Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2024-45338 (GCVE-0-2024-45338)
Vulnerability from cvelistv5 – Published: 2024-12-18 20:38 – Updated: 2025-02-21 18:03
VLAI
EPSS
VEX
Title
Non-linear parsing of case-insensitive content in golang.org/x/net/html
Summary
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/net | golang.org/x/net/html |
Affected:
0 , < 0.33.0
(semver)
|
Credits
Guido Vranken
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45338",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-31T19:51:42.228627Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-31T19:55:04.864Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-02-21T18:03:32.301Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250221-0001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/html",
"product": "golang.org/x/net/html",
"programRoutines": [
{
"name": "parseDoctype"
},
{
"name": "htmlIntegrationPoint"
},
{
"name": "inTableIM"
},
{
"name": "inBodyIM"
},
{
"name": "Parse"
},
{
"name": "ParseFragment"
},
{
"name": "ParseFragmentWithOptions"
},
{
"name": "ParseWithOptions"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.33.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Guido Vranken"
}
],
"descriptions": [
{
"lang": "en",
"value": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-405: Asymmetric Resource Consumption (Amplification)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-18T20:38:22.660Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/637536"
},
{
"url": "https://go.dev/issue/70906"
},
{
"url": "https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ"
},
{
"url": "https://pkg.go.dev/vuln/GO-2024-3333"
}
],
"title": "Non-linear parsing of case-insensitive content in golang.org/x/net/html"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2024-45338",
"datePublished": "2024-12-18T20:38:22.660Z",
"dateReserved": "2024-08-27T19:41:58.555Z",
"dateUpdated": "2025-02-21T18:03:32.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-45338",
"date": "2026-07-19",
"epss": "0.00874",
"percentile": "0.54885"
},
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.\"}, {\"lang\": \"es\", \"value\": \"Un atacante puede manipular una entrada para las funciones de an\\u00e1lisis que se procesar\\u00eda de forma no lineal con respecto a su longitud, lo que dar\\u00eda como resultado un an\\u00e1lisis extremadamente lento. Esto podr\\u00eda causar una denegaci\\u00f3n de servicio.\"}]",
"id": "CVE-2024-45338",
"lastModified": "2024-12-31T20:16:06.603",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}]}",
"published": "2024-12-18T21:15:08.173",
"references": "[{\"url\": \"https://go.dev/cl/637536\", \"source\": \"security@golang.org\"}, {\"url\": \"https://go.dev/issue/70906\", \"source\": \"security@golang.org\"}, {\"url\": \"https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ\", \"source\": \"security@golang.org\"}, {\"url\": \"https://pkg.go.dev/vuln/GO-2024-3333\", \"source\": \"security@golang.org\"}]",
"sourceIdentifier": "security@golang.org",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-1333\"}]}]"
},
"microsoft_vex": {
"current_release_date": "2026-02-18T14:48:18.000Z",
"cve": "CVE-2024-45338",
"id": "msrc_CVE-2024-45338",
"initial_release_date": "2024-12-02T00:00:00.000Z",
"product_status:fixed": "88",
"product_status:known_affected": "89",
"product_status:known_not_affected": "3",
"source": "Microsoft CSAF VEX",
"status": "final",
"title": "Non-linear parsing of case-insensitive content in golang.org/x/net/html",
"url": "https://msrc.microsoft.com/csaf/vex/2024/msrc_cve-2024-45338.json",
"version": "131"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-45338\",\"sourceIdentifier\":\"security@golang.org\",\"published\":\"2024-12-18T21:15:08.173\",\"lastModified\":\"2026-06-17T07:54:03.510\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.\"},{\"lang\":\"es\",\"value\":\"Un atacante puede manipular una entrada para las funciones de an\u00e1lisis que se procesar\u00eda de forma no lineal con respecto a su longitud, lo que dar\u00eda como resultado un an\u00e1lisis extremadamente lento. Esto podr\u00eda causar una denegaci\u00f3n de servicio.\"}],\"affected\":[{\"source\":\"security@golang.org\",\"affectedData\":[{\"vendor\":\"golang.org/x/net\",\"product\":\"golang.org/x/net/html\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://pkg.go.dev\",\"packageName\":\"golang.org/x/net/html\",\"programRoutines\":[{\"name\":\"parseDoctype\"},{\"name\":\"htmlIntegrationPoint\"},{\"name\":\"inTableIM\"},{\"name\":\"inBodyIM\"},{\"name\":\"Parse\"},{\"name\":\"ParseFragment\"},{\"name\":\"ParseFragmentWithOptions\"},{\"name\":\"ParseWithOptions\"}],\"versions\":[{\"version\":\"0\",\"lessThan\":\"0.33.0\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2024-12-31T19:51:42.228627Z\",\"id\":\"CVE-2024-45338\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1333\"}]}],\"references\":[{\"url\":\"https://go.dev/cl/637536\",\"source\":\"security@golang.org\"},{\"url\":\"https://go.dev/issue/70906\",\"source\":\"security@golang.org\"},{\"url\":\"https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ\",\"source\":\"security@golang.org\"},{\"url\":\"https://pkg.go.dev/vuln/GO-2024-3333\",\"source\":\"security@golang.org\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20250221-0001/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"redhat_vex": {
"aggregate_severity": "Important",
"current_release_date": "2026-07-19T16:32:43+00:00",
"cve": "CVE-2024-45338",
"id": "CVE-2024-45338",
"initial_release_date": "2024-12-18T20:38:22.660000+00:00",
"product_status:fixed": "2392",
"product_status:known_affected": "157",
"product_status:known_not_affected": "16030",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2024/cve-2024-45338.json",
"version": "3"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://security.netapp.com/advisory/ntap-20250221-0001/\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-02-21T18:03:32.301Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-45338\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-31T19:51:42.228627Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1333\", \"description\": \"CWE-1333 Inefficient Regular Expression Complexity\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-31T19:54:57.693Z\"}}], \"cna\": {\"title\": \"Non-linear parsing of case-insensitive content in golang.org/x/net/html\", \"credits\": [{\"lang\": \"en\", \"value\": \"Guido Vranken\"}], \"affected\": [{\"vendor\": \"golang.org/x/net\", \"product\": \"golang.org/x/net/html\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.33.0\", \"versionType\": \"semver\"}], \"packageName\": \"golang.org/x/net/html\", \"collectionURL\": \"https://pkg.go.dev\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"parseDoctype\"}, {\"name\": \"htmlIntegrationPoint\"}, {\"name\": \"inTableIM\"}, {\"name\": \"inBodyIM\"}, {\"name\": \"Parse\"}, {\"name\": \"ParseFragment\"}, {\"name\": \"ParseFragmentWithOptions\"}, {\"name\": \"ParseWithOptions\"}]}], \"references\": [{\"url\": \"https://go.dev/cl/637536\"}, {\"url\": \"https://go.dev/issue/70906\"}, {\"url\": \"https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ\"}, {\"url\": \"https://pkg.go.dev/vuln/GO-2024-3333\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CWE-405: Asymmetric Resource Consumption (Amplification)\"}]}], \"providerMetadata\": {\"orgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"shortName\": \"Go\", \"dateUpdated\": \"2024-12-18T20:38:22.660Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-45338\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-21T18:03:32.301Z\", \"dateReserved\": \"2024-08-27T19:41:58.555Z\", \"assignerOrgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"datePublished\": \"2024-12-18T20:38:22.660Z\", \"assignerShortName\": \"Go\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
OPENSUSE-SU-2025:0056-1
Vulnerability from csaf_opensuse - Published: 2025-02-07 11:01 - Updated: 2025-02-07 11:01Summary
Security update for trivy
Severity
Moderate
Notes
Title of the patch: Security update for trivy
Description of the patch: This update for trivy fixes the following issues:
Update to version 0.58.2 (
boo#1234512, CVE-2024-45337,
boo#1235265, CVE-2024-45338):
* fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#8238)
* fix(suse): SUSE - update OSType constants and references for compatility [backport: release/v0.58] (#8237)
* fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field [backport: release/v0.58] (#8215)
* fix(sbom): attach nested packages to Application [backport: release/v0.58] (#8168)
* fix(python): skip dev group's deps for poetry [backport: release/v0.58] (#8158)
* fix(sbom): use root package for `unknown` dependencies (if exists) [backport: release/v0.58] (#8156)
* chore(deps): bump `golang.org/x/net` from `v0.32.0` to `v0.33.0` [backport: release/v0.58] (#8142)
* chore(deps): bump `github.com/CycloneDX/cyclonedx-go` from `v0.9.1` to `v0.9.2` [backport: release/v0.58] (#8136)
* fix(redhat): correct rewriting of recommendations for the same vulnerability [backport: release/v0.58] (#8135)
* fix(oracle): add architectures support for advisories [backport: release/v0.58] (#8125)
* fix(sbom): fix wrong overwriting of applications obtained from different sbom files but having same app type [backport: release/v0.58] (#8124)
* chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 [backport: release/v0.58] (#8122)
* fix: handle `BLOW_UNKNOWN` error to download DBs [backport: release/v0.58] (#8121)
* fix(java): correctly overwrite version from depManagement if dependency uses `project.*` props [backport: release/v0.58] (#8119)
* release: v0.58.0 [main] (#7874)
* fix(misconf): wrap AWS EnvVar to iac types (#7407)
* chore(deps): Upgrade trivy-checks (#8018)
* refactor(misconf): Remove unused options (#7896)
* docs: add terminology page to explain Trivy concepts (#7996)
* feat: add `workspaceRelationship` (#7889)
* refactor(sbom): simplify relationship generation (#7985)
* docs: improve databases documentation (#7732)
* refactor: remove support for custom Terraform checks (#7901)
* docs: drop AWS account scanning (#7997)
* fix(aws): change CPU and Memory type of ContainerDefinition to a string (#7995)
* fix(cli): Handle empty ignore files more gracefully (#7962)
* fix(misconf): load full Terraform module (#7925)
* fix(misconf): properly resolve local Terraform cache (#7983)
* refactor(k8s): add v prefix for Go packages (#7839)
* test: replace Go checks with Rego (#7867)
* feat(misconf): log causes of HCL file parsing errors (#7634)
* chore(deps): bump the aws group across 1 directory with 7 updates (#7991)
* chore(deps): bump github.com/moby/buildkit from 0.17.0 to 0.17.2 in the docker group across 1 directory (#7990)
* chore(deps): update csaf module dependency from csaf-poc to gocsaf (#7992)
* chore: downgrade the failed block expand message to debug (#7964)
* fix(misconf): do not erase variable type for child modules (#7941)
* feat(go): construct dependencies of `go.mod` main module in the parser (#7977)
* feat(go): construct dependencies in the parser (#7973)
* feat: add cvss v4 score and vector in scan response (#7968)
* docs: add `overview` page for `others` (#7972)
* fix(sbom): Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details (#7871)
* feat(suse): Align SUSE/OpenSUSE OS Identifiers (#7965)
* chore(deps): bump the common group with 4 updates (#7949)
* feat(oracle): add `flavors` support (#7858)
* fix(misconf): Update trivy-checks default repo to `mirror.gcr.io` (#7953)
* chore(deps): Bump up trivy-checks to v1.3.0 (#7959)
* fix(k8s): check all results for vulnerabilities (#7946)
* ci(helm): bump Trivy version to 0.57.1 for Trivy Helm Chart 0.9.0 (#7945)
* feat(secret): Add built-in secrets rules for Private Packagist (#7826)
* docs: Fix broken links (#7900)
* docs: fix mistakes/typos (#7942)
* feat: Update registry fallbacks (#7679)
* fix(alpine): add `UID` for removed packages (#7887)
* chore(deps): bump the aws group with 6 updates (#7902)
* chore(deps): bump the common group with 6 updates (#7904)
* fix(debian): infinite loop (#7928)
* fix(redhat): don't return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files (#7912)
* docs: add note about temporary podman socket (#7921)
* docs: combine trivy.dev into trivy docs (#7884)
* test: change branch in spdx schema link to check in integration tests (#7935)
* docs: add Headlamp to the Trivy Ecosystem page (#7916)
* fix(report): handle `git@github.com` schema for misconfigs in `sarif` report (#7898)
* chore(k8s): enhance k8s scan log (#6997)
* fix(terraform): set null value as fallback for missing variables (#7669)
* fix(misconf): handle null properties in CloudFormation templates (#7813)
* fix(fs): add missing defered Cleanup() call to post analyzer fs (#7882)
* chore(deps): bump the common group across 1 directory with 20 updates (#7876)
* chore: bump containerd to v2.0.0 (#7875)
* fix: Improve version comparisons when build identifiers are present (#7873)
* feat(k8s): add default commands for unknown platform (#7863)
* chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#7868)
* refactor(secret): optimize performance by moving ToLower operation outside loop (#7862)
* test: save `containerd` image into archive and use in tests (#7816)
* chore(deps): bump the github-actions group across 1 directory with 2 updates (#7854)
* chore: bump golangci-lint to v1.61.0 (#7853)
- Update to version 0.57.1:
* release: v0.57.1 [release/v0.57] (#7943)
* feat: Update registry fallbacks [backport: release/v0.57] (#7944)
* fix(redhat): don't return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files [backport: release/v0.57] (#7939)
* test: change branch in spdx schema link to check in integration tests [backport: release/v0.57] (#7940)
* release: v0.57.0 [main] (#7710)
* chore: lint `errors.Join` (#7845)
* feat(db): append errors (#7843)
* docs(java): add info about supported scopes (#7842)
* docs: add example of creating whitelist of checks (#7821)
* chore(deps): Bump trivy-checks (#7819)
* fix(go): Do not trim v prefix from versions in Go Mod Analyzer (#7733)
* fix(k8s): skip resources without misconfigs (#7797)
* fix(sbom): use `Annotation` instead of `AttributionTexts` for `SPDX` formats (#7811)
* fix(cli): add config name to skip-policy-update alias (#7820)
* fix(helm): properly handle multiple archived dependencies (#7782)
* refactor(misconf): Deprecate `EXCEPTIONS` for misconfiguration scanning (#7776)
* fix(k8s)!: support k8s multi container (#7444)
* fix(k8s): support kubernetes v1.31 (#7810)
* docs: add Windows install instructions (#7800)
* ci(helm): auto public Helm chart after PR merged (#7526)
* feat: add end of life date for Ubuntu 24.10 (#7787)
* feat(report): update gitlab template to populate operating_system value (#7735)
* feat(misconf): Show misconfig ID in output (#7762)
* feat(misconf): export unresolvable field of IaC types to Rego (#7765)
* refactor(k8s): scan config files as a folder (#7690)
* fix(license): fix license normalization for Universal Permissive License (#7766)
* fix: enable usestdlibvars linter (#7770)
* fix(misconf): properly expand dynamic blocks (#7612)
* feat(cyclonedx): add file checksums to `CycloneDX` reports (#7507)
* fix(misconf): fix for Azure Storage Account network acls adaptation (#7602)
* refactor(misconf): simplify k8s scanner (#7717)
* feat(parser): ignore white space in pom.xml files (#7747)
* test: use forked images (#7755)
* fix(java): correctly inherit `version` and `scope` from upper/root `depManagement` and `dependencies` into parents (#7541)
* fix(misconf): check if property is not nil before conversion (#7578)
* fix(misconf): change default ACL of digitalocean_spaces_bucket to private (#7577)
* feat(misconf): ssl_mode support for GCP SQL DB instance (#7564)
* test: define constants for test images (#7739)
* docs: add note about disabled DS016 check (#7724)
* feat(misconf): public network support for Azure Storage Account (#7601)
* feat(cli): rename `trivy auth` to `trivy registry` (#7727)
* docs: apt-transport-https is a transitional package (#7678)
* refactor(misconf): introduce generic scanner (#7515)
* fix(cli): `clean --all` deletes only relevant dirs (#7704)
* feat(cli): add `trivy auth` (#7664)
* fix(sbom): add options for DBs in private registries (#7660)
* docs(report): fix reporting doc format (#7671)
* fix(repo): `git clone` output to Stderr (#7561)
* fix(redhat): include arch in PURL qualifiers (#7654)
* fix(report): Fix invalid URI in SARIF report (#7645)
* docs(report): Improve SARIF reporting doc (#7655)
* fix(db): fix javadb downloading error handling (#7642)
* feat(cli): error out when ignore file cannot be found (#7624)
- Update to version 0.56.2:
* release: v0.56.2 [release/v0.56] (#7694)
* fix(redhat): include arch in PURL qualifiers [backport: release/v0.56] (#7702)
* fix(sbom): add options for DBs in private registries [backport: release/v0.56] (#7691)
- Update to version 0.56.1:
* release: v0.56.1 [release/v0.56] (#7648)
* fix(db): fix javadb downloading error handling [backport: release/v0.56] (#7646)
* release: v0.56.0 [main] (#7447)
* fix(misconf): not to warn about missing selectors of libraries (#7638)
* feat: support RPM archives (#7628)
* fix(secret): change grafana token regex to find them without unquoted (#7627)
* fix(misconf): Disable deprecated checks by default (#7632)
* chore: add prefixes to log messages (#7625)
* feat(misconf): Support `--skip-*` for all included modules (#7579)
* feat: support multiple DB repositories for vulnerability and Java DB (#7605)
* ci: don't use cache for `setup-go` (#7622)
* test: use loaded image names (#7617)
* feat(java): add empty versions if `pom.xml` dependency versions can't be detected (#7520)
* feat(secret): enhance secret scanning for python binary files (#7223)
* refactor: fix auth error handling (#7615)
* ci: split `save` and `restore` cache actions (#7614)
* fix(misconf): disable DS016 check for image history analyzer (#7540)
* feat(suse): added SUSE Linux Enterprise Micro support (#7294)
* feat(misconf): add ability to disable checks by ID (#7536)
* fix(misconf): escape all special sequences (#7558)
* test: use a local registry for remote scanning (#7607)
* fix: allow access to '..' in mapfs (#7575)
* fix(db): check `DownloadedAt` for `trivy-java-db` (#7592)
* chore(deps): bump the common group across 1 directory with 20 updates (#7604)
* ci: add `workflow_dispatch` trigger for test workflow. (#7606)
* ci: cache test images for `integration`, `VM` and `module` tests (#7599)
* chore(deps): remove broken replaces for opa and discovery (#7600)
* docs(misconf): Add more info on how to use arbitrary JSON/YAML scan feat (#7458)
* fix(misconf): Fixed scope for China Cloud (#7560)
* perf(misconf): use port ranges instead of enumeration (#7549)
* fix(sbom): export bom-ref when converting a package to a component (#7340)
* refactor(misconf): pass options to Rego scanner as is (#7529)
* fix(sbom): parse type `framework` as `library` when unmarshalling `CycloneDX` files (#7527)
* chore(deps): bump go-ebs-file (#7513)
* fix(misconf): Fix logging typo (#7473)
* feat(misconf): Register checks only when needed (#7435)
* refactor: split `.egg` and `packaging` analyzers (#7514)
* fix(java): use `dependencyManagement` from root/child pom's for dependencies from parents (#7497)
* chore(vex): add `CVE-2024-34155`, `CVE-2024-34156` and `CVE-2024-34158` in `trivy.openvex.json` (#7510)
* chore(deps): bump alpine from 3.20.0 to 3.20.3 (#7508)
* chore(vex): suppress openssl vulnerabilities (#7500)
* revert(java): stop supporting of `test` scope for `pom.xml` files (#7488)
* docs(db): add a manifest example (#7485)
* feat(license): improve license normalization (#7131)
* docs(oci): Add a note About the expected Media Type for the Trivy-DB OCI Artifact (#7449)
* fix(report): fix error with unmarshal of `ExperimentalModifiedFindings` (#7463)
* fix(report): change a receiver of MarshalJSON (#7483)
* fix(oracle): Update EOL date for Oracle 7 (#7480)
* chore(deps): bump the aws group with 6 updates (#7468)
* chore(deps): bump the common group across 1 directory with 19 updates (#7436)
* chore(helm): bump up Trivy Helm chart (#7441)
* refactor(java): add error/statusCode for logs when we can't get pom.xml/maven-metadata.xml from remote repo (#7451)
* fix(license): stop spliting a long license text (#7336)
* release: v0.55.0 [main] (#7271)
* feat(go): use `toolchain` as `stdlib` version for `go.mod` files (#7163)
* fix(license): add license handling to JUnit template (#7409)
* feat(java): add `test` scope support for `pom.xml` files (#7414)
* chore(deps): Bump trivy-checks and pin OPA (#7427)
