govulncheck-vulndb-0.0.20250109T194159-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:14644-1 Final 1 1 2025-01-14T00:00:00Z current 2025-01-14T00:00:00Z 2025-01-14T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z govulncheck-vulndb-0.0.20250109T194159-1.1 on GA media These are all security issues fixed in the govulncheck-vulndb-0.0.20250109T194159-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-14644 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/L4N4W6VRBQ6LXRMKE4XQATP6QUUXHQOR/ E-Mail link for openSUSE-SU-2025:14644-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-20033/ SUSE CVE CVE-2025-20033 page https://www.suse.com/security/cve/CVE-2025-22149/ SUSE CVE CVE-2025-22149 page https://www.suse.com/security/cve/CVE-2025-22445/ SUSE CVE CVE-2025-22445 page https://www.suse.com/security/cve/CVE-2025-22449/ SUSE CVE CVE-2025-22449 page openSUSE Tumbleweed govulncheck-vulndb-0.0.20250109T194159-1.1 govulncheck-vulndb-0.0.20250109T194159-1.1 as a component of openSUSE Tumbleweed Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_notification type and specific props. CVE-2025-20033 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/L4N4W6VRBQ6LXRMKE4XQATP6QUUXHQOR/ https://www.suse.com/security/cve/CVE-2025-20033.html CVE-2025-20033 JWK Set (JSON Web Key Set) is a JWK and JWK Set Go implementation. Prior to 0.6.0, the project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation. The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value). CVE-2025-22149 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/L4N4W6VRBQ6LXRMKE4XQATP6QUUXHQOR/ https://www.suse.com/security/cve/CVE-2025-22149.html CVE-2025-22149 Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting. CVE-2025-22445 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/L4N4W6VRBQ6LXRMKE4XQATP6QUUXHQOR/ https://www.suse.com/security/cve/CVE-2025-22445.html CVE-2025-22445 Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite" field via making their team public. CVE-2025-22449 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250109T194159-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/L4N4W6VRBQ6LXRMKE4XQATP6QUUXHQOR/ https://www.suse.com/security/cve/CVE-2025-22449.html CVE-2025-22449