurious \"error running command echo\" on Windows\n * docs: client-credentials is not support by all backends\n * Start v1.70.1-DEV development\n\n- Update to version 1.70.0:\n * Version v1.70.0\n * ftp: add --ftp-http-proxy to connect via HTTP CONNECT proxy\n * pcloud: fix \"Access denied. You do not have permissions to perform this operation\" on large uploads\n * operations: fix TransformFile when can\u0027t server-side copy/move\n * fstest: fix -verbose flag after logging revamp\n * googlecloudstorage: fix directory marker after // changes in #5858\n * s3: fix directory marker after // changes in #5858\n * azureblob: fix directory marker after // changes in #5858\n * tests: ignore some more habitually failing tests\n * googlephotos: fix typo in error message - Fixes #8600\n * s3: MEGA S4 support\n * Add Ser-Bul to contributors\n * chunker: fix double-transform\n * docs: mailru: added note about permissions level choice for the apps password\n * tests: ignore habitually failing tests and backends\n * docs: link to asciinema rather than including the js\n * docs: target=\"_blank\" must have rel=\"noopener\"\n * sync: fix testLoggerVsLsf when dst is local\n * docs: fix FileLu docs\n * build: update all dependencies\n * onedrive: fix crash if no metadata was updated\n * Add kingston125 to contributors\n * Add Flora Thiebaut to contributors\n * Add FileLu cloud storage backend\n * doi: add new doi backend\n * build: fix check_autogenerated_edits.py flagging up files that didn\u0027t exist\n * docs: rc: add more info on how to discover _config and _filter parameters #8584\n * s3: add Exaba provider\n * convmv: add convmv command\n * lib/transform: add transform library and --name-transform flag\n * march: split src and dst\n * Add ahxxm to contributors\n * Add Nathanael Demacon to contributors\n * b2: use file id from listing when not presented in headers - fixes #8113\n * fs: fix goroutine leak and improve stats accounting process\n * march: fix syncing with a duplicate file and directory\n * Add PrathameshLakawade to contributors\n * Add Oleksiy Stashok to contributors\n * docs: fix page_facing_up typo next to Lyve Cloud in README.md\n * backend/s3: require custom endpoint for Lyve Cloud v2 support\n * backend: skip hash calculation when the hashType is None - fixes #8518\n * azureblob: fix multipart server side copies of 0 sized files\n * Add Jeremy Daer to contributors\n * Add wbulot to contributors\n * s3: add Pure Storage FlashBlade provider support (#8575)\n * backend/gofile: update to use new direct upload endpoint\n * log: add --windows-event-log-level to support Windows Event Log\n * fs: Remove github.com/sirupsen/logrus and replace with log/slog\n * Add fhuber to contributors\n * cmd serve s3: fix ListObjectsV2 response\n * Changelog updates from Version v1.69.3\n * onedrive: re-add --onedrive-upload-cutoff flag\n * onedrive: fix \"The upload session was not found\" errors\n * Add Germn Casares to contributors\n * Add Jeff Geerling to contributors\n * googlephotos: update read only and read write scopes to meet Google\u0027s requirements.\n * build: update github.com/ebitengine/purego to v0.8.3 to fix mac_amd64 build\n * docs: add hint about config touch and config file not found\n * docs: add FAQ for dismissing \u0027rclone.conf not found\u0027\n * docs: document how to keep an out of tree backend\n * Add Clment Wehrung to contributors\n * iclouddrive: fix panic and files potentially downloaded twice\n * docs: move --max-connections documentation to the correct place\n * Add Ben Boeckel to contributors\n * Add Tho Neyugn to contributors\n * docs: fix typo in s3/storj docs\n * serve s3: remove redundant handler initialization\n * Changelog updates from Version 1.69.2\n * sftp: add --sftp-http-proxy to connect via HTTP CONNECT proxy\n * Add Jugal Kishore to contributors\n * docs: correct SSL docs anchor link from #ssl-tls to #tls-ssl\n * drive: metadata: fix error when setting copy-requires-writer-permission on a folder\n * docs: Update contributors\n * build: bump golang.org/x/net from 0.36.0 to 0.38.0\n * Update README.md\n * docs: fix typos via codespell\n * webdav: add an ownCloud Infinite Scale vendor that enables tus chunked upload support\n * onedrive: fix metadata ordering in permissions\n * Add Ben Alex to contributors\n * Add simwai to contributors\n * iclouddrive: fix so created files are writable\n * cmd/authorize: show required arguments in help text\n * cloudinary: var naming convention - #8416\n * cloudinary: automatically add/remove known media files extensions #8416\n * Add Markus Gerstel to contributors\n * Add Enduriel to contributors\n * Add huanghaojun to contributors\n * Add simonmcnair to contributors\n * Add Samantha Bowen to contributors\n * s3: documentation regression - fixes #8438\n * hash: add SHA512 support for file hashes\n * vfs: fix inefficient directory caching when directory reads are slow\n * docs: update fuse version in docker docs\n * fs/config: Read configuration passwords from stdin even when terminated with EOF - fixes #8480\n * cmd/gitannex: Reject unknown layout modes in INITREMOTE\n * cmd/gitannex: Add configparse.go and refactor\n * cmd/gitannex: Permit remotes with options\n * serve ftp: add serve rc interface\n * serve sftp: add serve rc interface\n * serve restic: add serve rc interface\n * serve s3: add serve rc interface\n * serve dlna: add serve rc interface\n * serve webdav: add serve rc interface - fixes #4505\n * serve http: add serve rc interface\n * serve nfs: add serve rc interface\n * serve: Add rc control for serve commands #4505\n * configstruct: add SetAny to parse config from the rc\n * rc: In options/info make FieldName contain a \".