* fix(helm): explicitly define `kind` and `apiVersion` of `volumeClaimTemplate` element (#7362)
* feat(sbom): set User-Agent header on requests to Rekor (#7396)
* test: add integration plugin tests (#7299)
* fix(nodejs): check all `importers` to detect dev deps from pnpm-lock.yaml file (#7387)
* fix: logger initialization before flags parsing (#7372)
* fix(aws): handle ECR repositories in different regions (#6217)
* fix(misconf): fix infer type for null value (#7424)
* fix(secret): use `.eyJ` keyword for JWT secret (#7410)
* fix(misconf): do not recreate filesystem map (#7416)
* chore(deps): Bump trivy-checks (#7417)
* fix(misconf): do not register Rego libs in checks registry (#7420)
* fix(sbom): use `NOASSERTION` for licenses fields in SPDX formats (#7403)
* feat(report): export modified findings in JSON (#7383)
* feat(server): Make Trivy Server Multiplexer Exported (#7389)
* chore: update CODEOWNERS (#7398)
* fix(secret): use only line with secret for long secret lines (#7412)
* chore: fix allow rule of ignoring test files to make it case insensitive (#7415)
* feat(misconf): port and protocol support for EC2 networks (#7146)
* fix(misconf): do not filter Terraform plan JSON by name (#7406)
* feat(misconf): support for ignore by nested attributes (#7205)
* fix(misconf): use module to log when metadata retrieval fails (#7405)
* fix(report): escape `Message` field in `asff.tpl` template (#7401)
* feat(misconf): Add support for using spec from on-disk bundle (#7179)
* docs: add pkg flags to config file page (#7370)
* feat(python): use minimum version for pip packages (#7348)
* fix(misconf): support deprecating for Go checks (#7377)
* fix(misconf): init frameworks before updating them (#7376)
* feat(misconf): ignore duplicate checks (#7317)
* refactor(misconf): use slog (#7295)
* chore(deps): bump trivy-checks (#7350)
* feat(server): add internal `--path-prefix` flag for client/server mode (#7321)
* chore(deps): bump the aws group across 1 directory with 7 updates (#7358)
* fix: safely check if the directory exists (#7353)
* feat(misconf): variable support for Terraform Plan (#7228)
* feat(misconf): scanning support for YAML and JSON (#7311)
* fix(misconf): wrap Azure PortRange in iac types (#7357)
* refactor(misconf): highlight only affected rows (#7310)
* fix(misconf): change default TLS values for the Azure storage account (#7345)
* chore(deps): bump the common group with 9 updates (#7333)
* docs(misconf): Update callsites to use correct naming (#7335)
* docs: update air-gapped docs (#7160)
* refactor: replace ftypes.Gradle with packageurl.TypeGradle (#7323)
* perf(misconf): optimize work with context (#6968)
* docs: update links to packaging.python.org (#7318)
* docs: update client/server docs for misconf and license scanning (#7277)
* chore(deps): bump the common group across 1 directory with 7 updates (#7305)
* feat(misconf): iterator argument support for dynamic blocks (#7236)
* fix(misconf): do not set default value for default_cache_behavior (#7234)
* feat(misconf): support for policy and bucket grants (#7284)
* fix(misconf): load only submodule if it is specified in source (#7112)
* perf(misconf): use json.Valid to check validity of JSON (#7308)
* refactor(misconf): remove unused universal scanner (#7293)
* perf(misconf): do not convert contents of a YAML file to string (#7292)
* fix(terraform): add aws_region name to presets (#7184)
* docs: add auto-generated config (#7261)
* feat(vuln): Add `--detection-priority` flag for accuracy tuning (#7288)
* refactor(misconf): remove file filtering from parsers (#7289)
* fix(flag): incorrect behavior for deprected flag `--clear-cache` (#7281)
* fix(java): Return error when trying to find a remote pom to avoid segfault (#7275)
* fix(plugin): do not call GitHub content API for releases and tags (#7274)
* feat(vm): support the Ext2/Ext3 filesystems (#6983)
* feat(cli)!: delete deprecated SBOM flags (#7266)
* feat(vm): Support direct filesystem (#7058)
- Update to version 0.51.1 (boo#1227010, CVE-2024-3817):
Patchnames: openSUSE-2025-56
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.9 (Medium)
Affected products
Recommended
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.9 (Medium)
Affected products
Recommended
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.9 (Medium)
Affected products
Recommended
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
Affected products
Recommended
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
8.1 (High)
Affected products
Recommended
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.9 (Medium)
Affected products
Recommended
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
30 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for trivy",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for trivy fixes the following issues:\n\nUpdate to version 0.58.2 (\n\n boo#1234512, CVE-2024-45337,\n boo#1235265, CVE-2024-45338):\n\n * fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#8238)\n * fix(suse): SUSE - update OSType constants and references for compatility [backport: release/v0.58] (#8237)\n * fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field [backport: release/v0.58] (#8215)\n * fix(sbom): attach nested packages to Application [backport: release/v0.58] (#8168)\n * fix(python): skip dev group\u0027s deps for poetry [backport: release/v0.58] (#8158)\n * fix(sbom): use root package for `unknown` dependencies (if exists) [backport: release/v0.58] (#8156)\n * chore(deps): bump `golang.org/x/net` from `v0.32.0` to `v0.33.0` [backport: release/v0.58] (#8142)\n * chore(deps): bump `github.com/CycloneDX/cyclonedx-go` from `v0.9.1` to `v0.9.2` [backport: release/v0.58] (#8136)\n * fix(redhat): correct rewriting of recommendations for the same vulnerability [backport: release/v0.58] (#8135)\n * fix(oracle): add architectures support for advisories [backport: release/v0.58] (#8125)\n * fix(sbom): fix wrong overwriting of applications obtained from different sbom files but having same app type [backport: release/v0.58] (#8124)\n * chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 [backport: release/v0.58] (#8122)\n * fix: handle `BLOW_UNKNOWN` error to download DBs [backport: release/v0.58] (#8121)\n * fix(java): correctly overwrite version from depManagement if dependency uses `project.*` props [backport: release/v0.58] (#8119)\n * release: v0.58.0 [main] (#7874)\n * fix(misconf): wrap AWS EnvVar to iac types (#7407)\n * chore(deps): Upgrade trivy-checks (#8018)\n * refactor(misconf): Remove unused options (#7896)\n * docs: add terminology page to explain Trivy concepts (#7996)\n * feat: add `workspaceRelationship` (#7889)\n * refactor(sbom): simplify relationship generation (#7985)\n * docs: improve databases documentation (#7732)\n * refactor: remove support for custom Terraform checks (#7901)\n * docs: drop AWS account scanning (#7997)\n * fix(aws): change CPU and Memory type of ContainerDefinition to a string (#7995)\n * fix(cli): Handle empty ignore files more gracefully (#7962)\n * fix(misconf): load full Terraform module (#7925)\n * fix(misconf): properly resolve local Terraform cache (#7983)\n * refactor(k8s): add v prefix for Go packages (#7839)\n * test: replace Go checks with Rego (#7867)\n * feat(misconf): log causes of HCL file parsing errors (#7634)\n * chore(deps): bump the aws group across 1 directory with 7 updates (#7991)\n * chore(deps): bump github.com/moby/buildkit from 0.17.0 to 0.17.2 in the docker group across 1 directory (#7990)\n * chore(deps): update csaf module dependency from csaf-poc to gocsaf (#7992)\n * chore: downgrade the failed block expand message to debug (#7964)\n * fix(misconf): do not erase variable type for child modules (#7941)\n * feat(go): construct dependencies of `go.mod` main module in the parser (#7977)\n * feat(go): construct dependencies in the parser (#7973)\n * feat: add cvss v4 score and vector in scan response (#7968)\n * docs: add `overview` page for `others` (#7972)\n * fix(sbom): Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details (#7871)\n * feat(suse): Align SUSE/OpenSUSE OS Identifiers (#7965)\n * chore(deps): bump the common group with 4 updates (#7949)\n * feat(oracle): add `flavors` support (#7858)\n * fix(misconf): Update trivy-checks default repo to `mirror.gcr.io` (#7953)\n * chore(deps): Bump up trivy-checks to v1.3.0 (#7959)\n * fix(k8s): check all results for vulnerabilities (#7946)\n * ci(helm): bump Trivy version to 0.57.1 for Trivy Helm Chart 0.9.0 (#7945)\n * feat(secret): Add built-in secrets rules for Private Packagist (#7826)\n * docs: Fix broken links (#7900)\n * docs: fix mistakes/typos (#7942)\n * feat: Update registry fallbacks (#7679)\n * fix(alpine): add `UID` for removed packages (#7887)\n * chore(deps): bump the aws group with 6 updates (#7902)\n * chore(deps): bump the common group with 6 updates (#7904)\n * fix(debian): infinite loop (#7928)\n * fix(redhat): don\u0027t return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files (#7912)\n * docs: add note about temporary podman socket (#7921)\n * docs: combine trivy.dev into trivy docs (#7884)\n * test: change branch in spdx schema link to check in integration tests (#7935)\n * docs: add Headlamp to the Trivy Ecosystem page (#7916)\n * fix(report): handle `git@github.com` schema for misconfigs in `sarif` report (#7898)\n * chore(k8s): enhance k8s scan log (#6997)\n * fix(terraform): set null value as fallback for missing variables (#7669)\n * fix(misconf): handle null properties in CloudFormation templates (#7813)\n * fix(fs): add missing defered Cleanup() call to post analyzer fs (#7882)\n * chore(deps): bump the common group across 1 directory with 20 updates (#7876)\n * chore: bump containerd to v2.0.0 (#7875)\n * fix: Improve version comparisons when build identifiers are present (#7873)\n * feat(k8s): add default commands for unknown platform (#7863)\n * chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#7868)\n * refactor(secret): optimize performance by moving ToLower operation outside loop (#7862)\n * test: save `containerd` image into archive and use in tests (#7816)\n * chore(deps): bump the github-actions group across 1 directory with 2 updates (#7854)\n * chore: bump golangci-lint to v1.61.0 (#7853)\n\n- Update to version 0.57.1:\n * release: v0.57.1 [release/v0.57] (#7943)\n * feat: Update registry fallbacks [backport: release/v0.57] (#7944)\n * fix(redhat): don\u0027t return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files [backport: release/v0.57] (#7939)\n * test: change branch in spdx schema link to check in integration tests [backport: release/v0.57] (#7940)\n * release: v0.57.0 [main] (#7710)\n * chore: lint `errors.Join` (#7845)\n * feat(db): append errors (#7843)\n * docs(java): add info about supported scopes (#7842)\n * docs: add example of creating whitelist of checks (#7821)\n * chore(deps): Bump trivy-checks (#7819)\n * fix(go): Do not trim v prefix from versions in Go Mod Analyzer (#7733)\n * fix(k8s): skip resources without misconfigs (#7797)\n * fix(sbom): use `Annotation` instead of `AttributionTexts` for `SPDX` formats (#7811)\n * fix(cli): add config name to skip-policy-update alias (#7820)\n * fix(helm): properly handle multiple archived dependencies (#7782)\n * refactor(misconf): Deprecate `EXCEPTIONS` for misconfiguration scanning (#7776)\n * fix(k8s)!: support k8s multi container (#7444)\n * fix(k8s): support kubernetes v1.31 (#7810)\n * docs: add Windows install instructions (#7800)\n * ci(helm): auto public Helm chart after PR merged (#7526)\n * feat: add end of life date for Ubuntu 24.10 (#7787)\n * feat(report): update gitlab template to populate operating_system value (#7735)\n * feat(misconf): Show misconfig ID in output (#7762)\n * feat(misconf): export unresolvable field of IaC types to Rego (#7765)\n * refactor(k8s): scan config files as a folder (#7690)\n * fix(license): fix license normalization for Universal Permissive License (#7766)\n * fix: enable usestdlibvars linter (#7770)\n * fix(misconf): properly expand dynamic blocks (#7612)\n * feat(cyclonedx): add file checksums to `CycloneDX` reports (#7507)\n * fix(misconf): fix for Azure Storage Account network acls adaptation (#7602)\n * refactor(misconf): simplify k8s scanner (#7717)\n * feat(parser): ignore white space in pom.xml files (#7747)\n * test: use forked images (#7755)\n * fix(java): correctly inherit `version` and `scope` from upper/root `depManagement` and `dependencies` into parents (#7541)\n * fix(misconf): check if property is not nil before conversion (#7578)\n * fix(misconf): change default ACL of digitalocean_spaces_bucket to private (#7577)\n * feat(misconf): ssl_mode support for GCP SQL DB instance (#7564)\n * test: define constants for test images (#7739)\n * docs: add note about disabled DS016 check (#7724)\n * feat(misconf): public network support for Azure Storage Account (#7601)\n * feat(cli): rename `trivy auth` to `trivy registry` (#7727)\n * docs: apt-transport-https is a transitional package (#7678)\n * refactor(misconf): introduce generic scanner (#7515)\n * fix(cli): `clean --all` deletes only relevant dirs (#7704)\n * feat(cli): add `trivy auth` (#7664)\n * fix(sbom): add options for DBs in private registries (#7660)\n * docs(report): fix reporting doc format (#7671)\n * fix(repo): `git clone` output to Stderr (#7561)\n * fix(redhat): include arch in PURL qualifiers (#7654)\n * fix(report): Fix invalid URI in SARIF report (#7645)\n * docs(report): Improve SARIF reporting doc (#7655)\n * fix(db): fix javadb downloading error handling (#7642)\n * feat(cli): error out when ignore file cannot be found (#7624)\n\n- Update to version 0.56.2:\n * release: v0.56.2 [release/v0.56] (#7694)\n * fix(redhat): include arch in PURL qualifiers [backport: release/v0.56] (#7702)\n * fix(sbom): add options for DBs in private registries [backport: release/v0.56] (#7691)\n\n- Update to version 0.56.1:\n * release: v0.56.1 [release/v0.56] (#7648)\n * fix(db): fix javadb downloading error handling [backport: release/v0.56] (#7646)\n * release: v0.56.0 [main] (#7447)\n * fix(misconf): not to warn about missing selectors of libraries (#7638)\n * feat: support RPM archives (#7628)\n * fix(secret): change grafana token regex to find them without unquoted (#7627)\n * fix(misconf): Disable deprecated checks by default (#7632)\n * chore: add prefixes to log messages (#7625)\n * feat(misconf): Support `--skip-*` for all included modules (#7579)\n * feat: support multiple DB repositories for vulnerability and Java DB (#7605)\n * ci: don\u0027t use cache for `setup-go` (#7622)\n * test: use loaded image names (#7617)\n * feat(java): add empty versions if `pom.xml` dependency versions can\u0027t be detected (#7520)\n * feat(secret): enhance secret scanning for python binary files (#7223)\n * refactor: fix auth error handling (#7615)\n * ci: split `save` and `restore` cache actions (#7614)\n * fix(misconf): disable DS016 check for image history analyzer (#7540)\n * feat(suse): added SUSE Linux Enterprise Micro support (#7294)\n * feat(misconf): add ability to disable checks by ID (#7536)\n * fix(misconf): escape all special sequences (#7558)\n * test: use a local registry for remote scanning (#7607)\n * fix: allow access to \u0027..\u0027 in mapfs (#7575)\n * fix(db): check `DownloadedAt` for `trivy-java-db` (#7592)\n * chore(deps): bump the common group across 1 directory with 20 updates (#7604)\n * ci: add `workflow_dispatch` trigger for test workflow. (#7606)\n * ci: cache test images for `integration`, `VM` and `module` tests (#7599)\n * chore(deps): remove broken replaces for opa and discovery (#7600)\n * docs(misconf): Add more info on how to use arbitrary JSON/YAML scan feat (#7458)\n * fix(misconf): Fixed scope for China Cloud (#7560)\n * perf(misconf): use port ranges instead of enumeration (#7549)\n * fix(sbom): export bom-ref when converting a package to a component (#7340)\n * refactor(misconf): pass options to Rego scanner as is (#7529)\n * fix(sbom): parse type `framework` as `library` when unmarshalling `CycloneDX` files (#7527)\n * chore(deps): bump go-ebs-file (#7513)\n * fix(misconf): Fix logging typo (#7473)\n * feat(misconf): Register checks only when needed (#7435)\n * refactor: split `.egg` and `packaging` analyzers (#7514)\n * fix(java): use `dependencyManagement` from root/child pom\u0027s for dependencies from parents (#7497)\n * chore(vex): add `CVE-2024-34155`, `CVE-2024-34156` and `CVE-2024-34158` in `trivy.openvex.json` (#7510)\n * chore(deps): bump alpine from 3.20.0 to 3.20.3 (#7508)\n * chore(vex): suppress openssl vulnerabilities (#7500)\n * revert(java): stop supporting of `test` scope for `pom.xml` files (#7488)\n * docs(db): add a manifest example (#7485)\n * feat(license): improve license normalization (#7131)\n * docs(oci): Add a note About the expected Media Type for the Trivy-DB OCI Artifact (#7449)\n * fix(report): fix error with unmarshal of `ExperimentalModifiedFindings` (#7463)\n * fix(report): change a receiver of MarshalJSON (#7483)\n * fix(oracle): Update EOL date for Oracle 7 (#7480)\n * chore(deps): bump the aws group with 6 updates (#7468)\n * chore(deps): bump the common group across 1 directory with 19 updates (#7436)\n * chore(helm): bump up Trivy Helm chart (#7441)\n * refactor(java): add error/statusCode for logs when we can\u0027t get pom.xml/maven-metadata.xml from remote repo (#7451)\n * fix(license): stop spliting a long license text (#7336)\n * release: v0.55.0 [main] (#7271)\n * feat(go): use `toolchain` as `stdlib` version for `go.mod` files (#7163)\n * fix(license): add license handling to JUnit template (#7409)\n * feat(java): add `test` scope support for `pom.xml` files (#7414)\n * chore(deps): Bump trivy-checks and pin OPA (#7427)\n * fix(helm): explicitly define `kind` and `apiVersion` of `volumeClaimTemplate` element (#7362)\n * feat(sbom): set User-Agent header on requests to Rekor (#7396)\n * test: add integration plugin tests (#7299)\n * fix(nodejs): check all `importers` to detect dev deps from pnpm-lock.yaml file (#7387)\n * fix: logger initialization before flags parsing (#7372)\n * fix(aws): handle ECR repositories in different regions (#6217)\n * fix(misconf): fix infer type for null value (#7424)\n * fix(secret): use `.eyJ` keyword for JWT secret (#7410)\n * fix(misconf): do not recreate filesystem map (#7416)\n * chore(deps): Bump trivy-checks (#7417)\n * fix(misconf): do not register Rego libs in checks registry (#7420)\n * fix(sbom): use `NOASSERTION` for licenses fields in SPDX formats (#7403)\n * feat(report): export modified findings in JSON (#7383)\n * feat(server): Make Trivy Server Multiplexer Exported (#7389)\n * chore: update CODEOWNERS (#7398)\n * fix(secret): use only line with secret for long secret lines (#7412)\n * chore: fix allow rule of ignoring test files to make it case insensitive (#7415)\n * feat(misconf): port and protocol support for EC2 networks (#7146)\n * fix(misconf): do not filter Terraform plan JSON by name (#7406)\n * feat(misconf): support for ignore by nested attributes (#7205)\n * fix(misconf): use module to log when metadata retrieval fails (#7405)\n * fix(report): escape `Message` field in `asff.tpl` template (#7401)\n * feat(misconf): Add support for using spec from on-disk bundle (#7179)\n * docs: add pkg flags to config file page (#7370)\n * feat(python): use minimum version for pip packages (#7348)\n * fix(misconf): support deprecating for Go checks (#7377)\n * fix(misconf): init frameworks before updating them (#7376)\n * feat(misconf): ignore duplicate checks (#7317)\n * refactor(misconf): use slog (#7295)\n * chore(deps): bump trivy-checks (#7350)\n * feat(server): add internal `--path-prefix` flag for client/server mode (#7321)\n * chore(deps): bump the aws group across 1 directory with 7 updates (#7358)\n * fix: safely check if the directory exists (#7353)\n * feat(misconf): variable support for Terraform Plan (#7228)\n * feat(misconf): scanning support for YAML and JSON (#7311)\n * fix(misconf): wrap Azure PortRange in iac types (#7357)\n * refactor(misconf): highlight only affected rows (#7310)\n * fix(misconf): change default TLS values for the Azure storage account (#7345)\n * chore(deps): bump the common group with 9 updates (#7333)\n * docs(misconf): Update callsites to use correct naming (#7335)\n * docs: update air-gapped docs (#7160)\n * refactor: replace ftypes.Gradle with packageurl.TypeGradle (#7323)\n * perf(misconf): optimize work with context (#6968)\n * docs: update links to packaging.python.org (#7318)\n * docs: update client/server docs for misconf and license scanning (#7277)\n * chore(deps): bump the common group across 1 directory with 7 updates (#7305)\n * feat(misconf): iterator argument support for dynamic blocks (#7236)\n * fix(misconf): do not set default value for default_cache_behavior (#7234)\n * feat(misconf): support for policy and bucket grants (#7284)\n * fix(misconf): load only submodule if it is specified in source (#7112)\n * perf(misconf): use json.Valid to check validity of JSON (#7308)\n * refactor(misconf): remove unused universal scanner (#7293)\n * perf(misconf): do not convert contents of a YAML file to string (#7292)\n * fix(terraform): add aws_region name to presets (#7184)\n * docs: add auto-generated config (#7261)\n * feat(vuln): Add `--detection-priority` flag for accuracy tuning (#7288)\n * refactor(misconf): remove file filtering from parsers (#7289)\n * fix(flag): incorrect behavior for deprected flag `--clear-cache` (#7281)\n * fix(java): Return error when trying to find a remote pom to avoid segfault (#7275)\n * fix(plugin): do not call GitHub content API for releases and tags (#7274)\n * feat(vm): support the Ext2/Ext3 filesystems (#6983)\n * feat(cli)!: delete deprecated SBOM flags (#7266)\n * feat(vm): Support direct filesystem (#7058)\n\n- Update to version 0.51.1 (boo#1227010, CVE-2024-3817):",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2025-56",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_0056-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2025:0056-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DUNHR7ATZWEF5LQKUNEXKL22CUQAND3A/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2025:0056-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DUNHR7ATZWEF5LQKUNEXKL22CUQAND3A/"
