govulncheck-vulndb-0.0.20250515T200012-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:15135-1 Final 1 1 2025-05-20T00:00:00Z current 2025-05-20T00:00:00Z 2025-05-20T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z govulncheck-vulndb-0.0.20250515T200012-1.1 on GA media These are all security issues fixed in the govulncheck-vulndb-0.0.20250515T200012-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-15135 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QOPKRPL75SZMLT3YSQAZEDWH7RBRXGJK/ E-Mail link for openSUSE-SU-2025:15135-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-52290/ SUSE CVE CVE-2024-52290 page https://www.suse.com/security/cve/CVE-2024-8063/ SUSE CVE CVE-2024-8063 page https://www.suse.com/security/cve/CVE-2025-3757/ SUSE CVE CVE-2025-3757 page https://www.suse.com/security/cve/CVE-2025-3931/ SUSE CVE CVE-2025-3931 page https://www.suse.com/security/cve/CVE-2025-4432/ SUSE CVE CVE-2025-4432 page https://www.suse.com/security/cve/CVE-2025-46331/ SUSE CVE CVE-2025-46331 page https://www.suse.com/security/cve/CVE-2025-4658/ SUSE CVE CVE-2025-4658 page https://www.suse.com/security/cve/CVE-2025-46721/ SUSE CVE CVE-2025-46721 page https://www.suse.com/security/cve/CVE-2025-46735/ SUSE CVE CVE-2025-46735 page https://www.suse.com/security/cve/CVE-2025-46815/ SUSE CVE CVE-2025-46815 page https://www.suse.com/security/cve/CVE-2025-46816/ SUSE CVE CVE-2025-46816 page openSUSE Tumbleweed govulncheck-vulndb-0.0.20250515T200012-1.1 govulncheck-vulndb-0.0.20250515T200012-1.1 as a component of openSUSE Tumbleweed LF Edge eKuiper is a lightweight internet of things (IoT) data analytics and stream processing engine. Prior to version 2.1.0 user with rights to modificate the service (e.g. kuiperUser role) can inject a cross-site scripting payload into Connection Configuration key `Name` (`confKey`) parameter. After this setup, when any user with access to this service (e.g. admin) tries to delete this key, a payload acts in the victim's browser. Version 2.1.0 fixes the issue. CVE-2024-52290 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250515T200012-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QOPKRPL75SZMLT3YSQAZEDWH7RBRXGJK/ https://www.suse.com/security/cve/CVE-2024-52290.html CVE-2024-52290 A divide by zero vulnerability exists in ollama/ollama version v0.3.3. The vulnerability occurs when importing GGUF models with a crafted type for `block_count` in the Modelfile. This can lead to a denial of service (DoS) condition when the server processes the model, causing it to crash. CVE-2024-8063 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250515T200012-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QOPKRPL75SZMLT3YSQAZEDWH7RBRXGJK/ https://www.suse.com/security/cve/CVE-2024-8063.html CVE-2024-8063 https://bugzilla.suse.com/1239831 SUSE Bug 1239831 Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. CVE-2025-3757 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250515T200012-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QOPKRPL75SZMLT3YSQAZEDWH7RBRXGJK/ https://www.suse.com/security/cve/CVE-2025-3757.html CVE-2025-3757 A flaw was found in Yggdrasil, which acts as a system broker, allowing the processes to communicate to other children's "worker" processes through the DBus component. Yggdrasil creates a DBus method to dispatch messages to workers. However, it misses authentication and authorization checks, allowing every system user to call it. One available Yggdrasil worker acts as a package manager with capabilities to create and enable new repositories and install or remove packages. This flaw allows an attacker with access to the system to leverage the lack of authentication on the dispatch message to force the Yggdrasil worker to install arbitrary RPM packages. This issue results in local privilege escalation, enabling the attacker to access and modify sensitive system data. CVE-2025-3931 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250515T200012-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QOPKRPL75SZMLT3YSQAZEDWH7RBRXGJK/ https://www.suse.com/security/cve/CVE-2025-3931.html CVE-2025-3931 A flaw was found in Rust's Ring package. A panic may be triggered when overflow checking is enabled. In the QUIC protocol, this flaw allows an attacker to induce this panic by sending a specially crafted packet. It will likely occur unintentionally in 