openbao-2.3.1-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:15254-1 Final 1 1 2025-07-03T00:00:00Z current 2025-07-03T00:00:00Z 2025-07-03T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z openbao-2.3.1-1.1 on GA media These are all security issues fixed in the openbao-2.3.1-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-15254 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-4656/ SUSE CVE CVE-2025-4656 page https://www.suse.com/security/cve/CVE-2025-52893/ SUSE CVE CVE-2025-52893 page https://www.suse.com/security/cve/CVE-2025-52894/ SUSE CVE CVE-2025-52894 page openSUSE Tumbleweed openbao-2.3.1-1.1 openbao-agent-2.3.1-1.1 openbao-cassandra-database-plugin-2.3.1-1.1 openbao-influxdb-database-plugin-2.3.1-1.1 openbao-mysql-database-plugin-2.3.1-1.1 openbao-mysql-legacy-database-plugin-2.3.1-1.1 openbao-postgresql-database-plugin-2.3.1-1.1 openbao-server-2.3.1-1.1 openbao-2.3.1-1.1 as a component of openSUSE Tumbleweed openbao-agent-2.3.1-1.1 as a component of openSUSE Tumbleweed openbao-cassandra-database-plugin-2.3.1-1.1 as a component of openSUSE Tumbleweed openbao-influxdb-database-plugin-2.3.1-1.1 as a component of openSUSE Tumbleweed openbao-mysql-database-plugin-2.3.1-1.1 as a component of openSUSE Tumbleweed openbao-mysql-legacy-database-plugin-2.3.1-1.1 as a component of openSUSE Tumbleweed openbao-postgresql-database-plugin-2.3.1-1.1 as a component of openSUSE Tumbleweed openbao-server-2.3.1-1.1 as a component of openSUSE Tumbleweed Vault Community and Vault Enterprise rekey and recovery key operations can lead to a denial of service due to uncontrolled cancellation by a Vault operator. This vulnerability (CVE-2025-4656) has been remediated in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11, 1.17.17, and 1.16.22. CVE-2025-4656 openSUSE Tumbleweed:openbao-2.3.1-1.1 openSUSE Tumbleweed:openbao-agent-2.3.1-1.1 openSUSE Tumbleweed:openbao-cassandra-database-plugin-2.3.1-1.1 openSUSE Tumbleweed:openbao-influxdb-database-plugin-2.3.1-1.1 openSUSE Tumbleweed:openbao-mysql-database-plugin-2.3.1-1.1 openSUSE Tumbleweed:openbao-mysql-legacy-database-plugin-2.3.1-1.1 openSUSE Tumbleweed:openbao-postgresql-database-plugin-2.3.1-1.1 openSUSE Tumbleweed:openbao-server-2.3.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-4656.html CVE-2025-4656 OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 may leak sensitive information in logs when processing malformed data. This is separate from the earlier HCSEC-2025-09 / CVE-2025-4166. This issue has been fixed in OpenBao v2.3.0 and later. Like with HCSEC-2025-09, there is no known workaround except to ensure properly formatted requests from all clients. CVE-2025-52893 openSUSE Tumbleweed:openbao-2.3.1-1.1 openSUSE Tumbleweed:openbao-agent-2.3.1-1.1 openSUSE Tumbleweed:openbao-cassandra-database-plugin-2.3.1-1.1 openSUSE Tumbleweed:openbao-influxdb-database-plugin-2.3.1-1.1 openSUSE Tumbleweed:openbao-mysql-database-plugin-2.3.1-1.1 openSUSE Tumbleweed:openbao-mysql-legacy-database-plugin-2.3.1-1.1 openSUSE Tumbleweed:openbao-postgresql-database-plugin-2.3.1-1.1 openSUSE Tumbleweed:openbao-server-2.3.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-52893.html CVE-2025-52893 https://bugzilla.suse.com/1245381 SUSE Bug 1245381 OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 allowed an attacker to perform unauthenticated, unaudited cancellation of root rekey and recovery rekey operations, effecting a denial of service. In OpenBao v2.2.0 and later, manually setting the configuration option `disable_unauthed_rekey_endpoints=true` allows an operator to deny these rarely-used endpoints on global listeners. A patch is available at commit fe75468822a22a88318c6079425357a02ae5b77b. In a future OpenBao release communicated on OpenBao's website, the maintainers will set this to `true` for all users and provide an authenticated alternative. As a workaround, if an active proxy or load balancer sits in front of OpenBao, an operator can deny requests to these endpoints from unauthorized IP ranges. CVE-2025-52894 openSUSE Tumbleweed:openbao-2.3.1-1.1 openSUSE Tumbleweed:openbao-agent-2.3.1-1.1 openSUSE Tumbleweed:openbao-cassandra-database-plugin-2.3.1-1.1 openSUSE Tumbleweed:openbao-influxdb-database-plugin-2.3.1-1.1 openSUSE Tumbleweed:openbao-mysql-database-plugin-2.3.1-1.1 openSUSE Tumbleweed:openbao-mysql-legacy-database-plugin-2.3.1-1.1 openSUSE Tumbleweed:openbao-postgresql-database-plugin-2.3.1-1.1 openSUSE Tumbleweed:openbao-server-2.3.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-52894.html CVE-2025-52894 https://bugzilla.suse.com/1245389 SUSE Bug 1245389