},
{
"category": "self",
"summary": "SUSE Bug 1227010",
"url": "https://bugzilla.suse.com/1227010"
},
{
"category": "self",
"summary": "SUSE Bug 1234512",
"url": "https://bugzilla.suse.com/1234512"
},
{
"category": "self",
"summary": "SUSE Bug 1235265",
"url": "https://bugzilla.suse.com/1235265"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-34155 page",
"url": "https://www.suse.com/security/cve/CVE-2024-34155/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-34156 page",
"url": "https://www.suse.com/security/cve/CVE-2024-34156/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-34158 page",
"url": "https://www.suse.com/security/cve/CVE-2024-34158/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-3817 page",
"url": "https://www.suse.com/security/cve/CVE-2024-3817/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45337 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45337/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45338 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45338/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-21613 page",
"url": "https://www.suse.com/security/cve/CVE-2025-21613/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-21614 page",
"url": "https://www.suse.com/security/cve/CVE-2025-21614/"
}
],
"title": "Security update for trivy",
"tracking": {
"current_release_date": "2025-02-07T11:01:31Z",
"generator": {
"date": "2025-02-07T11:01:31Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:0056-1",
"initial_release_date": "2025-02-07T11:01:31Z",
"revision_history": [
{
"date": "2025-02-07T11:01:31Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "trivy-0.58.2-bp156.2.6.1.aarch64",
"product": {
"name": "trivy-0.58.2-bp156.2.6.1.aarch64",
"product_id": "trivy-0.58.2-bp156.2.6.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "trivy-0.58.2-bp156.2.6.1.i586",
"product": {
"name": "trivy-0.58.2-bp156.2.6.1.i586",
"product_id": "trivy-0.58.2-bp156.2.6.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "trivy-0.58.2-bp156.2.6.1.ppc64le",
"product": {
"name": "trivy-0.58.2-bp156.2.6.1.ppc64le",
"product_id": "trivy-0.58.2-bp156.2.6.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "trivy-0.58.2-bp156.2.6.1.s390x",
"product": {
"name": "trivy-0.58.2-bp156.2.6.1.s390x",
"product_id": "trivy-0.58.2-bp156.2.6.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "trivy-0.58.2-bp156.2.6.1.x86_64",
"product": {
"name": "trivy-0.58.2-bp156.2.6.1.x86_64",
"product_id": "trivy-0.58.2-bp156.2.6.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP6",
"product": {
"name": "SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6"
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.58.2-bp156.2.6.1.aarch64 as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64"
},
"product_reference": "trivy-0.58.2-bp156.2.6.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.58.2-bp156.2.6.1.i586 as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586"
},
"product_reference": "trivy-0.58.2-bp156.2.6.1.i586",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.58.2-bp156.2.6.1.ppc64le as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le"
},
"product_reference": "trivy-0.58.2-bp156.2.6.1.ppc64le",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.58.2-bp156.2.6.1.s390x as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x"
},
"product_reference": "trivy-0.58.2-bp156.2.6.1.s390x",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.58.2-bp156.2.6.1.x86_64 as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64"
},
"product_reference": "trivy-0.58.2-bp156.2.6.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.58.2-bp156.2.6.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64"
},
"product_reference": "trivy-0.58.2-bp156.2.6.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.58.2-bp156.2.6.1.i586 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586"
},
"product_reference": "trivy-0.58.2-bp156.2.6.1.i586",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.58.2-bp156.2.6.1.ppc64le as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le"
},
"product_reference": "trivy-0.58.2-bp156.2.6.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.58.2-bp156.2.6.1.s390x as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x"
},
"product_reference": "trivy-0.58.2-bp156.2.6.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.58.2-bp156.2.6.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
},
"product_reference": "trivy-0.58.2-bp156.2.6.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-34155",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-34155"
}
],
"notes": [
{
"category": "general",
"text": "Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-34155",
"url": "https://www.suse.com/security/cve/CVE-2024-34155"
},
{
"category": "external",
"summary": "SUSE Bug 1230252 for CVE-2024-34155",
"url": "https://bugzilla.suse.com/1230252"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-02-07T11:01:31Z",
"details": "moderate"
}
],
"title": "CVE-2024-34155"
},
{
"cve": "CVE-2024-34156",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-34156"
}
],
"notes": [
{
"category": "general",
"text": "Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-34156",
"url": "https://www.suse.com/security/cve/CVE-2024-34156"
},
{
"category": "external",
"summary": "SUSE Bug 1230253 for CVE-2024-34156",
"url": "https://bugzilla.suse.com/1230253"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-02-07T11:01:31Z",
"details": "moderate"
}
],
"title": "CVE-2024-34156"
},
{
"cve": "CVE-2024-34158",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-34158"
}
],
"notes": [
{
"category": "general",
"text": "Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-34158",
"url": "https://www.suse.com/security/cve/CVE-2024-34158"
},
{
"category": "external",
"summary": "SUSE Bug 1230254 for CVE-2024-34158",
"url": "https://bugzilla.suse.com/1230254"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-02-07T11:01:31Z",
"details": "moderate"
}
],
"title": "CVE-2024-34158"
},
{
"cve": "CVE-2024-3817",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-3817"
}
],
"notes": [
{
"category": "general",
"text": "HashiCorp\u0027s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. \n\nThis vulnerability does not affect the go-getter/v2 branch and package.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-3817",
"url": "https://www.suse.com/security/cve/CVE-2024-3817"
},
{
"category": "external",
"summary": "SUSE Bug 1226999 for CVE-2024-3817",
"url": "https://bugzilla.suse.com/1226999"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-02-07T11:01:31Z",
"details": "low"
}
],
"title": "CVE-2024-3817"
},
{
"cve": "CVE-2024-45337",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45337"
}
],
"notes": [
{
"category": "general",
"text": "Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45337",
"url": "https://www.suse.com/security/cve/CVE-2024-45337"
},
{
"category": "external",
"summary": "SUSE Bug 1234482 for CVE-2024-45337",
"url": "https://bugzilla.suse.com/1234482"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-02-07T11:01:31Z",
"details": "important"
}
],
"title": "CVE-2024-45337"
},
{
"cve": "CVE-2024-45338",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45338"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45338",
"url": "https://www.suse.com/security/cve/CVE-2024-45338"
},
{
"category": "external",
"summary": "SUSE Bug 1234794 for CVE-2024-45338",
"url": "https://bugzilla.suse.com/1234794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-02-07T11:01:31Z",
"details": "important"
}
],
"title": "CVE-2024-45338"
},
{
"cve": "CVE-2025-21613",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-21613"
}
],
"notes": [
{
"category": "general",
"text": "go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-21613",
"url": "https://www.suse.com/security/cve/CVE-2025-21613"
},
{
"category": "external",
"summary": "SUSE Bug 1235572 for CVE-2025-21613",
"url": "https://bugzilla.suse.com/1235572"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-02-07T11:01:31Z",
"details": "important"
}
],
"title": "CVE-2025-21613"
},
{
"cve": "CVE-2025-21614",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-21614"
}
],
"notes": [
{
"category": "general",
"text": "go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-21614",
"url": "https://www.suse.com/security/cve/CVE-2025-21614"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
"SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
"openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-02-07T11:01:31Z",
"details": "important"
}
],
"title": "CVE-2025-21614"
}
]
}
OPENSUSE-SU-2025:0094-1
Vulnerability from csaf_opensuse - Published: 2025-03-20 13:01 - Updated: 2025-03-20 13:01Summary
Security update for gitea-tea
Severity
Moderate
Notes
Title of the patch: Security update for gitea-tea
Description of the patch: This update for gitea-tea fixes the following issues:
- gitea-te: update newer dependencies to fix security issues (boo#1235367 boo#1239493 boo#1234598)
Patchnames: openSUSE-2025-94
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.1 (High)
Affected products
Recommended
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
5.9 (Medium)
Affected products
Recommended
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP6:gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
References
16 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for gitea-tea",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for gitea-tea fixes the following issues:\n\n- gitea-te: update newer dependencies to fix security issues (boo#1235367 boo#1239493 boo#1234598)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2025-94",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_0094-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2025:0094-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LKOLRH73CIQLMQ327IYGUHNSFKCU5MPI/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2025:0094-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LKOLRH73CIQLMQ327IYGUHNSFKCU5MPI/"
},
{
"category": "self",
"summary": "SUSE Bug 1234598",
"url": "https://bugzilla.suse.com/1234598"
},
{
"category": "self",
"summary": "SUSE Bug 1235367",
"url": "https://bugzilla.suse.com/1235367"
},
{
"category": "self",
"summary": "SUSE Bug 1239493",
"url": "https://bugzilla.suse.com/1239493"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45337 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45337/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45338 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45338/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22869 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22869/"
}
],
"title": "Security update for gitea-tea",
"tracking": {
"current_release_date": "2025-03-20T13:01:19Z",
"generator": {
"date": "2025-03-20T13:01:19Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:0094-1",
"initial_release_date": "2025-03-20T13:01:19Z",
"revision_history": [
{
"date": "2025-03-20T13:01:19Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "gitea-tea-0.9.2-bp156.5.1.aarch64",
"product": {
"name": "gitea-tea-0.9.2-bp156.5.1.aarch64",
"product_id": "gitea-tea-0.9.2-bp156.5.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "gitea-tea-0.9.2-bp156.5.1.i586",
"product": {
"name": "gitea-tea-0.9.2-bp156.5.1.i586",
"product_id": "gitea-tea-0.9.2-bp156.5.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch",
"product": {
"name": "gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch",
"product_id": "gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch"
}
},
{
"category": "product_version",
"name": "gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch",
"product": {
"name": "gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch",
"product_id": "gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "gitea-tea-0.9.2-bp156.5.1.ppc64le",
"product": {
"name": "gitea-tea-0.9.2-bp156.5.1.ppc64le",
"product_id": "gitea-tea-0.9.2-bp156.5.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "gitea-tea-0.9.2-bp156.5.1.s390x",
"product": {
"name": "gitea-tea-0.9.2-bp156.5.1.s390x",
"product_id": "gitea-tea-0.9.2-bp156.5.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "gitea-tea-0.9.2-bp156.5.1.x86_64",
"product": {
"name": "gitea-tea-0.9.2-bp156.5.1.x86_64",
"product_id": "gitea-tea-0.9.2-bp156.5.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP6",
"product": {
"name": "SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6"
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "gitea-tea-0.9.2-bp156.5.1.aarch64 as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.aarch64"
},
"product_reference": "gitea-tea-0.9.2-bp156.5.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gitea-tea-0.9.2-bp156.5.1.i586 as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.i586"
},
"product_reference": "gitea-tea-0.9.2-bp156.5.1.i586",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gitea-tea-0.9.2-bp156.5.1.ppc64le as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.ppc64le"
},
"product_reference": "gitea-tea-0.9.2-bp156.5.1.ppc64le",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gitea-tea-0.9.2-bp156.5.1.s390x as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.s390x"
},
"product_reference": "gitea-tea-0.9.2-bp156.5.1.s390x",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gitea-tea-0.9.2-bp156.5.1.x86_64 as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.x86_64"
},
"product_reference": "gitea-tea-0.9.2-bp156.5.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch"
},
"product_reference": "gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch"
},
"product_reference": "gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gitea-tea-0.9.2-bp156.5.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.aarch64"
},
"product_reference": "gitea-tea-0.9.2-bp156.5.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gitea-tea-0.9.2-bp156.5.1.i586 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.i586"
},
"product_reference": "gitea-tea-0.9.2-bp156.5.1.i586",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gitea-tea-0.9.2-bp156.5.1.ppc64le as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.ppc64le"
},
"product_reference": "gitea-tea-0.9.2-bp156.5.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gitea-tea-0.9.2-bp156.5.1.s390x as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.s390x"
},
"product_reference": "gitea-tea-0.9.2-bp156.5.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gitea-tea-0.9.2-bp156.5.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.x86_64"
},
"product_reference": "gitea-tea-0.9.2-bp156.5.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch"
},
"product_reference": "gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch"
},
"product_reference": "gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45337",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45337"
}
],
"notes": [
{
"category": "general",
"text": "Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.aarch64",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.i586",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.ppc64le",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.s390x",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.x86_64",
"SUSE Package Hub 15 SP6:gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch",
"SUSE Package Hub 15 SP6:gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.aarch64",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.i586",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.ppc64le",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.s390x",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.x86_64",
"openSUSE Leap 15.6:gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch",
"openSUSE Leap 15.6:gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45337",
"url": "https://www.suse.com/security/cve/CVE-2024-45337"
},
{
"category": "external",
"summary": "SUSE Bug 1234482 for CVE-2024-45337",
"url": "https://bugzilla.suse.com/1234482"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.aarch64",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.i586",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.ppc64le",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.s390x",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.x86_64",
"SUSE Package Hub 15 SP6:gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch",
"SUSE Package Hub 15 SP6:gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.aarch64",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.i586",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.ppc64le",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.s390x",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.x86_64",
"openSUSE Leap 15.6:gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch",
"openSUSE Leap 15.6:gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.aarch64",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.i586",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.ppc64le",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.s390x",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.x86_64",
"SUSE Package Hub 15 SP6:gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch",
"SUSE Package Hub 15 SP6:gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.aarch64",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.i586",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.ppc64le",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.s390x",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.x86_64",
"openSUSE Leap 15.6:gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch",
"openSUSE Leap 15.6:gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-20T13:01:19Z",
"details": "important"
}
],
"title": "CVE-2024-45337"
},
{
"cve": "CVE-2024-45338",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45338"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.aarch64",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.i586",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.ppc64le",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.s390x",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.x86_64",
"SUSE Package Hub 15 SP6:gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch",
"SUSE Package Hub 15 SP6:gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.aarch64",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.i586",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.ppc64le",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.s390x",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.x86_64",
"openSUSE Leap 15.6:gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch",
"openSUSE Leap 15.6:gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45338",
"url": "https://www.suse.com/security/cve/CVE-2024-45338"
},
{
"category": "external",
"summary": "SUSE Bug 1234794 for CVE-2024-45338",
"url": "https://bugzilla.suse.com/1234794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.aarch64",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.i586",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.ppc64le",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.s390x",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.x86_64",