1 out of every 2**32 packets sent or received. CVE-2025-4432 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250515T200012-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QOPKRPL75SZMLT3YSQAZEDWH7RBRXGJK/ https://www.suse.com/security/cve/CVE-2025-4432.html CVE-2025-4432 OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.10 to v1.3.6 (Helm chart <= openfga-0.2.28, docker <= v.1.8.10) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. This issue has been patched in version 1.8.11. CVE-2025-46331 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250515T200012-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QOPKRPL75SZMLT3YSQAZEDWH7RBRXGJK/ https://www.suse.com/security/cve/CVE-2025-46331.html CVE-2025-46331 Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. As OPKSSH depends on the OpenPubkey library for authentication, this vulnerability in OpenPubkey also applies to OPKSSH versions prior to 0.5.0 and would allow an attacker to bypass OPKSSH authentication. CVE-2025-4658 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250515T200012-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QOPKRPL75SZMLT3YSQAZEDWH7RBRXGJK/ https://www.suse.com/security/cve/CVE-2025-4658.html CVE-2025-4658 nosurf is cross-site request forgery (CSRF) protection middleware for Go. A vulnerability in versions prior to 1.2.0 allows an attacker who controls content on the target site, or on a subdomain of the target site (either via XSS, or otherwise) to bypass CSRF checks and issue requests on user's behalf. Due to misuse of the Go `net/http` library, nosurf categorizes all incoming requests as plain-text HTTP requests, in which case the `Referer` header is not checked to have the same origin as the target webpage. If the attacker has control over HTML contents on either the target website (e.g. `example.com`), or on a website hosted on a subdomain of the target (e.g. `attacker.example.com`), they will also be able to manipulate cookies set for the target website. By acquiring the secret CSRF token from the cookie, or overriding the cookie with a new token known to the attacker, `attacker.example.com` is able to craft cross-site requests to `example.com`. A patch for the issue was released in nosurf 1.2.0. In lieu of upgrading to a patched version of nosurf, users may additionally use another HTTP middleware to ensure that a non-safe HTTP request is coming from the same origin (e.g. by requiring a `Sec-Fetch-Site: same-origin` header in the request). CVE-2025-46721 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250515T200012-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QOPKRPL75SZMLT3YSQAZEDWH7RBRXGJK/ https://www.suse.com/security/cve/CVE-2025-46721.html CVE-2025-46721 Terraform WinDNS Provider allows users to manage their Windows DNS server resources through Terraform. A security issue has been found in Terraform WinDNS Provider before version `1.0.5`. The `windns_record` resource did not sanitize the input variables. This could lead to authenticated command injection in the underlyding powershell command prompt. Version 1.0.5 contains a fix for the issue. CVE-2025-46735 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250515T200012-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QOPKRPL75SZMLT3YSQAZEDWH7RBRXGJK/ https://www.suse.com/security/cve/CVE-2025-46735.html CVE-2025-46735 The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application's URI to retrieve the id and token, enabling them to authenticate on behalf of the user. It's important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API. Versions 3.0.0, 2.71.9, and 2.70.10 contain a fix for the issue. No known workarounds other than upgrading are available. CVE-2025-46815 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250515T200012-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QOPKRPL75SZMLT3YSQAZEDWH7RBRXGJK/ https://www.suse.com/security/cve/CVE-2025-46815.html CVE-2025-46815 goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not checks the option cli `-c`, thus allowing anyone to execute arbitrary command through the use of websockets. Version 1.0.5 fixes the issue. CVE-2025-46816 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250515T200012-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QOPKRPL75SZMLT3YSQAZEDWH7RBRXGJK/ https://www.suse.com/security/cve/CVE-2025-46816.html CVE-2025-46816