\" if it should be nested\n * serve restic: convert options to new style\n * serve s3: convert options to new style\n * serve http: convert options to new style\n * serve webdav: convert options to new style\n * auth proxy: convert options to new style\n * auth proxy: add VFS options parameter for use for default VFS\n * serve: make the servers self registering\n * lib/http: fix race between Serve() and Shutdown()\n * lib/http: add Addr() method to return the first configured server address\n * Add Danny Garside to contributors\n * docs: fix minor typo in box docs\n * sync: implement --list-cutoff to allow on disk sorting for reduced memory use\n * march: Implement callback based syncing\n * list: add ListDirSortedFn for callback oriented directory listing\n * list: Implement Sorter to sort directory entries\n * cache: mark ListP as not supported yet\n * hasher: implement ListP interface\n * compress: implement ListP interface\n * chunker: mark ListP as not supported yet\n * union: mark ListP as not supported yet\n * crypt: implement ListP interface\n * combine: implement ListP interface\n * s3: Implement paged listing interface ListP\n * list: add WithListP helper to implement List for ListP backends\n * walk: move NewListRHelper into list.Helper to avoid circular dependency\n * fs: define ListP interface for paged listing #4788\n * accounting: Add listed stat for number of directory entries listed\n * walk: factor Listing helpers into their own file and add tests\n * serve nfs: make metadata files have special file handles\n * serve nfs: change the format of --nfs-cache-type symlink file handles\n * vfs: add --vfs-metadata-extension to expose metadata sidecar files\n * docs: Add rcloneui.com as Silver Sponsor\n * Add Klaas Freitag to contributors\n * Add eccoisle to contributors\n * Add Fernando Fernndez to contributors\n * Add alingse to contributors\n * Add Jrn Friedrich Dreyer to contributors\n * docs: replace option --auto-filename-header with --header-filename\n * build: update github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2 to fix CVE-2025-30204\n * docs/googlephotos: fix typos\n * build: bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2\n * operations: fix call fmt.Errorf with wrong err\n * webdav: retry propfind on 425 status\n * Add --max-connections to control maximum backend concurrency\n * rc: fix debug/* commands not being available over unix sockets\n * cmd/gitannex: Prevent tests from hanging when assertion fails\n * cmd/gitannex: Add explicit timeout for mock stdout reads in tests\n * http: correct root if definitely pointing to a file - fixes #8428\n * pool: add --max-buffer-memory to limit total buffer memory usage\n * filter: Add `--hash-filter` to deterministically select a subset of files\n * build: update golang.org/x/net to 0.36.0. to fix CVE-2025-22869\n * rc: add add short parameter to core/stats to not return transferring and checking\n * fs: fix corruption of SizeSuffix with \"B\" suffix in config (eg --min-size)\n * filters: show --min-size and --max-size in --dump filters\n * build: check docs for edits of autogenerated sections\n * Add jack to contributors\n * docs: fix incorrect mentions of vfs-cache-min-free-size\n * fs/object: fix memory object out of bounds Seek\n * serve nfs: fix unlikely crash\n * docs: update minimum OS requirements for go1.24\n * cmd/gitannex: Tweak parsing of \"rcloneremotename\" config\n * cmd/gitannex: Drop var rebindings now that we have go1.23\n * docs: add note for using rclone cat for slicing out a byte range from a file\n * rcserver: improve content-type check\n * build: modernize Go usage\n * build: update all dependencies and fix deprecations\n * build: update golang.org/x/crypto to v0.35.0 to fix CVE-2025-22869\n * build: make go1.23 the minimum go version\n * cmd/gitannex: Add to integration tests\n * cmd/gitannex: Simplify verbose failures in tests\n * cmd/gitannex: Port unit tests to fstest\n * vfs: fix integration test failures\n * azureblob: fix errors not being retried when doing single part copy\n * azureblob: handle retry error codes more carefully\n * touch: make touch obey --transfers\n * Add luzpaz to contributors\n * Add Dave Vasilevsky to contributors\n * docs: fix various typos Found via\n * dropbox: Retry link without expiry\n * Dropbox: Support Dropbox Paper\n * chore: update contributor email\n * docs: correct stable release workflow\n * Add Lorenz Brun to contributors\n * Add Michael Kebe to contributors\n * vfs: fix directory cache serving stale data\n * build: fix docker plugin build - fixes #8394\n * docs: improved sftp limitations\n * Changelog updates from Version v1.69.1\n * docs: add FileLu as sponsors and tidy sponsor logos\n * accounting: fix percentDiff calculation -- fixes #8345\n * vfs: fix the cache failing to upload symlinks when --links was specified\n * Add jbagwell-akamai to contributors\n * Add ll3006 to contributors\n * doc: add note on concurrency of rclone purge\n * s3: add latest Linode Object Storage endpoints\n * cmd: fix crash if rclone is invoked without any arguments - Fixes #8378\n * build: disable docker builds on PRs \u0026 add missing dockerfile changes\n * sync: copy dir modtimes even when copyEmptySrcDirs is false - fixes #8317\n * sync: add tests to check dir modtimes are kept when syncing\n * fix golangci-lint errors\n * bisync: fix false positive on integration tests\n * s3: split the GCS quirks into -s3-use-x-id and -s3-sign-accept-encoding #8373\n * Add Joel K Biju to contributors\n * stats: fix the speed not getting updated after a pause in the processing\n * opendrive: added --opendrive-access flag to handle permissions\n * bisync: fix listings missing