govulncheck-vulndb-0.0.20250402T160203-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:14970-1 Final 1 1 2025-04-04T00:00:00Z current 2025-04-04T00:00:00Z 2025-04-04T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z govulncheck-vulndb-0.0.20250402T160203-1.1 on GA media These are all security issues fixed in the govulncheck-vulndb-0.0.20250402T160203-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-14970 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZBHJANMC5TN4MHLVGPYKJGT774IKFUQ3/ E-Mail link for openSUSE-SU-2025:14970-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-0312/ SUSE CVE CVE-2025-0312 page https://www.suse.com/security/cve/CVE-2025-23391/ SUSE CVE CVE-2025-23391 page https://www.suse.com/security/cve/CVE-2025-29072/ SUSE CVE CVE-2025-29072 page https://www.suse.com/security/cve/CVE-2025-29868/ SUSE CVE CVE-2025-29868 page https://www.suse.com/security/cve/CVE-2025-30223/ SUSE CVE CVE-2025-30223 page https://www.suse.com/security/cve/CVE-2025-31135/ SUSE CVE CVE-2025-31135 page openSUSE Tumbleweed govulncheck-vulndb-0.0.20250402T160203-1.1 govulncheck-vulndb-0.0.20250402T160203-1.1 as a component of openSUSE Tumbleweed A vulnerability in ollama/ollama versions <=0.3.14 allows a malicious user to create a customized GGUF model file that, when uploaded and created on the Ollama server, can cause a crash due to an unchecked null pointer dereference. This can lead to a Denial of Service (DoS) attack via remote network. CVE-2025-0312 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250402T160203-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZBHJANMC5TN4MHLVGPYKJGT774IKFUQ3/ https://www.suse.com/security/cve/CVE-2025-0312.html CVE-2025-0312 https://bugzilla.suse.com/1239838 SUSE Bug 1239838 A Incorrect Privilege Assignment vulnerability in SUSE rancher allows a Restricted Administrator to change the password of Administrators and take over their accounts. This issue affects rancher: from 2.8.0 before 2.8.14, from 2.9.0 before 2.9.8, from 2.10.0 before 2.10.4. CVE-2025-23391 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250402T160203-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZBHJANMC5TN4MHLVGPYKJGT774IKFUQ3/ https://www.suse.com/security/cve/CVE-2025-23391.html CVE-2025-23391 https://bugzilla.suse.com/1239007 SUSE Bug 1239007 An integer overflow in Nethermind Juno before v.12.05 within the Sierra bytecode decompression logic within the "cairo-lang-starknet-classes" library could allow remote attackers to trigger an infinite loop (and high CPU usage) by submitting a malicious Declare v2/v3 transaction. This results in a denial-of-service condition for affected Starknet full-node implementations. CVE-2025-29072 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250402T160203-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZBHJANMC5TN4MHLVGPYKJGT774IKFUQ3/ https://www.suse.com/security/cve/CVE-2025-29072.html CVE-2025-29072 Private Data Structure Returned From A Public Method vulnerability in Apache Answer. This issue affects Apache Answer: through 1.4.2. If a user uses an externally referenced image, when a user accesses this image, the provider of the image may obtain private information about the ip address of that accessing user. Users are recommended to upgrade to version 1.4.5, which fixes the issue. In the new version, administrators can set whether external content can be displayed. CVE-2025-29868 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250402T160203-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZBHJANMC5TN4MHLVGPYKJGT774IKFUQ3/ https://www.suse.com/security/cve/CVE-2025-29868.html CVE-2025-29868 Beego is an open-source web framework for the Go programming language. Prior to 2.3.6, a Cross-Site Scripting (XSS) vulnerability exists in Beego's RenderForm() function due to improper HTML escaping of user-controlled data. This vulnerability allows attackers to inject malicious JavaScript code that executes in victims' browsers, potentially leading to session hijacking, credential theft, or account takeover. The vulnerability affects any application using Beego's RenderForm() function with user-provided data. Since it is a high-level function generating an entire form markup, many developers would assume it automatically escapes attributes (the way most frameworks do). This vulnerability is fixed in 2.3.6. CVE-2025-30223 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250402T160203-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZBHJANMC5TN4MHLVGPYKJGT774IKFUQ3/ https://www.suse.com/security/cve/CVE-2025-30223.html CVE-2025-30223 Go-Guerrilla SMTP Daemon is a lightweight SMTP server written in Go. Prior to 1.6.7, when ProxyOn is enabled, the PROXY command will be accepted multiple times, with later invocations overriding earlier ones. The proxy protocol only supports one initial PROXY header; anything after that is considered part of the exchange between client and server, so the client is free to send further PROXY commands with whatever data it pleases. go-guerrilla will treat these as coming from the reverse proxy, allowing a client to spoof its IP address. This vulnerability is fixed in 1.6.7. CVE-2025-31135 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250402T160203-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZBHJANMC5TN4MHLVGPYKJGT774IKFUQ3/ https://www.suse.com/security/cve/CVE-2025-31135.html CVE-2025-31135