CVE-2026-25727 (GCVE-0-2026-25727)
Vulnerability from cvelistv5 – Published: 2026-02-06 19:20 – Updated: 2026-02-06 20:22
Title
time affected by a stack exhaustion denial of service attack
Summary
time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack-based Buffer Overflow
Assigner
GitHub_M
References
4 references
| URL | Tags |
|---|---|
| https://github.com/time-rs/time/security/advisori… | x_refsource_CONFIRM |
| https://github.com/time-rs/time/commit/1c63dc7985… | x_refsource_MISC |
| https://github.com/time-rs/time/blob/main/CHANGEL… | x_refsource_MISC |
| https://github.com/time-rs/time/releases/tag/v0.3.47 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25727",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-06T20:22:34.026090Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T20:22:58.488Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "time",
"vendor": "time-rs",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.3.6, \u003c 0.3.47"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121: Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T19:20:56.298Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/time-rs/time/security/advisories/GHSA-r6v5-fh4h-64xc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/time-rs/time/security/advisories/GHSA-r6v5-fh4h-64xc"
},
{
"name": "https://github.com/time-rs/time/commit/1c63dc7985b8fa26bd8c689423cc56b7a03841ee",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/time-rs/time/commit/1c63dc7985b8fa26bd8c689423cc56b7a03841ee"
},
{
"name": "https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05"
},
{
"name": "https://github.com/time-rs/time/releases/tag/v0.3.47",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/time-rs/time/releases/tag/v0.3.47"
}
],
"source": {
"advisory": "GHSA-r6v5-fh4h-64xc",
"discovery": "UNKNOWN"
},
"title": "time affected by a stack exhaustion denial of service attack"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25727",
"datePublished": "2026-02-06T19:20:56.298Z",
"dateReserved": "2026-02-05T16:48:00.426Z",
"dateUpdated": "2026-02-06T20:22:58.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-25727",
"date": "2026-06-25",
"epss": "0.00291",
"percentile": "0.20731"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-25727\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-06T20:16:11.860\",\"lastModified\":\"2026-02-24T15:23:35.563\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"ACTIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-121\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:time_project:time:*:*:*:*:*:rust:*:*\",\"versionStartIncluding\":\"0.3.6\",\"versionEndExcluding\":\"0.3.47\",\"matchCriteriaId\":\"7B1E36BA-97A9-44D1-8E88-2E5B96901D1A\"}]}]}],\"references\":[{\"url\":\"https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/time-rs/time/commit/1c63dc7985b8fa26bd8c689423cc56b7a03841ee\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/time-rs/time/releases/tag/v0.3.47\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/time-rs/time/security/advisories/GHSA-r6v5-fh4h-64xc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-25727\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-06T20:22:34.026090Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-06T20:22:35.892Z\"}}], \"cna\": {\"title\": \"time affected by a stack exhaustion denial of service attack\", \"source\": {\"advisory\": \"GHSA-r6v5-fh4h-64xc\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"time-rs\", \"product\": \"time\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 0.3.6, \u003c 0.3.47\"}]}], \"references\": [{\"url\": \"https://github.com/time-rs/time/security/advisories/GHSA-r6v5-fh4h-64xc\", \"name\": \"https://github.com/time-rs/time/security/advisories/GHSA-r6v5-fh4h-64xc\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/time-rs/time/commit/1c63dc7985b8fa26bd8c689423cc56b7a03841ee\", \"name\": \"https://github.com/time-rs/time/commit/1c63dc7985b8fa26bd8c689423cc56b7a03841ee\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05\", \"name\": \"https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/time-rs/time/releases/tag/v0.3.47\", \"name\": \"https://github.com/time-rs/time/releases/tag/v0.3.47\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-121\", \"description\": \"CWE-121: Stack-based Buffer Overflow\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-06T19:20:56.298Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-25727\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-06T20:22:58.488Z\", \"dateReserved\": \"2026-02-05T16:48:00.426Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-06T19:20:56.298Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
SUSE-SU-2026:0452-1
Vulnerability from csaf_suse - Published: 2026-02-11 16:17 - Updated: 2026-02-11 16:17
Summary
Security update for rust-keylime
Severity
Important
Notes
Title of the patch: Security update for rust-keylime
Description of the patch: This update for rust-keylime fixes the following issues:
Update to version 0.2.8+116.
Security issues fixed:
- CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion (bsc#1257908).
Other updates and bugfixes:
- Update vendored crates `time` to version 0.3.47.
- Update to version 0.2.8+116:
* build(deps): bump bytes from 1.7.2 to 1.11.1
* api: Modify /version endpoint output in version 2.5
* Add API v2.5 with backward-compatible /v2.5/quotes/integrity
* tests: add unit test for resolve_agent_id (#1182)
* (pull-model): enable retry logic for registration
* rpm: Update specfiles to apply on master
* workflows: Add test to detect unused crates
* lib: Drop unused crates
* push-model: Drop unused crates
* keylime-agent: Drop unused crates
* build(deps): bump uuid from 1.18.1 to 1.19.0
* Update reqwest-retry to 0.8, retry-policies to 0.5
* rpm: Fix cargo_build macro usage on CentOS Stream
* fix(push-model): resolve hash_ek uuid to actual EK hash
* build(deps): bump thiserror from 2.0.16 to 2.0.17
* workflows: Separate upstream test suite from e2e coverage
* Send UEFI measured boot logs as raw bytes (#1173)
* auth: Add unit tests for SecretToken implementation
* packit: Enable push-attestation tests
* resilient_client: Prevent authentication token leakage in logs
- Use tmpfiles.d for /var directories (PED-14736)
- Update to version 0.2.8+96:
* build(deps): bump wiremock from 0.6.4 to 0.6.5
* build(deps): bump actions/checkout from 5 to 6
* build(deps): bump chrono from 0.4.41 to 0.4.42
* packit: Get coverage from Fedora 43 runs
* Fix issues pointed out by clippy
* Replace mutex unwraps with proper error handling in TPM library
* Remove unused session request methods from StructureFiller
* Fix config panic on missing ek_handle in push model agent
* build(deps): bump tempfile from 3.21.0 to 3.23.0
* build(deps): bump actions/upload-artifact from 4 to 6 (#1163)
* Fix clippy warnings project-wide
* Add KEYLIME_DIR support for verifier TLS certificates in push model agent
* Thread privileged resources and use MeasurementList for IMA reading
* Add privileged resource initialization and privilege dropping to push model agent
* Fix privilege dropping order in run_as()
* add documentation on FQDN hostnames
* Remove confusing logs for push mode agent
* Set correct default Verifier port (8891->8881) (#1159)
* Add verifier_url to reference configuration file (#1158)
* Add TLS support for Registrar communication (#1139)
* Fix agent handling of 403 registration responses (#1154)
* Add minor README.md rephrasing (#1151)
* build(deps): bump actions/checkout from 5 to 6 (#1153)
* ci: update spec files for packit COPR build
* docs: improve challenge encoding and async TPM documentation
* refactor: improve middleware and error handling
* feat: add authentication client with middleware integration
* docker: Include keylime_push_model_agent binary
* Include attestation_interval configuration (#1146)
* Persist payload keys to avoid attestation failure on restart
* crypto: Implement the load or generate pattern for keys
* Use simple algorithm specifiers in certification_keys object (#1140)
* tests: Enable more tests in CI
* Fix RSA2048 algorithm reporting in keylime agent
* Remove disabled_signing_algorithms configuration
* rpm: Fix metadata patches to apply to current code
* workflows/rpm.yml: Use more strict patching
* build(deps): bump uuid from 1.17.0 to 1.18.1
* Fix ECC algorithm selection and reporting for keylime agent
* Improve logging consistency and coherency
* Implement minimal RFC compliance for Location header and URI parsing (#1125)
* Use separate keys for payload mechanism and mTLS
* docker: update rust to 1.81 for distroless Dockerfile
* Ensure UEFI log capabilities are set to false
* build(deps): bump http from 1.1.0 to 1.3.1
* build(deps): bump log from 0.4.27 to 0.4.28
* build(deps): bump cfg-if from 1.0.1 to 1.0.3
* build(deps): bump actix-rt from 2.10.0 to 2.11.0
* build(deps): bump async-trait from 0.1.88 to 0.1.89
* build(deps): bump trybuild from 1.0.105 to 1.0.110
* Accept evidence handling structures null entries
* workflows: Add test to check if RPM patches still apply
* CI: Enable test add-agent-with-malformed-ek-cert
* config: Fix singleton tests
* FSM: Remove needless lifetime annotations (#1105)
* rpm: Do not remove wiremock which is now available in Fedora
* Use latest Fedora httpdate version (1.0.3)
* Enhance coverage with parse_retry_after test
* Fix issues reported by CI regarding unwrap() calls
* Reuse max retries indicated to the ResilientClient
* Include limit of retries to 5 for Retry-After
* Add policy to handle Retry-After response headers
* build(deps): bump wiremock from 0.6.3 to 0.6.4
* build(deps): bump serde_json from 1.0.140 to 1.0.143
* build(deps): bump pest_derive from 2.8.0 to 2.8.1
* build(deps): bump syn from 2.0.90 to 2.0.106
* build(deps): bump tempfile from 3.20.0 to 3.21.0
* build(deps): bump thiserror from 2.0.12 to 2.0.16
* rpm: Fix patches to apply to current master code
* build(deps): bump anyhow from 1.0.98 to 1.0.99
* state_machine: Automatically clean config override during tests
* config: Implement singleton and factory pattern
* testing: Support overriding configuration during tests
* feat: implement standalone challenge-response authentication module
* structures: rename session structs for clarity and fix typos
* tpm: refactor certify_credential_with_iak() into a more generic function
* Add Push Model Agent Mermaid FSM chart (#1095)
* Add state to avoid exiting on wrong attestation (#1093)
* Add 6 alphanumeric lowercase X-Request-ID header
* Enhance Evidence Handling response parsing
* build(deps): bump quote from 1.0.35 to 1.0.40
* build(deps): bump libc from 0.2.172 to 0.2.175
* build(deps): bump glob from 0.3.2 to 0.3.3
* build(deps): bump actix-web from 4.10.2 to 4.11.0
Patchnames: SUSE-2026-452,SUSE-SLE-Micro-5.4-2026-452
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Micro 5.4:rust-keylime-0.2.8+116-150400.3.11.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Micro 5.4:rust-keylime-0.2.8+116-150400.3.11.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Micro 5.4:rust-keylime-0.2.8+116-150400.3.11.1.x86_64 | — | | Vendor Fix |
Threats
Impact
important
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for rust-keylime",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for rust-keylime fixes the following issues:\n\nUpdate to version 0.2.8+116.\n\nSecurity issues fixed:\n\n- CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion\n (bsc#1257908).\n\nOther updates and bugfixes:\n\n- Update vendored crates `time` to version 0.3.47.\n\n- Update to version 0.2.8+116:\n\n * build(deps): bump bytes from 1.7.2 to 1.11.1\n * api: Modify /version endpoint output in version 2.5\n * Add API v2.5 with backward-compatible /v2.5/quotes/integrity\n * tests: add unit test for resolve_agent_id (#1182)\n * (pull-model): enable retry logic for registration\n * rpm: Update specfiles to apply on master\n * workflows: Add test to detect unused crates\n * lib: Drop unused crates\n * push-model: Drop unused crates\n * keylime-agent: Drop unused crates\n * build(deps): bump uuid from 1.18.1 to 1.19.0\n * Update reqwest-retry to 0.8, retry-policies to 0.5\n * rpm: Fix cargo_build macro usage on CentOS Stream\n * fix(push-model): resolve hash_ek uuid to actual EK hash\n * build(deps): bump thiserror from 2.0.16 to 2.0.17\n * workflows: Separate upstream test suite from e2e coverage\n * Send UEFI measured boot logs as raw bytes (#1173)\n * auth: Add unit tests for SecretToken implementation\n * packit: Enable push-attestation tests\n * resilient_client: Prevent authentication token leakage in logs\n\n- Use tmpfiles.d for /var directories (PED-14736)\n \n- Update to version 0.2.8+96:\n \n * build(deps): bump wiremock from 0.6.4 to 0.6.5\n * build(deps): bump actions/checkout from 5 to 6\n * build(deps): bump chrono from 0.4.41 to 0.4.42\n * packit: Get coverage from Fedora 43 runs\n * Fix issues pointed out by clippy\n * Replace mutex unwraps with proper error handling in TPM library\n * Remove unused session request methods from StructureFiller\n * Fix config panic on missing ek_handle in push model agent\n * build(deps): bump tempfile from 3.21.0 to 3.23.0\n * build(deps): bump actions/upload-artifact from 4 to 6 (#1163)\n * Fix clippy warnings project-wide\n * Add KEYLIME_DIR support for verifier TLS certificates in push model agent\n * Thread privileged resources and use MeasurementList for IMA reading\n * Add privileged resource initialization and privilege dropping to push model agent\n * Fix privilege dropping order in run_as()\n * add documentation on FQDN hostnames\n * Remove confusing logs for push mode agent\n * Set correct default Verifier port (8891-\u003e8881) (#1159)\n * Add verifier_url to reference configuration file (#1158)\n * Add TLS support for Registrar communication (#1139)\n * Fix agent handling of 403 registration responses (#1154)\n * Add minor README.md rephrasing (#1151)\n * build(deps): bump actions/checkout from 5 to 6 (#1153)\n * ci: update spec files for packit COPR build\n * docs: improve challenge encoding and async TPM documentation\n * refactor: improve middleware and error handling\n * feat: add authentication client with middleware integration\n * docker: Include keylime_push_model_agent binary\n * Include attestation_interval configuration (#1146)\n * Persist payload keys to avoid attestation failure on restart\n * crypto: Implement the load or generate pattern for keys\n * Use simple algorithm specifiers in certification_keys object (#1140)\n * tests: Enable more tests in CI\n * Fix RSA2048 algorithm reporting in keylime agent\n * Remove disabled_signing_algorithms configuration\n * rpm: Fix metadata patches to apply to current code\n * workflows/rpm.yml: Use more strict patching\n * build(deps): bump uuid from 1.17.0 to 1.18.1\n * Fix ECC algorithm selection and reporting for keylime agent\n * Improve logging consistency and coherency\n * Implement minimal RFC compliance for Location header and URI parsing (#1125)\n * Use separate keys for payload mechanism and mTLS\n * docker: update rust to 1.81 for distroless Dockerfile\n * Ensure UEFI log capabilities are set to false\n * build(deps): bump http from 1.1.0 to 1.3.1\n * build(deps): bump log from 0.4.27 to 0.4.28\n * build(deps): bump cfg-if from 1.0.1 to 1.0.3\n * build(deps): bump actix-rt from 2.10.0 to 2.11.0\n * build(deps): bump async-trait from 0.1.88 to 0.1.89\n * build(deps): bump trybuild from 1.0.105 to 1.0.110\n * Accept evidence handling structures null entries\n * workflows: Add test to check if RPM patches still apply\n * CI: Enable test add-agent-with-malformed-ek-cert\n * config: Fix singleton tests\n * FSM: Remove needless lifetime annotations (#1105)\n * rpm: Do not remove wiremock which is now available in Fedora\n * Use latest Fedora httpdate version (1.0.3)\n * Enhance coverage with parse_retry_after test\n * Fix issues reported by CI regarding unwrap() calls\n * Reuse max retries indicated to the ResilientClient\n * Include limit of retries to 5 for Retry-After\n * Add policy to handle Retry-After response headers\n * build(deps): bump wiremock from 0.6.3 to 0.6.4\n * build(deps): bump serde_json from 1.0.140 to 1.0.143\n * build(deps): bump pest_derive from 2.8.0 to 2.8.1\n * build(deps): bump syn from 2.0.90 to 2.0.106\n * build(deps): bump tempfile from 3.20.0 to 3.21.0\n * build(deps): bump thiserror from 2.0.12 to 2.0.16\n * rpm: Fix patches to apply to current master code\n * build(deps): bump anyhow from 1.0.98 to 1.0.99\n * state_machine: Automatically clean config override during tests\n * config: Implement singleton and factory pattern\n * testing: Support overriding configuration during tests\n * feat: implement standalone challenge-response authentication module\n * structures: rename session structs for clarity and fix typos\n * tpm: refactor certify_credential_with_iak() into a more generic function\n * Add Push Model Agent Mermaid FSM chart (#1095)\n * Add state to avoid exiting on wrong attestation (#1093)\n * Add 6 alphanumeric lowercase X-Request-ID header\n * Enhance Evidence Handling response parsing\n * build(deps): bump quote from 1.0.35 to 1.0.40\n * build(deps): bump libc from 0.2.172 to 0.2.175\n * build(deps): bump glob from 0.3.2 to 0.3.3\n * build(deps): bump actix-web from 4.10.2 to 4.11.0\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-452,SUSE-SLE-Micro-5.4-2026-452",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_0452-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:0452-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260452-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:0452-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024129.html"
},
{
"category": "self",
"summary": "SUSE Bug 1257908",
"url": "https://bugzilla.suse.com/1257908"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-25727 page",
"url": "https://www.suse.com/security/cve/CVE-2026-25727/"
}
],
"title": "Security update for rust-keylime",
"tracking": {
"current_release_date": "2026-02-11T16:17:16Z",
"generator": {
"date": "2026-02-11T16:17:16Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:0452-1",
"initial_release_date": "2026-02-11T16:17:16Z",
"revision_history": [
{
"date": "2026-02-11T16:17:16Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "keylime-ima-policy-0.2.8+116-150400.3.11.1.aarch64",
"product": {
"name": "keylime-ima-policy-0.2.8+116-150400.3.11.1.aarch64",
"product_id": "keylime-ima-policy-0.2.8+116-150400.3.11.1.aarch64"
}
},
{
"category": "product_version",
"name": "rust-keylime-0.2.8+116-150400.3.11.1.aarch64",
"product": {
"name": "rust-keylime-0.2.8+116-150400.3.11.1.aarch64",
"product_id": "rust-keylime-0.2.8+116-150400.3.11.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "keylime-ima-policy-0.2.8+116-150400.3.11.1.ppc64le",
"product": {
"name": "keylime-ima-policy-0.2.8+116-150400.3.11.1.ppc64le",
"product_id": "keylime-ima-policy-0.2.8+116-150400.3.11.1.ppc64le"
}
},
{
"category": "product_version",
"name": "rust-keylime-0.2.8+116-150400.3.11.1.ppc64le",
"product": {
"name": "rust-keylime-0.2.8+116-150400.3.11.1.ppc64le",
"product_id": "rust-keylime-0.2.8+116-150400.3.11.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "keylime-ima-policy-0.2.8+116-150400.3.11.1.s390x",
"product": {
"name": "keylime-ima-policy-0.2.8+116-150400.3.11.1.s390x",
"product_id": "keylime-ima-policy-0.2.8+116-150400.3.11.1.s390x"
}
},
{
"category": "product_version",
"name": "rust-keylime-0.2.8+116-150400.3.11.1.s390x",
"product": {
"name": "rust-keylime-0.2.8+116-150400.3.11.1.s390x",
"product_id": "rust-keylime-0.2.8+116-150400.3.11.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "keylime-ima-policy-0.2.8+116-150400.3.11.1.x86_64",
"product": {
"name": "keylime-ima-policy-0.2.8+116-150400.3.11.1.x86_64",
"product_id": "keylime-ima-policy-0.2.8+116-150400.3.11.1.x86_64"
}
},
{
"category": "product_version",
"name": "rust-keylime-0.2.8+116-150400.3.11.1.x86_64",
"product": {
"name": "rust-keylime-0.2.8+116-150400.3.11.1.x86_64",
"product_id": "rust-keylime-0.2.8+116-150400.3.11.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Micro 5.4",
"product": {
"name": "SUSE Linux Enterprise Micro 5.4",
"product_id": "SUSE Linux Enterprise Micro 5.4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-micro:5.4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rust-keylime-0.2.8+116-150400.3.11.1.aarch64 as component of SUSE Linux Enterprise Micro 5.4",
"product_id": "SUSE Linux Enterprise Micro 5.4:rust-keylime-0.2.8+116-150400.3.11.1.aarch64"
},
"product_reference": "rust-keylime-0.2.8+116-150400.3.11.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rust-keylime-0.2.8+116-150400.3.11.1.s390x as component of SUSE Linux Enterprise Micro 5.4",
"product_id": "SUSE Linux Enterprise Micro 5.4:rust-keylime-0.2.8+116-150400.3.11.1.s390x"
},
"product_reference": "rust-keylime-0.2.8+116-150400.3.11.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rust-keylime-0.2.8+116-150400.3.11.1.x86_64 as component of SUSE Linux Enterprise Micro 5.4",
"product_id": "SUSE Linux Enterprise Micro 5.4:rust-keylime-0.2.8+116-150400.3.11.1.x86_64"
},
"product_reference": "rust-keylime-0.2.8+116-150400.3.11.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-25727",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-25727"
}
],
"notes": [
{
"category": "general",
"text": "time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Micro 5.4:rust-keylime-0.2.8+116-150400.3.11.1.aarch64",
"SUSE Linux Enterprise Micro 5.4:rust-keylime-0.2.8+116-150400.3.11.1.s390x",
"SUSE Linux Enterprise Micro 5.4:rust-keylime-0.2.8+116-150400.3.11.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-25727",
"url": "https://www.suse.com/security/cve/CVE-2026-25727"
},
{
"category": "external",
"summary": "SUSE Bug 1257901 for CVE-2026-25727",
"url": "https://bugzilla.suse.com/1257901"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Micro 5.4:rust-keylime-0.2.8+116-150400.3.11.1.aarch64",
"SUSE Linux Enterprise Micro 5.4:rust-keylime-0.2.8+116-150400.3.11.1.s390x",
"SUSE Linux Enterprise Micro 5.4:rust-keylime-0.2.8+116-150400.3.11.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Micro 5.4:rust-keylime-0.2.8+116-150400.3.11.1.aarch64",
"SUSE Linux Enterprise Micro 5.4:rust-keylime-0.2.8+116-150400.3.11.1.s390x",
"SUSE Linux Enterprise Micro 5.4:rust-keylime-0.2.8+116-150400.3.11.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-11T16:17:16Z",
"details": "important"
}
],
"title": "CVE-2026-25727"
}
]
}
SUSE-SU-2026:0453-1
Vulnerability from csaf_suse - Published: 2026-02-11 16:17 - Updated: 2026-02-11 16:17
Summary
Security update for rust-keylime
Severity
Important
Notes
Title of the patch: Security update for rust-keylime
Description of the patch: This update for rust-keylime fixes the following issues:
Update to version 0.2.8+116.
Security issues fixed:
- CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion
(bsc#1257908).
Other updates and bugfixes:
- Update vendored crates `time` to version 0.3.47.
- Update to version 0.2.8+116:
* build(deps): bump bytes from 1.7.2 to 1.11.1
* api: Modify /version endpoint output in version 2.5
* Add API v2.5 with backward-compatible /v2.5/quotes/integrity
* tests: add unit test for resolve_agent_id (#1182)
* (pull-model): enable retry logic for registration
* rpm: Update specfiles to apply on master
* workflows: Add test to detect unused crates
* lib: Drop unused crates
* push-model: Drop unused crates
* keylime-agent: Drop unused crates
* build(deps): bump uuid from 1.18.1 to 1.19.0
* Update reqwest-retry to 0.8, retry-policies to 0.5
* rpm: Fix cargo_build macro usage on CentOS Stream
* fix(push-model): resolve hash_ek uuid to actual EK hash
* build(deps): bump thiserror from 2.0.16 to 2.0.17
* workflows: Separate upstream test suite from e2e coverage
* Send UEFI measured boot logs as raw bytes (#1173)
* auth: Add unit tests for SecretToken implementation
* packit: Enable push-attestation tests
* resilient_client: Prevent authentication token leakage in logs
- Use tmpfiles.d for /var directories (PED-14736)
- Update to version 0.2.8+96:
* build(deps): bump wiremock from 0.6.4 to 0.6.5
* build(deps): bump actions/checkout from 5 to 6
* build(deps): bump chrono from 0.4.41 to 0.4.42
* packit: Get coverage from Fedora 43 runs
* Fix issues pointed out by clippy
* Replace mutex unwraps with proper error handling in TPM library
* Remove unused session request methods from StructureFiller
* Fix config panic on missing ek_handle in push model agent
* build(deps): bump tempfile from 3.21.0 to 3.23.0
* build(deps): bump actions/upload-artifact from 4 to 6 (#1163)
* Fix clippy warnings project-wide
* Add KEYLIME_DIR support for verifier TLS certificates in push model agent
* Thread privileged resources and use MeasurementList for IMA reading
* Add privileged resource initialization and privilege dropping to push model agent
* Fix privilege dropping order in run_as()
* add documentation on FQDN hostnames
* Remove confusing logs for push mode agent
* Set correct default Verifier port (8891->8881) (#1159)
* Add verifier_url to reference configuration file (#1158)
* Add TLS support for Registrar communication (#1139)
* Fix agent handling of 403 registration responses (#1154)
* Add minor README.md rephrasing (#1151)
* build(deps): bump actions/checkout from 5 to 6 (#1153)
* ci: update spec files for packit COPR build
* docs: improve challenge encoding and async TPM documentation
* refactor: improve middleware and error handling
* feat: add authentication client with middleware integration
* docker: Include keylime_push_model_agent binary
* Include attestation_interval configuration (#1146)
* Persist payload keys to avoid attestation failure on restart
* crypto: Implement the load or generate pattern for keys
* Use simple algorithm specifiers in certification_keys object (#1140)
* tests: Enable more tests in CI
* Fix RSA2048 algorithm reporting in keylime agent
* Remove disabled_signing_algorithms configuration
* rpm: Fix metadata patches to apply to current code
* workflows/rpm.yml: Use more strict patching
* build(deps): bump uuid from 1.17.0 to 1.18.1
* Fix ECC algorithm selection and reporting for keylime agent
* Improve logging consistency and coherency
* Implement minimal RFC compliance for Location header and URI parsing (#1125)
* Use separate keys for payload mechanism and mTLS
* docker: update rust to 1.81 for distroless Dockerfile
* Ensure UEFI log capabilities are set to false
* build(deps): bump http from 1.1.0 to 1.3.1
* build(deps): bump log from 0.4.27 to 0.4.28
* build(deps): bump cfg-if from 1.0.1 to 1.0.3
* build(deps): bump actix-rt from 2.10.0 to 2.11.0
* build(deps): bump async-trait from 0.1.88 to 0.1.89
* build(deps): bump trybuild from 1.0.105 to 1.0.110
* Accept evidence handling structures null entries
* workflows: Add test to check if RPM patches still apply
* CI: Enable test add-agent-with-malformed-ek-cert
* config: Fix singleton tests
* FSM: Remove needless lifetime annotations (#1105)
* rpm: Do not remove wiremock which is now available in Fedora
* Use latest Fedora httpdate version (1.0.3)
* Enhance coverage with parse_retry_after test
* Fix issues reported by CI regarding unwrap() calls
* Reuse max retries indicated to the ResilientClient
* Include limit of retries to 5 for Retry-After
* Add policy to handle Retry-After response headers
* build(deps): bump wiremock from 0.6.3 to 0.6.4
* build(deps): bump serde_json from 1.0.140 to 1.0.143
* build(deps): bump pest_derive from 2.8.0 to 2.8.1
* build(deps): bump syn from 2.0.90 to 2.0.106
* build(deps): bump tempfile from 3.20.0 to 3.21.0
* build(deps): bump thiserror from 2.0.12 to 2.0.16
* rpm: Fix patches to apply to current master code
* build(deps): bump anyhow from 1.0.98 to 1.0.99
* state_machine: Automatically clean config override during tests
* config: Implement singleton and factory pattern
* testing: Support overriding configuration during tests
* feat: implement standalone challenge-response authentication module
* structures: rename session structs for clarity and fix typos
* tpm: refactor certify_credential_with_iak() into a more generic function
* Add Push Model Agent Mermaid FSM chart (#1095)
* Add state to avoid exiting on wrong attestation (#1093)
* Add 6 alphanumeric lowercase X-Request-ID header
* Enhance Evidence Handling response parsing
* build(deps): bump quote from 1.0.35 to 1.0.40
* build(deps): bump libc from 0.2.172 to 0.2.175
* build(deps): bump glob from 0.3.2 to 0.3.3
* build(deps): bump actix-web from 4.10.2 to 4.11.0
Patchnames: SUSE-2026-453,SUSE-SLE-Micro-5.3-2026-453
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Micro 5.3:rust-keylime-0.2.8+116-150400.3.13.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Micro 5.3:rust-keylime-0.2.8+116-150400.3.13.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Micro 5.3:rust-keylime-0.2.8+116-150400.3.13.1.x86_64 | — | | Vendor Fix |
Threats
Impact
important
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for rust-keylime",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for rust-keylime fixes the following issues:\n\nUpdate to version 0.2.8+116.\n\nSecurity issues fixed:\n\n- CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion\n (bsc#1257908).\n\nOther updates and bugfixes:\n\n- Update vendored crates `time` to version 0.3.47.\n\n- Update to version 0.2.8+116:\n \n * build(deps): bump bytes from 1.7.2 to 1.11.1\n * api: Modify /version endpoint output in version 2.5\n * Add API v2.5 with backward-compatible /v2.5/quotes/integrity\n * tests: add unit test for resolve_agent_id (#1182)\n * (pull-model): enable retry logic for registration\n * rpm: Update specfiles to apply on master\n * workflows: Add test to detect unused crates\n * lib: Drop unused crates\n * push-model: Drop unused crates\n * keylime-agent: Drop unused crates\n * build(deps): bump uuid from 1.18.1 to 1.19.0\n * Update reqwest-retry to 0.8, retry-policies to 0.5\n * rpm: Fix cargo_build macro usage on CentOS Stream\n * fix(push-model): resolve hash_ek uuid to actual EK hash\n * build(deps): bump thiserror from 2.0.16 to 2.0.17\n * workflows: Separate upstream test suite from e2e coverage\n * Send UEFI measured boot logs as raw bytes (#1173)\n * auth: Add unit tests for SecretToken implementation\n * packit: Enable push-attestation tests\n * resilient_client: Prevent authentication token leakage in logs\n\n- Use tmpfiles.d for /var directories (PED-14736)\n \n- Update to version 0.2.8+96:\n \n * build(deps): bump wiremock from 0.6.4 to 0.6.5\n * build(deps): bump actions/checkout from 5 to 6\n * build(deps): bump chrono from 0.4.41 to 0.4.42\n * packit: Get coverage from Fedora 43 runs\n * Fix issues pointed out by clippy\n * Replace mutex unwraps with proper error handling in TPM library\n * Remove unused session request methods from StructureFiller\n * Fix config panic on missing ek_handle in push model agent\n * build(deps): bump tempfile from 3.21.0 to 3.23.0\n * build(deps): bump actions/upload-artifact from 4 to 6 (#1163)\n * Fix clippy warnings project-wide\n * Add KEYLIME_DIR support for verifier TLS certificates in push model agent\n * Thread privileged resources and use MeasurementList for IMA reading\n * Add privileged resource initialization and privilege dropping to push model agent\n * Fix privilege dropping order in run_as()\n * add documentation on FQDN hostnames\n * Remove confusing logs for push mode agent\n * Set correct default Verifier port (8891-\u003e8881) (#1159)\n * Add verifier_url to reference configuration file (#1158)\n * Add TLS support for Registrar communication (#1139)\n * Fix agent handling of 403 registration responses (#1154)\n * Add minor README.md rephrasing (#1151)\n * build(deps): bump actions/checkout from 5 to 6 (#1153)\n * ci: update spec files for packit COPR build\n * docs: improve challenge encoding and async TPM documentation\n * refactor: improve middleware and error handling\n * feat: add authentication client with middleware integration\n * docker: Include keylime_push_model_agent binary\n * Include attestation_interval configuration (#1146)\n * Persist payload keys to avoid attestation failure on restart\n * crypto: Implement the load or generate pattern for keys\n * Use simple algorithm specifiers in certification_keys object (#1140)\n * tests: Enable more tests in CI\n * Fix RSA2048 algorithm reporting in keylime agent\n * Remove disabled_signing_algorithms configuration\n * rpm: Fix metadata patches to apply to current code\n * workflows/rpm.yml: Use more strict patching\n * build(deps): bump uuid from 1.17.0 to 1.18.1\n * Fix ECC algorithm selection and reporting for keylime agent\n * Improve logging consistency and coherency\n * Implement minimal RFC compliance for Location header and URI parsing (#1125)\n * Use separate keys for payload mechanism and mTLS\n * docker: update rust to 1.81 for distroless Dockerfile\n * Ensure UEFI log capabilities are set to false\n * build(deps): bump http from 1.1.0 to 1.3.1\n * build(deps): bump log from 0.4.27 to 0.4.28\n * build(deps): bump cfg-if from 1.0.1 to 1.0.3\n * build(deps): bump actix-rt from 2.10.0 to 2.11.0\n * build(deps): bump async-trait from 0.1.88 to 0.1.89\n * build(deps): bump trybuild from 1.0.105 to 1.0.110\n * Accept evidence handling structures null entries\n * workflows: Add test to check if RPM patches still apply\n * CI: Enable test add-agent-with-malformed-ek-cert\n * config: Fix singleton tests\n * FSM: Remove needless lifetime annotations (#1105)\n * rpm: Do not remove wiremock which is now available in Fedora\n * Use latest Fedora httpdate version (1.0.3)\n * Enhance coverage with parse_retry_after test\n * Fix issues reported by CI regarding unwrap() calls\n * Reuse max retries indicated to the ResilientClient\n * Include limit of retries to 5 for Retry-After\n * Add policy to handle Retry-After response headers\n * build(deps): bump wiremock from 0.6.3 to 0.6.4\n * build(deps): bump serde_json from 1.0.140 to 1.0.143\n * build(deps): bump pest_derive from 2.8.0 to 2.8.1\n * build(deps): bump syn from 2.0.90 to 2.0.106\n * build(deps): bump tempfile from 3.20.0 to 3.21.0\n * build(deps): bump thiserror from 2.0.12 to 2.0.16\n * rpm: Fix patches to apply to current master code\n * build(deps): bump anyhow from 1.0.98 to 1.0.99\n * state_machine: Automatically clean config override during tests\n * config: Implement singleton and factory pattern\n * testing: Support overriding configuration during tests\n * feat: implement standalone challenge-response authentication module\n * structures: rename session structs for clarity and fix typos\n * tpm: refactor certify_credential_with_iak() into a more generic function\n * Add Push Model Agent Mermaid FSM chart (#1095)\n * Add state to avoid exiting on wrong attestation (#1093)\n * Add 6 alphanumeric lowercase X-Request-ID header\n * Enhance Evidence Handling response parsing\n * build(deps): bump quote from 1.0.35 to 1.0.40\n * build(deps): bump libc from 0.2.172 to 0.2.175\n * build(deps): bump glob from 0.3.2 to 0.3.3\n * build(deps): bump actix-web from 4.10.2 to 4.11.0\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-453,SUSE-SLE-Micro-5.3-2026-453",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_0453-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:0453-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260453-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:0453-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024128.html"
},
{
"category": "self",
"summary": "SUSE Bug 1257908",
"url": "https://bugzilla.suse.com/1257908"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-25727 page",
"url": "https://www.suse.com/security/cve/CVE-2026-25727/"
}
],
"title": "Security update for rust-keylime",
"tracking": {
"current_release_date": "2026-02-11T16:17:25Z",
"generator": {
"date": "2026-02-11T16:17:25Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:0453-1",
"initial_release_date": "2026-02-11T16:17:25Z",
"revision_history": [
{
"date": "2026-02-11T16:17:25Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "keylime-ima-policy-0.2.8+116-150400.3.13.1.aarch64",
"product": {
"name": "keylime-ima-policy-0.2.8+116-150400.3.13.1.aarch64",
"product_id": "keylime-ima-policy-0.2.8+116-150400.3.13.1.aarch64"
}
},
{
"category": "product_version",
"name": "rust-keylime-0.2.8+116-150400.3.13.1.aarch64",
"product": {
"name": "rust-keylime-0.2.8+116-150400.3.13.1.aarch64",
"product_id": "rust-keylime-0.2.8+116-150400.3.13.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "keylime-ima-policy-0.2.8+116-150400.3.13.1.ppc64le",
"product": {
"name": "keylime-ima-policy-0.2.8+116-150400.3.13.1.ppc64le",
"product_id": "keylime-ima-policy-0.2.8+116-150400.3.13.1.ppc64le"
}
},
{
"category": "product_version",
"name": "rust-keylime-0.2.8+116-150400.3.13.1.ppc64le",
"product": {
"name": "rust-keylime-0.2.8+116-150400.3.13.1.ppc64le",
"product_id": "rust-keylime-0.2.8+116-150400.3.13.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "keylime-ima-policy-0.2.8+116-150400.3.13.1.s390x",
"product": {
"name": "keylime-ima-policy-0.2.8+116-150400.3.13.1.s390x",
"product_id": "keylime-ima-policy-0.2.8+116-150400.3.13.1.s390x"
}
},
{
"category": "product_version",
"name": "rust-keylime-0.2.8+116-150400.3.13.1.s390x",
"product": {
"name": "rust-keylime-0.2.8+116-150400.3.13.1.s390x",
"product_id": "rust-keylime-0.2.8+116-150400.3.13.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "keylime-ima-policy-0.2.8+116-150400.3.13.1.x86_64",
"product": {
"name": "keylime-ima-policy-0.2.8+116-150400.3.13.1.x86_64",
"product_id": "keylime-ima-policy-0.2.8+116-150400.3.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "rust-keylime-0.2.8+116-150400.3.13.1.x86_64",
"product": {
"name": "rust-keylime-0.2.8+116-150400.3.13.1.x86_64",
"product_id": "rust-keylime-0.2.8+116-150400.3.13.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Micro 5.3",
"product": {
"name": "SUSE Linux Enterprise Micro 5.3",
"product_id": "SUSE Linux Enterprise Micro 5.3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-micro:5.3"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rust-keylime-0.2.8+116-150400.3.13.1.aarch64 as component of SUSE Linux Enterprise Micro 5.3",
"product_id": "SUSE Linux Enterprise Micro 5.3:rust-keylime-0.2.8+116-150400.3.13.1.aarch64"
},
"product_reference": "rust-keylime-0.2.8+116-150400.3.13.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rust-keylime-0.2.8+116-150400.3.13.1.s390x as component of SUSE Linux Enterprise Micro 5.3",
"product_id": "SUSE Linux Enterprise Micro 5.3:rust-keylime-0.2.8+116-150400.3.13.1.s390x"
},
"product_reference": "rust-keylime-0.2.8+116-150400.3.13.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rust-keylime-0.2.8+116-150400.3.13.1.x86_64 as component of SUSE Linux Enterprise Micro 5.3",
"product_id": "SUSE Linux Enterprise Micro 5.3:rust-keylime-0.2.8+116-150400.3.13.1.x86_64"
},
"product_reference": "rust-keylime-0.2.8+116-150400.3.13.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-25727",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-25727"
}
],
"notes": [
{
"category": "general",
"text": "time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Micro 5.3:rust-keylime-0.2.8+116-150400.3.13.1.aarch64",
"SUSE Linux Enterprise Micro 5.3:rust-keylime-0.2.8+116-150400.3.13.1.s390x",
"SUSE Linux Enterprise Micro 5.3:rust-keylime-0.2.8+116-150400.3.13.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-25727",
"url": "https://www.suse.com/security/cve/CVE-2026-25727"
},
{
"category": "external",
"summary": "SUSE Bug 1257901 for CVE-2026-25727",
"url": "https://bugzilla.suse.com/1257901"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Micro 5.3:rust-keylime-0.2.8+116-150400.3.13.1.aarch64",
"SUSE Linux Enterprise Micro 5.3:rust-keylime-0.2.8+116-150400.3.13.1.s390x",
"SUSE Linux Enterprise Micro 5.3:rust-keylime-0.2.8+116-150400.3.13.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Micro 5.3:rust-keylime-0.2.8+116-150400.3.13.1.aarch64",
"SUSE Linux Enterprise Micro 5.3:rust-keylime-0.2.8+116-150400.3.13.1.s390x",
"SUSE Linux Enterprise Micro 5.3:rust-keylime-0.2.8+116-150400.3.13.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-11T16:17:25Z",
"details": "important"
}
],
"title": "CVE-2026-25727"
}
]
}
SUSE-SU-2026:0470-1
Vulnerability from csaf_suse - Published: 2026-02-12 11:22 - Updated: 2026-02-12 11:22
Summary
Security update for rust-keylime
Severity
Important
Notes
Title of the patch: Security update for rust-keylime
Description of the patch: This update for rust-keylime fixes the following issues:
Update to version 0.2.8+116.
Security issues fixed:
- CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion
(bsc#1257908).
Other updates and bugfixes:
- Update vendored crates `time` to version 0.3.47.
- Update to version 0.2.8+116:
* build(deps): bump bytes from 1.7.2 to 1.11.1
* api: Modify /version endpoint output in version 2.5
* Add API v2.5 with backward-compatible /v2.5/quotes/integrity
* tests: add unit test for resolve_agent_id (#1182)
* (pull-model): enable retry logic for registration
* rpm: Update specfiles to apply on master
* workflows: Add test to detect unused crates
* lib: Drop unused crates
* push-model: Drop unused crates
* keylime-agent: Drop unused crates
* build(deps): bump uuid from 1.18.1 to 1.19.0
* Update reqwest-retry to 0.8, retry-policies to 0.5
* rpm: Fix cargo_build macro usage on CentOS Stream
* fix(push-model): resolve hash_ek uuid to actual EK hash
* build(deps): bump thiserror from 2.0.16 to 2.0.17
* workflows: Separate upstream test suite from e2e coverage
* Send UEFI measured boot logs as raw bytes (#1173)
* auth: Add unit tests for SecretToken implementation
* packit: Enable push-attestation tests
* resilient_client: Prevent authentication token leakage in logs
- Use tmpfiles.d for /var directories (PED-14736)
- Update to version 0.2.8+96:
* build(deps): bump wiremock from 0.6.4 to 0.6.5
* build(deps): bump actions/checkout from 5 to 6
* build(deps): bump chrono from 0.4.41 to 0.4.42
* packit: Get coverage from Fedora 43 runs
* Fix issues pointed out by clippy
* Replace mutex unwraps with proper error handling in TPM library
* Remove unused session request methods from StructureFiller
* Fix config panic on missing ek_handle in push model agent
* build(deps): bump tempfile from 3.21.0 to 3.23.0
* build(deps): bump actions/upload-artifact from 4 to 6 (#1163)
* Fix clippy warnings project-wide
* Add KEYLIME_DIR support for verifier TLS certificates in push model agent
* Thread privileged resources and use MeasurementList for IMA reading
* Add privileged resource initialization and privilege dropping to push model agent
* Fix privilege dropping order in run_as()
* add documentation on FQDN hostnames
* Remove confusing logs for push mode agent
* Set correct default Verifier port (8891->8881) (#1159)
* Add verifier_url to reference configuration file (#1158)
* Add TLS support for Registrar communication (#1139)
* Fix agent handling of 403 registration responses (#1154)
* Add minor README.md rephrasing (#1151)
* build(deps): bump actions/checkout from 5 to 6 (#1153)
* ci: update spec files for packit COPR build
* docs: improve challenge encoding and async TPM documentation
* refactor: improve middleware and error handling
* feat: add authentication client with middleware integration
* docker: Include keylime_push_model_agent binary
* Include attestation_interval configuration (#1146)
* Persist payload keys to avoid attestation failure on restart
* crypto: Implement the load or generate pattern for keys
* Use simple algorithm specifiers in certification_keys object (#1140)
* tests: Enable more tests in CI
* Fix RSA2048 algorithm reporting in keylime agent
* Remove disabled_signing_algorithms configuration
* rpm: Fix metadata patches to apply to current code
* workflows/rpm.yml: Use more strict patching
* build(deps): bump uuid from 1.17.0 to 1.18.1
* Fix ECC algorithm selection and reporting for keylime agent
* Improve logging consistency and coherency
* Implement minimal RFC compliance for Location header and URI parsing (#1125)
* Use separate keys for payload mechanism and mTLS
* docker: update rust to 1.81 for distroless Dockerfile
* Ensure UEFI log capabilities are set to false
* build(deps): bump http from 1.1.0 to 1.3.1
* build(deps): bump log from 0.4.27 to 0.4.28
* build(deps): bump cfg-if from 1.0.1 to 1.0.3
* build(deps): bump actix-rt from 2.10.0 to 2.11.0
* build(deps): bump async-trait from 0.1.88 to 0.1.89
* build(deps): bump trybuild from 1.0.105 to 1.0.110
* Accept evidence handling structures null entries
* workflows: Add test to check if RPM patches still apply
* CI: Enable test add-agent-with-malformed-ek-cert
* config: Fix singleton tests
* FSM: Remove needless lifetime annotations (#1105)
* rpm: Do not remove wiremock which is now available in Fedora
* Use latest Fedora httpdate version (1.0.3)
* Enhance coverage with parse_retry_after test
* Fix issues reported by CI regarding unwrap() calls
* Reuse max retries indicated to the ResilientClient
* Include limit of retries to 5 for Retry-After
* Add policy to handle Retry-After response headers
* build(deps): bump wiremock from 0.6.3 to 0.6.4
* build(deps): bump serde_json from 1.0.140 to 1.0.143
* build(deps): bump pest_derive from 2.8.0 to 2.8.1
* build(deps): bump syn from 2.0.90 to 2.0.106
* build(deps): bump tempfile from 3.20.0 to 3.21.0
* build(deps): bump thiserror from 2.0.12 to 2.0.16
* rpm: Fix patches to apply to current master code
* build(deps): bump anyhow from 1.0.98 to 1.0.99
* state_machine: Automatically clean config override during tests
* config: Implement singleton and factory pattern
* testing: Support overriding configuration during tests
* feat: implement standalone challenge-response authentication module
* structures: rename session structs for clarity and fix typos
* tpm: refactor certify_credential_with_iak() into a more generic function
* Add Push Model Agent Mermaid FSM chart (#1095)
* Add state to avoid exiting on wrong attestation (#1093)
* Add 6 alphanumeric lowercase X-Request-ID header
* Enhance Evidence Handling response parsing
* build(deps): bump quote from 1.0.35 to 1.0.40
* build(deps): bump libc from 0.2.172 to 0.2.175
* build(deps): bump glob from 0.3.2 to 0.3.3
* build(deps): bump actix-web from 4.10.2 to 4.11.0
Patchnames: SUSE-2026-470,SUSE-SLE-Micro-5.5-2026-470
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Micro 5.5:rust-keylime-0.2.8+116-150500.3.11.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Micro 5.5:rust-keylime-0.2.8+116-150500.3.11.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Micro 5.5:rust-keylime-0.2.8+116-150500.3.11.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Micro 5.5:rust-keylime-0.2.8+116-150500.3.11.1.x86_64 | — | | Vendor Fix |
Threats
Impact
important
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for rust-keylime",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for rust-keylime fixes the following issues:\n\nUpdate to version 0.2.8+116.\n\nSecurity issues fixed:\n\n- CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion\n (bsc#1257908).\n\nOther updates and bugfixes:\n\n- Update vendored crates `time` to version 0.3.47.\n\n- Update to version 0.2.8+116:\n\n * build(deps): bump bytes from 1.7.2 to 1.11.1\n * api: Modify /version endpoint output in version 2.5\n * Add API v2.5 with backward-compatible /v2.5/quotes/integrity\n * tests: add unit test for resolve_agent_id (#1182)\n * (pull-model): enable retry logic for registration\n * rpm: Update specfiles to apply on master\n * workflows: Add test to detect unused crates\n * lib: Drop unused crates\n * push-model: Drop unused crates\n * keylime-agent: Drop unused crates\n * build(deps): bump uuid from 1.18.1 to 1.19.0\n * Update reqwest-retry to 0.8, retry-policies to 0.5\n * rpm: Fix cargo_build macro usage on CentOS Stream\n * fix(push-model): resolve hash_ek uuid to actual EK hash\n * build(deps): bump thiserror from 2.0.16 to 2.0.17\n * workflows: Separate upstream test suite from e2e coverage\n * Send UEFI measured boot logs as raw bytes (#1173)\n * auth: Add unit tests for SecretToken implementation\n * packit: Enable push-attestation tests\n * resilient_client: Prevent authentication token leakage in logs\n\n- Use tmpfiles.d for /var directories (PED-14736)\n \n- Update to version 0.2.8+96:\n \n * build(deps): bump wiremock from 0.6.4 to 0.6.5\n * build(deps): bump actions/checkout from 5 to 6\n * build(deps): bump chrono from 0.4.41 to 0.4.42\n * packit: Get coverage from Fedora 43 runs\n * Fix issues pointed out by clippy\n * Replace mutex unwraps with proper error handling in TPM library\n * Remove unused session request methods from StructureFiller\n * Fix config panic on missing ek_handle in push model agent\n * build(deps): bump tempfile from 3.21.0 to 3.23.0\n * build(deps): bump actions/upload-artifact from 4 to 6 (#1163)\n * Fix clippy warnings project-wide\n * Add KEYLIME_DIR support for verifier TLS certificates in push model agent\n * Thread privileged resources and use MeasurementList for IMA reading\n * Add privileged resource initialization and privilege dropping to push model agent\n * Fix privilege dropping order in run_as()\n * add documentation on FQDN hostnames\n * Remove confusing logs for push mode agent\n * Set correct default Verifier port (8891-\u003e8881) (#1159)\n * Add verifier_url to reference configuration file (#1158)\n * Add TLS support for Registrar communication (#1139)\n * Fix agent handling of 403 registration responses (#1154)\n * Add minor README.md rephrasing (#1151)\n * build(deps): bump actions/checkout from 5 to 6 (#1153)\n * ci: update spec files for packit COPR build\n * docs: improve challenge encoding and async TPM documentation\n * refactor: improve middleware and error handling\n * feat: add authentication client with middleware integration\n * docker: Include keylime_push_model_agent binary\n * Include attestation_interval configuration (#1146)\n * Persist payload keys to avoid attestation failure on restart\n * crypto: Implement the load or generate pattern for keys\n * Use simple algorithm specifiers in certification_keys object (#1140)\n * tests: Enable more tests in CI\n * Fix RSA2048 algorithm reporting in keylime agent\n * Remove disabled_signing_algorithms configuration\n * rpm: Fix metadata patches to apply to current code\n * workflows/rpm.yml: Use more strict patching\n * build(deps): bump uuid from 1.17.0 to 1.18.1\n * Fix ECC algorithm selection and reporting for keylime agent\n * Improve logging consistency and coherency\n * Implement minimal RFC compliance for Location header and URI parsing (#1125)\n * Use separate keys for payload mechanism and mTLS\n * docker: update rust to 1.81 for distroless Dockerfile\n * Ensure UEFI log capabilities are set to false\n * build(deps): bump http from 1.1.0 to 1.3.1\n * build(deps): bump log from 0.4.27 to 0.4.28\n * build(deps): bump cfg-if from 1.0.1 to 1.0.3\n * build(deps): bump actix-rt from 2.10.0 to 2.11.0\n * build(deps): bump async-trait from 0.1.88 to 0.1.89\n * build(deps): bump trybuild from 1.0.105 to 1.0.110\n * Accept evidence handling structures null entries\n * workflows: Add test to check if RPM patches still apply\n * CI: Enable test add-agent-with-malformed-ek-cert\n * config: Fix singleton tests\n * FSM: Remove needless lifetime annotations (#1105)\n * rpm: Do not remove wiremock which is now available in Fedora\n * Use latest Fedora httpdate version (1.0.3)\n * Enhance coverage with parse_retry_after test\n * Fix issues reported by CI regarding unwrap() calls\n * Reuse max retries indicated to the ResilientClient\n * Include limit of retries to 5 for Retry-After\n * Add policy to handle Retry-After response headers\n * build(deps): bump wiremock from 0.6.3 to 0.6.4\n * build(deps): bump serde_json from 1.0.140 to 1.0.143\n * build(deps): bump pest_derive from 2.8.0 to 2.8.1\n * build(deps): bump syn from 2.0.90 to 2.0.106\n * build(deps): bump tempfile from 3.20.0 to 3.21.0\n * build(deps): bump thiserror from 2.0.12 to 2.0.16\n * rpm: Fix patches to apply to current master code\n * build(deps): bump anyhow from 1.0.98 to 1.0.99\n * state_machine: Automatically clean config override during tests\n * config: Implement singleton and factory pattern\n * testing: Support overriding configuration during tests\n * feat: implement standalone challenge-response authentication module\n * structures: rename session structs for clarity and fix typos\n * tpm: refactor certify_credential_with_iak() into a more generic function\n * Add Push Model Agent Mermaid FSM chart (#1095)\n * Add state to avoid exiting on wrong attestation (#1093)\n * Add 6 alphanumeric lowercase X-Request-ID header\n * Enhance Evidence Handling response parsing\n * build(deps): bump quote from 1.0.35 to 1.0.40\n * 
build(deps): bump libc from 0.2.172 to 0.2.175\n * build(deps): bump glob from 0.3.2 to 0.3.3\n * build(deps): bump actix-web from 4.10.2 to 4.11.0\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-470,SUSE-SLE-Micro-5.5-2026-470",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_0470-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:0470-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260470-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:0470-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024143.html"
},
{
"category": "self",
"summary": "SUSE Bug 1257908",
"url": "https://bugzilla.suse.com/1257908"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-25727 page",
"url": "https://www.suse.com/security/cve/CVE-2026-25727/"
}
],
"title": "Security update for rust-keylime",
"tracking": {
"current_release_date": "2026-02-12T11:22:07Z",
"generator": {
"date": "2026-02-12T11:22:07Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:0470-1",
"initial_release_date": "2026-02-12T11:22:07Z",
"revision_history": [
{
"date": "2026-02-12T11:22:07Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "keylime-ima-policy-0.2.8+116-150500.3.11.1.aarch64",
"product": {
"name": "keylime-ima-policy-0.2.8+116-150500.3.11.1.aarch64",
"product_id": "keylime-ima-policy-0.2.8+116-150500.3.11.1.aarch64"
}
},
{
"category": "product_version",
"name": "rust-keylime-0.2.8+116-150500.3.11.1.aarch64",
"product": {
"name": "rust-keylime-0.2.8+116-150500.3.11.1.aarch64",
"product_id": "rust-keylime-0.2.8+116-150500.3.11.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "keylime-ima-policy-0.2.8+116-150500.3.11.1.ppc64le",
"product": {
"name": "keylime-ima-policy-0.2.8+116-150500.3.11.1.ppc64le",
"product_id": "keylime-ima-policy-0.2.8+116-150500.3.11.1.ppc64le"
}
},
{
"category": "product_version",
"name": "rust-keylime-0.2.8+116-150500.3.11.1.ppc64le",
"product": {
"name": "rust-keylime-0.2.8+116-150500.3.11.1.ppc64le",
"product_id": "rust-keylime-0.2.8+116-150500.3.11.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "keylime-ima-policy-0.2.8+116-150500.3.11.1.s390x",
"product": {
"name": "keylime-ima-policy-0.2.8+116-150500.3.11.1.s390x",
"product_id": "keylime-ima-policy-0.2.8+116-150500.3.11.1.s390x"
}
},
{
"category": "product_version",
"name": "rust-keylime-0.2.8+116-150500.3.11.1.s390x",
"product": {
"name": "rust-keylime-0.2.8+116-150500.3.11.1.s390x",
"product_id": "rust-keylime-0.2.8+116-150500.3.11.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "keylime-ima-policy-0.2.8+116-150500.3.11.1.x86_64",
"product": {
"name": "keylime-ima-policy-0.2.8+116-150500.3.11.1.x86_64",
"product_id": "keylime-ima-policy-0.2.8+116-150500.3.11.1.x86_64"
}
},
{
"category": "product_version",
"name": "rust-keylime-0.2.8+116-150500.3.11.1.x86_64",
"product": {
"name": "rust-keylime-0.2.8+116-150500.3.11.1.x86_64",
"product_id": "rust-keylime-0.2.8+116-150500.3.11.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Micro 5.5",
"product": {
"name": "SUSE Linux Enterprise Micro 5.5",
"product_id": "SUSE Linux Enterprise Micro 5.5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-micro:5.5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rust-keylime-0.2.8+116-150500.3.11.1.aarch64 as component of SUSE Linux Enterprise Micro 5.5",
"product_id": "SUSE Linux Enterprise Micro 5.5:rust-keylime-0.2.8+116-150500.3.11.1.aarch64"
},
"product_reference": "rust-keylime-0.2.8+116-150500.3.11.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rust-keylime-0.2.8+116-150500.3.11.1.ppc64le as component of SUSE Linux Enterprise Micro 5.5",
"product_id": "SUSE Linux Enterprise Micro 5.5:rust-keylime-0.2.8+116-150500.3.11.1.ppc64le"
},
"product_reference": "rust-keylime-0.2.8+116-150500.3.11.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rust-keylime-0.2.8+116-150500.3.11.1.s390x as component of SUSE Linux Enterprise Micro 5.5",
"product_id": "SUSE Linux Enterprise Micro 5.5:rust-keylime-0.2.8+116-150500.3.11.1.s390x"
},
"product_reference": "rust-keylime-0.2.8+116-150500.3.11.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rust-keylime-0.2.8+116-150500.3.11.1.x86_64 as component of SUSE Linux Enterprise Micro 5.5",
"product_id": "SUSE Linux Enterprise Micro 5.5:rust-keylime-0.2.8+116-150500.3.11.1.x86_64"
},
"product_reference": "rust-keylime-0.2.8+116-150500.3.11.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-25727",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-25727"
}
],
"notes": [
{
"category": "general",
"text": "time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Micro 5.5:rust-keylime-0.2.8+116-150500.3.11.1.aarch64",
"SUSE Linux Enterprise Micro 5.5:rust-keylime-0.2.8+116-150500.3.11.1.ppc64le",
"SUSE Linux Enterprise Micro 5.5:rust-keylime-0.2.8+116-150500.3.11.1.s390x",
"SUSE Linux Enterprise Micro 5.5:rust-keylime-0.2.8+116-150500.3.11.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-25727",
"url": "https://www.suse.com/security/cve/CVE-2026-25727"
},
{
"category": "external",
"summary": "SUSE Bug 1257901 for CVE-2026-25727",
"url": "https://bugzilla.suse.com/1257901"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Micro 5.5:rust-keylime-0.2.8+116-150500.3.11.1.aarch64",
"SUSE Linux Enterprise Micro 5.5:rust-keylime-0.2.8+116-150500.3.11.1.ppc64le",
"SUSE Linux Enterprise Micro 5.5:rust-keylime-0.2.8+116-150500.3.11.1.s390x",
"SUSE Linux Enterprise Micro 5.5:rust-keylime-0.2.8+116-150500.3.11.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Micro 5.5:rust-keylime-0.2.8+116-150500.3.11.1.aarch64",
"SUSE Linux Enterprise Micro 5.5:rust-keylime-0.2.8+116-150500.3.11.1.ppc64le",
"SUSE Linux Enterprise Micro 5.5:rust-keylime-0.2.8+116-150500.3.11.1.s390x",
"SUSE Linux Enterprise Micro 5.5:rust-keylime-0.2.8+116-150500.3.11.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-12T11:22:07Z",
"details": "important"
}
],
"title": "CVE-2026-25727"
}
]
}
SUSE-SU-2026:0505-1
Vulnerability from csaf_suse - Published: 2026-02-13 14:31 - Updated: 2026-02-13 14:31
Summary
Security update for cargo-auditable
Severity
Important
Notes
Title of the patch: Security update for cargo-auditable
Description of the patch: This update for cargo-auditable fixes the following issues:
Update to version 0.7.2~0.
Security issues fixed:
- CVE-2026-25727: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion
(bsc#1257906).
Other updates and bugfixes:
- Update to version 0.7.2~0:
* mention cargo-dist in README
* commit Cargo.lock
* bump which dev-dependency to 8.0.0
* bump object to 0.37
* Upgrade cargo_metadata to 0.23
* Expand the set of dist platforms in config
- Update to version 0.7.1~0:
* Out out of unhelpful clippy lint
* Satisfy clippy
* Do not assume --crate-name and --out-dir are present in the rustc command, but show warnings if they aren't
* Run apt-get update before trying to install packages
* run `cargo dist init` on dist 0.30
* Drop allow-dirty from dist config, should no longer be needed
* Reorder paragraphs in README
* Note the maintenance transition for the go extraction library
* Editing pass on the adopters: scanners
* clarify Docker support
* Cargo clippy fix
* Add Wolfi OS and Chainguard to adopters
* Update mentions around Anchore tooling
* README and documentation updates for nightly
* Bump dependency version in rust-audit-info
* More work on docs
* Nicer formatting on format revision documentation
* Bump versions
* regenerate JSON schema
* cargo fmt
* Document format field
* Make it more clear that RawVersionInfo is private
* Add format field to the serialized data
* cargo clippy fix
* Add special handling for proc macros to treat them as the build dependencies they are
* Add a test to ensure proc macros are reported as build dependencies
* Add a test fixture for a crate with a proc macro dependency
* parse fully qualified package ID specs from SBOMs
* select first discovered SBOM file
* cargo sbom integration
* Get rid of unmaintained wee_alloc in test code to make people's scanners misled by GHSA chill out
* Don't fail plan workflow due to manually changed release.yml
* Bump Ubuntu version to hopefully fix release.yml workflow
* Add test for stripped binary
* Bump version to 0.6.7
* Populate changelog
* README.md: add auditable2cdx, more consistency in text
* Placate clippy
* Do not emit -Wl if a bare linker is in use
* Get rid of a compiler warning
* Add bare linker detection function
* drop boilerplate from test that's no longer relevant
* Add support for recovering rustc codegen options
* More lenient parsing of rustc arguments
* More descriptive error message in case rustc is killed abruptly
* change formatting to fit rustfmt
* More descriptive error message in case cargo is killed
* Update REPLACING_CARGO.md to fix #195
* Clarify osv-scanner support in README
* Include the command required to view metadata
* Mention wasm-tools support
* Switch from broken generic cache action to a Rust-specific one
* Fill in various fields in auditable2cdx Cargo.toml
* Include osv-scanner in the list, with a caveat
* Add link to blint repo to README
* Mention that blint supports our data
* Consolidate target definitions
* Account for WASM test dependencies changing, commit the Cargo.lock so they would stop doing that
* Migrate to a maintained toolchain action
* Fix author specification
* Add link to repository to resolverver Cargo.toml
* Bump resolverver to 0.1.0
* Add resolverver crate to the tree
- Update to version 0.6.6~0:
* Note the `object` upgrade in the changelog
* Upgrade cyclonedx-bom from 0.5 to 0.8 in auditable-cyclonedx
* Upgrade object crate from 0.30 to 0.36 to reduce dependency footprint
* Update dependencies in the lock file
* Populate changelog
* apply clippy lint
* add another --emit parsing test
* shorter code with cargo fmt
* Actually fix cargo-c compatibility
* Attempt to fix cargo-capi incompatibility
* Refactoring in preparation for fixes
* Also read the --emit flag to rustc
* Fill in changelogs
* Bump versions
* Drop cfg'd out tests
* Drop obsolete doc line
* Move dependency cycle tests from auditable-serde to cargo-auditable crate
* Remove cargo_metadata from auditable-serde API surface.
* Apply clippy lint
* Upgrade miniz_oxide to 0.8.0
* Insulate our semver from miniz_oxide semver
* Add support for Rust 2024 edition
* Update tests
* More robust OS detection for riscv feature detection
* bump version
* update changelog for auditable-extract 0.3.5
* Fix wasm component auditable data extraction
* Update blocker description in README.md
* Add openSUSE to adopters
* Update list of know adopters
* Fix detection of `riscv64-linux-android` target features
* Silence noisy lint
* Bump version requirement in rust-audit-info
* Fill in changelogs
* Bump semver of auditable-info
* Drop obsolete comment now that wasm is enabled by default
* Remove dependency on cargo-lock
* Brag about adoption in the README
* Don't use LTO for cargo-dist builds to make them consistent with `cargo install` etc
* Also build musl binaries
* dist: update dist config for future releases
* dist(cargo-auditable): ignore auditable2cdx for now
* chore: add cargo-dist
Patchnames: SUSE-2026-505,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-505,SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-505,SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-505,SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-505,SUSE-SLE-Product-SLES_SAP-15-SP5-2026-505,SUSE-SLE-Product-SLES_SAP-15-SP6-2026-505,openSUSE-SLE-15.6-2026-505
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
20 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64 | — | | Vendor Fix |
Threats
Impact
important
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for cargo-auditable",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for cargo-auditable fixes the following issues:\n\nUpdate to version 0.7.2~0.\n\nSecurity issues fixed:\n\n- CVE-2026-25727: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion\n (bsc#1257906).\n\nOther updates and bugfixes:\n\n- Update to version 0.7.2~0:\n\n * mention cargo-dist in README\n * commit Cargo.lock\n * bump which dev-dependency to 8.0.0\n * bump object to 0.37\n * Upgrade cargo_metadata to 0.23\n * Expand the set of dist platforms in config\n\n- Update to version 0.7.1~0:\n\n * Out out of unhelpful clippy lint\n * Satisfy clippy\n * Do not assume --crate-name and --out-dir are present in the rustc command, but show warnings if they aren\u0027t\n * Run apt-get update before trying to install packages\n * run `cargo dist init` on dist 0.30\n * Drop allow-dirty from dist config, should no longer be needed\n * Reorder paragraphs in README\n * Note the maintenance transition for the go extraction library\n * Editing pass on the adopters: scanners\n * clarify Docker support\n * Cargo clippy fix\n * Add Wolfi OS and Chainguard to adopters\n * Update mentions around Anchore tooling\n * README and documentation updates for nightly\n * Bump dependency version in rust-audit-info\n * More work on docs\n * Nicer formatting on format revision documentation\n * Bump versions\n * regenerate JSON schema\n * cargo fmt\n * Document format field\n * Make it more clear that RawVersionInfo is private\n * Add format field to the serialized data\n * cargo clippy fix\n * Add special handling for proc macros to treat them as the build dependencies they are\n * Add a test to ensure proc macros are reported as build dependencies\n * Add a test fixture for a crate with a proc macro dependency\n * parse fully qualified package ID specs from SBOMs\n * select first discovered SBOM file\n * cargo sbom integration\n * Get rid of unmaintained wee_alloc in test code to make people\u0027s scanners misled by GHSA chill out\n * 
Don\u0027t fail plan workflow due to manually changed release.yml\n * Bump Ubuntu version to hopefully fix release.yml workflow\n * Add test for stripped binary\n * Bump version to 0.6.7\n * Populate changelog\n * README.md: add auditable2cdx, more consistency in text\n * Placate clippy\n * Do not emit -Wl if a bare linker is in use\n * Get rid of a compiler warning\n * Add bare linker detection function\n * drop boilerplate from test that\u0027s no longer relevant\n * Add support for recovering rustc codegen options\n * More lenient parsing of rustc arguments\n * More descriptive error message in case rustc is killed abruptly\n * change formatting to fit rustfmt\n * More descriptive error message in case cargo is killed\n * Update REPLACING_CARGO.md to fix #195\n * Clarify osv-scanner support in README\n * Include the command required to view metadata\n * Mention wasm-tools support\n * Switch from broken generic cache action to a Rust-specific one\n * Fill in various fields in auditable2cdx Cargo.toml\n * Include osv-scanner in the list, with a caveat\n * Add link to blint repo to README\n * Mention that blint supports our data\n * Consolidate target definitions\n * Account for WASM test dependencies changing, commit the Cargo.lock so they would stop doing that\n * Migrate to a maintained toolchain action\n * Fix author specification\n * Add link to repository to resolverver Cargo.toml\n * Bump resolverver to 0.1.0\n * Add resolverver crate to the tree\n\n- Update to version 0.6.6~0:\n\n * Note the `object` upgrade in the changelog\n * Upgrade cyclonedx-bom from 0.5 to 0.8 in auditable-cyclonedx\n * Upgrade object crate from 0.30 to 0.36 to reduce dependency footprint\n * Update dependencies in the lock file\n * Populate changelog\n * apply clippy lint\n * add another --emit parsing test\n * shorter code with cargo fmt\n * Actually fix cargo-c compatibility\n * Attempt to fix cargo-capi incompatibility\n * Refactoring in preparation for fixes\n * Also read the 
--emit flag to rustc\n * Fill in changelogs\n * Bump versions\n * Drop cfg\u0027d out tests\n * Drop obsolete doc line\n * Move dependency cycle tests from auditable-serde to cargo-auditable crate\n * Remove cargo_metadata from auditable-serde API surface.\n * Apply clippy lint\n * Upgrade miniz_oxide to 0.8.0\n * Insulate our semver from miniz_oxide semver\n * Add support for Rust 2024 edition\n * Update tests\n * More robust OS detection for riscv feature detection\n * bump version\n * update changelog for auditable-extract 0.3.5\n * Fix wasm component auditable data extraction\n * Update blocker description in README.md\n * Add openSUSE to adopters\n * Update list of know adopters\n * Fix detection of `riscv64-linux-android` target features\n * Silence noisy lint\n * Bump version requirement in rust-audit-info\n * Fill in changelogs\n * Bump semver of auditable-info\n * Drop obsolete comment now that wasm is enabled by default\n * Remove dependency on cargo-lock\n * Brag about adoption in the README\n * Don\u0027t use LTO for cargo-dist builds to make them consistent with `cargo install` etc\n * Also build musl binaries\n * dist: update dist config for future releases\n * dist(cargo-auditable): ignore auditable2cdx for now\n * chore: add cargo-dist\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-505,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-505,SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-505,SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-505,SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-505,SUSE-SLE-Product-SLES_SAP-15-SP5-2026-505,SUSE-SLE-Product-SLES_SAP-15-SP6-2026-505,openSUSE-SLE-15.6-2026-505",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_0505-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:0505-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260505-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:0505-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024243.html"
},
{
"category": "self",
"summary": "SUSE Bug 1257906",
"url": "https://bugzilla.suse.com/1257906"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-25727 page",
"url": "https://www.suse.com/security/cve/CVE-2026-25727/"
}
],
"title": "Security update for cargo-auditable",
"tracking": {
"current_release_date": "2026-02-13T14:31:50Z",
"generator": {
"date": "2026-02-13T14:31:50Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:0505-1",
"initial_release_date": "2026-02-13T14:31:50Z",
"revision_history": [
{
"date": "2026-02-13T14:31:50Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"product": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"product_id": "cargo-auditable-0.7.2~0-150500.12.6.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.i586",
"product": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.i586",
"product_id": "cargo-auditable-0.7.2~0-150500.12.6.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"product": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"product_id": "cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.s390x",
"product": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.s390x",
"product_id": "cargo-auditable-0.7.2~0-150500.12.6.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"product": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"product_id": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-espos:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP5-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP6-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp6"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp6"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.aarch64 as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.s390x as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.s390x"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.aarch64 as component of SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP6-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le as component of SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP6-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.s390x as component of SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.s390x"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP6-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP6-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP6:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP6:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.s390x as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.s390x"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-25727",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-25727"
}
],
"notes": [
{
"category": "general",
"text": "time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.s390x",
"SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.s390x",
"openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-25727",
"url": "https://www.suse.com/security/cve/CVE-2026-25727"
},
{
"category": "external",
"summary": "SUSE Bug 1257901 for CVE-2026-25727",
"url": "https://bugzilla.suse.com/1257901"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.s390x",
"SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.s390x",
"openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.s390x",
"SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.s390x",
"openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-13T14:31:50Z",
"details": "important"
}
],
"title": "CVE-2026-25727"
}
]
}
SUSE-SU-2026:0506-1
Vulnerability from csaf_suse - Published: 2026-02-13 14:32 - Updated: 2026-02-13 14:32
Summary
Security update for cargo-auditable
Severity
Important
Notes
Title of the patch: Security update for cargo-auditable
Description of the patch: This update for cargo-auditable fixes the following issues:
Update to version 0.7.2~0.
Security issues fixed:
- CVE-2026-25727: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion (bsc#1257906).
Other updates and bugfixes:
- Update to version 0.7.2~0:
* mention cargo-dist in README
* commit Cargo.lock
* bump which dev-dependency to 8.0.0
* bump object to 0.37
* Upgrade cargo_metadata to 0.23
* Expand the set of dist platforms in config
- Update to version 0.7.1~0:
* Out out of unhelpful clippy lint
* Satisfy clippy
* Do not assume --crate-name and --out-dir are present in the rustc command, but show warnings if they aren't
* Run apt-get update before trying to install packages
* run `cargo dist init` on dist 0.30
* Drop allow-dirty from dist config, should no longer be needed
* Reorder paragraphs in README
* Note the maintenance transition for the go extraction library
* Editing pass on the adopters: scanners
* clarify Docker support
* Cargo clippy fix
* Add Wolfi OS and Chainguard to adopters
* Update mentions around Anchore tooling
* README and documentation updates for nightly
* Bump dependency version in rust-audit-info
* More work on docs
* Nicer formatting on format revision documentation
* Bump versions
* regenerate JSON schema
* cargo fmt
* Document format field
* Make it more clear that RawVersionInfo is private
* Add format field to the serialized data
* cargo clippy fix
* Add special handling for proc macros to treat them as the build dependencies they are
* Add a test to ensure proc macros are reported as build dependencies
* Add a test fixture for a crate with a proc macro dependency
* parse fully qualified package ID specs from SBOMs
* select first discovered SBOM file
* cargo sbom integration
* Get rid of unmaintained wee_alloc in test code to make people's scanners misled by GHSA chill out
* Don't fail plan workflow due to manually changed release.yml
* Bump Ubuntu version to hopefully fix release.yml workflow
* Add test for stripped binary
* Bump version to 0.6.7
* Populate changelog
* README.md: add auditable2cdx, more consistency in text
* Placate clippy
* Do not emit -Wl if a bare linker is in use
* Get rid of a compiler warning
* Add bare linker detection function
* drop boilerplate from test that's no longer relevant
* Add support for recovering rustc codegen options
* More lenient parsing of rustc arguments
* More descriptive error message in case rustc is killed abruptly
* change formatting to fit rustfmt
* More descriptive error message in case cargo is killed
* Update REPLACING_CARGO.md to fix #195
* Clarify osv-scanner support in README
* Include the command required to view metadata
* Mention wasm-tools support
* Switch from broken generic cache action to a Rust-specific one
* Fill in various fields in auditable2cdx Cargo.toml
* Include osv-scanner in the list, with a caveat
* Add link to blint repo to README
* Mention that blint supports our data
* Consolidate target definitions
* Account for WASM test dependencies changing, commit the Cargo.lock so they would stop doing that
* Migrate to a maintained toolchain action
* Fix author specification
* Add link to repository to resolverver Cargo.toml
* Bump resolverver to 0.1.0
* Add resolverver crate to the tree
- Update to version 0.6.6~0:
* Note the `object` upgrade in the changelog
* Upgrade cyclonedx-bom from 0.5 to 0.8 in auditable-cyclonedx
* Upgrade object crate from 0.30 to 0.36 to reduce dependency footprint
* Update dependencies in the lock file
* Populate changelog
* apply clippy lint
* add another --emit parsing test
* shorter code with cargo fmt
* Actually fix cargo-c compatibility
* Attempt to fix cargo-capi incompatibility
* Refactoring in preparation for fixes
* Also read the --emit flag to rustc
* Fill in changelogs
* Bump versions
* Drop cfg'd out tests
* Drop obsolete doc line
* Move dependency cycle tests from auditable-serde to cargo-auditable crate
* Remove cargo_metadata from auditable-serde API surface.
* Apply clippy lint
* Upgrade miniz_oxide to 0.8.0
* Insulate our semver from miniz_oxide semver
* Add support for Rust 2024 edition
* Update tests
* More robust OS detection for riscv feature detection
* bump version
* update changelog for auditable-extract 0.3.5
* Fix wasm component auditable data extraction
* Update blocker description in README.md
* Add openSUSE to adopters
* Update list of know adopters
* Fix detection of `riscv64-linux-android` target features
* Silence noisy lint
* Bump version requirement in rust-audit-info
* Fill in changelogs
* Bump semver of auditable-info
* Drop obsolete comment now that wasm is enabled by default
* Remove dependency on cargo-lock
* Brag about adoption in the README
* Don't use LTO for cargo-dist builds to make them consistent with `cargo install` etc
* Also build musl binaries
* dist: update dist config for future releases
* dist(cargo-auditable): ignore auditable2cdx for now
* chore: add cargo-dist
Patchnames: SUSE-2026-506,SUSE-SLE-Module-Development-Tools-15-SP7-2026-506
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.x86_64 | — | | Vendor Fix |
Threats
Impact
important
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for cargo-auditable",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for cargo-auditable fixes the following issues:\n\nUpdate to version 0.7.2~0.\n\nSecurity issues fixed:\n\n- CVE-2026-25727: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion\n (bsc#1257906).\n\nOther updates and bugfixes:\n\n- Update to version 0.7.2~0:\n\n * mention cargo-dist in README\n * commit Cargo.lock\n * bump which dev-dependency to 8.0.0\n * bump object to 0.37\n * Upgrade cargo_metadata to 0.23\n * Expand the set of dist platforms in config\n\n- Update to version 0.7.1~0:\n\n * Out out of unhelpful clippy lint\n * Satisfy clippy\n * Do not assume --crate-name and --out-dir are present in the rustc command, but show warnings if they aren\u0027t\n * Run apt-get update before trying to install packages\n * run `cargo dist init` on dist 0.30\n * Drop allow-dirty from dist config, should no longer be needed\n * Reorder paragraphs in README\n * Note the maintenance transition for the go extraction library\n * Editing pass on the adopters: scanners\n * clarify Docker support\n * Cargo clippy fix\n * Add Wolfi OS and Chainguard to adopters\n * Update mentions around Anchore tooling\n * README and documentation updates for nightly\n * Bump dependency version in rust-audit-info\n * More work on docs\n * Nicer formatting on format revision documentation\n * Bump versions\n * regenerate JSON schema\n * cargo fmt\n * Document format field\n * Make it more clear that RawVersionInfo is private\n * Add format field to the serialized data\n * cargo clippy fix\n * Add special handling for proc macros to treat them as the build dependencies they are\n * Add a test to ensure proc macros are reported as build dependencies\n * Add a test fixture for a crate with a proc macro dependency\n * parse fully qualified package ID specs from SBOMs\n * select first discovered SBOM file\n * cargo sbom integration\n * Get rid of unmaintained wee_alloc in test code to make people\u0027s scanners misled by GHSA chill out\n * Don\u0027t fail plan workflow due to manually changed release.yml\n * Bump Ubuntu version to hopefully fix release.yml workflow\n * Add test for stripped binary\n * Bump version to 0.6.7\n * Populate changelog\n * README.md: add auditable2cdx, more consistency in text\n * Placate clippy\n * Do not emit -Wl if a bare linker is in use\n * Get rid of a compiler warning\n * Add bare linker detection function\n * drop boilerplate from test that\u0027s no longer relevant\n * Add support for recovering rustc codegen options\n * More lenient parsing of rustc arguments\n * More descriptive error message in case rustc is killed abruptly\n * change formatting to fit rustfmt\n * More descriptive error message in case cargo is killed\n * Update REPLACING_CARGO.md to fix #195\n * Clarify osv-scanner support in README\n * Include the command required to view metadata\n * Mention wasm-tools support\n * Switch from broken generic cache action to a Rust-specific one\n * Fill in various fields in auditable2cdx Cargo.toml\n * Include osv-scanner in the list, with a caveat\n * Add link to blint repo to README\n * Mention that blint supports our data\n * Consolidate target definitions\n * Account for WASM test dependencies changing, commit the Cargo.lock so they would stop doing that\n * Migrate to a maintained toolchain action\n * Fix author specification\n * Add link to repository to resolverver Cargo.toml\n * Bump resolverver to 0.1.0\n * Add resolverver crate to the tree\n\n- Update to version 0.6.6~0:\n\n * Note the `object` upgrade in the changelog\n * Upgrade cyclonedx-bom from 0.5 to 0.8 in auditable-cyclonedx\n * Upgrade object crate from 0.30 to 0.36 to reduce dependency footprint\n * Update dependencies in the lock file\n * Populate changelog\n * apply clippy lint\n * add another --emit parsing test\n * shorter code with cargo fmt\n * Actually fix cargo-c compatibility\n * Attempt to fix cargo-capi incompatibility\n * Refactoring in preparation for fixes\n * Also read the --emit flag to rustc\n * Fill in changelogs\n * Bump versions\n * Drop cfg\u0027d out tests\n * Drop obsolete doc line\n * Move dependency cycle tests from auditable-serde to cargo-auditable crate\n * Remove cargo_metadata from auditable-serde API surface.\n * Apply clippy lint\n * Upgrade miniz_oxide to 0.8.0\n * Insulate our semver from miniz_oxide semver\n * Add support for Rust 2024 edition\n * Update tests\n * More robust OS detection for riscv feature detection\n * bump version\n * update changelog for auditable-extract 0.3.5\n * Fix wasm component auditable data extraction\n * Update blocker description in README.md\n * Add openSUSE to adopters\n * Update list of know adopters\n * Fix detection of `riscv64-linux-android` target features\n * Silence noisy lint\n * Bump version requirement in rust-audit-info\n * Fill in changelogs\n * Bump semver of auditable-info\n * Drop obsolete comment now that wasm is enabled by default\n * Remove dependency on cargo-lock\n * Brag about adoption in the README\n * Don\u0027t use LTO for cargo-dist builds to make them consistent with `cargo install` etc\n * Also build musl binaries\n * dist: update dist config for future releases\n * dist(cargo-auditable): ignore auditable2cdx for now\n * chore: add cargo-dist\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-506,SUSE-SLE-Module-Development-Tools-15-SP7-2026-506",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_0506-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:0506-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260506-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:0506-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024238.html"
},
{
"category": "self",
"summary": "SUSE Bug 1257906",
"url": "https://bugzilla.suse.com/1257906"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-25727 page",
"url": "https://www.suse.com/security/cve/CVE-2026-25727/"
}
],
"title": "Security update for cargo-auditable",
"tracking": {
"current_release_date": "2026-02-13T14:32:17Z",
"generator": {
"date": "2026-02-13T14:32:17Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:0506-1",
"initial_release_date": "2026-02-13T14:32:17Z",
"revision_history": [
{
"date": "2026-02-13T14:32:17Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "cargo-auditable-0.7.2~0-150700.3.5.1.aarch64",
"product": {
"name": "cargo-auditable-0.7.2~0-150700.3.5.1.aarch64",
"product_id": "cargo-auditable-0.7.2~0-150700.3.5.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-auditable-0.7.2~0-150700.3.5.1.i586",
"product": {
"name": "cargo-auditable-0.7.2~0-150700.3.5.1.i586",
"product_id": "cargo-auditable-0.7.2~0-150700.3.5.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-auditable-0.7.2~0-150700.3.5.1.ppc64le",
"product": {
"name": "cargo-auditable-0.7.2~0-150700.3.5.1.ppc64le",
"product_id": "cargo-auditable-0.7.2~0-150700.3.5.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-auditable-0.7.2~0-150700.3.5.1.s390x",
"product": {
"name": "cargo-auditable-0.7.2~0-150700.3.5.1.s390x",
"product_id": "cargo-auditable-0.7.2~0-150700.3.5.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-auditable-0.7.2~0-150700.3.5.1.x86_64",
"product": {
"name": "cargo-auditable-0.7.2~0-150700.3.5.1.x86_64",
"product_id": "cargo-auditable-0.7.2~0-150700.3.5.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Development Tools 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for Development Tools 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-development-tools:15:sp7"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150700.3.5.1.aarch64 as component of SUSE Linux Enterprise Module for Development Tools 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.aarch64"
},
"product_reference": "cargo-auditable-0.7.2~0-150700.3.5.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150700.3.5.1.ppc64le as component of SUSE Linux Enterprise Module for Development Tools 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.ppc64le"
},
"product_reference": "cargo-auditable-0.7.2~0-150700.3.5.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150700.3.5.1.s390x as component of SUSE Linux Enterprise Module for Development Tools 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.s390x"
},
"product_reference": "cargo-auditable-0.7.2~0-150700.3.5.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150700.3.5.1.x86_64 as component of SUSE Linux Enterprise Module for Development Tools 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.x86_64"
},
"product_reference": "cargo-auditable-0.7.2~0-150700.3.5.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-25727",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-25727"
}
],
"notes": [
{
"category": "general",
"text": "time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-25727",
"url": "https://www.suse.com/security/cve/CVE-2026-25727"
},
{
"category": "external",
"summary": "SUSE Bug 1257901 for CVE-2026-25727",
"url": "https://bugzilla.suse.com/1257901"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-13T14:32:17Z",
"details": "important"
}
],
"title": "CVE-2026-25727"
}
]
}
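The vulnerability note above describes the failure mode but not the mechanism, so here is an added illustration of the stack-exhaustion class; it is not code from the `time` crate, from cargo-auditable or from SUSE. It assumes a recursive-descent parser for RFC 2822 comments, which the grammar allows to nest and which are among the rarely used CFWS constructs a date-time parser has to accept; whether nested comments are the exact construct used against `time` is not stated on this page. The functions `skip_comment_unbounded`, `skip_comment_bounded` and `strip_comments`, the limit `MAX_COMMENT_DEPTH` and its value, and the sample inputs are all this example's own, and the limit is not the one chosen in v0.3.47.

```rust
// Added example: unbounded vs. depth-limited recursion over RFC 2822 comments.
// Not the `time` crate's code; the comment grammar here is simplified.

#[derive(Debug, PartialEq, Eq)]
pub enum ParseError {
    /// A '(' was never closed.
    Unterminated,
    /// Comments nested deeper than the configured limit.
    TooDeep { limit: usize },
}

/// Maximum comment nesting this parser accepts. Assumed value for the example,
/// not the limit used by `time` v0.3.47.
pub const MAX_COMMENT_DEPTH: usize = 64;

/// Skips one comment starting at `pos` (which must point at '(') and returns
/// the index just past the matching ')'. Recurses once per nested '(' with no
/// limit, so an input of a few hundred thousand '(' bytes exhausts the stack
/// and the process is killed: the denial of service in the advisory.
pub fn skip_comment_unbounded(input: &[u8], pos: usize) -> Result<usize, ParseError> {
    debug_assert_eq!(input[pos], b'(');
    let mut i = pos + 1;
    while i < input.len() {
        match input[i] {
            b'\\' => i += 2,                               // quoted-pair: skip escaped byte
            b'(' => i = skip_comment_unbounded(input, i)?, // nested comment: recurse
            b')' => return Ok(i + 1),
            _ => i += 1,
        }
    }
    Err(ParseError::Unterminated)
}

/// Same grammar, but carries the current depth and refuses to recurse past
/// MAX_COMMENT_DEPTH. The check runs before the recursive call, so the number
/// of live frames is bounded no matter how long the input is.
pub fn skip_comment_bounded(input: &[u8], pos: usize, depth: usize) -> Result<usize, ParseError> {
    if depth >= MAX_COMMENT_DEPTH {
        return Err(ParseError::TooDeep { limit: MAX_COMMENT_DEPTH });
    }
    debug_assert_eq!(input[pos], b'(');
    let mut i = pos + 1;
    while i < input.len() {
        match input[i] {
            b'\\' => i += 2,
            b'(' => i = skip_comment_bounded(input, i, depth + 1)?,
            b')' => return Ok(i + 1),
            _ => i += 1,
        }
    }
    Err(ParseError::Unterminated)
}

/// Removes every top-level comment from a date-time string and keeps the rest
/// verbatim, so a conventional date parser can run on the result. Uses the
/// bounded skipper, so hostile input yields an error instead of a crash.
pub fn strip_comments(input: &str) -> Result<String, ParseError> {
    let bytes = input.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'(' {
            i = skip_comment_bounded(bytes, i, 0)?;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    // Only ranges delimited by ASCII '(' and ')' were removed, so the
    // remaining bytes are still valid UTF-8.
    Ok(String::from_utf8(out).expect("removed only ASCII-delimited ranges"))
}

fn main() {
    // Constructed benign input with one trailing comment, as mail headers carry.
    let benign = "Tue, 1 Jul 2003 10:52:37 +0200 (CEST)";
    println!("{:?}", strip_comments(benign));

    // Constructed hostile input: one million unclosed '(' bytes.
    let hostile = "(".repeat(1_000_000);
    println!("{:?}", strip_comments(&hostile));
    // skip_comment_unbounded(hostile.as_bytes(), 0) would instead recurse once
    // per byte and abort with a stack overflow; it is deliberately not called.
}
```

The bounded variant fails closed: on the million-parenthesis input it returns `TooDeep` after at most 64 frames, whereas the unbounded variant would recurse once per byte until the guard page is hit. Enforcing the limit before the recursive call, not after it returns, is what bounds the stack; a check placed anywhere else still lets the frames pile up first.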
SUSE-SU-2026:0514-1
Vulnerability from csaf_suse - Published: 2026-02-13 14:57 - Updated: 2026-02-13 14:57
Summary
Security update for cargo-auditable
Severity
Important
Notes
Title of the patch: Security update for cargo-auditable
Description of the patch: This update for cargo-auditable fixes the following issues:
Update to version 0.7.2~0.
Security issues fixed:
- CVE-2026-25727: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion (bsc#1257906).
Other updates and bugfixes:
- Update to version 0.7.2~0:
* mention cargo-dist in README
* commit Cargo.lock
* bump which dev-dependency to 8.0.0
* bump object to 0.37
* Upgrade cargo_metadata to 0.23
* Expand the set of dist platforms in config
- Update to version 0.7.1~0:
* Opt out of unhelpful clippy lint
* Satisfy clippy
* Do not assume --crate-name and --out-dir are present in the rustc command, but show warnings if they aren't
* Run apt-get update before trying to install packages
* run `cargo dist init` on dist 0.30
* Drop allow-dirty from dist config, should no longer be needed
* Reorder paragraphs in README
* Note the maintenance transition for the go extraction library
* Editing pass on the adopters: scanners
* clarify Docker support
* Cargo clippy fix
* Add Wolfi OS and Chainguard to adopters
* Update mentions around Anchore tooling
* README and documentation updates for nightly
* Bump dependency version in rust-audit-info
* More work on docs
* Nicer formatting on format revision documentation
* Bump versions
* regenerate JSON schema
* cargo fmt
* Document format field
* Make it more clear that RawVersionInfo is private
* Add format field to the serialized data
* cargo clippy fix
* Add special handling for proc macros to treat them as the build dependencies they are
* Add a test to ensure proc macros are reported as build dependencies
* Add a test fixture for a crate with a proc macro dependency
* parse fully qualified package ID specs from SBOMs
* select first discovered SBOM file
* cargo sbom integration
* Get rid of unmaintained wee_alloc in test code to make people's scanners misled by GHSA chill out
* Don't fail plan workflow due to manually changed release.yml
* Bump Ubuntu version to hopefully fix release.yml workflow
* Add test for stripped binary
* Bump version to 0.6.7
* Populate changelog
* README.md: add auditable2cdx, more consistency in text
* Placate clippy
* Do not emit -Wl if a bare linker is in use
* Get rid of a compiler warning
* Add bare linker detection function
* drop boilerplate from test that's no longer relevant
* Add support for recovering rustc codegen options
* More lenient parsing of rustc arguments
* More descriptive error message in case rustc is killed abruptly
* change formatting to fit rustfmt
* More descriptive error message in case cargo is killed
* Update REPLACING_CARGO.md to fix #195
* Clarify osv-scanner support in README
* Include the command required to view metadata
* Mention wasm-tools support
* Switch from broken generic cache action to a Rust-specific one
* Fill in various fields in auditable2cdx Cargo.toml
* Include osv-scanner in the list, with a caveat
* Add link to blint repo to README
* Mention that blint supports our data
* Consolidate target definitions
* Account for WASM test dependencies changing, commit the Cargo.lock so they would stop doing that
* Migrate to a maintained toolchain action
* Fix author specification
* Add link to repository to resolverver Cargo.toml
* Bump resolverver to 0.1.0
* Add resolverver crate to the tree
- Update to version 0.6.6~0:
* Note the `object` upgrade in the changelog
* Upgrade cyclonedx-bom from 0.5 to 0.8 in auditable-cyclonedx
* Upgrade object crate from 0.30 to 0.36 to reduce dependency footprint
* Update dependencies in the lock file
* Populate changelog
* apply clippy lint
* add another --emit parsing test
* shorter code with cargo fmt
* Actually fix cargo-c compatibility
* Attempt to fix cargo-capi incompatibility
* Refactoring in preparation for fixes
* Also read the --emit flag to rustc
* Fill in changelogs
* Bump versions
* Drop cfg'd out tests
* Drop obsolete doc line
* Move dependency cycle tests from auditable-serde to cargo-auditable crate
* Remove cargo_metadata from auditable-serde API surface.
* Apply clippy lint
* Upgrade miniz_oxide to 0.8.0
* Insulate our semver from miniz_oxide semver
* Add support for Rust 2024 edition
* Update tests
* More robust OS detection for riscv feature detection
* bump version
* update changelog for auditable-extract 0.3.5
* Fix wasm component auditable data extraction
* Update blocker description in README.md
* Add openSUSE to adopters
* Update list of known adopters
* Fix detection of `riscv64-linux-android` target features
* Silence noisy lint
* Bump version requirement in rust-audit-info
* Fill in changelogs
* Bump semver of auditable-info
* Drop obsolete comment now that wasm is enabled by default
* Remove dependency on cargo-lock
* Brag about adoption in the README
* Don't use LTO for cargo-dist builds to make them consistent with `cargo install` etc
* Also build musl binaries
* dist: update dist config for future releases
* dist(cargo-auditable): ignore auditable2cdx for now
* chore: add cargo-dist
- Update to version 0.6.4~0:
* Release cargo-auditable v0.6.4
* Correctly attribute changelog file addition in changelog
* Add changelog for auditable-extract
* Verify various feature combinations in CI
* Upgrade wasmparser to remove dependencies with `unsafe`
* Add LoongArch support
* cargo fmt
* Move doc headers to README.md and point rustdoc to them, so that we have nice crates.io pages
* Expand on the note about WebAssembly parsing
* Populate changelogs
* Resume bragging about all dependencies being safe, now that there is a caveat below
* drop fuzz Cargo.lock to always fuzz against latest versions
* Bump `cargo auditable` version
* Mention WASM support in README
* Revert 'Be super duper extra sure both MinGW and MSVC are tested on CI'
* Be super duper extra sure both MinGW and MSVC are tested on CI
* Add wasm32 targets to CI for more platforms
* Don't pass --target twice in tests
* Install WASM toolchain in CI
* cargo fmt
* Add WASM end-to-end test
* cargo fmt
* Update documentation to mention the WASM feature
* cargo fmt
* Plumb WASM parsing feature through the whole stack
* Make WASM parsing an optional, non-default feature
* Add a fuzzing harness for WASM parsing
* Rewritten WASM parsing to avoid heap allocations
* Initial WASM extraction support
* Nicer assertion
* Drop obsolete comment
* Clarify that embedding the compiler version has shipped.
* Fixed section name for WASM
* Unified and more robust platform detection. Fixed wasm build process
* Initial WASM support
* More robust platform detection for picking the binary format
* Fix Windows CI to run both -msvc and -gnu
* Use the correct link.exe flag for preserving the specified symbol even if it is unused
* Fix Windows
* Fix tests on Rust 1.77
* Placate clippy
* Oops, I meant components field
* Also remove the dependencies field if empty
* Use serde_json with order preservation feature to get a more compressible JSON after workarounds
* Work around cyclonedx-bom limitations to produce minified JSON
* Also record the dependency kind
* cyclonedx-bom: also record PURL
* Also write the dependency tree
* Clear the serial number in the minimal CycloneDX variant
* Prototype impl of auditable2cdx
* Fill in auditable2cdx dependencies
* Initial auditable2cdx boilerplate
* add #![forbid(unsafe_code)]
* Initial implementation of auditable-to-cyclonedx conversion
* Add the necessary dependencies to auditable-cyclonedx
* Initial dummy package for auditable-cyclonedx
- Update to version 0.6.2~0:
* Update the lockfile
* New releases of cargo-auditable and auditable-serde
* Use a separate project for the custom rustc path tests. Fixes intermittent test failures due to race conditions
* Revert 'add commit hashes to git sources'
* Fix cyclic dependency graph being encoded
* Revert 'An unsuccessful attempt to fix cycles caused by dev-dependencies'
* An unsuccessful attempt to fix cycles caused by dev-dependencies
* Fix typo
* Add comment
* Add a test for an issue with cyclic dependencies reported at https://github.com/rustsec/rustsec/issues/1043
* Fix auditable-serde example not building
* upgrade dependency miniz_oxide to 0.6.0
* fix formatting errors
* apply clippy lints for --all-features
* improve the internal docs and comments
* apply clippy lints
* add missing sources for one of test fixtures
* add commit hashes to git sources
* Run all tests on CI
* cargo fmt
* Run `cargo clean` in tests to get rid of stale binaries
* Fix date in changelog
* Populate changelog
* Bump auditable-info version in rust-audit-info
* Add auditable-info changelog
* Bump versions following cargo-lock bump
* auditable-serde: bump `cargo-lock` to v9
* switch to UNRELEASED
* Update CHANGELOG.md
* Print a better error if calling rustc fails
* Drop unused import
* placate Clippy
* Don't inject audit info if --print argument is passed to rustc
* Reflect the version change in Cargo.lock
* Remove space from keywords
* bump version to 0.6.1
* Fix date in changelog
* Update CHANGELOG.md
* Add publish=false
* Commit the generated manpage
* Add the code for generating a manpage; rather rudimentary so far, but it's a starting point
* Explain relation to supply chain attacks
* Add keywords to the Cargo manifest
* Revert 'generate a man page for cargo auditable'
* fix formatting
* fix review feedback, relocate file to under OUT_DIR, don't use anyhow and also commit the lock file
* generate a man page for cargo auditable
* Add Clippy suppression
* placate clippy
* commit Cargo.lock
* Sync to latest object file writing code from rustc
* Fix examples in docs
* Allow redundant field names
* Apply clippy suggestion: match -> if let
* Check for clippy and format in CI
* Apply clippy suggestions
* Run CI with --locked
- Update to version 0.6.0~0:
* README and documentation improvements
* Read the rustc path passed by Cargo; fixes #90
* Read location of Cargo from the environment variable Cargo sets for third-party subcommands
* Add a note on sccache version compatibility to CHANGELOG.md
* Panic on compilation commands where we fail to parse the arguments instead of silently ignoring the error
* Specifying the binary-scanning feature is no longer needed
* Pass options such as --offline to `cargo metadata`
* Pass on arguments from `cargo auditable` invocation to the rustc wrapper; prep work towards fixing #83
* Bump rust-audit-info to 0.5.2
* Bump auditable-serde version to 0.5.2
* Correctly fill in the source even in dependency entries when converting to cargo-lock data format
* Drop the roundtrip through str in semver::Version
* Release auditable-info 0.6.1
* Bump all the version requirements for things depending on auditable-info
* Fix audit_info_from_slice function signature
Patchnames: SUSE-2026-514,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-514,SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-514,SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-514,SUSE-SLE-Product-SLES_SAP-15-SP4-2026-514
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:cargo-auditable-0.7.2~0-150300.7.6.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:cargo-auditable-0.7.2~0-150300.7.6.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:cargo-auditable-0.7.2~0-150300.7.6.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:cargo-auditable-0.7.2~0-150300.7.6.1.x86_64 | — | | Vendor Fix |
Threats
Impact
important
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for cargo-auditable",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for cargo-auditable fixes the following issues:\n\nUpdate to version 0.7.2~0.\n\nSecurity issues fixed:\n\n- CVE-2026-25727: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion\n (bsc#1257906).\n\nOther updates and bugfixes:\n\n- Update to version 0.7.2~0:\n\n * mention cargo-dist in README\n * commit Cargo.lock\n * bump which dev-dependency to 8.0.0\n * bump object to 0.37\n * Upgrade cargo_metadata to 0.23\n * Expand the set of dist platforms in config\n\n- Update to version 0.7.1~0:\n\n * Out out of unhelpful clippy lint\n * Satisfy clippy\n * Do not assume --crate-name and --out-dir are present in the rustc command, but show warnings if they aren\u0027t\n * Run apt-get update before trying to install packages\n * run `cargo dist init` on dist 0.30\n * Drop allow-dirty from dist config, should no longer be needed\n * Reorder paragraphs in README\n * Note the maintenance transition for the go extraction library\n * Editing pass on the adopters: scanners\n * clarify Docker support\n * Cargo clippy fix\n * Add Wolfi OS and Chainguard to adopters\n * Update mentions around Anchore tooling\n * README and documentation updates for nightly\n * Bump dependency version in rust-audit-info\n * More work on docs\n * Nicer formatting on format revision documentation\n * Bump versions\n * regenerate JSON schema\n * cargo fmt\n * Document format field\n * Make it more clear that RawVersionInfo is private\n * Add format field to the serialized data\n * cargo clippy fix\n * Add special handling for proc macros to treat them as the build dependencies they are\n * Add a test to ensure proc macros are reported as build dependencies\n * Add a test fixture for a crate with a proc macro dependency\n * parse fully qualified package ID specs from SBOMs\n * select first discovered SBOM file\n * cargo sbom integration\n * Get rid of unmaintained wee_alloc in test code to make people\u0027s scanners misled by GHSA chill out\n * 
Don\u0027t fail plan workflow due to manually changed release.yml\n * Bump Ubuntu version to hopefully fix release.yml workflow\n * Add test for stripped binary\n * Bump version to 0.6.7\n * Populate changelog\n * README.md: add auditable2cdx, more consistency in text\n * Placate clippy\n * Do not emit -Wl if a bare linker is in use\n * Get rid of a compiler warning\n * Add bare linker detection function\n * drop boilerplate from test that\u0027s no longer relevant\n * Add support for recovering rustc codegen options\n * More lenient parsing of rustc arguments\n * More descriptive error message in case rustc is killed abruptly\n * change formatting to fit rustfmt\n * More descriptive error message in case cargo is killed\n * Update REPLACING_CARGO.md to fix #195\n * Clarify osv-scanner support in README\n * Include the command required to view metadata\n * Mention wasm-tools support\n * Switch from broken generic cache action to a Rust-specific one\n * Fill in various fields in auditable2cdx Cargo.toml\n * Include osv-scanner in the list, with a caveat\n * Add link to blint repo to README\n * Mention that blint supports our data\n * Consolidate target definitions\n * Account for WASM test dependencies changing, commit the Cargo.lock so they would stop doing that\n * Migrate to a maintained toolchain action\n * Fix author specification\n * Add link to repository to resolverver Cargo.toml\n * Bump resolverver to 0.1.0\n * Add resolverver crate to the tree\n\n- Update to version 0.6.6~0:\n\n * Note the `object` upgrade in the changelog\n * Upgrade cyclonedx-bom from 0.5 to 0.8 in auditable-cyclonedx\n * Upgrade object crate from 0.30 to 0.36 to reduce dependency footprint\n * Update dependencies in the lock file\n * Populate changelog\n * apply clippy lint\n * add another --emit parsing test\n * shorter code with cargo fmt\n * Actually fix cargo-c compatibility\n * Attempt to fix cargo-capi incompatibility\n * Refactoring in preparation for fixes\n * Also read the 
--emit flag to rustc\n * Fill in changelogs\n * Bump versions\n * Drop cfg\u0027d out tests\n * Drop obsolete doc line\n * Move dependency cycle tests from auditable-serde to cargo-auditable crate\n * Remove cargo_metadata from auditable-serde API surface.\n * Apply clippy lint\n * Upgrade miniz_oxide to 0.8.0\n * Insulate our semver from miniz_oxide semver\n * Add support for Rust 2024 edition\n * Update tests\n * More robust OS detection for riscv feature detection\n * bump version\n * update changelog for auditable-extract 0.3.5\n * Fix wasm component auditable data extraction\n * Update blocker description in README.md\n * Add openSUSE to adopters\n * Update list of know adopters\n * Fix detection of `riscv64-linux-android` target features\n * Silence noisy lint\n * Bump version requirement in rust-audit-info\n * Fill in changelogs\n * Bump semver of auditable-info\n * Drop obsolete comment now that wasm is enabled by default\n * Remove dependency on cargo-lock\n * Brag about adoption in the README\n * Don\u0027t use LTO for cargo-dist builds to make them consistent with `cargo install` etc\n * Also build musl binaries\n * dist: update dist config for future releases\n * dist(cargo-auditable): ignore auditable2cdx for now\n * chore: add cargo-dist\n\n- Update to version 0.6.4~0:\n\n * Release cargo-auditable v0.6.4\n * Correctly attribute changelog file addition in changelog\n * Add changelog for auditable-extract\n * Verify various feature combinations in CI\n * Upgrade wasmparser to remove dependencies with `unsafe`\n * Add LoongArch support\n * cargo fmt\n * Move doc headers to README.md and point rustdoc to them, so that we have nice crates.io pages\n * Expand on the note about WebAssembly parsing\n * Populate changelogs\n * Resume bragging about all dependencies being safe, now that there is a caveat below\n * drop fuzz Cargo.lock to always fuzz against latest versions\n * Bump `cargo auditable` version\n * Mention WASM support in README\n * Revert 
\u0027Be super duper extra sure both MinGW and MSVC are tested on CI\u0027\n * Be super duper extra sure both MinGW and MSVC are tested on CI\n * Add wasm32 targets to CI for more platforms\n * Don\u0027t pass --target twice in tests\n * Install WASM toolchain in CI\n * cargo fmt\n * Add WASM end-to-end test\n * cargo fmt\n * Update documentation to mention the WASM feature\n * cargo fmt\n * Plumb WASM parsing feature through the whole stack\n * Make WASM parsing an optional, non-default feature\n * Add a fuzzing harness for WASM parsing\n * Rewritten WASM parsing to avoid heap allocations\n * Initial WASM extraction support\n * Nicer assertion\n * Drop obsolete comment\n * Clarify that embedding the compiler version has shipped.\n * Fixed section name for WASM\n * Unified and more robust platform detection. Fixed wasm build process\n * Initial WASM support\n * More robust platform detection for picking the binary format\n * Fix Windows CI to run both -msvc and -gnu\n * Use the correct link.exe flag for preserving the specified symbol even if it is unused\n * Fix Windows\n * Fix tests on Rust 1.77\n * Placate clippy\n * Oopps, I meant components field\n * Also remove the dependencies field if empty\n * Use serde_json with order preservation feature to get a more compressible JSON after workarounds\n * Work around cyclonedx-bom limitations to produce minified JSON\n * Also record the dependency kind\n * cyclonedx-bom: also record PURL\n * Also write the dependency tree\n * Clear the serial number in the minimal CycloneDX variant\n * Prototype impl of auditable2cdx\n * Fill in auditable2cdx dependencies\n * Initial auditable2cdx boilerplace\n * add #![forbid(unsafe_code)]\n * Initial implementation of auditable-to-cyclonedx conversion\n * Add the necessary dependencies to auditable-cyclonedx\n * Initial dummy package for auditable-cyclonedx\n\n- Update to version 0.6.2~0:\n\n * Update the lockfile\n * New releases of cargo-auditable and auditable-serde\n * Use a 
separate project for the custom rustc path tests. Fixes intermittent test failures due to race conditions\n * Revert \u0027add commit hashes to git sources\u0027\n * Fix cyclic dependency graph being encoded\n * Revert \u0027An unsuccessful attempt to fix cycles caused by dev-dependencies\u0027\n * An unsuccessful attempt to fix cycles caused by dev-dependencies\n * Fix typo\n * Add comment\n * Add a test for an issue with cyclic dependencies reported at https://github.com/rustsec/rustsec/issues/1043\n * Fix auditable-serde example not building\n * upgrade dependency miniz_oxide to 0.6.0\n * fix formatting errors\n * apply clippy lints for --all-features\n * improve the internal docs and comments\n * apply clippy lints\n * add missing sources for one of test fixtures\n * add commit hashes to git sources\n * Run all tests on CI\n * cargo fmt\n * Run `cargo clean` in tests to get rid of stale binaries\n * Fix date in changelog\n * Populate changelog\n * Bump auditable-info version in rust-audit-info\n * Add auditable-info changelog\n * Bump versions following cargo-lock bump\n * auditable-serde: bump `cargo-lock` to v9\n * switch to UNRELEASED\n * Update CHANGELOG.md\n * Print a better error if calling rustc fails\n * Drop unused import\n * placate Clippy\n * Don\u0027t inject audit info if --print argument is passed to rustc\n * Reflect the version change in Cargo.lock\n * Remove space from keywords\n * bump version to 0.6.1\n * Fix date in changelog\n * Update CHANGELOG.md\n * Add publish=false\n * Commit the generated manpage\n * Add the code for generating a manpage; rather rudimentary so far, but it\u0027s a starting point\n * Explain relation to supply chain attacks\n * Add keywords to the Cargo manifest\n * Revert \u0027generate a man page for cargo auditable\u0027\n * fix formatting\n * fix review feedback, relocate file to under OUT_DIR, don\u0027t use anyhow and also commit the lock file\n * generate a man page for cargo auditable\n * Add Clippy 
suppression\n * placate clippy\n * commit Cargo.lock\n * Sync to latest object file writing code from rustc\n * Fix examples in docs\n * Allow redundant field names\n * Apply clippy suggestion: match -\u003e if let\n * Check for clippy and format in CI\n * Apply clippy suggestions\n * Run CI with --locked\n\n- Update to version 0.6.0~0:\n\n * README and documentation improvements \n * Read the rustc path passed by Cargo; fixes #90\n * Read location of Cargo from the environment variable Cargo sets for third-party subcommands\n * Add a note on sccache version compatibility to CHANGELOG.md\n * Panic on compilation commands where we fail to parse the arguments instead of silently ignoring the error\n * Specifying the binary-scanning feature is no longer needed\n * Pass options such as --offline to `cargo metadata`\n * Pass on arguments from `cargo auditable` invocation to the rustc wrapper; prep work towards fixing #83\n * Bump rust-audit-info to 0.5.2\n * Bump auditable-serde version to 0.5.2\n * Correctly fill in the source even in dependency entries when converting to cargo-lock data format\n * Drop the roundtrip through str in semver::Version\n * Release auditable-info 0.6.1\n * Bump all the version requirements for things depending on auditable-info\n * Fix audit_info_from_slice function signature\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-514,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-514,SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-514,SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-514,SUSE-SLE-Product-SLES_SAP-15-SP4-2026-514",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_0514-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:0514-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260514-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:0514-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024235.html"
},
{
"category": "self",
"summary": "SUSE Bug 1257906",
"url": "https://bugzilla.suse.com/1257906"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-25727 page",
"url": "https://www.suse.com/security/cve/CVE-2026-25727/"
}
],
"title": "Security update for cargo-auditable",
"tracking": {
"current_release_date": "2026-02-13T14:57:18Z",
"generator": {
"date": "2026-02-13T14:57:18Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:0514-1",
"initial_release_date": "2026-02-13T14:57:18Z",
"revision_history": [
{
"date": "2026-02-13T14:57:18Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "cargo-auditable-0.7.2~0-150300.7.6.1.aarch64",
"product": {
"name": "cargo-auditable-0.7.2~0-150300.7.6.1.aarch64",
"product_id": "cargo-auditable-0.7.2~0-150300.7.6.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-auditable-0.7.2~0-150300.7.6.1.i586",
"product": {
"name": "cargo-auditable-0.7.2~0-150300.7.6.1.i586",
"product_id": "cargo-auditable-0.7.2~0-150300.7.6.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-auditable-0.7.2~0-150300.7.6.1.ppc64le",
"product": {
"name": "cargo-auditable-0.7.2~0-150300.7.6.1.ppc64le",
"product_id": "cargo-auditable-0.7.2~0-150300.7.6.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-auditable-0.7.2~0-150300.7.6.1.s390x",
"product": {
"name": "cargo-auditable-0.7.2~0-150300.7.6.1.s390x",
"product_id": "cargo-auditable-0.7.2~0-150300.7.6.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-auditable-0.7.2~0-150300.7.6.1.x86_64",
"product": {
"name": "cargo-auditable-0.7.2~0-150300.7.6.1.x86_64",
"product_id": "cargo-auditable-0.7.2~0-150300.7.6.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-espos:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150300.7.6.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:cargo-auditable-0.7.2~0-150300.7.6.1.aarch64"
},
"product_reference": "cargo-auditable-0.7.2~0-150300.7.6.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150300.7.6.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:cargo-auditable-0.7.2~0-150300.7.6.1.x86_64"
},
"product_reference": "cargo-auditable-0.7.2~0-150300.7.6.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150300.7.6.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.aarch64"
},
"product_reference": "cargo-auditable-0.7.2~0-150300.7.6.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150300.7.6.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.x86_64"
},
"product_reference": "cargo-auditable-0.7.2~0-150300.7.6.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150300.7.6.1.aarch64 as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.aarch64"
},
"product_reference": "cargo-auditable-0.7.2~0-150300.7.6.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150300.7.6.1.ppc64le as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.ppc64le"
},
"product_reference": "cargo-auditable-0.7.2~0-150300.7.6.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150300.7.6.1.s390x as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.s390x"
},
"product_reference": "cargo-auditable-0.7.2~0-150300.7.6.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150300.7.6.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.x86_64"
},
"product_reference": "cargo-auditable-0.7.2~0-150300.7.6.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150300.7.6.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:cargo-auditable-0.7.2~0-150300.7.6.1.ppc64le"
},
"product_reference": "cargo-auditable-0.7.2~0-150300.7.6.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150300.7.6.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:cargo-auditable-0.7.2~0-150300.7.6.1.x86_64"
},
"product_reference": "cargo-auditable-0.7.2~0-150300.7.6.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-25727",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-25727"
}
],
"notes": [
{
"category": "general",
"text": "time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:cargo-auditable-0.7.2~0-150300.7.6.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:cargo-auditable-0.7.2~0-150300.7.6.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.x86_64",
"SUSE Linux Enterprise Server 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.aarch64",
"SUSE Linux Enterprise Server 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.s390x",
"SUSE Linux Enterprise Server 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:cargo-auditable-0.7.2~0-150300.7.6.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:cargo-auditable-0.7.2~0-150300.7.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-25727",
"url": "https://www.suse.com/security/cve/CVE-2026-25727"
},
{
"category": "external",
"summary": "SUSE Bug 1257901 for CVE-2026-25727",
"url": "https://bugzilla.suse.com/1257901"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:cargo-auditable-0.7.2~0-150300.7.6.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:cargo-auditable-0.7.2~0-150300.7.6.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.x86_64",
"SUSE Linux Enterprise Server 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.aarch64",
"SUSE Linux Enterprise Server 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.s390x",
"SUSE Linux Enterprise Server 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:cargo-auditable-0.7.2~0-150300.7.6.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:cargo-auditable-0.7.2~0-150300.7.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:cargo-auditable-0.7.2~0-150300.7.6.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:cargo-auditable-0.7.2~0-150300.7.6.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.x86_64",
"SUSE Linux Enterprise Server 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.aarch64",
"SUSE Linux Enterprise Server 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.s390x",
"SUSE Linux Enterprise Server 15 SP4-LTSS:cargo-auditable-0.7.2~0-150300.7.6.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:cargo-auditable-0.7.2~0-150300.7.6.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:cargo-auditable-0.7.2~0-150300.7.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-13T14:57:18Z",
"details": "important"
}
],
"title": "CVE-2026-25727"
}
]
}
SUSE-SU-2026:0582-1
Vulnerability from csaf_suse - Published: 2026-02-20 10:02 - Updated: 2026-02-20 10:02
Summary
Security update for snpguest
Severity
Important
Notes
Title of the patch: Security update for snpguest
Description of the patch: This update for snpguest fixes the following issues:
- CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion (bsc#1257927).
Patchnames: SUSE-2026-582,SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-582,SUSE-SLE-Product-SLES_SAP-15-SP6-2026-582,openSUSE-SLE-15.6-2026-582
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| SUSE Linux Enterprise Server 15 SP6-LTSS | snpguest-0.3.2-150600.3.9.1.x86_64 | 0.3.2-150600.3.9.1 | Vendor Fix |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | snpguest-0.3.2-150600.3.9.1.x86_64 | 0.3.2-150600.3.9.1 | Vendor Fix |
| openSUSE Leap 15.6 | snpguest-0.3.2-150600.3.9.1.x86_64 | 0.3.2-150600.3.9.1 | Vendor Fix |
Threats
Impact
important
References
8 references
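The advisory text describes the defect only in outline: an RFC 2822 parser in the time crate recursed on user-controlled input with no depth bound, and 0.3.47 added a limit that turns the failure into an error instead of a crash. The example below is added here to make that pattern concrete; it is not code from the time crate, from snpguest or from SUSE. It assumes that the recursive construct is a nested RFC 2822 comment (CFWS allows "(a (b (c)))"), which is this example's assumption and is not stated on the page; the function names, the depth limit of 8, the error type and the sample inputs are likewise constructed for illustration.

```rust
// Added illustration for this page; not the time crate's parser.
// Assumption (not stated on the page): the recursive construct that the
// advisory calls "deprecated and rarely-used" is a nested RFC 2822
// comment such as "(outer (inner) tail)".

#[derive(Debug, PartialEq)]
pub enum CommentError {
    /// Input did not start with '('.
    NotAComment,
    /// Input ended before every '(' was closed.
    Unterminated,
    /// Nesting exceeded the configured limit (bounded parser only).
    TooDeep { limit: usize },
}

/// Vulnerable shape: skip one comment starting at input[0] == '(' and
/// return the number of bytes consumed. Each nested '(' costs one more
/// stack frame with no bound, so a long run of '(' from a remote sender
/// exhausts the stack and aborts the process (availability impact only;
/// safe Rust turns stack exhaustion into an abort, not memory corruption).
pub fn skip_comment_unbounded(input: &[u8]) -> Result<usize, CommentError> {
    if input.first() != Some(&b'(') {
        return Err(CommentError::NotAComment);
    }
    let mut i = 1;
    while i < input.len() {
        match input[i] {
            b'\\' => i += 2, // quoted-pair: the next byte is literal
            b'(' => i += skip_comment_unbounded(&input[i..])?, // nested comment
            b')' => return Ok(i + 1),
            _ => i += 1,
        }
    }
    Err(CommentError::Unterminated)
}

/// Depth limit chosen for this example; the page does not state the
/// value that time 0.3.47 uses.
pub const MAX_COMMENT_DEPTH: usize = 8;

/// Hardened shape: the same grammar, but recursion carries a depth
/// counter and returns an error once `limit` levels are open, so the
/// worst case costs a bounded number of frames regardless of input size.
pub fn skip_comment_bounded(input: &[u8], limit: usize) -> Result<usize, CommentError> {
    fn inner(input: &[u8], depth: usize, limit: usize) -> Result<usize, CommentError> {
        if input.first() != Some(&b'(') {
            return Err(CommentError::NotAComment);
        }
        if depth >= limit {
            return Err(CommentError::TooDeep { limit });
        }
        let mut i = 1;
        while i < input.len() {
            match input[i] {
                b'\\' => i += 2,
                b'(' => i += inner(&input[i..], depth + 1, limit)?,
                b')' => return Ok(i + 1),
                _ => i += 1,
            }
        }
        Err(CommentError::Unterminated)
    }
    inner(input, 0, limit)
}

/// Constructed hostile input: `levels` opening parens followed by the
/// matching closers, the kind of payload that fits in a Date header.
pub fn nested_comment(levels: usize) -> Vec<u8> {
    let mut v = vec![b'('; levels];
    v.extend(std::iter::repeat(b')').take(levels));
    v
}

fn main() {
    let hostile = nested_comment(1_000_000);
    // Rejected with a bounded number of frames; skip_comment_unbounded(&hostile)
    // would instead recurse a million frames deep and abort the process.
    println!("{:?}", skip_comment_bounded(&hostile, MAX_COMMENT_DEPTH));
    let benign = b"(a (b) c) Sat, 01 Jan 2000 00:00:00 +0000";
    println!("{:?}", skip_comment_bounded(benign, MAX_COMMENT_DEPTH));
}
```

Both parsers agree on ordinary input, which is why the advisory can say non-malicious input never hits the failure; only the bounded one survives the constructed million-level payload, and it fails with a value the caller can handle. For a deployed Rust binary built with cargo-auditable (the subject of the first advisory on this page), `cargo audit bin <path>` reads the embedded dependency list and reports whether a time crate older than 0.3.47 is still linked in.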
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for snpguest",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for snpguest fixes the following issues:\n\n- CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion\n (bsc#1257927).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-582,SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-582,SUSE-SLE-Product-SLES_SAP-15-SP6-2026-582,openSUSE-SLE-15.6-2026-582",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_0582-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:0582-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260582-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:0582-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024364.html"
},
{
"category": "self",
"summary": "SUSE Bug 1257927",
"url": "https://bugzilla.suse.com/1257927"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-25727 page",
"url": "https://www.suse.com/security/cve/CVE-2026-25727/"
}
],
"title": "Security update for snpguest",
"tracking": {
"current_release_date": "2026-02-20T10:02:23Z",
"generator": {
"date": "2026-02-20T10:02:23Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:0582-1",
"initial_release_date": "2026-02-20T10:02:23Z",
"revision_history": [
{
"date": "2026-02-20T10:02:23Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "snpguest-0.3.2-150600.3.9.1.x86_64",
"product": {
"name": "snpguest-0.3.2-150600.3.9.1.x86_64",
"product_id": "snpguest-0.3.2-150600.3.9.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP6-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp6"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp6"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "snpguest-0.3.2-150600.3.9.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS:snpguest-0.3.2-150600.3.9.1.x86_64"
},
"product_reference": "snpguest-0.3.2-150600.3.9.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP6-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "snpguest-0.3.2-150600.3.9.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP6:snpguest-0.3.2-150600.3.9.1.x86_64"
},
"product_reference": "snpguest-0.3.2-150600.3.9.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "snpguest-0.3.2-150600.3.9.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:snpguest-0.3.2-150600.3.9.1.x86_64"
},
"product_reference": "snpguest-0.3.2-150600.3.9.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-25727",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-25727"
}
],
"notes": [
{
"category": "general",
"text": "time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 15 SP6-LTSS:snpguest-0.3.2-150600.3.9.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:snpguest-0.3.2-150600.3.9.1.x86_64",
"openSUSE Leap 15.6:snpguest-0.3.2-150600.3.9.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-25727",
"url": "https://www.suse.com/security/cve/CVE-2026-25727"
},
{
"category": "external",
"summary": "SUSE Bug 1257901 for CVE-2026-25727",
"url": "https://bugzilla.suse.com/1257901"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 15 SP6-LTSS:snpguest-0.3.2-150600.3.9.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:snpguest-0.3.2-150600.3.9.1.x86_64",
"openSUSE Leap 15.6:snpguest-0.3.2-150600.3.9.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 15 SP6-LTSS:snpguest-0.3.2-150600.3.9.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:snpguest-0.3.2-150600.3.9.1.x86_64",
"openSUSE Leap 15.6:snpguest-0.3.2-150600.3.9.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-20T10:02:23Z",
"details": "important"
}
],
"title": "CVE-2026-25727"
}
]
}
SUSE-SU-2026:0620-1
Vulnerability from csaf_suse - Published: 2026-02-24 16:36 - Updated: 2026-02-24 16:36
Summary
Security update for snpguest
Severity
Important
Notes
Title of the patch: Security update for snpguest
Description of the patch: This update for snpguest fixes the following issues:
Update to version 0.10.0.
Security issues fixed:
- CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion (bsc#1257927).
- CVE-2025-3416: openssl: Use-After-Free in Md::fetch and Cipher::fetch in rust-openssl crate (bsc#1242601).
- CVE-2024-12224: idna: idna accepts Punycode labels that do not produce any non-ASCII when decoded (bsc#1243869).
Other updates and bugfixes:
- Update to version 0.10.0
* fails to generate attestation reports on SEV-SNP guests with firmware API (bsc#1257877).
* chore: updating tool version to 0.10.0
* refactor(certs): remove redundant branch in file-write logic
* Docs: Adding verify measure, host-data, report-data to docs
* verify: verify measurement, host data, and report data attributes from the attestation report.
* library: Updating sev library to 7.1.0
* ci: replace deprecated gh actions
* feat: multi-format integer parsing for key subcommand arguments
* chore(main): remove unused import `clap::arg`
* feat(fetch): add fetch crl subcommand
* .github/lint: Bump toolchain version to 1.86
* Bump rust version to 1.86
* feat: bumping tool to version 0.9.2
* fix(verify): silence mismatched_lifetime_syntaxes in SnpOid::oid
* feat: support SEV-SNP ABI Spec 1.58 (bump sev to v6.3.0)
* docs: restore and clarify Global Options section
* doc: fix CL argument orders + address recent changes
* fix(hyperv): downgrade VMPL check from error to warning
* fix(report.rs): remove conflict check between --random flag and Hyper-V
* fix(report.rs): Decouple runtime behavior from hyperv build feature
* refactor: clarify --platform error message
* docs: add Azure/Hyper-V build note for --platform
* report: Writing Req Data as Binary (#101)
* deps: bump virtee/sev to 6.2.1 (fix TCB-serialization bug) (#99)
* Updating SEV library to 6.1.0 and updating version to 0.9.1
* Update version (0.9.0)
* HyperV: Fixing report command failure on Azure confidential VM
* Removing initrd and append requirement for kernel measurements (#93)
* Updating to version 6 of library and fixing attestation (#89)
* CI: Fixing create_release workflow (#91)
* Minor update (0.8.3)
* Adding build script
* Update preattestation.rs
* Fix certificate fetch bug for Turin
* Minor update
* Update bitfield to 0.15.0
* Update to 0.8.1
* Update asn1-rs and x509-parser
* Update to 0.8.0
* key: Fix guest_field_select typo
* Adding Turin support and updating ASK cn
Patchnames: SUSE-2026-620,SUSE-SLE-Module-Server-Applications-15-SP7-2026-620
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
CVE-2024-12224: 4.2 (Medium)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| SUSE Linux Enterprise Module for Server Applications 15 SP7 | snpguest-0.10.0-150700.3.3.1.x86_64 | 0.10.0-150700.3.3.1 | Vendor Fix |
Threats
Impact
moderate
CVE-2025-3416: 3.7 (Low)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| SUSE Linux Enterprise Module for Server Applications 15 SP7 | snpguest-0.10.0-150700.3.3.1.x86_64 | 0.10.0-150700.3.3.1 | Vendor Fix |
Threats
Impact
low
CVE-2026-25727: 7.5 (High)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| SUSE Linux Enterprise Module for Server Applications 15 SP7 | snpguest-0.10.0-150700.3.3.1.x86_64 | 0.10.0-150700.3.3.1 | Vendor Fix |
Threats
Impact
important
References
17 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for snpguest",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for snpguest fixes the following issues:\n\nUpdate to version 0.10.0.\n\nSecurity issues fixed: \n\n- CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion (bsc#1257927).\n- CVE-2025-3416: openssl: Use-After-Free in Md::fetch and Cipher::fetch in rust-openssl crate (bsc#1242601).\n- CVE-2024-12224: idna: idna accepts Punycode labels that do not produce any non-ASCII when decoded (bcs#1243869).\n\nOther updates and bugfixes:\n\n- Update to version 0.10.0 \n\n * fails to generate attestation reports on SEV-SNP guests with firmware API (bsc#1257877).\n * chore: updating tool version to 0.10.0\n * refactor(certs): remove redundant branch in file-write logic\n * Docs: Adding verify measure, host-data, report-data to docs\n * verify: verify measurent, host data, and report data attributes from the attestation report.\n * library: Updating sev library to 7.1.0\n * ci: replace deprecated gh actions\n * feat: multi-format integer parsing for key subcommand arguments\n * chore(main): remove unused import `clap::arg`\n * feat(fetch): add fetch crl subcommand\n * .github/lint: Bump toolchain version to 1.86\n * Bump rust version to 1.86\n * feat: bumping tool to version 0.9.2\n * fix(verify): silence mismatched_lifetime_syntaxes in SnpOid::oid\n * feat: support SEV-SNP ABI Spec 1.58 (bump sev to v6.3.0)\n * docs: restore and clarify Global Options section\n * doc: fix CL argument orders + address recent changes\n * fix(hyperv): downgrade VMPL check from error to warning\n * fix(report.rs): remove conflict check between --random flag and Hyper-V\n * fix(report.rs): Decouple runtime behavior from hyperv build feature\n * refactor: clarify --platform error message\n * docs: add Azure/Hyper-V build note for --platform\n * report: Writing Req Data as Binary (#101)\n * deps: bump virtee/sev to 6.2.1 (fix TCB-serialization bug) (#99)\n * Updating SEV library to 6.1.0 and updating version to 0.9.1\n * Update 
version (0.9.0)\n * HyperV: Fixing report command failure on Azure confidential VM\n * Removing intird and append requirement for kernel measurements (#93)\n * Updating to version 6 of library and fixing attestation (#89)\n * CI: Fixing create_release workflow (#91)\n * Minor update (0.8.3)\n * Adding build script\n * Update preattestation.rs\n * Fix certificate fetch bug for Turin\n * Minor update\n * Update bitfield to 0.15.0\n * Update to 0.8.1\n * Update asn1-rs and x509-parser\n * Update to 0.8.0\n * key: Fix guest_field_select typo\n * Adding Turin support and updating ASK cn\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-620,SUSE-SLE-Module-Server-Applications-15-SP7-2026-620",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_0620-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:0620-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260620-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:0620-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024385.html"
},
{
"category": "self",
"summary": "SUSE Bug 1242601",
"url": "https://bugzilla.suse.com/1242601"
},
{
"category": "self",
"summary": "SUSE Bug 1243869",
"url": "https://bugzilla.suse.com/1243869"
},
{
"category": "self",
"summary": "SUSE Bug 1257877",
"url": "https://bugzilla.suse.com/1257877"
},
{
"category": "self",
"summary": "SUSE Bug 1257927",
"url": "https://bugzilla.suse.com/1257927"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-12224 page",
"url": "https://www.suse.com/security/cve/CVE-2024-12224/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-3416 page",
"url": "https://www.suse.com/security/cve/CVE-2025-3416/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-25727 page",
"url": "https://www.suse.com/security/cve/CVE-2026-25727/"
}
],
"title": "Security update for snpguest",
"tracking": {
"current_release_date": "2026-02-24T16:36:35Z",
"generator": {
"date": "2026-02-24T16:36:35Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:0620-1",
"initial_release_date": "2026-02-24T16:36:35Z",
"revision_history": [
{
"date": "2026-02-24T16:36:35Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "snpguest-0.10.0-150700.3.3.1.x86_64",
"product": {
"name": "snpguest-0.10.0-150700.3.3.1.x86_64",
"product_id": "snpguest-0.10.0-150700.3.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Server Applications 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for Server Applications 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Server Applications 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-server-applications:15:sp7"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "snpguest-0.10.0-150700.3.3.1.x86_64 as component of SUSE Linux Enterprise Module for Server Applications 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Server Applications 15 SP7:snpguest-0.10.0-150700.3.3.1.x86_64"
},
"product_reference": "snpguest-0.10.0-150700.3.3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Server Applications 15 SP7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-12224",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-12224"
}
],
"notes": [
{
"category": "general",
"text": "Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Server Applications 15 SP7:snpguest-0.10.0-150700.3.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-12224",
"url": "https://www.suse.com/security/cve/CVE-2024-12224"
},
{
"category": "external",
"summary": "SUSE Bug 1243848 for CVE-2024-12224",
"url": "https://bugzilla.suse.com/1243848"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Server Applications 15 SP7:snpguest-0.10.0-150700.3.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Server Applications 15 SP7:snpguest-0.10.0-150700.3.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-24T16:36:35Z",
"details": "moderate"
}
],
"title": "CVE-2024-12224"
},
{
"cve": "CVE-2025-3416",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-3416"
}
],
"notes": [
{
"category": "general",
"text": "A flaw was found in OpenSSL\u0027s handling of the properties argument in certain functions. This vulnerability can allow use-after-free exploitation, which may result in undefined behavior or incorrect property parsing, leading to OpenSSL treating the input as an empty string.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Server Applications 15 SP7:snpguest-0.10.0-150700.3.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-3416",
"url": "https://www.suse.com/security/cve/CVE-2025-3416"
},
{
"category": "external",
"summary": "SUSE Bug 1242599 for CVE-2025-3416",
"url": "https://bugzilla.suse.com/1242599"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Server Applications 15 SP7:snpguest-0.10.0-150700.3.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Server Applications 15 SP7:snpguest-0.10.0-150700.3.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-24T16:36:35Z",
"details": "low"
}
],
"title": "CVE-2025-3416"
},
{
"cve": "CVE-2026-25727",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-25727"
}
],
"notes": [
{
"category": "general",
"text": "time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Server Applications 15 SP7:snpguest-0.10.0-150700.3.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-25727",
"url": "https://www.suse.com/security/cve/CVE-2026-25727"
},
{
"category": "external",
"summary": "SUSE Bug 1257901 for CVE-2026-25727",
"url": "https://bugzilla.suse.com/1257901"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Server Applications 15 SP7:snpguest-0.10.0-150700.3.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Server Applications 15 SP7:snpguest-0.10.0-150700.3.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-24T16:36:35Z",
"details": "important"
}
],
"title": "CVE-2026-25727"
}
]
}
SUSE-SU-2026:0806-1
Vulnerability from csaf_suse - Published: 2026-03-04 15:46 - Updated: 2026-03-04 15:46
Summary
Security update for wicked2nm,suse-migration-services,suse-migration-sle16-activation,SLES16-Migration,SLES16-SAP_Migration
Severity
Important
Notes
Title of the patch: Security update for wicked2nm,suse-migration-services,suse-migration-sle16-activation,SLES16-Migration,SLES16-SAP_Migration
Description of the patch: This update for wicked2nm,suse-migration-services,suse-migration-sle16-activation,SLES16-Migration,SLES16-SAP_Migration fixes the following issues:
Changes for SLES16-SAP_Migration:
- Bump version: 2.1.30
Changes for SLES16-Migration:
- Bump version: 2.1.30
Changes for suse-migration-sle16-activation:
- Move script package to the main migration provider
- Create lib file for common network-prereq tasks
- Refactor mount_system service
Changes for suse-migration-services:
- Bump to version: 2.1.30:
* Update docinfo
* Update doc/adoc/user_guide.adoc
* Update documentation for 12-to-15 in pubclouds
Fix information about default service pack target.
* Apply make black
* Added black for code formatting
* refactor: add `Zypper.install` wrapper
Add `Zypper.install` wrapper method for package installation
* Fixed get_migration_target return behavior
* fix: ensure NetworkManager is installed on the target system
Changes for wicked2nm:
- Update to version v1.4.1.
Security issues fixed:
- CVE-2026-25727: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion (bsc#1257911).
Other updates and bugfixes:
- update bytes from 1.10.1 to 1.11.1
- update time to 0.3.47
Patchnames: SUSE-2026-806,SUSE-SLE-Module-Basesystem-15-SP7-2026-806,SUSE-SLE-Module-SAP-Applications-15-SP7-2026-806
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:SLES16-Migration-2.1.30-15.26.4.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:SLES16-Migration-2.1.30-15.26.4.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:SLES16-Migration-2.1.30-15.26.4.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:SLES16-Migration-2.1.30-15.26.4.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:python3-migration-2.1.30-150700.15.21.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:suse-migration-pre-checks-2.1.30-150700.15.21.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:suse-migration-scripts-2.1.30-150700.15.21.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:suse-migration-sle16-activation-2.1.30-150700.15.13.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:suse-migration-sle16-activation-2.1.30-150700.15.13.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:wicked2nm-1.4.1-150700.15.16.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:wicked2nm-1.4.1-150700.15.16.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:wicked2nm-1.4.1-150700.15.16.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:wicked2nm-1.4.1-150700.15.16.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for SAP Applications 15 SP7:SLES16-SAP_Migration-2.1.30-15.18.4.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for SAP Applications 15 SP7:SLES16-SAP_Migration-2.1.30-15.18.4.x86_64 | — | | Vendor Fix |
Threats
Impact
important
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for wicked2nm,suse-migration-services,suse-migration-sle16-activation,SLES16-Migration,SLES16-SAP_Migration",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for wicked2nm,suse-migration-services,suse-migration-sle16-activation,SLES16-Migration,SLES16-SAP_Migration fixes the following issues:\n\nChanges for SLES16-SAP_Migration:\n \n- Bump version: 2.1.30 \n \nChanges for SLES16-Migration: \n\n- Bump version: 2.1.30 \n \nChanges for suse-migration-sle16-activation:\n \n- Move script package to the main migration provider\n- Create lib file for common network-prereq tasks\n- Refactor mount_system service\n \nChanges for suse-migration-services:\n\n- Bump to version: 2.1.30:\n * Update docinfo\n * Update doc/adoc/user_guide.adoc\n * Update documentation for 12-to-15 in pubclouds\n Fix information about default service pack target.\n * Apply make black\n * Added black for code formatting\n * refactor: add `Zypper.install` wrapper\n Add `Zypper.install` wrapper method for package installation\n * Fixed get_migration_target return behavior\n * fix: ensure NetworkManager is installed on the target system\n\nChanges for wicked2nm: \n \n- Update to version v1.4.1.\n\nSecurity issues fixed:\n- CVE-2026-25727: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion (bsc#1257911).\n\nOther updates and bugfixes:\n- update bytes from 1.10.1 to 1.11.1\n- update time to 0.3.47 \n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-806,SUSE-SLE-Module-Basesystem-15-SP7-2026-806,SUSE-SLE-Module-SAP-Applications-15-SP7-2026-806",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_0806-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:0806-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260806-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:0806-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024566.html"
},
{
"category": "self",
"summary": "SUSE Bug 1257911",
"url": "https://bugzilla.suse.com/1257911"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-25727 page",
"url": "https://www.suse.com/security/cve/CVE-2026-25727/"
}
],
"title": "Security update for wicked2nm,suse-migration-services,suse-migration-sle16-activation,SLES16-Migration,SLES16-SAP_Migration",
"tracking": {
"current_release_date": "2026-03-04T15:46:27Z",
"generator": {
"date": "2026-03-04T15:46:27Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:0806-1",
"initial_release_date": "2026-03-04T15:46:27Z",
"revision_history": [
{
"date": "2026-03-04T15:46:27Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "SLES16-Migration-2.1.30-15.26.4.aarch64",
"product": {
"name": "SLES16-Migration-2.1.30-15.26.4.aarch64",
"product_id": "SLES16-Migration-2.1.30-15.26.4.aarch64"
}
},
{
"category": "product_version",
"name": "suse-migration-rpm-1.0.1-150700.15.11.1.aarch64",
"product": {
"name": "suse-migration-rpm-1.0.1-150700.15.11.1.aarch64",
"product_id": "suse-migration-rpm-1.0.1-150700.15.11.1.aarch64"
}
},
{
"category": "product_version",
"name": "suse-migration-sle16-activation-2.1.30-150700.15.13.1.aarch64",
"product": {
"name": "suse-migration-sle16-activation-2.1.30-150700.15.13.1.aarch64",
"product_id": "suse-migration-sle16-activation-2.1.30-150700.15.13.1.aarch64"
}
},
{
"category": "product_version",
"name": "wicked2nm-1.4.1-150700.15.16.1.aarch64",
"product": {
"name": "wicked2nm-1.4.1-150700.15.16.1.aarch64",
"product_id": "wicked2nm-1.4.1-150700.15.16.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "suse-migration-rpm-1.0.1-150700.15.11.1.i586",
"product": {
"name": "suse-migration-rpm-1.0.1-150700.15.11.1.i586",
"product_id": "suse-migration-rpm-1.0.1-150700.15.11.1.i586"
}
},
{
"category": "product_version",
"name": "wicked2nm-1.4.1-150700.15.16.1.i586",
"product": {
"name": "wicked2nm-1.4.1-150700.15.16.1.i586",
"product_id": "wicked2nm-1.4.1-150700.15.16.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-migration-2.1.30-150700.15.21.1.noarch",
"product": {
"name": "python3-migration-2.1.30-150700.15.21.1.noarch",
"product_id": "python3-migration-2.1.30-150700.15.21.1.noarch"
}
},
{
"category": "product_version",
"name": "suse-migration-2.1.30-150700.15.21.1.noarch",
"product": {
"name": "suse-migration-2.1.30-150700.15.21.1.noarch",
"product_id": "suse-migration-2.1.30-150700.15.21.1.noarch"
}
},
{
"category": "product_version",
"name": "suse-migration-pre-checks-2.1.30-150700.15.21.1.noarch",
"product": {
"name": "suse-migration-pre-checks-2.1.30-150700.15.21.1.noarch",
"product_id": "suse-migration-pre-checks-2.1.30-150700.15.21.1.noarch"
}
},
{
"category": "product_version",
"name": "suse-migration-scripts-2.1.30-150700.15.21.1.noarch",
"product": {
"name": "suse-migration-scripts-2.1.30-150700.15.21.1.noarch",
"product_id": "suse-migration-scripts-2.1.30-150700.15.21.1.noarch"
}
},
{
"category": "product_version",
"name": "suse-migration-services-2.1.30-150700.15.21.1.noarch",
"product": {
"name": "suse-migration-services-2.1.30-150700.15.21.1.noarch",
"product_id": "suse-migration-services-2.1.30-150700.15.21.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "SLES16-Migration-2.1.30-15.26.4.ppc64le",
"product": {
"name": "SLES16-Migration-2.1.30-15.26.4.ppc64le",
"product_id": "SLES16-Migration-2.1.30-15.26.4.ppc64le"
}
},
{
"category": "product_version",
"name": "SLES16-SAP_Migration-2.1.30-15.18.4.ppc64le",
"product": {
"name": "SLES16-SAP_Migration-2.1.30-15.18.4.ppc64le",
"product_id": "SLES16-SAP_Migration-2.1.30-15.18.4.ppc64le"
}
},
{
"category": "product_version",
"name": "suse-migration-rpm-1.0.1-150700.15.11.1.ppc64le",
"product": {
"name": "suse-migration-rpm-1.0.1-150700.15.11.1.ppc64le",
"product_id": "suse-migration-rpm-1.0.1-150700.15.11.1.ppc64le"
}
},
{
"category": "product_version",
"name": "wicked2nm-1.4.1-150700.15.16.1.ppc64le",
"product": {
"name": "wicked2nm-1.4.1-150700.15.16.1.ppc64le",
"product_id": "wicked2nm-1.4.1-150700.15.16.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "SLES16-Migration-2.1.30-15.26.4.s390x",
"product": {
"name": "SLES16-Migration-2.1.30-15.26.4.s390x",
"product_id": "SLES16-Migration-2.1.30-15.26.4.s390x"
}
},
{
"category": "product_version",
"name": "suse-migration-rpm-1.0.1-150700.15.11.1.s390x",
"product": {
"name": "suse-migration-rpm-1.0.1-150700.15.11.1.s390x",
"product_id": "suse-migration-rpm-1.0.1-150700.15.11.1.s390x"
}
},
{
"category": "product_version",
"name": "wicked2nm-1.4.1-150700.15.16.1.s390x",
"product": {
"name": "wicked2nm-1.4.1-150700.15.16.1.s390x",
"product_id": "wicked2nm-1.4.1-150700.15.16.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "SLES16-Migration-2.1.30-15.26.4.x86_64",
"product": {
"name": "SLES16-Migration-2.1.30-15.26.4.x86_64",
"product_id": "SLES16-Migration-2.1.30-15.26.4.x86_64"
}
},
{
"category": "product_version",
"name": "SLES16-SAP_Migration-2.1.30-15.18.4.x86_64",
"product": {
"name": "SLES16-SAP_Migration-2.1.30-15.18.4.x86_64",
"product_id": "SLES16-SAP_Migration-2.1.30-15.18.4.x86_64"
}
},
{
"category": "product_version",
"name": "suse-migration-rpm-1.0.1-150700.15.11.1.x86_64",
"product": {
"name": "suse-migration-rpm-1.0.1-150700.15.11.1.x86_64",
"product_id": "suse-migration-rpm-1.0.1-150700.15.11.1.x86_64"
}
},
{
"category": "product_version",
"name": "suse-migration-sle16-activation-2.1.30-150700.15.13.1.x86_64",
"product": {
"name": "suse-migration-sle16-activation-2.1.30-150700.15.13.1.x86_64",
"product_id": "suse-migration-sle16-activation-2.1.30-150700.15.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "wicked2nm-1.4.1-150700.15.16.1.x86_64",
"product": {
"name": "wicked2nm-1.4.1-150700.15.16.1.x86_64",
"product_id": "wicked2nm-1.4.1-150700.15.16.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-basesystem:15:sp7"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for SAP Applications 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for SAP Applications 15 SP7",
"product_id": "SUSE Linux Enterprise Module for SAP Applications 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-sap-applications:15:sp7"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "SLES16-Migration-2.1.30-15.26.4.aarch64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:SLES16-Migration-2.1.30-15.26.4.aarch64"
},
"product_reference": "SLES16-Migration-2.1.30-15.26.4.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "SLES16-Migration-2.1.30-15.26.4.ppc64le as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:SLES16-Migration-2.1.30-15.26.4.ppc64le"
},
"product_reference": "SLES16-Migration-2.1.30-15.26.4.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "SLES16-Migration-2.1.30-15.26.4.s390x as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:SLES16-Migration-2.1.30-15.26.4.s390x"
},
"product_reference": "SLES16-Migration-2.1.30-15.26.4.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "SLES16-Migration-2.1.30-15.26.4.x86_64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:SLES16-Migration-2.1.30-15.26.4.x86_64"
},
"product_reference": "SLES16-Migration-2.1.30-15.26.4.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-migration-2.1.30-150700.15.21.1.noarch as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:python3-migration-2.1.30-150700.15.21.1.noarch"
},
"product_reference": "python3-migration-2.1.30-150700.15.21.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "suse-migration-pre-checks-2.1.30-150700.15.21.1.noarch as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:suse-migration-pre-checks-2.1.30-150700.15.21.1.noarch"
},
"product_reference": "suse-migration-pre-checks-2.1.30-150700.15.21.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "suse-migration-scripts-2.1.30-150700.15.21.1.noarch as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:suse-migration-scripts-2.1.30-150700.15.21.1.noarch"
},
"product_reference": "suse-migration-scripts-2.1.30-150700.15.21.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "suse-migration-sle16-activation-2.1.30-150700.15.13.1.aarch64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:suse-migration-sle16-activation-2.1.30-150700.15.13.1.aarch64"
},
"product_reference": "suse-migration-sle16-activation-2.1.30-150700.15.13.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "suse-migration-sle16-activation-2.1.30-150700.15.13.1.x86_64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:suse-migration-sle16-activation-2.1.30-150700.15.13.1.x86_64"
},
"product_reference": "suse-migration-sle16-activation-2.1.30-150700.15.13.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "wicked2nm-1.4.1-150700.15.16.1.aarch64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:wicked2nm-1.4.1-150700.15.16.1.aarch64"
},
"product_reference": "wicked2nm-1.4.1-150700.15.16.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "wicked2nm-1.4.1-150700.15.16.1.ppc64le as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:wicked2nm-1.4.1-150700.15.16.1.ppc64le"
},
"product_reference": "wicked2nm-1.4.1-150700.15.16.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "wicked2nm-1.4.1-150700.15.16.1.s390x as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:wicked2nm-1.4.1-150700.15.16.1.s390x"
},
"product_reference": "wicked2nm-1.4.1-150700.15.16.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "wicked2nm-1.4.1-150700.15.16.1.x86_64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:wicked2nm-1.4.1-150700.15.16.1.x86_64"
},
"product_reference": "wicked2nm-1.4.1-150700.15.16.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "SLES16-SAP_Migration-2.1.30-15.18.4.ppc64le as component of SUSE Linux Enterprise Module for SAP Applications 15 SP7",
"product_id": "SUSE Linux Enterprise Module for SAP Applications 15 SP7:SLES16-SAP_Migration-2.1.30-15.18.4.ppc64le"
},
"product_reference": "SLES16-SAP_Migration-2.1.30-15.18.4.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for SAP Applications 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "SLES16-SAP_Migration-2.1.30-15.18.4.x86_64 as component of SUSE Linux Enterprise Module for SAP Applications 15 SP7",
"product_id": "SUSE Linux Enterprise Module for SAP Applications 15 SP7:SLES16-SAP_Migration-2.1.30-15.18.4.x86_64"
},
"product_reference": "SLES16-SAP_Migration-2.1.30-15.18.4.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for SAP Applications 15 SP7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-25727",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-25727"
}
],
"notes": [
{
"category": "general",
"text": "time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:SLES16-Migration-2.1.30-15.26.4.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:SLES16-Migration-2.1.30-15.26.4.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:SLES16-Migration-2.1.30-15.26.4.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:SLES16-Migration-2.1.30-15.26.4.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:python3-migration-2.1.30-150700.15.21.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:suse-migration-pre-checks-2.1.30-150700.15.21.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:suse-migration-scripts-2.1.30-150700.15.21.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:suse-migration-sle16-activation-2.1.30-150700.15.13.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:suse-migration-sle16-activation-2.1.30-150700.15.13.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:wicked2nm-1.4.1-150700.15.16.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:wicked2nm-1.4.1-150700.15.16.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:wicked2nm-1.4.1-150700.15.16.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:wicked2nm-1.4.1-150700.15.16.1.x86_64",
"SUSE Linux Enterprise Module for SAP Applications 15 SP7:SLES16-SAP_Migration-2.1.30-15.18.4.ppc64le",
"SUSE Linux Enterprise Module for SAP Applications 15 SP7:SLES16-SAP_Migration-2.1.30-15.18.4.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-25727",
"url": "https://www.suse.com/security/cve/CVE-2026-25727"
},
{
"category": "external",
"summary": "SUSE Bug 1257901 for CVE-2026-25727",
"url": "https://bugzilla.suse.com/1257901"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:SLES16-Migration-2.1.30-15.26.4.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:SLES16-Migration-2.1.30-15.26.4.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:SLES16-Migration-2.1.30-15.26.4.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:SLES16-Migration-2.1.30-15.26.4.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:python3-migration-2.1.30-150700.15.21.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:suse-migration-pre-checks-2.1.30-150700.15.21.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:suse-migration-scripts-2.1.30-150700.15.21.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:suse-migration-sle16-activation-2.1.30-150700.15.13.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:suse-migration-sle16-activation-2.1.30-150700.15.13.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:wicked2nm-1.4.1-150700.15.16.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:wicked2nm-1.4.1-150700.15.16.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:wicked2nm-1.4.1-150700.15.16.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:wicked2nm-1.4.1-150700.15.16.1.x86_64",
"SUSE Linux Enterprise Module for SAP Applications 15 SP7:SLES16-SAP_Migration-2.1.30-15.18.4.ppc64le",
"SUSE Linux Enterprise Module for SAP Applications 15 SP7:SLES16-SAP_Migration-2.1.30-15.18.4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:SLES16-Migration-2.1.30-15.26.4.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:SLES16-Migration-2.1.30-15.26.4.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:SLES16-Migration-2.1.30-15.26.4.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:SLES16-Migration-2.1.30-15.26.4.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:python3-migration-2.1.30-150700.15.21.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:suse-migration-pre-checks-2.1.30-150700.15.21.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:suse-migration-scripts-2.1.30-150700.15.21.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:suse-migration-sle16-activation-2.1.30-150700.15.13.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:suse-migration-sle16-activation-2.1.30-150700.15.13.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:wicked2nm-1.4.1-150700.15.16.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:wicked2nm-1.4.1-150700.15.16.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:wicked2nm-1.4.1-150700.15.16.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:wicked2nm-1.4.1-150700.15.16.1.x86_64",
"SUSE Linux Enterprise Module for SAP Applications 15 SP7:SLES16-SAP_Migration-2.1.30-15.18.4.ppc64le",
"SUSE Linux Enterprise Module for SAP Applications 15 SP7:SLES16-SAP_Migration-2.1.30-15.18.4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-04T15:46:27Z",
"details": "important"
}
],
"title": "CVE-2026-25727"
}
]
}
SUSE-SU-2026:0816-1
Vulnerability from csaf_suse - Published: 2026-03-05 09:50 - Updated: 2026-03-05 09:50
Summary
Security update for virtiofsd
Severity
Important
Notes
Title of the patch: Security update for virtiofsd
Description of the patch: This update for virtiofsd fixes the following issue:
- CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion
(bsc#1257912).
Patchnames: SUSE-2026-816,SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-816,SUSE-SLE-Product-SLES_SAP-15-SP6-2026-816,openSUSE-SLE-15.6-2026-816
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:virtiofsd-1.10.1-150600.4.6.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:virtiofsd-1.10.1-150600.4.6.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:virtiofsd-1.10.1-150600.4.6.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:virtiofsd-1.10.1-150600.4.6.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:virtiofsd-1.10.1-150600.4.6.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:virtiofsd-1.10.1-150600.4.6.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.6:virtiofsd-1.10.1-150600.4.6.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.6:virtiofsd-1.10.1-150600.4.6.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.6:virtiofsd-1.10.1-150600.4.6.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.6:virtiofsd-1.10.1-150600.4.6.1.x86_64 | — | | Vendor Fix |
Threats
Impact
important
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for virtiofsd",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for virtiofsd fixes the following issue:\n\n- CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion\n (bsc#1257912).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-816,SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-816,SUSE-SLE-Product-SLES_SAP-15-SP6-2026-816,openSUSE-SLE-15.6-2026-816",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_0816-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:0816-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260816-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:0816-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024582.html"
},
{
"category": "self",
"summary": "SUSE Bug 1257912",
"url": "https://bugzilla.suse.com/1257912"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-25727 page",
"url": "https://www.suse.com/security/cve/CVE-2026-25727/"
}
],
"title": "Security update for virtiofsd",
"tracking": {
"current_release_date": "2026-03-05T09:50:59Z",
"generator": {
"date": "2026-03-05T09:50:59Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:0816-1",
"initial_release_date": "2026-03-05T09:50:59Z",
"revision_history": [
{
"date": "2026-03-05T09:50:59Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "virtiofsd-1.10.1-150600.4.6.1.aarch64",
"product": {
"name": "virtiofsd-1.10.1-150600.4.6.1.aarch64",
"product_id": "virtiofsd-1.10.1-150600.4.6.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "virtiofsd-1.10.1-150600.4.6.1.ppc64le",
"product": {
"name": "virtiofsd-1.10.1-150600.4.6.1.ppc64le",
"product_id": "virtiofsd-1.10.1-150600.4.6.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "virtiofsd-1.10.1-150600.4.6.1.s390x",
"product": {
"name": "virtiofsd-1.10.1-150600.4.6.1.s390x",
"product_id": "virtiofsd-1.10.1-150600.4.6.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "virtiofsd-1.10.1-150600.4.6.1.x86_64",
"product": {
"name": "virtiofsd-1.10.1-150600.4.6.1.x86_64",
"product_id": "virtiofsd-1.10.1-150600.4.6.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP6-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp6"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp6"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "virtiofsd-1.10.1-150600.4.6.1.aarch64 as component of SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS:virtiofsd-1.10.1-150600.4.6.1.aarch64"
},
"product_reference": "virtiofsd-1.10.1-150600.4.6.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP6-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "virtiofsd-1.10.1-150600.4.6.1.ppc64le as component of SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS:virtiofsd-1.10.1-150600.4.6.1.ppc64le"
},
"product_reference": "virtiofsd-1.10.1-150600.4.6.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP6-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "virtiofsd-1.10.1-150600.4.6.1.s390x as component of SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS:virtiofsd-1.10.1-150600.4.6.1.s390x"
},
"product_reference": "virtiofsd-1.10.1-150600.4.6.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP6-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "virtiofsd-1.10.1-150600.4.6.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS:virtiofsd-1.10.1-150600.4.6.1.x86_64"
},
"product_reference": "virtiofsd-1.10.1-150600.4.6.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP6-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "virtiofsd-1.10.1-150600.4.6.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP6:virtiofsd-1.10.1-150600.4.6.1.ppc64le"
},
"product_reference": "virtiofsd-1.10.1-150600.4.6.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "virtiofsd-1.10.1-150600.4.6.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP6:virtiofsd-1.10.1-150600.4.6.1.x86_64"
},
"product_reference": "virtiofsd-1.10.1-150600.4.6.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "virtiofsd-1.10.1-150600.4.6.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:virtiofsd-1.10.1-150600.4.6.1.aarch64"
},
"product_reference": "virtiofsd-1.10.1-150600.4.6.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "virtiofsd-1.10.1-150600.4.6.1.ppc64le as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:virtiofsd-1.10.1-150600.4.6.1.ppc64le"
},
"product_reference": "virtiofsd-1.10.1-150600.4.6.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "virtiofsd-1.10.1-150600.4.6.1.s390x as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:virtiofsd-1.10.1-150600.4.6.1.s390x"
},
"product_reference": "virtiofsd-1.10.1-150600.4.6.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "virtiofsd-1.10.1-150600.4.6.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:virtiofsd-1.10.1-150600.4.6.1.x86_64"
},
"product_reference": "virtiofsd-1.10.1-150600.4.6.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-25727",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-25727"
}
],
"notes": [
{
"category": "general",
"text": "time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 15 SP6-LTSS:virtiofsd-1.10.1-150600.4.6.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:virtiofsd-1.10.1-150600.4.6.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:virtiofsd-1.10.1-150600.4.6.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:virtiofsd-1.10.1-150600.4.6.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:virtiofsd-1.10.1-150600.4.6.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:virtiofsd-1.10.1-150600.4.6.1.x86_64",
"openSUSE Leap 15.6:virtiofsd-1.10.1-150600.4.6.1.aarch64",
"openSUSE Leap 15.6:virtiofsd-1.10.1-150600.4.6.1.ppc64le",
"openSUSE Leap 15.6:virtiofsd-1.10.1-150600.4.6.1.s390x",
"openSUSE Leap 15.6:virtiofsd-1.10.1-150600.4.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-25727",
"url": "https://www.suse.com/security/cve/CVE-2026-25727"
},
{
"category": "external",
"summary": "SUSE Bug 1257901 for CVE-2026-25727",
"url": "https://bugzilla.suse.com/1257901"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 15 SP6-LTSS:virtiofsd-1.10.1-150600.4.6.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:virtiofsd-1.10.1-150600.4.6.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:virtiofsd-1.10.1-150600.4.6.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:virtiofsd-1.10.1-150600.4.6.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:virtiofsd-1.10.1-150600.4.6.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:virtiofsd-1.10.1-150600.4.6.1.x86_64",
"openSUSE Leap 15.6:virtiofsd-1.10.1-150600.4.6.1.aarch64",
"openSUSE Leap 15.6:virtiofsd-1.10.1-150600.4.6.1.ppc64le",
"openSUSE Leap 15.6:virtiofsd-1.10.1-150600.4.6.1.s390x",
"openSUSE Leap 15.6:virtiofsd-1.10.1-150600.4.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 15 SP6-LTSS:virtiofsd-1.10.1-150600.4.6.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:virtiofsd-1.10.1-150600.4.6.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:virtiofsd-1.10.1-150600.4.6.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:virtiofsd-1.10.1-150600.4.6.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:virtiofsd-1.10.1-150600.4.6.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:virtiofsd-1.10.1-150600.4.6.1.x86_64",
"openSUSE Leap 15.6:virtiofsd-1.10.1-150600.4.6.1.aarch64",
"openSUSE Leap 15.6:virtiofsd-1.10.1-150600.4.6.1.ppc64le",
"openSUSE Leap 15.6:virtiofsd-1.10.1-150600.4.6.1.s390x",
"openSUSE Leap 15.6:virtiofsd-1.10.1-150600.4.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-05T09:50:59Z",
"details": "important"
}
],
"title": "CVE-2026-25727"
}
]
}
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.