concurrent modifications - fixes #8359\n * Added parallel docker builds and caching for go build in the container\n * smb: improve connection pooling efficiency\n * lib/oauthutil: fix redirect URL mismatch errors - fixes #8351\n * b2: fix \"fatal error: concurrent map writes\" - fixes #8355\n * Add Alexander Minbaev to contributors\n * Add Zachary Vorhies to contributors\n * Add Jess to contributors\n * s3: add IBM IAM signer - fixes #7617\n * serve nfs: update docs to note Windows is not supported - fixes #8352\n * cmd/config(update remote): introduce --no-output option\n * s3: add DigitalOcean regions SFO2, LON1, TOR1, BLR1\n * sync: fix cpu spinning when empty directory finding with leading slashes\n * s3: fix handling of objects with // in #5858\n * azureblob: fix handling of objects with // in #5858\n * fstest: add integration tests objects with // on bucket based backends #5858\n * fs/list: tweak directory listing assertions after allowing // names\n * lib/bucket: fix tidying of // in object keys #5858\n * lib/bucket: add IsAllSlashes function\n * azureblob: remove uncommitted blocks on InvalidBlobOrBlock error\n * azureblob: implement multipart server side copy\n * azureblob: speed up server side copies for small files #8249\n * azureblob: cleanup uncommitted blocks on upload errors\n * azureblob: factor readMetaData into readMetaDataAlways returning blob properties\n * Add b-wimmer to contributors\n * azurefiles: add --azurefiles-use-az and --azurefiles-disable-instance-discovery\n * onedrive: mark German (de) region as deprecated\n * Add Trevor Starick to contributors\n * Add hiddenmarten to contributors\n * Add Corentin Barreau to contributors\n * Add Bruno Fernandes to contributors\n * Add Moises Lima to contributors\n * Add izouxv to contributors\n * Add Robin Schneider to contributors\n * Add Tim White to contributors\n * Add Christoph Berger to contributors\n * azureblob: add support for `x-ms-tags` header\n * rc: disable the metrics server when running `rclone rc`\n * internetarchive: add --internetarchive-metadata=\"key=value\" for setting item metadata\n * lib/batcher: Deprecate unused option: batch_commit_timeout\n * s3: Added new storage class to magalu provider\n * http servers: add --user-from-header to use for authentication\n * b2: add SkipDestructive handling to backend commands - fixes #8194\n * vfs: close the change notify channel on Shutdown\n * Docker image: Add label org.opencontainers.image.source for release notes in Renovate dependency updates\n * docs: add OneDrive Impersonate instructions - fixes #5610\n * docs: explain the stringArray flag parameter descriptor\n * iclouddrive: add notes on ADP and Missing PCS cookies - fixes #8310\n * docs: fix typos found by codespell in docs and code comments\n * fs: fix confusing \"didn\u0027t find section in config file\" error\n * vfs: fix race detected by race detector\n * Add Jonathan Giannuzzi to contributors\n * Add Spencer McCullough to contributors\n * Add Matt Ickstadt to contributors\n * smb: add support for kerberos authentication\n * drive: added `backend moveid` command\n * docs: fix reference to serves3 setting disable_multipart_uploads which was renamed\n * docs: fix link to Rclone Serve S3\n * serve s3: fix list objects encoding-type\n * build: update gopkg.in/yaml.v2 to v3\n * build: update all dependencies\n * bisync: fix go vet problems with go1.24\n * build: update to go1.24rc1 and make go1.22 the minimum required version\n * version: add --deps flag to show dependencies and other build info\n * doc: make man page well formed for whatis - fixes #7430\n * Start v1.70.0-DEV development\n\n- Install completion files in the right place.\n\n- Update to version 1.69.3:\n * build: update github.com/ebitengine/purego to work around bug in go1.24.3\n * build: reapply update github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2 to fix CVE-2025-30204\n\n- Update to version 1.69.2:\n - Bug fixes\n - accounting: Fix percentDiff calculation -- (Anagh Kumar\n Baranwal)\n - build\n - Update github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 to\n fix CVE-2025-30204 (dependabot[bot])\n - Update github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2 to\n fix CVE-2025-30204 (dependabot[bot])\n - Update golang.org/x/crypto to v0.35.0 to fix CVE-2025-22869\n (Nick Craig-Wood)\n - Update golang.org/x/net from 0.36.0 to 0.38.0 to fix\n CVE-2025-22870 (dependabot[bot])\n - Update golang.org/x/net to 0.36.0. to fix CVE-2025-22869\n (dependabot[bot])\n - Stop building with go \u003c go1.23 as security updates forbade\n it (Nick Craig-Wood)\n - Fix docker plugin build (Anagh Kumar Baranwal)\n - cmd: Fix crash if rclone is invoked without any arguments\n (Janne Hellsten)\n - config: Read configuration passwords from stdin even when\n terminated with EOF (Samantha Bowen)\n - doc fixes (Andrew Kreimer, Danny Garside, eccoisle, Ed\n Craig-Wood, emyarod, jack, Jugal Kishore, Markus Gerstel,\n Michael Kebe, Nick Craig-Wood, simonmcnair, simwai, Zachary\n Vorhies)\n - fs: Fix corruption of SizeSuffix with \"B\" suffix in config\n (eg --min-size) (Nick Craig-Wood)\n - lib/http: Fix race between Serve() and Shutdown() (Nick\n Craig-Wood)\n - object: Fix memory object out of bounds Seek (Nick\n Craig-Wood)\n - operations: Fix call fmt.Errorf with wrong err (alingse)\n - rc\n - Disable the metrics server when running rclone rc\n (hiddenmarten)\n - Fix debug/* commands not being available over unix sockets\n (Nick Craig-Wood)\n - serve nfs: Fix unlikely crash (Nick Craig-Wood)\n - stats: Fix the speed not getting updated after a pause in the\n processing (Anagh Kumar Baranwal)\n - sync\n - Fix cpu spinning when empty directory