"SUSE Package Hub 15 SP6:gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch",
"SUSE Package Hub 15 SP6:gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.aarch64",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.i586",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.ppc64le",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.s390x",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.x86_64",
"openSUSE Leap 15.6:gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch",
"openSUSE Leap 15.6:gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.aarch64",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.i586",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.ppc64le",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.s390x",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.x86_64",
"SUSE Package Hub 15 SP6:gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch",
"SUSE Package Hub 15 SP6:gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.aarch64",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.i586",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.ppc64le",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.s390x",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.x86_64",
"openSUSE Leap 15.6:gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch",
"openSUSE Leap 15.6:gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-20T13:01:19Z",
"details": "important"
}
],
"title": "CVE-2024-45338"
},
{
"cve": "CVE-2025-22869",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22869"
}
],
"notes": [
{
"category": "general",
"text": "SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.aarch64",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.i586",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.ppc64le",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.s390x",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.x86_64",
"SUSE Package Hub 15 SP6:gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch",
"SUSE Package Hub 15 SP6:gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.aarch64",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.i586",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.ppc64le",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.s390x",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.x86_64",
"openSUSE Leap 15.6:gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch",
"openSUSE Leap 15.6:gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22869",
"url": "https://www.suse.com/security/cve/CVE-2025-22869"
},
{
"category": "external",
"summary": "SUSE Bug 1239322 for CVE-2025-22869",
"url": "https://bugzilla.suse.com/1239322"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.aarch64",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.i586",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.ppc64le",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.s390x",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.x86_64",
"SUSE Package Hub 15 SP6:gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch",
"SUSE Package Hub 15 SP6:gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.aarch64",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.i586",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.ppc64le",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.s390x",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.x86_64",
"openSUSE Leap 15.6:gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch",
"openSUSE Leap 15.6:gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.aarch64",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.i586",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.ppc64le",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.s390x",
"SUSE Package Hub 15 SP6:gitea-tea-0.9.2-bp156.5.1.x86_64",
"SUSE Package Hub 15 SP6:gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch",
"SUSE Package Hub 15 SP6:gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.aarch64",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.i586",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.ppc64le",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.s390x",
"openSUSE Leap 15.6:gitea-tea-0.9.2-bp156.5.1.x86_64",
"openSUSE Leap 15.6:gitea-tea-bash-completion-0.9.2-bp156.5.1.noarch",
"openSUSE Leap 15.6:gitea-tea-zsh-completion-0.9.2-bp156.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-20T13:01:19Z",
"details": "important"
}
],
"title": "CVE-2025-22869"
}
]
}
OPENSUSE-SU-2025:14612-1
Vulnerability from csaf_opensuse - Published: 2025-01-01 00:00 - Updated: 2025-01-01 00:00Summary
sops-3.9.3-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: sops-3.9.3-1.1 on GA media
Description of the patch: These are all security issues fixed in the sops-3.9.3-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2025-14612
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.9 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:sops-3.9.3-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:sops-3.9.3-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:sops-3.9.3-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:sops-3.9.3-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
5 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "sops-3.9.3-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the sops-3.9.3-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-14612",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_14612-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45338 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45338/"
}
],
"title": "sops-3.9.3-1.1 on GA media",
"tracking": {
"current_release_date": "2025-01-01T00:00:00Z",
"generator": {
"date": "2025-01-01T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:14612-1",
"initial_release_date": "2025-01-01T00:00:00Z",
"revision_history": [
{
"date": "2025-01-01T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "sops-3.9.3-1.1.aarch64",
"product": {
"name": "sops-3.9.3-1.1.aarch64",
"product_id": "sops-3.9.3-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "sops-3.9.3-1.1.ppc64le",
"product": {
"name": "sops-3.9.3-1.1.ppc64le",
"product_id": "sops-3.9.3-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "sops-3.9.3-1.1.s390x",
"product": {
"name": "sops-3.9.3-1.1.s390x",
"product_id": "sops-3.9.3-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "sops-3.9.3-1.1.x86_64",
"product": {
"name": "sops-3.9.3-1.1.x86_64",
"product_id": "sops-3.9.3-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "sops-3.9.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:sops-3.9.3-1.1.aarch64"
},
"product_reference": "sops-3.9.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sops-3.9.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:sops-3.9.3-1.1.ppc64le"
},
"product_reference": "sops-3.9.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sops-3.9.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:sops-3.9.3-1.1.s390x"
},
"product_reference": "sops-3.9.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sops-3.9.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:sops-3.9.3-1.1.x86_64"
},
"product_reference": "sops-3.9.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45338",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45338"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:sops-3.9.3-1.1.aarch64",
"openSUSE Tumbleweed:sops-3.9.3-1.1.ppc64le",
"openSUSE Tumbleweed:sops-3.9.3-1.1.s390x",
"openSUSE Tumbleweed:sops-3.9.3-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45338",
"url": "https://www.suse.com/security/cve/CVE-2024-45338"
},
{
"category": "external",
"summary": "SUSE Bug 1234794 for CVE-2024-45338",
"url": "https://bugzilla.suse.com/1234794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:sops-3.9.3-1.1.aarch64",
"openSUSE Tumbleweed:sops-3.9.3-1.1.ppc64le",
"openSUSE Tumbleweed:sops-3.9.3-1.1.s390x",
"openSUSE Tumbleweed:sops-3.9.3-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:sops-3.9.3-1.1.aarch64",
"openSUSE Tumbleweed:sops-3.9.3-1.1.ppc64le",
"openSUSE Tumbleweed:sops-3.9.3-1.1.s390x",
"openSUSE Tumbleweed:sops-3.9.3-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-01T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-45338"
}
]
}
OPENSUSE-SU-2025:14613-1
Vulnerability from csaf_opensuse - Published: 2025-01-01 00:00 - Updated: 2025-01-01 00:00Summary
velero-1.15.1-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: velero-1.15.1-1.1 on GA media
Description of the patch: These are all security issues fixed in the velero-1.15.1-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2025-14613
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.1 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velero-1.15.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-1.15.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-1.15.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-1.15.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.9 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velero-1.15.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-1.15.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-1.15.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-1.15.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
10 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "velero-1.15.1-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the velero-1.15.1-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-14613",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_14613-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2025:14613-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/72PNSQCBBGVVNI7VQE3WSCUAIHCZLRVQ/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2025:14613-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/72PNSQCBBGVVNI7VQE3WSCUAIHCZLRVQ/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45337 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45337/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45338 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45338/"
}
],
"title": "velero-1.15.1-1.1 on GA media",
"tracking": {
"current_release_date": "2025-01-01T00:00:00Z",
"generator": {
"date": "2025-01-01T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:14613-1",
"initial_release_date": "2025-01-01T00:00:00Z",
"revision_history": [
{
"date": "2025-01-01T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "velero-1.15.1-1.1.aarch64",
"product": {
"name": "velero-1.15.1-1.1.aarch64",
"product_id": "velero-1.15.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "velero-bash-completion-1.15.1-1.1.aarch64",
"product": {
"name": "velero-bash-completion-1.15.1-1.1.aarch64",
"product_id": "velero-bash-completion-1.15.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "velero-fish-completion-1.15.1-1.1.aarch64",
"product": {
"name": "velero-fish-completion-1.15.1-1.1.aarch64",
"product_id": "velero-fish-completion-1.15.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "velero-zsh-completion-1.15.1-1.1.aarch64",
"product": {
"name": "velero-zsh-completion-1.15.1-1.1.aarch64",
"product_id": "velero-zsh-completion-1.15.1-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "velero-1.15.1-1.1.ppc64le",
"product": {
"name": "velero-1.15.1-1.1.ppc64le",
"product_id": "velero-1.15.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "velero-bash-completion-1.15.1-1.1.ppc64le",
"product": {
"name": "velero-bash-completion-1.15.1-1.1.ppc64le",
"product_id": "velero-bash-completion-1.15.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "velero-fish-completion-1.15.1-1.1.ppc64le",
"product": {
"name": "velero-fish-completion-1.15.1-1.1.ppc64le",
"product_id": "velero-fish-completion-1.15.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "velero-zsh-completion-1.15.1-1.1.ppc64le",
"product": {
"name": "velero-zsh-completion-1.15.1-1.1.ppc64le",
"product_id": "velero-zsh-completion-1.15.1-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "velero-1.15.1-1.1.s390x",
"product": {
"name": "velero-1.15.1-1.1.s390x",
"product_id": "velero-1.15.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "velero-bash-completion-1.15.1-1.1.s390x",
"product": {
"name": "velero-bash-completion-1.15.1-1.1.s390x",
"product_id": "velero-bash-completion-1.15.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "velero-fish-completion-1.15.1-1.1.s390x",
"product": {
"name": "velero-fish-completion-1.15.1-1.1.s390x",
"product_id": "velero-fish-completion-1.15.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "velero-zsh-completion-1.15.1-1.1.s390x",
"product": {
"name": "velero-zsh-completion-1.15.1-1.1.s390x",
"product_id": "velero-zsh-completion-1.15.1-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "velero-1.15.1-1.1.x86_64",
"product": {
"name": "velero-1.15.1-1.1.x86_64",
"product_id": "velero-1.15.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "velero-bash-completion-1.15.1-1.1.x86_64",
"product": {
"name": "velero-bash-completion-1.15.1-1.1.x86_64",
"product_id": "velero-bash-completion-1.15.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "velero-fish-completion-1.15.1-1.1.x86_64",
"product": {
"name": "velero-fish-completion-1.15.1-1.1.x86_64",
"product_id": "velero-fish-completion-1.15.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "velero-zsh-completion-1.15.1-1.1.x86_64",
"product": {
"name": "velero-zsh-completion-1.15.1-1.1.x86_64",
"product_id": "velero-zsh-completion-1.15.1-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "velero-1.15.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:velero-1.15.1-1.1.aarch64"
},
"product_reference": "velero-1.15.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "velero-1.15.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:velero-1.15.1-1.1.ppc64le"
},
"product_reference": "velero-1.15.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "velero-1.15.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:velero-1.15.1-1.1.s390x"
},
"product_reference": "velero-1.15.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "velero-1.15.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:velero-1.15.1-1.1.x86_64"
},
"product_reference": "velero-1.15.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "velero-bash-completion-1.15.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.aarch64"
},
"product_reference": "velero-bash-completion-1.15.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "velero-bash-completion-1.15.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.ppc64le"
},
"product_reference": "velero-bash-completion-1.15.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "velero-bash-completion-1.15.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.s390x"
},
"product_reference": "velero-bash-completion-1.15.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "velero-bash-completion-1.15.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.x86_64"
},
"product_reference": "velero-bash-completion-1.15.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "velero-fish-completion-1.15.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.aarch64"
},
"product_reference": "velero-fish-completion-1.15.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "velero-fish-completion-1.15.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.ppc64le"
},
"product_reference": "velero-fish-completion-1.15.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "velero-fish-completion-1.15.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.s390x"
},
"product_reference": "velero-fish-completion-1.15.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "velero-fish-completion-1.15.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.x86_64"
},
"product_reference": "velero-fish-completion-1.15.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "velero-zsh-completion-1.15.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.aarch64"
},
"product_reference": "velero-zsh-completion-1.15.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "velero-zsh-completion-1.15.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.ppc64le"
},
"product_reference": "velero-zsh-completion-1.15.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "velero-zsh-completion-1.15.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.s390x"
},
"product_reference": "velero-zsh-completion-1.15.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "velero-zsh-completion-1.15.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.x86_64"
},
"product_reference": "velero-zsh-completion-1.15.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45337",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45337"
}
],
"notes": [
{
"category": "general",
"text": "Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velero-1.15.1-1.1.aarch64",
"openSUSE Tumbleweed:velero-1.15.1-1.1.ppc64le",
"openSUSE Tumbleweed:velero-1.15.1-1.1.s390x",
"openSUSE Tumbleweed:velero-1.15.1-1.1.x86_64",
"openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.aarch64",
"openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.ppc64le",
"openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.s390x",
"openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.x86_64",
"openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.aarch64",
"openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.ppc64le",
"openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.s390x",
"openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.x86_64",
"openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.aarch64",
"openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.ppc64le",
"openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.s390x",
"openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45337",
"url": "https://www.suse.com/security/cve/CVE-2024-45337"
},
{
"category": "external",
"summary": "SUSE Bug 1234482 for CVE-2024-45337",
"url": "https://bugzilla.suse.com/1234482"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velero-1.15.1-1.1.aarch64",
"openSUSE Tumbleweed:velero-1.15.1-1.1.ppc64le",
"openSUSE Tumbleweed:velero-1.15.1-1.1.s390x",
"openSUSE Tumbleweed:velero-1.15.1-1.1.x86_64",
"openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.aarch64",
"openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.ppc64le",
"openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.s390x",
"openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.x86_64",
"openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.aarch64",
"openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.ppc64le",
"openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.s390x",
"openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.x86_64",
"openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.aarch64",
"openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.ppc64le",
"openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.s390x",
"openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velero-1.15.1-1.1.aarch64",
"openSUSE Tumbleweed:velero-1.15.1-1.1.ppc64le",
"openSUSE Tumbleweed:velero-1.15.1-1.1.s390x",
"openSUSE Tumbleweed:velero-1.15.1-1.1.x86_64",
"openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.aarch64",
"openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.ppc64le",
"openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.s390x",
"openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.x86_64",
"openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.aarch64",
"openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.ppc64le",
"openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.s390x",
"openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.x86_64",
"openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.aarch64",
"openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.ppc64le",
"openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.s390x",
"openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-01T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-45337"
},
{
"cve": "CVE-2024-45338",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45338"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velero-1.15.1-1.1.aarch64",
"openSUSE Tumbleweed:velero-1.15.1-1.1.ppc64le",
"openSUSE Tumbleweed:velero-1.15.1-1.1.s390x",
"openSUSE Tumbleweed:velero-1.15.1-1.1.x86_64",
"openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.aarch64",
"openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.ppc64le",
"openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.s390x",
"openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.x86_64",
"openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.aarch64",
"openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.ppc64le",
"openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.s390x",
"openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.x86_64",
"openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.aarch64",
"openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.ppc64le",
"openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.s390x",
"openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45338",
"url": "https://www.suse.com/security/cve/CVE-2024-45338"
},
{
"category": "external",
"summary": "SUSE Bug 1234794 for CVE-2024-45338",
"url": "https://bugzilla.suse.com/1234794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velero-1.15.1-1.1.aarch64",
"openSUSE Tumbleweed:velero-1.15.1-1.1.ppc64le",
"openSUSE Tumbleweed:velero-1.15.1-1.1.s390x",
"openSUSE Tumbleweed:velero-1.15.1-1.1.x86_64",
"openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.aarch64",
"openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.ppc64le",
"openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.s390x",
"openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.x86_64",
"openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.aarch64",
"openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.ppc64le",
"openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.s390x",
"openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.x86_64",
"openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.aarch64",
"openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.ppc64le",
"openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.s390x",
"openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velero-1.15.1-1.1.aarch64",
"openSUSE Tumbleweed:velero-1.15.1-1.1.ppc64le",
"openSUSE Tumbleweed:velero-1.15.1-1.1.s390x",
"openSUSE Tumbleweed:velero-1.15.1-1.1.x86_64",
"openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.aarch64",
"openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.ppc64le",
"openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.s390x",
"openSUSE Tumbleweed:velero-bash-completion-1.15.1-1.1.x86_64",
"openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.aarch64",
"openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.ppc64le",
"openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.s390x",
"openSUSE Tumbleweed:velero-fish-completion-1.15.1-1.1.x86_64",
"openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.aarch64",
"openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.ppc64le",
"openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.s390x",
"openSUSE Tumbleweed:velero-zsh-completion-1.15.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-01T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-45338"
}
]
}
OPENSUSE-SU-2025:14634-1
Vulnerability from csaf_opensuse - Published: 2025-01-12 00:00 - Updated: 2025-01-12 00:00Summary
operator-sdk-1.39.0-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: operator-sdk-1.39.0-1.1 on GA media
Description of the patch: These are all security issues fixed in the operator-sdk-1.39.0-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2025-14634
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.9 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
9 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "operator-sdk-1.39.0-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the operator-sdk-1.39.0-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-14634",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_14634-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2025:14634-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VCY3UOSZNLMH6IOLEYWFNO3UOF3DLF3P/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2025:14634-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VCY3UOSZNLMH6IOLEYWFNO3UOF3DLF3P/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45338 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45338/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-21614 page",
"url": "https://www.suse.com/security/cve/CVE-2025-21614/"
}
],
"title": "operator-sdk-1.39.0-1.1 on GA media",
"tracking": {
"current_release_date": "2025-01-12T00:00:00Z",
"generator": {
"date": "2025-01-12T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:14634-1",
"initial_release_date": "2025-01-12T00:00:00Z",
"revision_history": [
{
"date": "2025-01-12T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "operator-sdk-1.39.0-1.1.aarch64",
"product": {
"name": "operator-sdk-1.39.0-1.1.aarch64",
"product_id": "operator-sdk-1.39.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "operator-sdk-bash-completion-1.39.0-1.1.aarch64",
"product": {
"name": "operator-sdk-bash-completion-1.39.0-1.1.aarch64",
"product_id": "operator-sdk-bash-completion-1.39.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "operator-sdk-fish-completion-1.39.0-1.1.aarch64",
"product": {
"name": "operator-sdk-fish-completion-1.39.0-1.1.aarch64",
"product_id": "operator-sdk-fish-completion-1.39.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "operator-sdk-zsh-completion-1.39.0-1.1.aarch64",
"product": {
"name": "operator-sdk-zsh-completion-1.39.0-1.1.aarch64",
"product_id": "operator-sdk-zsh-completion-1.39.0-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "operator-sdk-1.39.0-1.1.ppc64le",
"product": {
"name": "operator-sdk-1.39.0-1.1.ppc64le",
"product_id": "operator-sdk-1.39.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "operator-sdk-bash-completion-1.39.0-1.1.ppc64le",
"product": {
"name": "operator-sdk-bash-completion-1.39.0-1.1.ppc64le",
"product_id": "operator-sdk-bash-completion-1.39.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "operator-sdk-fish-completion-1.39.0-1.1.ppc64le",
"product": {
"name": "operator-sdk-fish-completion-1.39.0-1.1.ppc64le",
"product_id": "operator-sdk-fish-completion-1.39.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "operator-sdk-zsh-completion-1.39.0-1.1.ppc64le",
"product": {
"name": "operator-sdk-zsh-completion-1.39.0-1.1.ppc64le",
"product_id": "operator-sdk-zsh-completion-1.39.0-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "operator-sdk-1.39.0-1.1.s390x",
"product": {
"name": "operator-sdk-1.39.0-1.1.s390x",
"product_id": "operator-sdk-1.39.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "operator-sdk-bash-completion-1.39.0-1.1.s390x",
"product": {
"name": "operator-sdk-bash-completion-1.39.0-1.1.s390x",
"product_id": "operator-sdk-bash-completion-1.39.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "operator-sdk-fish-completion-1.39.0-1.1.s390x",
"product": {
"name": "operator-sdk-fish-completion-1.39.0-1.1.s390x",
"product_id": "operator-sdk-fish-completion-1.39.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "operator-sdk-zsh-completion-1.39.0-1.1.s390x",
"product": {
"name": "operator-sdk-zsh-completion-1.39.0-1.1.s390x",
"product_id": "operator-sdk-zsh-completion-1.39.0-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "operator-sdk-1.39.0-1.1.x86_64",
"product": {
"name": "operator-sdk-1.39.0-1.1.x86_64",
"product_id": "operator-sdk-1.39.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "operator-sdk-bash-completion-1.39.0-1.1.x86_64",
"product": {
"name": "operator-sdk-bash-completion-1.39.0-1.1.x86_64",
"product_id": "operator-sdk-bash-completion-1.39.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "operator-sdk-fish-completion-1.39.0-1.1.x86_64",
"product": {
"name": "operator-sdk-fish-completion-1.39.0-1.1.x86_64",
"product_id": "operator-sdk-fish-completion-1.39.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "operator-sdk-zsh-completion-1.39.0-1.1.x86_64",
"product": {
"name": "operator-sdk-zsh-completion-1.39.0-1.1.x86_64",
"product_id": "operator-sdk-zsh-completion-1.39.0-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "operator-sdk-1.39.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.aarch64"
},
"product_reference": "operator-sdk-1.39.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "operator-sdk-1.39.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.ppc64le"
},
"product_reference": "operator-sdk-1.39.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "operator-sdk-1.39.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.s390x"
},
"product_reference": "operator-sdk-1.39.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "operator-sdk-1.39.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.x86_64"
},
"product_reference": "operator-sdk-1.39.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "operator-sdk-bash-completion-1.39.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.aarch64"
},
"product_reference": "operator-sdk-bash-completion-1.39.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "operator-sdk-bash-completion-1.39.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.ppc64le"
},
"product_reference": "operator-sdk-bash-completion-1.39.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "operator-sdk-bash-completion-1.39.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.s390x"
},
"product_reference": "operator-sdk-bash-completion-1.39.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "operator-sdk-bash-completion-1.39.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.x86_64"
},
"product_reference": "operator-sdk-bash-completion-1.39.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "operator-sdk-fish-completion-1.39.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.aarch64"
},
"product_reference": "operator-sdk-fish-completion-1.39.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "operator-sdk-fish-completion-1.39.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.ppc64le"
},
"product_reference": "operator-sdk-fish-completion-1.39.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "operator-sdk-fish-completion-1.39.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.s390x"
},
"product_reference": "operator-sdk-fish-completion-1.39.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "operator-sdk-fish-completion-1.39.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.x86_64"
},
"product_reference": "operator-sdk-fish-completion-1.39.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "operator-sdk-zsh-completion-1.39.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.aarch64"
},
"product_reference": "operator-sdk-zsh-completion-1.39.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "operator-sdk-zsh-completion-1.39.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.ppc64le"
},
"product_reference": "operator-sdk-zsh-completion-1.39.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "operator-sdk-zsh-completion-1.39.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.s390x"
},
"product_reference": "operator-sdk-zsh-completion-1.39.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "operator-sdk-zsh-completion-1.39.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.x86_64"
},
"product_reference": "operator-sdk-zsh-completion-1.39.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45338",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45338"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.aarch64",
"openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.ppc64le",
"openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.s390x",
"openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.x86_64",
"openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.aarch64",
"openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.ppc64le",
"openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.s390x",
"openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.x86_64",
"openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.aarch64",
"openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.ppc64le",
"openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.s390x",
"openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.x86_64",
"openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.aarch64",
"openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.ppc64le",
"openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.s390x",
"openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45338",
"url": "https://www.suse.com/security/cve/CVE-2024-45338"
},
{
"category": "external",
"summary": "SUSE Bug 1234794 for CVE-2024-45338",
"url": "https://bugzilla.suse.com/1234794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.aarch64",
"openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.ppc64le",
"openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.s390x",
"openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.x86_64",
"openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.aarch64",
"openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.ppc64le",
"openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.s390x",
"openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.x86_64",
"openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.aarch64",
"openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.ppc64le",
"openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.s390x",
"openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.x86_64",
"openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.aarch64",
"openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.ppc64le",
"openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.s390x",
"openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.aarch64",
"openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.ppc64le",
"openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.s390x",
"openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.x86_64",
"openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.aarch64",
"openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.ppc64le",
"openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.s390x",
"openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.x86_64",
"openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.aarch64",
"openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.ppc64le",
"openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.s390x",
"openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.x86_64",
"openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.aarch64",
"openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.ppc64le",
"openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.s390x",
"openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-12T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-45338"
},
{
"cve": "CVE-2025-21614",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-21614"
}
],
"notes": [
{
"category": "general",
"text": "go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.aarch64",
"openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.ppc64le",
"openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.s390x",
"openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.x86_64",
"openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.aarch64",
"openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.ppc64le",
"openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.s390x",
"openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.x86_64",
"openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.aarch64",
"openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.ppc64le",
"openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.s390x",
"openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.x86_64",
"openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.aarch64",
"openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.ppc64le",
"openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.s390x",
"openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-21614",
"url": "https://www.suse.com/security/cve/CVE-2025-21614"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.aarch64",
"openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.ppc64le",
"openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.s390x",
"openSUSE Tumbleweed:operator-sdk-1.39.0-1.1.x86_64",
"openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.aarch64",
"openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.ppc64le",
"openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.s390x",
"openSUSE Tumbleweed:operator-sdk-bash-completion-1.39.0-1.1.x86_64",
"openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.aarch64",
"openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.ppc64le",
"openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.s390x",
"openSUSE Tumbleweed:operator-sdk-fish-completion-1.39.0-1.1.x86_64",
"openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.aarch64",
"openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.ppc64le",
"openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.s390x",
"openSUSE Tumbleweed:operator-sdk-zsh-completion-1.39.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-12T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-21614"
}
]
}
OPENSUSE-SU-2025:14639-1
Vulnerability from csaf_opensuse - Published: 2025-01-12 00:00 - Updated: 2025-01-12 00:00Summary
yq-4.44.6-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: yq-4.44.6-1.1 on GA media
Description of the patch: These are all security issues fixed in the yq-4.44.6-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2025-14639
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.9 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:yq-4.44.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:yq-4.44.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:yq-4.44.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:yq-4.44.6-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:yq-bash-completion-4.44.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:yq-bash-completion-4.44.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:yq-bash-completion-4.44.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:yq-bash-completion-4.44.6-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:yq-fish-completion-4.44.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:yq-fish-completion-4.44.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:yq-fish-completion-4.44.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:yq-fish-completion-4.44.6-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:yq-zsh-completion-4.44.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:yq-zsh-completion-4.44.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:yq-zsh-completion-4.44.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:yq-zsh-completion-4.44.6-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
7 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "yq-4.44.6-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the yq-4.44.6-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-14639",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_14639-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2025:14639-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UHS4NHWGXZ2TKRE7FZUZI5JIQDOZ4E4E/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2025:14639-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UHS4NHWGXZ2TKRE7FZUZI5JIQDOZ4E4E/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45338 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45338/"
}
],
"title": "yq-4.44.6-1.1 on GA media",
"tracking": {
"current_release_date": "2025-01-12T00:00:00Z",
"generator": {
"date": "2025-01-12T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:14639-1",
"initial_release_date": "2025-01-12T00:00:00Z",
"revision_history": [
{
"date": "2025-01-12T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "yq-4.44.6-1.1.aarch64",
"product": {
"name": "yq-4.44.6-1.1.aarch64",
"product_id": "yq-4.44.6-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "yq-bash-completion-4.44.6-1.1.aarch64",
"product": {
"name": "yq-bash-completion-4.44.6-1.1.aarch64",
"product_id": "yq-bash-completion-4.44.6-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "yq-fish-completion-4.44.6-1.1.aarch64",
"product": {
"name": "yq-fish-completion-4.44.6-1.1.aarch64",
"product_id": "yq-fish-completion-4.44.6-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "yq-zsh-completion-4.44.6-1.1.aarch64",
"product": {
"name": "yq-zsh-completion-4.44.6-1.1.aarch64",
"product_id": "yq-zsh-completion-4.44.6-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "yq-4.44.6-1.1.ppc64le",
"product": {
"name": "yq-4.44.6-1.1.ppc64le",
"product_id": "yq-4.44.6-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "yq-bash-completion-4.44.6-1.1.ppc64le",
"product": {
"name": "yq-bash-completion-4.44.6-1.1.ppc64le",
