govulncheck-vulndb-0.0.20250424T181457-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:15033-1 Final 1 1 2025-04-26T00:00:00Z current 2025-04-26T00:00:00Z 2025-04-26T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z govulncheck-vulndb-0.0.20250424T181457-1.1 on GA media These are all security issues fixed in the govulncheck-vulndb-0.0.20250424T181457-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-15033 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FCMCOT6M37QF2P6G2RKTQYT3ZKNAKIUV/ E-Mail link for openSUSE-SU-2025:15033-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-14992/ SUSE CVE CVE-2017-14992 page https://www.suse.com/security/cve/CVE-2017-9232/ SUSE CVE CVE-2017-9232 page https://www.suse.com/security/cve/CVE-2025-35965/ SUSE CVE CVE-2025-35965 page https://www.suse.com/security/cve/CVE-2025-41395/ SUSE CVE CVE-2025-41395 page https://www.suse.com/security/cve/CVE-2025-41423/ SUSE CVE CVE-2025-41423 page openSUSE Tumbleweed govulncheck-vulndb-0.0.20250424T181457-1.1 govulncheck-vulndb-0.0.20250424T181457-1.1 as a component of openSUSE Tumbleweed Lack of content verification in Docker-CE (Also known as Moby) versions 1.12.6-0, 1.10.3, 17.03.0, 17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2, 17.09.0, and earlier allows a remote attacker to cause a Denial of Service via a crafted image layer payload, aka gzip bombing. CVE-2017-14992 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250424T181457-1.1 moderate 4.9 AV:L/AC:L/Au:N/C:N/I:N/A:C 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FCMCOT6M37QF2P6G2RKTQYT3ZKNAKIUV/ https://www.suse.com/security/cve/CVE-2017-14992.html CVE-2017-14992 https://bugzilla.suse.com/1066210 SUSE Bug 1066210 Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appropriate permissions, allowing privilege escalation by users on the system to root. CVE-2017-9232 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250424T181457-1.1 moderate 10 AV:N/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FCMCOT6M37QF2P6G2RKTQYT3ZKNAKIUV/ https://www.suse.com/security/cve/CVE-2017-9232.html CVE-2017-9232 Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions triggered by specific posts, overloading the server and leading to a denial-of-service (DoS) condition. CVE-2025-35965 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250424T181457-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FCMCOT6M37QF2P6G2RKTQYT3ZKNAKIUV/ https://www.suse.com/security/cve/CVE-2025-35965.html CVE-2025-35965 Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin, which allows an attacker to create a specially crafted post with maliciously crafted props and cause a denial of service (DoS) of the web app for all users. CVE-2025-41395 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250424T181457-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FCMCOT6M37QF2P6G2RKTQYT3ZKNAKIUV/ https://www.suse.com/security/cve/CVE-2025-41395.html CVE-2025-41395 Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, allowing any user or attacker to delete posts containing actions created by the Playbooks bot, even without channel access or appropriate permissions. CVE-2025-41423 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250424T181457-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FCMCOT6M37QF2P6G2RKTQYT3ZKNAKIUV/ https://www.suse.com/security/cve/CVE-2025-41423.html CVE-2025-41423