finding with leading\n slashes (Nick Craig-Wood)\n - Copy dir modtimes even when copyEmptySrcDirs is false\n (ll3006)\n - vfs\n - Fix directory cache serving stale data (Lorenz Brun)\n - Fix inefficient directory caching when directory reads are\n slow (huanghaojun)\n - Fix integration test failures (Nick Craig-Wood)\n - Drive\n - Metadata: fix error when setting\n copy-requires-writer-permission on a folder (Nick Craig-Wood)\n - Dropbox\n - Retry link without expiry (Dave Vasilevsky)\n - HTTP\n - Correct root if definitely pointing to a file (nielash)\n - Iclouddrive\n - Fix so created files are writable (Ben Alex)\n - Onedrive\n - Fix metadata ordering in permissions (Nick Craig-Wood)\n\n- Update to version 1.69.1:\n * Version v1.69.1\n * build: disable docker builds on PRs \u0026 add missing dockerfile changes\n * Added parallel docker builds and caching for go build in the container\n * docs: add FileLu as sponsors and tidy sponsor logos\n * vfs: fix the cache failing to upload symlinks when --links was specified\n * doc: add note on concurrency of rclone purge\n * s3: add latest Linode Object Storage endpoints\n * fix golangci-lint errors\n * bisync: fix listings missing concurrent modifications - fixes #8359\n * lib/oauthutil: fix redirect URL mismatch errors - fixes #8351\n * b2: fix \"fatal error: concurrent map writes\" - fixes #8355\n * serve nfs: update docs to note Windows is not supported - fixes #8352\n * s3: add DigitalOcean regions SFO2, LON1, TOR1, BLR1\n * onedrive: mark German (de) region as deprecated\n * s3: Added new storage class to magalu provider\n * vfs: close the change notify channel on Shutdown\n * docs: add OneDrive Impersonate instructions - fixes #5610\n * docs: explain the stringArray flag parameter descriptor\n * iclouddrive: add notes on ADP and Missing PCS cookies - fixes #8310\n * docs: fix typos found by codespell in docs and code comments\n * fs: fix confusing \"didn\u0027t find section in config file\" error\n * vfs: fix race detected by race detector\n * docs: fix reference to serves3 setting disable_multipart_uploads which was renamed\n * docs: fix link to Rclone Serve S3\n * serve s3: fix list objects encoding-type\n * doc: make man page well formed for whatis - fixes #7430\n * Start v1.69.1-DEV development\n\n- Update to version 1.69.0:\n https://rclone.org/changelog/#v1-69-0-2025-01-12\n\n Rclone is using golang.org/x/net but was not affected to\n CVE-2024-45337 and CVE-2024-45338.\n\n * Version v1.69.0\n * test_all: disable docker plugin tests\n * docs: fix typo\n * accounting: fix race stopping/starting the stats counter\n * docs: add github.com/icholy/gomajor to RELEASE for updating major versions\n * ftp: fix ls commands returning empty on \"Microsoft FTP Service\" servers\n * s3: add docs on data integrity\n * webdav: make --webdav-auth-redirect to fix 401 unauthorized on redirect\n * rest: make auth preserving redirects an option\n * box: fix panic when decoding corrupted PEM from JWT file\n * size: make output compatible with -P\n * vfs: add remote name to vfs cache log messages - fixes #7952\n * dropbox: fix return status when full to be fatal error\n * rc: add relative to vfs/queue-set-expiry\n * vfs: fix open files disappearing from directory listings\n * docker serve: parse all remaining mount and VFS options\n * smb: fix panic if stat fails\n * googlephotos: fix nil pointer crash on upload - fixes #8233\n * iclouddrive: tweak docs\n * serve dlna: sort the directory entries by directories first then alphabetically by name\n * serve nfs: fix missing inode numbers which was messing up ls -laR\n * serve nfs: implement --nfs-cache-type symlink\n * azureblob,oracleobjectstorage,s3: quit multipart uploads if the context is cancelled\n * http: fix incorrect URLs with initial slash\n * build: update `github.com/shirou/gopsutil` to v4\n * Replace Windows-specific NewLazyDLL with NewLazySystemDLL\n * lib/oauthutil: don\u0027t require token to exist for client credentials flow\n * fs/operations: make log messages consistent for mkdir/rmdir at INFO level\n * Add Francesco Frassinelli to contributors\n * smb: Add support for Kerberos authentication.\n * docs: smb: link to CloudSoda/go-smb2 fork\n * cloudinary: add cloudinary backend - fixes #7989\n * operations: fix eventual consistency in TestParseSumFile test\n * Add TAKEI Yuya to contributors\n * docs: Remove Backblaze as a Platinum sponsor\n * docs: add RcloneView as silver sponsor\n * serve docker: fix incorrect GID assignment\n * serve s3: fix Last-Modified timestamp\n * Add ToM to contributors\n * Add Henry Lee to contributors\n * Add Louis Laureys to contributors\n * docs: filtering: mention feeding --files-from from standard input\n * docs: filtering: fix --include-from copypaste error\n * s3: rename glacier storage class to flexible retrieval\n * b2: add daysFromStartingToCancelingUnfinishedLargeFiles to backend lifecycle command\n * build: update golang.org/x/net to v0.33.0 to fix CVE-2024-45338\n * azurefiles: fix missing x-ms-file-request-intent header\n * Add Thomas ten Cate to contributors\n * docs: Document --url and --unix-socket on the rc page\n * docs: link to the outstanding vfs symlinks issue\n * Add Yxxx to contributors\n * Add hayden.pan to contributors\n * docs: update pcloud doc to avoid puzzling token error when use remote rclone authorize\n * pikpak: add option to use original file links - fixes #8246\n * rc/job: use mutex for adding listeners thread safety\n * docs: mention in serve tls options when value is path to file - fixes #8232\n * build: update all dependencies\n * accounting: fix debug printing when debug wasn\u0027t set\n * Add Filipe Azevedo to contributors\n * fs: make --links flag global and add new --local-links and --vfs-links flag\n * vfs: add docs for -l/--links flag\n * nfsmount,serve nfs: introduce symlink support #2975\n * mount2: introduce symlink support #2975\n * mount: introduce symlink support #2975\n * cmount: introduce symlink support #2975\n * vfstest: make VFS test suite support symlinks\n * vfs: add symlink support to VFS\n * vfs: add ELOOP error\n * vfs: Add link permissions\n * vfs: Add VFS --links command line switch\n * vfs: add vfs.WriteFile to match os.WriteFile\n * fs: Move link suffix to fs\n * cmount: fix problems noticed by linter\n * mount2: Fix missing . and .. entries\n * sftp: fix nil check when using auth proxy\n * Add Martin Hassack to contributors\n * serve sftp: resolve CVE-2024-45337\n * googlecloudstorage: typo fix in docs\n * onedrive: add support for OAuth client credential flow - fixes #6197\n * lib/oauthutil: add support for OAuth client credential flow\n * lib/oauthutil: return error messages from the oauth process better\n * bin/test_backend_sizes.py fix compile flags and s3 reporting\n * test makefiles: add --flat flag for making directories with many entries\n * Add divinity76 to contributors\n * Add Ilias Ozgur Can Leonard to contributors\n * Add remygrandin to contributors\n * Add Michael R. Davis to contributors\n * cmd/mountlib: better snap mount error message\n * vfs: with --vfs-used-is-size value is calculated and then thrown away - fixes #8220\n * serve sftp: fix loading of authorized keys file with comment on last line - fixes #8227\n * oracleobjectstorage: make specifying compartmentid optional\n * plcoud: fix failing large file uploads - fixes #8147\n * docs: add docker volume plugin troubleshooting steps\n * docs: fix missing `state` parameter in `/auth` link in instructions\n * build: fix build failure on ubuntu\n * docs: upgrade fontawesome to v6\n * s3: fix multitenant multipart uploads with CEPH\n * Add David Seifert to contributors\n * Add vintagefuture to contributors\n * use better docs\n * googlecloudstorage: update docs on service account access tokens\n * test_all: POSIX head/tail invocations\n * icloud: Added note about app specific password not working\n * s3: fix download of compressed files from Cloudflare R2 - fixes #8137\n * s3: fix testing tiers which don\u0027t exist except on AWS\n * Changelog updates from Version v1.68.2\n * local: fix permission and ownership on symlinks with --links and --metadata\n * Revert \"Merge commit from fork\"\n * Add Dimitrios Slamaris to contributors\n * Merge commit from fork\n * onedrive: fix integration tests after precision change\n * operations: fix TestRemoveExisting on crypt backends by shortening the file name\n * bisync: fix output capture restoring the wrong output for logrus\n * serve sftp: update github.com/pkg/sftp to v1.13.7 and fix deadlock in tests\n * build: fix comments after golangci-lint upgrade\n * build: update all dependencies\n * build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1\n * pikpak: fix fatal crash on startup with token that can\u0027t be refreshed\n * yandex: fix server side copying over existing object\n * sugarsync: fix server side copying over existing object\n * putio: fix server side copying over existing object\n * onedrive: fix server side copying over existing object\n * dropbox: fix server side copying over existing object\n * operations: add RemoveExisting to safely remove an existing file\n * gofile: fix server side copying over existing object\n * test_all: try to fix mailru rate limits in integration tests\n * Add shenpengfeng to contributors\n * Add Dimitar Ivanov to contributors\n * docs: fix function name in comment\n * sftp: allow inline ssh public certificate for sftp\n * serve s3: fix excess locking which was making serve s3 single threaded\n * lib/oauthutil: allow the browser opening function to be overridden\n * Add Moises Lima to contributors\n * lib/http: disable automatic authentication skipping for unix sockets\n * onedrive: fix Retry-After handling to look at 503 errors also\n * s3: Storj provider: fix server-side copy of files bigger than 5GB\n * s3: add Selectel as a provider\n * fs: fix Don\u0027t know how to set key \"chunkSize\" on upload errors in tests\n * drive: implement rclone backend rescue to rescue orphaned files\n * Add tgfisher to contributors\n * Add Diego Monti to contributors\n * Add Randy Bush to contributors\n * Add Alexandre Hamez to contributors\n * Add Simon Bos to contributors\n * docs: mention that inline comments are not supported in a filter-file\n * s3: add Wasabi eu-south-1 region\n * docs: fix forward refs in step 9 of using your own client id\n * docs: fix Scaleway Glacier website URL\n * dlna: fix loggingResponseWriter disregarding log level\n * build: remove required property on boolean inputs\n * build: use inputs context in github workflow\n * s3: fix crash when using --s3-download-url after migration to SDKv2\n * docs: update overview to show pcloud can set modtime\n * Add Andr Tran to contributors\n * Add Matthias Gatto to contributors\n * Add lostb1t to contributors\n * Add Noam Ross to contributors\n * Add Benjamin Legrand to contributors\n * s3: add Outscale provider\n * Add ICloud Drive backend\n * drive: add support for markdown format\n * accounting: fix global error acounting\n * onedrive: fix time precision for OneDrive personal\n * Add RcloneView as a sponsor\n * Add Leandro Piccilli to contributors\n * cache: skip bisync tests\n * bisync: allow blank hashes on tests\n * box: fix server-side copying a file over existing dst - fixes #3511\n * sync: add tests for copying/moving a file over itself\n * fs/cache: fix parent not getting pinned