"product_id": "yq-bash-completion-4.44.6-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "yq-fish-completion-4.44.6-1.1.ppc64le",
"product": {
"name": "yq-fish-completion-4.44.6-1.1.ppc64le",
"product_id": "yq-fish-completion-4.44.6-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "yq-zsh-completion-4.44.6-1.1.ppc64le",
"product": {
"name": "yq-zsh-completion-4.44.6-1.1.ppc64le",
"product_id": "yq-zsh-completion-4.44.6-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "yq-4.44.6-1.1.s390x",
"product": {
"name": "yq-4.44.6-1.1.s390x",
"product_id": "yq-4.44.6-1.1.s390x"
}
},
{
"category": "product_version",
"name": "yq-bash-completion-4.44.6-1.1.s390x",
"product": {
"name": "yq-bash-completion-4.44.6-1.1.s390x",
"product_id": "yq-bash-completion-4.44.6-1.1.s390x"
}
},
{
"category": "product_version",
"name": "yq-fish-completion-4.44.6-1.1.s390x",
"product": {
"name": "yq-fish-completion-4.44.6-1.1.s390x",
"product_id": "yq-fish-completion-4.44.6-1.1.s390x"
}
},
{
"category": "product_version",
"name": "yq-zsh-completion-4.44.6-1.1.s390x",
"product": {
"name": "yq-zsh-completion-4.44.6-1.1.s390x",
"product_id": "yq-zsh-completion-4.44.6-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "yq-4.44.6-1.1.x86_64",
"product": {
"name": "yq-4.44.6-1.1.x86_64",
"product_id": "yq-4.44.6-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "yq-bash-completion-4.44.6-1.1.x86_64",
"product": {
"name": "yq-bash-completion-4.44.6-1.1.x86_64",
"product_id": "yq-bash-completion-4.44.6-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "yq-fish-completion-4.44.6-1.1.x86_64",
"product": {
"name": "yq-fish-completion-4.44.6-1.1.x86_64",
"product_id": "yq-fish-completion-4.44.6-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "yq-zsh-completion-4.44.6-1.1.x86_64",
"product": {
"name": "yq-zsh-completion-4.44.6-1.1.x86_64",
"product_id": "yq-zsh-completion-4.44.6-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "yq-4.44.6-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:yq-4.44.6-1.1.aarch64"
},
"product_reference": "yq-4.44.6-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yq-4.44.6-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:yq-4.44.6-1.1.ppc64le"
},
"product_reference": "yq-4.44.6-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yq-4.44.6-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:yq-4.44.6-1.1.s390x"
},
"product_reference": "yq-4.44.6-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yq-4.44.6-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:yq-4.44.6-1.1.x86_64"
},
"product_reference": "yq-4.44.6-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yq-bash-completion-4.44.6-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:yq-bash-completion-4.44.6-1.1.aarch64"
},
"product_reference": "yq-bash-completion-4.44.6-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yq-bash-completion-4.44.6-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:yq-bash-completion-4.44.6-1.1.ppc64le"
},
"product_reference": "yq-bash-completion-4.44.6-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yq-bash-completion-4.44.6-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:yq-bash-completion-4.44.6-1.1.s390x"
},
"product_reference": "yq-bash-completion-4.44.6-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yq-bash-completion-4.44.6-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:yq-bash-completion-4.44.6-1.1.x86_64"
},
"product_reference": "yq-bash-completion-4.44.6-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yq-fish-completion-4.44.6-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:yq-fish-completion-4.44.6-1.1.aarch64"
},
"product_reference": "yq-fish-completion-4.44.6-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yq-fish-completion-4.44.6-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:yq-fish-completion-4.44.6-1.1.ppc64le"
},
"product_reference": "yq-fish-completion-4.44.6-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yq-fish-completion-4.44.6-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:yq-fish-completion-4.44.6-1.1.s390x"
},
"product_reference": "yq-fish-completion-4.44.6-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yq-fish-completion-4.44.6-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:yq-fish-completion-4.44.6-1.1.x86_64"
},
"product_reference": "yq-fish-completion-4.44.6-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yq-zsh-completion-4.44.6-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:yq-zsh-completion-4.44.6-1.1.aarch64"
},
"product_reference": "yq-zsh-completion-4.44.6-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yq-zsh-completion-4.44.6-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:yq-zsh-completion-4.44.6-1.1.ppc64le"
},
"product_reference": "yq-zsh-completion-4.44.6-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yq-zsh-completion-4.44.6-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:yq-zsh-completion-4.44.6-1.1.s390x"
},
"product_reference": "yq-zsh-completion-4.44.6-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yq-zsh-completion-4.44.6-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:yq-zsh-completion-4.44.6-1.1.x86_64"
},
"product_reference": "yq-zsh-completion-4.44.6-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45338",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45338"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:yq-4.44.6-1.1.aarch64",
"openSUSE Tumbleweed:yq-4.44.6-1.1.ppc64le",
"openSUSE Tumbleweed:yq-4.44.6-1.1.s390x",
"openSUSE Tumbleweed:yq-4.44.6-1.1.x86_64",
"openSUSE Tumbleweed:yq-bash-completion-4.44.6-1.1.aarch64",
"openSUSE Tumbleweed:yq-bash-completion-4.44.6-1.1.ppc64le",
"openSUSE Tumbleweed:yq-bash-completion-4.44.6-1.1.s390x",
"openSUSE Tumbleweed:yq-bash-completion-4.44.6-1.1.x86_64",
"openSUSE Tumbleweed:yq-fish-completion-4.44.6-1.1.aarch64",
"openSUSE Tumbleweed:yq-fish-completion-4.44.6-1.1.ppc64le",
"openSUSE Tumbleweed:yq-fish-completion-4.44.6-1.1.s390x",
"openSUSE Tumbleweed:yq-fish-completion-4.44.6-1.1.x86_64",
"openSUSE Tumbleweed:yq-zsh-completion-4.44.6-1.1.aarch64",
"openSUSE Tumbleweed:yq-zsh-completion-4.44.6-1.1.ppc64le",
"openSUSE Tumbleweed:yq-zsh-completion-4.44.6-1.1.s390x",
"openSUSE Tumbleweed:yq-zsh-completion-4.44.6-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45338",
"url": "https://www.suse.com/security/cve/CVE-2024-45338"
},
{
"category": "external",
"summary": "SUSE Bug 1234794 for CVE-2024-45338",
"url": "https://bugzilla.suse.com/1234794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:yq-4.44.6-1.1.aarch64",
"openSUSE Tumbleweed:yq-4.44.6-1.1.ppc64le",
"openSUSE Tumbleweed:yq-4.44.6-1.1.s390x",
"openSUSE Tumbleweed:yq-4.44.6-1.1.x86_64",
"openSUSE Tumbleweed:yq-bash-completion-4.44.6-1.1.aarch64",
"openSUSE Tumbleweed:yq-bash-completion-4.44.6-1.1.ppc64le",
"openSUSE Tumbleweed:yq-bash-completion-4.44.6-1.1.s390x",
"openSUSE Tumbleweed:yq-bash-completion-4.44.6-1.1.x86_64",
"openSUSE Tumbleweed:yq-fish-completion-4.44.6-1.1.aarch64",
"openSUSE Tumbleweed:yq-fish-completion-4.44.6-1.1.ppc64le",
"openSUSE Tumbleweed:yq-fish-completion-4.44.6-1.1.s390x",
"openSUSE Tumbleweed:yq-fish-completion-4.44.6-1.1.x86_64",
"openSUSE Tumbleweed:yq-zsh-completion-4.44.6-1.1.aarch64",
"openSUSE Tumbleweed:yq-zsh-completion-4.44.6-1.1.ppc64le",
"openSUSE Tumbleweed:yq-zsh-completion-4.44.6-1.1.s390x",
"openSUSE Tumbleweed:yq-zsh-completion-4.44.6-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:yq-4.44.6-1.1.aarch64",
"openSUSE Tumbleweed:yq-4.44.6-1.1.ppc64le",
"openSUSE Tumbleweed:yq-4.44.6-1.1.s390x",
"openSUSE Tumbleweed:yq-4.44.6-1.1.x86_64",
"openSUSE Tumbleweed:yq-bash-completion-4.44.6-1.1.aarch64",
"openSUSE Tumbleweed:yq-bash-completion-4.44.6-1.1.ppc64le",
"openSUSE Tumbleweed:yq-bash-completion-4.44.6-1.1.s390x",
"openSUSE Tumbleweed:yq-bash-completion-4.44.6-1.1.x86_64",
"openSUSE Tumbleweed:yq-fish-completion-4.44.6-1.1.aarch64",
"openSUSE Tumbleweed:yq-fish-completion-4.44.6-1.1.ppc64le",
"openSUSE Tumbleweed:yq-fish-completion-4.44.6-1.1.s390x",
"openSUSE Tumbleweed:yq-fish-completion-4.44.6-1.1.x86_64",
"openSUSE Tumbleweed:yq-zsh-completion-4.44.6-1.1.aarch64",
"openSUSE Tumbleweed:yq-zsh-completion-4.44.6-1.1.ppc64le",
"openSUSE Tumbleweed:yq-zsh-completion-4.44.6-1.1.s390x",
"openSUSE Tumbleweed:yq-zsh-completion-4.44.6-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-12T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-45338"
}
]
}
OPENSUSE-SU-2025:14640-1
Vulnerability from csaf_opensuse - Published: 2025-01-13 00:00 - Updated: 2025-01-13 00:00Summary
kepler-0.7.11-2.1 on GA media
Severity
Moderate
Notes
Title of the patch: kepler-0.7.11-2.1 on GA media
Description of the patch: These are all security issues fixed in the kepler-0.7.11-2.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2025-14640
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.9 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:kepler-0.7.11-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:kepler-0.7.11-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:kepler-0.7.11-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:kepler-0.7.11-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
5 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "kepler-0.7.11-2.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the kepler-0.7.11-2.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-14640",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_14640-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45338 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45338/"
}
],
"title": "kepler-0.7.11-2.1 on GA media",
"tracking": {
"current_release_date": "2025-01-13T00:00:00Z",
"generator": {
"date": "2025-01-13T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:14640-1",
"initial_release_date": "2025-01-13T00:00:00Z",
"revision_history": [
{
"date": "2025-01-13T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kepler-0.7.11-2.1.aarch64",
"product": {
"name": "kepler-0.7.11-2.1.aarch64",
"product_id": "kepler-0.7.11-2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "kepler-0.7.11-2.1.ppc64le",
"product": {
"name": "kepler-0.7.11-2.1.ppc64le",
"product_id": "kepler-0.7.11-2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "kepler-0.7.11-2.1.s390x",
"product": {
"name": "kepler-0.7.11-2.1.s390x",
"product_id": "kepler-0.7.11-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "kepler-0.7.11-2.1.x86_64",
"product": {
"name": "kepler-0.7.11-2.1.x86_64",
"product_id": "kepler-0.7.11-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kepler-0.7.11-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kepler-0.7.11-2.1.aarch64"
},
"product_reference": "kepler-0.7.11-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kepler-0.7.11-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kepler-0.7.11-2.1.ppc64le"
},
"product_reference": "kepler-0.7.11-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kepler-0.7.11-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kepler-0.7.11-2.1.s390x"
},
"product_reference": "kepler-0.7.11-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kepler-0.7.11-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kepler-0.7.11-2.1.x86_64"
},
"product_reference": "kepler-0.7.11-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45338",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45338"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:kepler-0.7.11-2.1.aarch64",
"openSUSE Tumbleweed:kepler-0.7.11-2.1.ppc64le",
"openSUSE Tumbleweed:kepler-0.7.11-2.1.s390x",
"openSUSE Tumbleweed:kepler-0.7.11-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45338",
"url": "https://www.suse.com/security/cve/CVE-2024-45338"
},
{
"category": "external",
"summary": "SUSE Bug 1234794 for CVE-2024-45338",
"url": "https://bugzilla.suse.com/1234794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:kepler-0.7.11-2.1.aarch64",
"openSUSE Tumbleweed:kepler-0.7.11-2.1.ppc64le",
"openSUSE Tumbleweed:kepler-0.7.11-2.1.s390x",
"openSUSE Tumbleweed:kepler-0.7.11-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:kepler-0.7.11-2.1.aarch64",
"openSUSE Tumbleweed:kepler-0.7.11-2.1.ppc64le",
"openSUSE Tumbleweed:kepler-0.7.11-2.1.s390x",
"openSUSE Tumbleweed:kepler-0.7.11-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-13T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-45338"
}
]
}
OPENSUSE-SU-2025:14641-1
Vulnerability from csaf_opensuse - Published: 2025-01-13 00:00 - Updated: 2025-01-13 00:00Summary
rclone-1.69.0-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: rclone-1.69.0-1.1 on GA media
Description of the patch: These are all security issues fixed in the rclone-1.69.0-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2025-14641
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.1 (High)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:rclone-1.69.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:rclone-1.69.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:rclone-1.69.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:rclone-1.69.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.9 (Medium)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:rclone-1.69.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:rclone-1.69.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:rclone-1.69.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:rclone-1.69.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
10 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "rclone-1.69.0-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the rclone-1.69.0-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-14641",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_14641-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2025:14641-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MCLAZVPDAT5UFMI67YRTRQBKGNJYHBIS/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2025:14641-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MCLAZVPDAT5UFMI67YRTRQBKGNJYHBIS/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45337 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45337/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45338 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45338/"
}
],
"title": "rclone-1.69.0-1.1 on GA media",
"tracking": {
"current_release_date": "2025-01-13T00:00:00Z",
"generator": {
"date": "2025-01-13T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:14641-1",
"initial_release_date": "2025-01-13T00:00:00Z",
"revision_history": [
{
"date": "2025-01-13T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "rclone-1.69.0-1.1.aarch64",
"product": {
"name": "rclone-1.69.0-1.1.aarch64",
"product_id": "rclone-1.69.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "rclone-bash-completion-1.69.0-1.1.aarch64",
"product": {
"name": "rclone-bash-completion-1.69.0-1.1.aarch64",
"product_id": "rclone-bash-completion-1.69.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "rclone-zsh-completion-1.69.0-1.1.aarch64",
"product": {
"name": "rclone-zsh-completion-1.69.0-1.1.aarch64",
"product_id": "rclone-zsh-completion-1.69.0-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "rclone-1.69.0-1.1.ppc64le",
"product": {
"name": "rclone-1.69.0-1.1.ppc64le",
"product_id": "rclone-1.69.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "rclone-bash-completion-1.69.0-1.1.ppc64le",
"product": {
"name": "rclone-bash-completion-1.69.0-1.1.ppc64le",
"product_id": "rclone-bash-completion-1.69.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "rclone-zsh-completion-1.69.0-1.1.ppc64le",
"product": {
"name": "rclone-zsh-completion-1.69.0-1.1.ppc64le",
"product_id": "rclone-zsh-completion-1.69.0-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "rclone-1.69.0-1.1.s390x",
"product": {
"name": "rclone-1.69.0-1.1.s390x",
"product_id": "rclone-1.69.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "rclone-bash-completion-1.69.0-1.1.s390x",
"product": {
"name": "rclone-bash-completion-1.69.0-1.1.s390x",
"product_id": "rclone-bash-completion-1.69.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "rclone-zsh-completion-1.69.0-1.1.s390x",
"product": {
"name": "rclone-zsh-completion-1.69.0-1.1.s390x",
"product_id": "rclone-zsh-completion-1.69.0-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "rclone-1.69.0-1.1.x86_64",
"product": {
"name": "rclone-1.69.0-1.1.x86_64",
"product_id": "rclone-1.69.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "rclone-bash-completion-1.69.0-1.1.x86_64",
"product": {
"name": "rclone-bash-completion-1.69.0-1.1.x86_64",
"product_id": "rclone-bash-completion-1.69.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "rclone-zsh-completion-1.69.0-1.1.x86_64",
"product": {
"name": "rclone-zsh-completion-1.69.0-1.1.x86_64",
"product_id": "rclone-zsh-completion-1.69.0-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rclone-1.69.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rclone-1.69.0-1.1.aarch64"
},
"product_reference": "rclone-1.69.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rclone-1.69.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rclone-1.69.0-1.1.ppc64le"
},
"product_reference": "rclone-1.69.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rclone-1.69.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rclone-1.69.0-1.1.s390x"
},
"product_reference": "rclone-1.69.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rclone-1.69.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rclone-1.69.0-1.1.x86_64"
},
"product_reference": "rclone-1.69.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rclone-bash-completion-1.69.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.aarch64"
},
"product_reference": "rclone-bash-completion-1.69.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rclone-bash-completion-1.69.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.ppc64le"
},
"product_reference": "rclone-bash-completion-1.69.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rclone-bash-completion-1.69.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.s390x"
},
"product_reference": "rclone-bash-completion-1.69.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rclone-bash-completion-1.69.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.x86_64"
},
"product_reference": "rclone-bash-completion-1.69.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rclone-zsh-completion-1.69.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.aarch64"
},
"product_reference": "rclone-zsh-completion-1.69.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rclone-zsh-completion-1.69.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.ppc64le"
},
"product_reference": "rclone-zsh-completion-1.69.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rclone-zsh-completion-1.69.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.s390x"
},
"product_reference": "rclone-zsh-completion-1.69.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rclone-zsh-completion-1.69.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.x86_64"
},
"product_reference": "rclone-zsh-completion-1.69.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45337",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45337"
}
],
"notes": [
{
"category": "general",
"text": "Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:rclone-1.69.0-1.1.aarch64",
"openSUSE Tumbleweed:rclone-1.69.0-1.1.ppc64le",
"openSUSE Tumbleweed:rclone-1.69.0-1.1.s390x",
"openSUSE Tumbleweed:rclone-1.69.0-1.1.x86_64",
"openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.aarch64",
"openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.ppc64le",
"openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.s390x",
"openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.x86_64",
"openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.aarch64",
"openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.ppc64le",
"openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.s390x",
"openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45337",
"url": "https://www.suse.com/security/cve/CVE-2024-45337"
},
{
"category": "external",
"summary": "SUSE Bug 1234482 for CVE-2024-45337",
"url": "https://bugzilla.suse.com/1234482"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:rclone-1.69.0-1.1.aarch64",
"openSUSE Tumbleweed:rclone-1.69.0-1.1.ppc64le",
"openSUSE Tumbleweed:rclone-1.69.0-1.1.s390x",
"openSUSE Tumbleweed:rclone-1.69.0-1.1.x86_64",
"openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.aarch64",
"openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.ppc64le",
"openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.s390x",
"openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.x86_64",
"openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.aarch64",
"openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.ppc64le",
"openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.s390x",
"openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:rclone-1.69.0-1.1.aarch64",
"openSUSE Tumbleweed:rclone-1.69.0-1.1.ppc64le",
"openSUSE Tumbleweed:rclone-1.69.0-1.1.s390x",
"openSUSE Tumbleweed:rclone-1.69.0-1.1.x86_64",
"openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.aarch64",
"openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.ppc64le",
"openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.s390x",
"openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.x86_64",
"openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.aarch64",
"openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.ppc64le",
"openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.s390x",
"openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-13T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-45337"
},
{
"cve": "CVE-2024-45338",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45338"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:rclone-1.69.0-1.1.aarch64",
"openSUSE Tumbleweed:rclone-1.69.0-1.1.ppc64le",
"openSUSE Tumbleweed:rclone-1.69.0-1.1.s390x",
"openSUSE Tumbleweed:rclone-1.69.0-1.1.x86_64",
"openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.aarch64",
"openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.ppc64le",
"openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.s390x",
"openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.x86_64",
"openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.aarch64",
"openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.ppc64le",
"openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.s390x",
"openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45338",
"url": "https://www.suse.com/security/cve/CVE-2024-45338"
},
{
"category": "external",
"summary": "SUSE Bug 1234794 for CVE-2024-45338",
"url": "https://bugzilla.suse.com/1234794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:rclone-1.69.0-1.1.aarch64",
"openSUSE Tumbleweed:rclone-1.69.0-1.1.ppc64le",
"openSUSE Tumbleweed:rclone-1.69.0-1.1.s390x",
"openSUSE Tumbleweed:rclone-1.69.0-1.1.x86_64",
"openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.aarch64",
"openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.ppc64le",
"openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.s390x",
"openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.x86_64",
"openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.aarch64",
"openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.ppc64le",
"openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.s390x",
"openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:rclone-1.69.0-1.1.aarch64",
"openSUSE Tumbleweed:rclone-1.69.0-1.1.ppc64le",
"openSUSE Tumbleweed:rclone-1.69.0-1.1.s390x",
"openSUSE Tumbleweed:rclone-1.69.0-1.1.x86_64",
"openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.aarch64",
"openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.ppc64le",
"openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.s390x",
"openSUSE Tumbleweed:rclone-bash-completion-1.69.0-1.1.x86_64",
"openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.aarch64",
"openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.ppc64le",
"openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.s390x",
"openSUSE Tumbleweed:rclone-zsh-completion-1.69.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-13T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-45338"
}
]
}
OPENSUSE-SU-2025:14663-1
Vulnerability from csaf_opensuse - Published: 2025-01-17 00:00 - Updated: 2025-01-17 00:00Summary
velociraptor-0.7.0.4.git142.862ef23-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: velociraptor-0.7.0.4.git142.862ef23-1.1 on GA media
Description of the patch: These are all security issues fixed in the velociraptor-0.7.0.4.git142.862ef23-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2025-14663
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.3 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.3 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
9.3 (Critical)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
critical
7.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
4.3 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.3 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.9 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
6.1 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
4.8 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
8.2 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
6 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
74 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "velociraptor-0.7.0.4.git142.862ef23-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the velociraptor-0.7.0.4.git142.862ef23-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-14663",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_14663-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2025:14663-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IL7QOYRPFRGRS6UKU6ZYHI76FWFFUJNK/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2025:14663-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IL7QOYRPFRGRS6UKU6ZYHI76FWFFUJNK/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-1732 page",
"url": "https://www.suse.com/security/cve/CVE-2023-1732/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-44270 page",
"url": "https://www.suse.com/security/cve/CVE-2023-44270/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-45133 page",
"url": "https://www.suse.com/security/cve/CVE-2023-45133/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-45683 page",
"url": "https://www.suse.com/security/cve/CVE-2023-45683/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-46234 page",
"url": "https://www.suse.com/security/cve/CVE-2023-46234/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-21538 page",
"url": "https://www.suse.com/security/cve/CVE-2024-21538/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-23331 page",
"url": "https://www.suse.com/security/cve/CVE-2024-23331/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-24786 page",
"url": "https://www.suse.com/security/cve/CVE-2024-24786/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-28180 page",
"url": "https://www.suse.com/security/cve/CVE-2024-28180/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-31207 page",
"url": "https://www.suse.com/security/cve/CVE-2024-31207/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-37298 page",
"url": "https://www.suse.com/security/cve/CVE-2024-37298/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-4067 page",
"url": "https://www.suse.com/security/cve/CVE-2024-4067/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-4068 page",
"url": "https://www.suse.com/security/cve/CVE-2024-4068/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-42459 page",
"url": "https://www.suse.com/security/cve/CVE-2024-42459/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-42460 page",
"url": "https://www.suse.com/security/cve/CVE-2024-42460/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-42461 page",
"url": "https://www.suse.com/security/cve/CVE-2024-42461/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45296 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45296/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45338 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45338/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45811 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45811/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45812 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45812/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-47068 page",
"url": "https://www.suse.com/security/cve/CVE-2024-47068/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-47875 page",
"url": "https://www.suse.com/security/cve/CVE-2024-47875/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-48948 page",
"url": "https://www.suse.com/security/cve/CVE-2024-48948/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-48949 page",
"url": "https://www.suse.com/security/cve/CVE-2024-48949/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-51744 page",
"url": "https://www.suse.com/security/cve/CVE-2024-51744/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-55565 page",
"url": "https://www.suse.com/security/cve/CVE-2024-55565/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-6104 page",
"url": "https://www.suse.com/security/cve/CVE-2024-6104/"
}
],
"title": "velociraptor-0.7.0.4.git142.862ef23-1.1 on GA media",
"tracking": {
"current_release_date": "2025-01-17T00:00:00Z",
"generator": {
"date": "2025-01-17T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:14663-1",
"initial_release_date": "2025-01-17T00:00:00Z",
"revision_history": [
{
"date": "2025-01-17T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"product": {
"name": "velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"product_id": "velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"product": {
"name": "velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"product_id": "velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"product": {
"name": "velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"product_id": "velociraptor-0.7.0.4.git142.862ef23-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64",
"product": {
"name": "velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64",
"product_id": "velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64"
},
"product_reference": "velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le"
},
"product_reference": "velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "velociraptor-0.7.0.4.git142.862ef23-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x"
},
"product_reference": "velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
},
"product_reference": "velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-1732",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-1732"
}
],
"notes": [
{
"category": "general",
"text": "When sampling randomness for a shared secret, the implementation of Kyber and FrodoKEM, did not check whether crypto/rand.Read() returns an error. In rare deployment cases (error thrown by the Read() function), this could lead to a predictable shared secret.\n\nThe tkn20 and blindrsa components did not check whether enough randomness was returned from the user provided randomness source. Typically the user provides crypto/rand.Reader, which in the vast majority of cases will always return the right number random bytes. In the cases where it does not, or the user provides a source that does not, the blinding for blindrsa is weak and integrity of the plaintext is not ensured in tkn20.\n\n",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-1732",
"url": "https://www.suse.com/security/cve/CVE-2023-1732"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-17T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2023-1732"
},
{
"cve": "CVE-2023-44270",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-44270"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-44270",
"url": "https://www.suse.com/security/cve/CVE-2023-44270"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-17T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2023-44270"
},
{
"cve": "CVE-2023-45133",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-45133"
}
],
"notes": [
{
"category": "general",
"text": "Babel is a compiler for writingJavaScript. In `@babel/traverse` prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of `babel-traverse`, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()`or `path.evaluateTruthy()` internal Babel methods. Known affected plugins are `@babel/plugin-transform-runtime`; `@babel/preset-env` when using its `useBuiltIns` option; and any \"polyfill provider\" plugin that depends on `@babel/helper-define-polyfill-provider`, such as `babel-plugin-polyfill-corejs3`, `babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`, `babel-plugin-polyfill-regenerator`. No other plugins under the `@babel/` namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in `@babel/traverse@7.23.2` and `@babel/traverse@8.0.0-alpha.4`. Those who cannot upgrade `@babel/traverse` and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected `@babel/traverse` versions: `@babel/plugin-transform-runtime` v7.23.2, `@babel/preset-env` v7.23.2, `@babel/helper-define-polyfill-provider` v0.4.3, `babel-plugin-polyfill-corejs2` v0.4.6, `babel-plugin-polyfill-corejs3` v0.8.5, `babel-plugin-polyfill-es-shims` v0.10.0, `babel-plugin-polyfill-regenerator` v0.5.3.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-45133",
"url": "https://www.suse.com/security/cve/CVE-2023-45133"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-17T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2023-45133"
},
{
"cve": "CVE-2023-45683",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-45683"
}
],
"notes": [
{
"category": "general",
"text": "github.com/crewjam/saml is a saml library for the go language. In affected versions the package does not validate the ACS Location URI according to the SAML binding being parsed. If abused, this flaw allows attackers to register malicious Service Providers at the IdP and inject Javascript in the ACS endpoint definition, achieving Cross-Site-Scripting (XSS) in the IdP context during the redirection at the end of a SAML SSO Flow. Consequently, an attacker may perform any authenticated action as the victim once the victim\u0027s browser loaded the SAML IdP initiated SSO link for the malicious service provider. Note: SP registration is commonly an unrestricted operation in IdPs, hence not requiring particular permissions or publicly accessible to ease the IdP interoperability. This issue is fixed in version 0.4.14. Users unable to upgrade may perform external validation of URLs provided in SAML metadata, or restrict the ability for end-users to upload arbitrary metadata.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-45683",
"url": "https://www.suse.com/security/cve/CVE-2023-45683"
},
{
"category": "external",
"summary": "SUSE Bug 1216308 for CVE-2023-45683",
"url": "https://bugzilla.suse.com/1216308"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-17T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2023-45683"
},
{
"cve": "CVE-2023-46234",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-46234"
}
],
"notes": [
{
"category": "general",
"text": "browserify-sign is a package to duplicate the functionality of node\u0027s crypto public key functions, much of this is based on Fedor Indutny\u0027s work on indutny/tls.js. An upper bound check issue in `dsaVerify` function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been patched in version 4.2.2.\n",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-46234",
"url": "https://www.suse.com/security/cve/CVE-2023-46234"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-17T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2023-46234"
},
{
"cve": "CVE-2024-21538",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-21538"
}
],
"notes": [
{
"category": "general",
"text": "Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-21538",
"url": "https://www.suse.com/security/cve/CVE-2024-21538"
},
{
"category": "external",
"summary": "SUSE Bug 1233843 for CVE-2024-21538",
"url": "https://bugzilla.suse.com/1233843"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-17T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-21538"
},
{
"cve": "CVE-2024-23331",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-23331"
}
],
"notes": [
{
"category": "general",
"text": "Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching, but the file server doesn\u0027t discriminate; a blacklist bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-23331",
"url": "https://www.suse.com/security/cve/CVE-2024-23331"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-17T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-23331"
},
{
"cve": "CVE-2024-24786",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-24786"
}
],
"notes": [
{
"category": "general",
"text": "The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-24786",
"url": "https://www.suse.com/security/cve/CVE-2024-24786"
},
{
"category": "external",
"summary": "SUSE Bug 1226136 for CVE-2024-24786",
"url": "https://bugzilla.suse.com/1226136"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-17T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-24786"
},
{
"cve": "CVE-2024-28180",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-28180"
}
],
"notes": [
{
"category": "general",
"text": "Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.\n",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-28180",
"url": "https://www.suse.com/security/cve/CVE-2024-28180"
},
{
"category": "external",
"summary": "SUSE Bug 1234984 for CVE-2024-28180",
"url": "https://bugzilla.suse.com/1234984"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-17T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-28180"
},
{
"cve": "CVE-2024-31207",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-31207"
}
],
"notes": [
{
"category": "general",
"text": "Vite (French word for \"quick\", pronounced /vit/, like \"veet\") is a frontend build tooling to improve the frontend development experience.`server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 and 2.9.18.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-31207",
"url": "https://www.suse.com/security/cve/CVE-2024-31207"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-17T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-31207"
},
{
"cve": "CVE-2024-37298",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-37298"
}
],
"notes": [
{
"category": "general",
"text": "gorilla/schema converts structs to and from form values. Prior to version 1.4.1 Running `schema.Decoder.Decode()` on a struct that has a field of type `[]struct{...}` opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality. Any use of `schema.Decoder.Decode()` on a struct with arrays of other structs could be vulnerable to this memory exhaustion vulnerability. Version 1.4.1 contains a patch for the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-37298",
"url": "https://www.suse.com/security/cve/CVE-2024-37298"
},
{
"category": "external",
"summary": "SUSE Bug 1227309 for CVE-2024-37298",
"url": "https://bugzilla.suse.com/1227309"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-17T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-37298"
},
{
"cve": "CVE-2024-4067",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-4067"
}
],
"notes": [
{
"category": "general",
"text": "The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn\u0027t find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won\u0027t start backtracking the regular expression due to greedy matching. This issue was fixed in version 4.0.8.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-4067",
"url": "https://www.suse.com/security/cve/CVE-2024-4067"
},
{
"category": "external",
"summary": "SUSE Bug 1224255 for CVE-2024-4067",
"url": "https://bugzilla.suse.com/1224255"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-17T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-4067"
},
{
"cve": "CVE-2024-4068",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-4068"
}
],
"notes": [
{
"category": "general",
"text": "The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends \"imbalanced braces\" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-4068",
"url": "https://www.suse.com/security/cve/CVE-2024-4068"
},
{
"category": "external",
"summary": "SUSE Bug 1224256 for CVE-2024-4068",
"url": "https://bugzilla.suse.com/1224256"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-17T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-4068"
},
{
"cve": "CVE-2024-42459",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-42459"
}
],
"notes": [
{
"category": "general",
"text": "In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-42459",
"url": "https://www.suse.com/security/cve/CVE-2024-42459"
},
{
"category": "external",
"summary": "SUSE Bug 1232538 for CVE-2024-42459",
"url": "https://bugzilla.suse.com/1232538"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-17T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-42459"
},
{
"cve": "CVE-2024-42460",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-42460"
}
],
"notes": [
{
"category": "general",
"text": "In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-42460",