when remote is a file\n * gcs: add access token auth with --gcs-access-token\n * accounting: write the current bwlimit to the log on SIGUSR2\n * accounting: fix wrong message on SIGUSR2 to enable/disable bwlimit\n * gphotos: implment --gphotos-proxy to allow download of full resolution media\n * googlephotos: remove noisy debugging statements\n * docs: add note to CONTRIBUTING that the overview needs editing in 2 places\n * test_all: add ignoretests parameter for skipping certain tests\n * build: replace \"golang.org/x/exp/slices\" with \"slices\" now go1.21 is required\n * Changelog updates from Version v1.68.1\n * Makefile: Fail when doc recipes create dir named \u0027$HOME\u0027\n * Makefile: Prevent `doc` recipe from creating dir named \u0027$HOME\u0027\n * pikpak: fix cid/gcid calculations for fs.OverrideRemote\n * bisync: change exit code from 2 to 7 for critically aborted run\n * cmd: change exit code from 1 to 2 for syntax and usage errors\n * local: fix --copy-links on macOS when cloning\n * azureblob: add --azureblob-use-az to force the use of the Azure CLI for auth\n * azureblob: add --azureblob-disable-instance-discovery\n * s3: add initial --s3-directory-bucket to support AWS Directory Buckets\n * Add Lawrence Murray to contributors\n * backend/protondrive: improve performance of Proton Drive backend\n * ftp: implement --ftp-no-check-upload to allow upload to write only dirs\n * docs: document that fusermount3 may be needed when mounting/unmounting\n * Add rishi.sridhar to contributors\n * Add quiescens to contributors\n * docs/zoho: update options\n * zoho: make upload cutoff configurable\n * zoho: add support for private spaces\n * zoho: try to handle rate limits a bit better\n * zoho: print clear error message when missing oauth scope\n * zoho: switch to large file upload API for larger files, fix missing URL encoding of filenames for the upload API\n * zoho: use download server to accelerate downloads\n * opendrive: add about support to backend\n * pikpak: fix login issue where token retrieval fails\n * webdav: nextcloud: implement backoff and retry for 423 LOCKED errors\n * s3: fix rclone ignoring static credentials when env_auth=true\n * fs: fix setting stringArray config values from environment variables\n * rc: fix default value of --metrics-addr\n * fs: fix --dump filters not always appearing\n * docs: correct notes on docker manual build\n * Add ttionya to contributors\n * build: fix docker release build - fixes #8062\n * docs: add section for improving performance for s3\n * onedrive: fix spurious \"Couldn\u0027t decode error response: EOF\" DEBUG\n * Add Divyam to contributors\n * serve docker: add missing vfs-read-chunk-streams option in docker volume driver\n * Start v1.69.0-DEV development\n\n- Update to version 1.68.2:\n * Version v1.68.2\n * s3: fix multitenant multipart uploads with CEPH\n * local: fix permission and ownership on symlinks with --links and --metadata\n CVE-2024-52522 boo#1233422\n * bisync: fix output capture restoring the wrong output for logrus\n * build: fix comments after golangci-lint upgrade\n * build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1\n * pikpak: fix fatal crash on startup with token that can\u0027t be refreshed\n * serve s3: fix excess locking which was making serve s3 single threaded\n * onedrive: fix Retry-After handling to look at 503 errors also\n * s3: Storj provider: fix server-side copy of files bigger than 5GB\n * docs: mention that inline comments are not supported in a filter-file\n * docs: fix forward refs in step 9 of using your own client id\n * docs: fix Scaleway Glacier website URL\n * dlna: fix loggingResponseWriter disregarding log level\n * s3: fix crash when using --s3-download-url after migration to SDKv2\n * docs: update overview to show pcloud can set modtime\n * Add RcloneView as a sponsor\n * accounting: fix wrong message on SIGUSR2 to enable/disable bwlimit\n * pikpak: fix cid/gcid calculations for fs.OverrideRemote\n * local: fix --copy-links on macOS when cloning\n * Start v1.68.2-DEV development\n\n- CVE-2024-51744: updated jwt to v4.5.1 (bsc#1232964).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-packagehub-213",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20620-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1232964",
"url": "https://bugzilla.suse.com/1232964"
},
{
"category": "self",
"summary": "SUSE Bug 1233422",
"url": "https://bugzilla.suse.com/1233422"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45337 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45337/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45338 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45338/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-51744 page",
"url": "https://www.suse.com/security/cve/CVE-2024-51744/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-52522 page",
"url": "https://www.suse.com/security/cve/CVE-2024-52522/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22869 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22869/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22870 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22870/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-30204 page",
"url": "https://www.suse.com/security/cve/CVE-2025-30204/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58181 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58181/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-68121 page",
"url": "https://www.suse.com/security/cve/CVE-2025-68121/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-1229 page",
"url": "https://www.suse.com/security/cve/CVE-2026-1229/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-27141 page",
"url": "https://www.suse.com/security/cve/CVE-2026-27141/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33186 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33186/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-41176 page",
"url": "https://www.suse.com/security/cve/CVE-2026-41176/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-41179 page",
"url": "https://www.suse.com/security/cve/CVE-2026-41179/"
}
],
"title": "Security update for rclone",
"tracking": {
"current_release_date": "2026-04-23T16:22:47Z",
"generator": {
"date": "2026-04-23T16:22:47Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:20620-1",
"initial_release_date": "2026-04-23T16:22:47Z",
"revision_history": [
{
"date": "2026-04-23T16:22:47Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "rclone-1.73.5-bp160.1.1.aarch64",
"product": {
"name": "rclone-1.73.5-bp160.1.1.aarch64",
"product_id": "rclone-1.73.5-bp160.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"product": {
"name": "rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"product_id": "rclone-bash-completion-1.73.5-bp160.1.1.noarch"
}
},
{
"category": "product_version",
"name": "rclone-zsh-completion-1.73.5-bp160.1.1.noarch",
"product": {
"name": "rclone-zsh-completion-1.73.5-bp160.1.1.noarch",
"product_id": "rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "rclone-1.73.5-bp160.1.1.ppc64le",
"product": {
"name": "rclone-1.73.5-bp160.1.1.ppc64le",
"product_id": "rclone-1.73.5-bp160.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "rclone-1.73.5-bp160.1.1.x86_64",
"product": {
"name": "rclone-1.73.5-bp160.1.1.x86_64",
"product_id": "rclone-1.73.5-bp160.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rclone-1.73.5-bp160.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64"
},
"product_reference": "rclone-1.73.5-bp160.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rclone-1.73.5-bp160.1.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le"
},
"product_reference": "rclone-1.73.5-bp160.1.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rclone-1.73.5-bp160.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64"
},
"product_reference": "rclone-1.73.5-bp160.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rclone-bash-completion-1.73.5-bp160.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch"
},
"product_reference": "rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rclone-zsh-completion-1.73.5-bp160.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
},
"product_reference": "rclone-zsh-completion-1.73.5-bp160.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45337",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45337"
}
],
"notes": [
{
"category": "general",
"text": "Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45337",
"url": "https://www.suse.com/security/cve/CVE-2024-45337"
},
{
"category": "external",
"summary": "SUSE Bug 1234482 for CVE-2024-45337",
"url": "https://bugzilla.suse.com/1234482"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-23T16:22:47Z",
"details": "important"
}
],
"title": "CVE-2024-45337"
},
{
"cve": "CVE-2024-45338",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45338"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45338",
"url": "https://www.suse.com/security/cve/CVE-2024-45338"
},
{
"category": "external",
"summary": "SUSE Bug 1234794 for CVE-2024-45338",
"url": "https://bugzilla.suse.com/1234794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-23T16:22:47Z",
"details": "moderate"
}
],
"title": "CVE-2024-45338"
},
{
"cve": "CVE-2024-51744",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-51744"
}
],
"notes": [
{
"category": "general",
"text": "golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in \"dangerous\" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors (\"dangerous\" ones first), so that you are not running in the case detailed above.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-51744",
"url": "https://www.suse.com/security/cve/CVE-2024-51744"
},
{
"category": "external",
"summary": "SUSE Bug 1232936 for CVE-2024-51744",
"url": "https://bugzilla.suse.com/1232936"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-23T16:22:47Z",
"details": "moderate"
}
],
"title": "CVE-2024-51744"
},
{
"cve": "CVE-2024-52522",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-52522"
}
],
"notes": [
{
"category": "general",
"text": "Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical system files, compromising system integrity, confidentiality, and availability. This vulnerability is fixed in 1.68.2.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-52522",
"url": "https://www.suse.com/security/cve/CVE-2024-52522"
},
{
"category": "external",
"summary": "SUSE Bug 1233422 for CVE-2024-52522",
"url": "https://bugzilla.suse.com/1233422"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-23T16:22:47Z",
"details": "moderate"
}
],
"title": "CVE-2024-52522"
},
{
"cve": "CVE-2025-22869",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22869"
}
],
"notes": [
{
"category": "general",
"text": "SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22869",
"url": "https://www.suse.com/security/cve/CVE-2025-22869"
},
{
"category": "external",
"summary": "SUSE Bug 1239322 for CVE-2025-22869",
"url": "https://bugzilla.suse.com/1239322"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-23T16:22:47Z",
"details": "important"
}
],
"title": "CVE-2025-22869"
},
{
"cve": "CVE-2025-22870",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22870"
}
],
"notes": [
{
"category": "general",
"text": "Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to \"*.example.com\", a request to \"[::1%25.example.com]:80` will incorrectly match and not be proxied.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22870",