"url": "https://www.suse.com/security/cve/CVE-2024-42460"
},
{
"category": "external",
"summary": "SUSE Bug 1232538 for CVE-2024-42460",
"url": "https://bugzilla.suse.com/1232538"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-17T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-42460"
},
{
"cve": "CVE-2024-42461",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-42461"
}
],
"notes": [
{
"category": "general",
"text": "In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-42461",
"url": "https://www.suse.com/security/cve/CVE-2024-42461"
},
{
"category": "external",
"summary": "SUSE Bug 1232538 for CVE-2024-42461",
"url": "https://bugzilla.suse.com/1232538"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-17T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-42461"
},
{
"cve": "CVE-2024-45296",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45296"
}
],
"notes": [
{
"category": "general",
"text": "path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45296",
"url": "https://www.suse.com/security/cve/CVE-2024-45296"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-17T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-45296"
},
{
"cve": "CVE-2024-45338",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45338"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45338",
"url": "https://www.suse.com/security/cve/CVE-2024-45338"
},
{
"category": "external",
"summary": "SUSE Bug 1234794 for CVE-2024-45338",
"url": "https://bugzilla.suse.com/1234794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-17T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-45338"
},
{
"cve": "CVE-2024-45811",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45811"
}
],
"notes": [
{
"category": "general",
"text": "Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?import\u0026raw` to the URL bypasses this limitation and returns the file content if it exists. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45811",
"url": "https://www.suse.com/security/cve/CVE-2024-45811"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-17T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-45811"
},
{
"cve": "CVE-2024-45812",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45812"
}
],
"notes": [
{
"category": "general",
"text": "Vite a frontend build tooling framework for javascript. Affected versions of vite were discovered to contain a DOM Clobbering vulnerability when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. We have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to `cjs`, `iife`, or `umd`. In such cases, Vite replaces relative paths starting with `__VITE_ASSET__` using the URL retrieved from `document.currentScript`. However, this implementation is vulnerable to a DOM Clobbering attack. The `document.currentScript` lookup can be shadowed by an attacker via the browser\u0027s named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server. This vulnerability can result in cross-site scripting (XSS) attacks on websites that include Vite-bundled files (configured with an output format of `cjs`, `iife`, or `umd`) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45812",
"url": "https://www.suse.com/security/cve/CVE-2024-45812"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-17T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-45812"
},
{
"cve": "CVE-2024-47068",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-47068"
}
],
"notes": [
{
"category": "general",
"text": "Rollup is a module bundler for JavaScript. Versions prior to 2.79.2, 3.29.5, and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from `import.meta` (e.g., `import.meta.url`) in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Versions 2.79.2, 3.29.5, and 4.22.4 contain a patch for the vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-47068",
"url": "https://www.suse.com/security/cve/CVE-2024-47068"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-17T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-47068"
},
{
"cve": "CVE-2024-47875",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-47875"
}
],
"notes": [
{
"category": "general",
"text": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-47875",
"url": "https://www.suse.com/security/cve/CVE-2024-47875"
},
{
"category": "external",
"summary": "SUSE Bug 1231571 for CVE-2024-47875",
"url": "https://bugzilla.suse.com/1231571"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-17T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-47875"
},
{
"cve": "CVE-2024-48948",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-48948"
}
],
"notes": [
{
"category": "general",
"text": "The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve\u0027s base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-48948",
"url": "https://www.suse.com/security/cve/CVE-2024-48948"
},
{
"category": "external",
"summary": "SUSE Bug 1231681 for CVE-2024-48948",
"url": "https://bugzilla.suse.com/1231681"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-17T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-48948"
},
{
"cve": "CVE-2024-48949",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-48949"
}
],
"notes": [
{
"category": "general",
"text": "The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits \"sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()\" validation.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-48949",
"url": "https://www.suse.com/security/cve/CVE-2024-48949"
},
{
"category": "external",
"summary": "SUSE Bug 1231557 for CVE-2024-48949",
"url": "https://bugzilla.suse.com/1231557"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-17T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-48949"
},
{
"cve": "CVE-2024-51744",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-51744"
}
],
"notes": [
{
"category": "general",
"text": "golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in \"dangerous\" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors (\"dangerous\" ones first), so that you are not running in the case detailed above.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-51744",
"url": "https://www.suse.com/security/cve/CVE-2024-51744"
},
{
"category": "external",
"summary": "SUSE Bug 1232936 for CVE-2024-51744",
"url": "https://bugzilla.suse.com/1232936"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-17T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2024-51744"
},
{
"cve": "CVE-2024-55565",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-55565"
}
],
"notes": [
{
"category": "general",
"text": "nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-55565",
"url": "https://www.suse.com/security/cve/CVE-2024-55565"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-17T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-55565"
},
{
"cve": "CVE-2024-6104",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-6104"
}
],
"notes": [
{
"category": "general",
"text": "go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-6104",
"url": "https://www.suse.com/security/cve/CVE-2024-6104"
},
{
"category": "external",
"summary": "SUSE Bug 1227024 for CVE-2024-6104",
"url": "https://bugzilla.suse.com/1227024"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.aarch64",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.ppc64le",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.s390x",
"openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-17T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-6104"
}
]
}
OPENSUSE-SU-2025:14666-1
Vulnerability from csaf_opensuse - Published: 2025-01-21 00:00 - Updated: 2025-01-21 00:00Summary
helmfile-0.170.0-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: helmfile-0.170.0-1.1 on GA media
Description of the patch: These are all security issues fixed in the helmfile-0.170.0-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2025-14666
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.9 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:helmfile-0.170.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helmfile-0.170.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helmfile-0.170.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helmfile-0.170.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helmfile-bash-completion-0.170.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helmfile-bash-completion-0.170.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helmfile-bash-completion-0.170.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helmfile-bash-completion-0.170.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helmfile-fish-completion-0.170.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helmfile-fish-completion-0.170.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helmfile-fish-completion-0.170.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helmfile-fish-completion-0.170.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helmfile-zsh-completion-0.170.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helmfile-zsh-completion-0.170.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helmfile-zsh-completion-0.170.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helmfile-zsh-completion-0.170.0-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
7 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "helmfile-0.170.0-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the helmfile-0.170.0-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-14666",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_14666-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2025:14666-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VI6PLACYTL73MKICQUXPS2F2JPQOB565/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2025:14666-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VI6PLACYTL73MKICQUXPS2F2JPQOB565/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45338 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45338/"
}
],
"title": "helmfile-0.170.0-1.1 on GA media",
"tracking": {
"current_release_date": "2025-01-21T00:00:00Z",
"generator": {
"date": "2025-01-21T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:14666-1",
"initial_release_date": "2025-01-21T00:00:00Z",
"revision_history": [
{
"date": "2025-01-21T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "helmfile-0.170.0-1.1.aarch64",
"product": {
"name": "helmfile-0.170.0-1.1.aarch64",
"product_id": "helmfile-0.170.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "helmfile-bash-completion-0.170.0-1.1.aarch64",
"product": {
"name": "helmfile-bash-completion-0.170.0-1.1.aarch64",
"product_id": "helmfile-bash-completion-0.170.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "helmfile-fish-completion-0.170.0-1.1.aarch64",
"product": {
"name": "helmfile-fish-completion-0.170.0-1.1.aarch64",
"product_id": "helmfile-fish-completion-0.170.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "helmfile-zsh-completion-0.170.0-1.1.aarch64",
"product": {
"name": "helmfile-zsh-completion-0.170.0-1.1.aarch64",
"product_id": "helmfile-zsh-completion-0.170.0-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "helmfile-0.170.0-1.1.ppc64le",
"product": {
"name": "helmfile-0.170.0-1.1.ppc64le",
"product_id": "helmfile-0.170.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "helmfile-bash-completion-0.170.0-1.1.ppc64le",
"product": {
"name": "helmfile-bash-completion-0.170.0-1.1.ppc64le",
"product_id": "helmfile-bash-completion-0.170.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "helmfile-fish-completion-0.170.0-1.1.ppc64le",
"product": {
"name": "helmfile-fish-completion-0.170.0-1.1.ppc64le",
"product_id": "helmfile-fish-completion-0.170.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "helmfile-zsh-completion-0.170.0-1.1.ppc64le",
"product": {
"name": "helmfile-zsh-completion-0.170.0-1.1.ppc64le",
"product_id": "helmfile-zsh-completion-0.170.0-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "helmfile-0.170.0-1.1.s390x",
"product": {
"name": "helmfile-0.170.0-1.1.s390x",
"product_id": "helmfile-0.170.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "helmfile-bash-completion-0.170.0-1.1.s390x",
"product": {
"name": "helmfile-bash-completion-0.170.0-1.1.s390x",
"product_id": "helmfile-bash-completion-0.170.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "helmfile-fish-completion-0.170.0-1.1.s390x",
"product": {
"name": "helmfile-fish-completion-0.170.0-1.1.s390x",
"product_id": "helmfile-fish-completion-0.170.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "helmfile-zsh-completion-0.170.0-1.1.s390x",
"product": {
"name": "helmfile-zsh-completion-0.170.0-1.1.s390x",
"product_id": "helmfile-zsh-completion-0.170.0-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "helmfile-0.170.0-1.1.x86_64",
"product": {
"name": "helmfile-0.170.0-1.1.x86_64",
"product_id": "helmfile-0.170.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "helmfile-bash-completion-0.170.0-1.1.x86_64",
"product": {
"name": "helmfile-bash-completion-0.170.0-1.1.x86_64",
"product_id": "helmfile-bash-completion-0.170.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "helmfile-fish-completion-0.170.0-1.1.x86_64",
"product": {
"name": "helmfile-fish-completion-0.170.0-1.1.x86_64",
"product_id": "helmfile-fish-completion-0.170.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "helmfile-zsh-completion-0.170.0-1.1.x86_64",
"product": {
"name": "helmfile-zsh-completion-0.170.0-1.1.x86_64",
"product_id": "helmfile-zsh-completion-0.170.0-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "helmfile-0.170.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helmfile-0.170.0-1.1.aarch64"
},
"product_reference": "helmfile-0.170.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helmfile-0.170.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helmfile-0.170.0-1.1.ppc64le"
},
"product_reference": "helmfile-0.170.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helmfile-0.170.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helmfile-0.170.0-1.1.s390x"
},
"product_reference": "helmfile-0.170.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helmfile-0.170.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helmfile-0.170.0-1.1.x86_64"
},
"product_reference": "helmfile-0.170.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helmfile-bash-completion-0.170.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helmfile-bash-completion-0.170.0-1.1.aarch64"
},
"product_reference": "helmfile-bash-completion-0.170.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helmfile-bash-completion-0.170.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helmfile-bash-completion-0.170.0-1.1.ppc64le"
},
"product_reference": "helmfile-bash-completion-0.170.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helmfile-bash-completion-0.170.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helmfile-bash-completion-0.170.0-1.1.s390x"
},
"product_reference": "helmfile-bash-completion-0.170.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helmfile-bash-completion-0.170.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helmfile-bash-completion-0.170.0-1.1.x86_64"
},
"product_reference": "helmfile-bash-completion-0.170.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helmfile-fish-completion-0.170.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helmfile-fish-completion-0.170.0-1.1.aarch64"
},
"product_reference": "helmfile-fish-completion-0.170.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helmfile-fish-completion-0.170.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helmfile-fish-completion-0.170.0-1.1.ppc64le"
},
"product_reference": "helmfile-fish-completion-0.170.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helmfile-fish-completion-0.170.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helmfile-fish-completion-0.170.0-1.1.s390x"
},
"product_reference": "helmfile-fish-completion-0.170.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helmfile-fish-completion-0.170.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helmfile-fish-completion-0.170.0-1.1.x86_64"
},
"product_reference": "helmfile-fish-completion-0.170.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helmfile-zsh-completion-0.170.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helmfile-zsh-completion-0.170.0-1.1.aarch64"
},
"product_reference": "helmfile-zsh-completion-0.170.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helmfile-zsh-completion-0.170.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helmfile-zsh-completion-0.170.0-1.1.ppc64le"
},
"product_reference": "helmfile-zsh-completion-0.170.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helmfile-zsh-completion-0.170.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helmfile-zsh-completion-0.170.0-1.1.s390x"
},
"product_reference": "helmfile-zsh-completion-0.170.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helmfile-zsh-completion-0.170.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helmfile-zsh-completion-0.170.0-1.1.x86_64"
},
"product_reference": "helmfile-zsh-completion-0.170.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45338",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45338"
}
],
"notes": [
{
"category": "general",
"text": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:helmfile-0.170.0-1.1.aarch64",
"openSUSE Tumbleweed:helmfile-0.170.0-1.1.ppc64le",
"openSUSE Tumbleweed:helmfile-0.170.0-1.1.s390x",
"openSUSE Tumbleweed:helmfile-0.170.0-1.1.x86_64",
"openSUSE Tumbleweed:helmfile-bash-completion-0.170.0-1.1.aarch64",
"openSUSE Tumbleweed:helmfile-bash-completion-0.170.0-1.1.ppc64le",
"openSUSE Tumbleweed:helmfile-bash-completion-0.170.0-1.1.s390x",
"openSUSE Tumbleweed:helmfile-bash-completion-0.170.0-1.1.x86_64",
"openSUSE Tumbleweed:helmfile-fish-completion-0.170.0-1.1.aarch64",
"openSUSE Tumbleweed:helmfile-fish-completion-0.170.0-1.1.ppc64le",
"openSUSE Tumbleweed:helmfile-fish-completion-0.170.0-1.1.s390x",
"openSUSE Tumbleweed:helmfile-fish-completion-0.170.0-1.1.x86_64",
"openSUSE Tumbleweed:helmfile-zsh-completion-0.170.0-1.1.aarch64",
"openSUSE Tumbleweed:helmfile-zsh-completion-0.170.0-1.1.ppc64le",
"openSUSE Tumbleweed:helmfile-zsh-completion-0.170.0-1.1.s390x",
"openSUSE Tumbleweed:helmfile-zsh-completion-0.170.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45338",
"url": "https://www.suse.com/security/cve/CVE-2024-45338"
},
{
"category": "external",
"summary": "SUSE Bug 1234794 for CVE-2024-45338",
"url": "https://bugzilla.suse.com/1234794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:helmfile-0.170.0-1.1.aarch64",
"openSUSE Tumbleweed:helmfile-0.170.0-1.1.ppc64le",
"openSUSE Tumbleweed:helmfile-0.170.0-1.1.s390x",
"openSUSE Tumbleweed:helmfile-0.170.0-1.1.x86_64",
"openSUSE Tumbleweed:helmfile-bash-completion-0.170.0-1.1.aarch64",
"openSUSE Tumbleweed:helmfile-bash-completion-0.170.0-1.1.ppc64le",
"openSUSE Tumbleweed:helmfile-bash-completion-0.170.0-1.1.s390x",
"openSUSE Tumbleweed:helmfile-bash-completion-0.170.0-1.1.x86_64",
"openSUSE Tumbleweed:helmfile-fish-completion-0.170.0-1.1.aarch64",
"openSUSE Tumbleweed:helmfile-fish-completion-0.170.0-1.1.ppc64le",
"openSUSE Tumbleweed:helmfile-fish-completion-0.170.0-1.1.s390x",
"openSUSE Tumbleweed:helmfile-fish-completion-0.170.0-1.1.x86_64",
"openSUSE Tumbleweed:helmfile-zsh-completion-0.170.0-1.1.aarch64",
"openSUSE Tumbleweed:helmfile-zsh-completion-0.170.0-1.1.ppc64le",
"openSUSE Tumbleweed:helmfile-zsh-completion-0.170.0-1.1.s390x",
"openSUSE Tumbleweed:helmfile-zsh-completion-0.170.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:helmfile-0.170.0-1.1.aarch64",
"openSUSE Tumbleweed:helmfile-0.170.0-1.1.ppc64le",
"openSUSE Tumbleweed:helmfile-0.170.0-1.1.s390x",
"openSUSE Tumbleweed:helmfile-0.170.0-1.1.x86_64",
"openSUSE Tumbleweed:helmfile-bash-completion-0.170.0-1.1.aarch64",
"openSUSE Tumbleweed:helmfile-bash-completion-0.170.0-1.1.ppc64le",
"openSUSE Tumbleweed:helmfile-bash-completion-0.170.0-1.1.s390x",
"openSUSE Tumbleweed:helmfile-bash-completion-0.170.0-1.1.x86_64",
"openSUSE Tumbleweed:helmfile-fish-completion-0.170.0-1.1.aarch64",
"openSUSE Tumbleweed:helmfile-fish-completion-0.170.0-1.1.ppc64le",
"openSUSE Tumbleweed:helmfile-fish-completion-0.170.0-1.1.s390x",
"openSUSE Tumbleweed:helmfile-fish-completion-0.170.0-1.1.x86_64",
"openSUSE Tumbleweed:helmfile-zsh-completion-0.170.0-1.1.aarch64",
"openSUSE Tumbleweed:helmfile-zsh-completion-0.170.0-1.1.ppc64le",
"openSUSE Tumbleweed:helmfile-zsh-completion-0.170.0-1.1.s390x",
"openSUSE Tumbleweed:helmfile-zsh-completion-0.170.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-21T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-45338"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…