"url": "https://www.suse.com/security/cve/CVE-2025-22870"
},
{
"category": "external",
"summary": "SUSE Bug 1238572 for CVE-2025-22870",
"url": "https://bugzilla.suse.com/1238572"
},
{
"category": "external",
"summary": "SUSE Bug 1238611 for CVE-2025-22870",
"url": "https://bugzilla.suse.com/1238611"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-23T16:22:47Z",
"details": "moderate"
}
],
"title": "CVE-2025-22870"
},
{
"cve": "CVE-2025-30204",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-30204"
}
],
"notes": [
{
"category": "general",
"text": "golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function\u0027s argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-30204",
"url": "https://www.suse.com/security/cve/CVE-2025-30204"
},
{
"category": "external",
"summary": "SUSE Bug 1240441 for CVE-2025-30204",
"url": "https://bugzilla.suse.com/1240441"
},
{
"category": "external",
"summary": "SUSE Bug 1240442 for CVE-2025-30204",
"url": "https://bugzilla.suse.com/1240442"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-23T16:22:47Z",
"details": "important"
}
],
"title": "CVE-2025-30204"
},
{
"cve": "CVE-2025-58181",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58181"
}
],
"notes": [
{
"category": "general",
"text": "SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58181",
"url": "https://www.suse.com/security/cve/CVE-2025-58181"
},
{
"category": "external",
"summary": "SUSE Bug 1253784 for CVE-2025-58181",
"url": "https://bugzilla.suse.com/1253784"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-23T16:22:47Z",
"details": "moderate"
}
],
"title": "CVE-2025-58181"
},
{
"cve": "CVE-2025-68121",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-68121"
}
],
"notes": [
{
"category": "general",
"text": "During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-68121",
"url": "https://www.suse.com/security/cve/CVE-2025-68121"
},
{
"category": "external",
"summary": "SUSE Bug 1256818 for CVE-2025-68121",
"url": "https://bugzilla.suse.com/1256818"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-23T16:22:47Z",
"details": "important"
}
],
"title": "CVE-2025-68121"
},
{
"cve": "CVE-2026-1229",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-1229"
}
],
"notes": [
{
"category": "general",
"text": "The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.\nECDH and ECDSA signing relying on this curve are not affected.\n\nThe bug was fixed in v1.6.3 https://github.com/cloudflare/circl/releases/tag/v1.6.3 .",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-1229",
"url": "https://www.suse.com/security/cve/CVE-2026-1229"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-23T16:22:47Z",
"details": "critical"
}
],
"title": "CVE-2026-1229"
},
{
"cve": "CVE-2026-27141",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-27141"
}
],
"notes": [
{
"category": "general",
"text": "Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-27141",
"url": "https://www.suse.com/security/cve/CVE-2026-27141"
},
{
"category": "external",
"summary": "SUSE Bug 1259062 for CVE-2026-27141",
"url": "https://bugzilla.suse.com/1259062"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-23T16:22:47Z",
"details": "important"
}
],
"title": "CVE-2026-27141"
},
{
"cve": "CVE-2026-33186",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33186"
}
],
"notes": [
{
"category": "general",
"text": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33186",
"url": "https://www.suse.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "SUSE Bug 1260085 for CVE-2026-33186",
"url": "https://bugzilla.suse.com/1260085"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-23T16:22:47Z",
"details": "important"
}
],
"title": "CVE-2026-33186"
},
{
"cve": "CVE-2026-41176",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-41176"
}
],
"notes": [
{
"category": "general",
"text": "Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-41176",
"url": "https://www.suse.com/security/cve/CVE-2026-41176"
},
{
"category": "external",
"summary": "SUSE Bug 1262438 for CVE-2026-41176",
"url": "https://bugzilla.suse.com/1262438"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-23T16:22:47Z",
"details": "moderate"
}
],
"title": "CVE-2026-41176"
},
{
"cve": "CVE-2026-41179",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-41179"
}
],
"notes": [
{
"category": "general",
"text": "Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint `operations/fsinfo` is exposed without `AuthRequired: true` and accepts attacker-controlled `fs` input. Because `rc.GetFs(...)` supports inline backend definitions, an unauthenticated attacker can instantiate an attacker-controlled backend on demand. For the WebDAV backend, `bearer_token_command` is executed during backend initialization, making single-request unauthenticated local command execution possible on reachable RC deployments without global HTTP authentication. Version 1.73.5 patches the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-41179",
"url": "https://www.suse.com/security/cve/CVE-2026-41179"
},
{
"category": "external",
"summary": "SUSE Bug 1262439 for CVE-2026-41179",
"url": "https://bugzilla.suse.com/1262439"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.aarch64",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:rclone-1.73.5-bp160.1.1.x86_64",
"openSUSE Leap 16.0:rclone-bash-completion-1.73.5-bp160.1.1.noarch",
"openSUSE Leap 16.0:rclone-zsh-completion-1.73.5-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-23T16:22:47Z",
"details": "moderate"
}
],
"title": "CVE-2026-41179"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…