libsuricata8_0_0-8.0.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:15394-1 Final 1 1 2025-07-28T00:00:00Z current 2025-07-28T00:00:00Z 2025-07-28T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libsuricata8_0_0-8.0.0-1.1 on GA media These are all security issues fixed in the libsuricata8_0_0-8.0.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-15394 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2016-10728/ SUSE CVE CVE-2016-10728 page https://www.suse.com/security/cve/CVE-2018-14568/ SUSE CVE CVE-2018-14568 page https://www.suse.com/security/cve/CVE-2019-10050/ SUSE CVE CVE-2019-10050 page https://www.suse.com/security/cve/CVE-2019-10053/ SUSE CVE CVE-2019-10053 page https://www.suse.com/security/cve/CVE-2024-23835/ SUSE CVE CVE-2024-23835 page https://www.suse.com/security/cve/CVE-2024-23836/ SUSE CVE CVE-2024-23836 page https://www.suse.com/security/cve/CVE-2024-23839/ SUSE CVE CVE-2024-23839 page https://www.suse.com/security/cve/CVE-2024-24568/ SUSE CVE CVE-2024-24568 page https://www.suse.com/security/cve/CVE-2024-32663/ SUSE CVE CVE-2024-32663 page https://www.suse.com/security/cve/CVE-2024-32664/ SUSE CVE CVE-2024-32664 page https://www.suse.com/security/cve/CVE-2024-32867/ SUSE CVE CVE-2024-32867 page https://www.suse.com/security/cve/CVE-2024-37151/ SUSE CVE CVE-2024-37151 page https://www.suse.com/security/cve/CVE-2024-38534/ SUSE CVE CVE-2024-38534 page https://www.suse.com/security/cve/CVE-2024-38535/ SUSE CVE CVE-2024-38535 page https://www.suse.com/security/cve/CVE-2024-38536/ SUSE CVE CVE-2024-38536 page https://www.suse.com/security/cve/CVE-2024-45795/ SUSE CVE CVE-2024-45795 page https://www.suse.com/security/cve/CVE-2024-45796/ SUSE CVE CVE-2024-45796 page https://www.suse.com/security/cve/CVE-2024-45797/ SUSE CVE CVE-2024-45797 page https://www.suse.com/security/cve/CVE-2024-47187/ SUSE CVE CVE-2024-47187 page https://www.suse.com/security/cve/CVE-2024-47188/ SUSE CVE CVE-2024-47188 page https://www.suse.com/security/cve/CVE-2024-47522/ SUSE CVE CVE-2024-47522 page https://www.suse.com/security/cve/CVE-2024-55605/ SUSE CVE CVE-2024-55605 page https://www.suse.com/security/cve/CVE-2024-55626/ SUSE CVE CVE-2024-55626 page https://www.suse.com/security/cve/CVE-2024-55627/ SUSE CVE CVE-2024-55627 page https://www.suse.com/security/cve/CVE-2024-55628/ SUSE CVE CVE-2024-55628 page https://www.suse.com/security/cve/CVE-2024-55629/ SUSE CVE CVE-2024-55629 page https://www.suse.com/security/cve/CVE-2025-29915/ SUSE CVE CVE-2025-29915 page https://www.suse.com/security/cve/CVE-2025-29916/ SUSE CVE CVE-2025-29916 page https://www.suse.com/security/cve/CVE-2025-29917/ SUSE CVE CVE-2025-29917 page https://www.suse.com/security/cve/CVE-2025-29918/ SUSE CVE CVE-2025-29918 page openSUSE Tumbleweed libsuricata8_0_0-8.0.0-1.1 suricata-8.0.0-1.1 suricata-devel-8.0.0-1.1 libsuricata8_0_0-8.0.0-1.1 as a component of openSUSE Tumbleweed suricata-8.0.0-1.1 as a component of openSUSE Tumbleweed suricata-devel-8.0.0-1.1 as a component of openSUSE Tumbleweed An issue was discovered in Suricata before 3.1.2. If an ICMPv4 error packet is received as the first packet on a flow in the to_client direction, it confuses the rule grouping lookup logic. The toclient inspection will then continue with the wrong rule group. This can lead to missed detection. CVE-2016-10728 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-10728.html CVE-2016-10728 https://bugzilla.suse.com/1102402 SUSE Bug 1102402 Suricata before 4.0.5 stops TCP stream inspection upon a TCP RST from a server. This allows detection bypass because Windows TCP clients proceed with normal processing of TCP data that arrives shortly after an RST (i.e., they act as if the RST had not yet been received). CVE-2018-14568 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-14568.html CVE-2018-14568 https://bugzilla.suse.com/1102334 SUSE Bug 1102334 A buffer over-read issue was discovered in Suricata 4.1.x before 4.1.4. If the input of the decode-mpls.c function DecodeMPLS is composed only of a packet of source address and destination address plus the correct type field and the right number for shim, an attacker can manipulate the control flow, such that the condition to leave the loop is true. After leaving the loop, the network packet has a length of 2 bytes. There is no validation of this length. Later on, the code tries to read at an empty position, leading to a crash. CVE-2019-10050 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-10050.html CVE-2019-10050 https://bugzilla.suse.com/1134991 SUSE Bug 1134991 An issue was discovered in Suricata 4.1.x before 4.1.4. If the input of the function SSHParseBanner is composed only of a \n character, then the program runs into a heap-based buffer over-read. This occurs because the erroneous search for \r results in an integer underflow. CVE-2019-10053 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-10053.html CVE-2019-10053 https://bugzilla.suse.com/1134993 SUSE Bug 1134993 Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.3, excessive memory use during pgsql parsing could lead to OOM-related crashes. This vulnerability is patched in 7.0.3. As workaround, users can disable the pgsql app layer parser. CVE-2024-23835 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-23835.html CVE-2024-23835 Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to versions 6.0.16 and 7.0.3, an attacker can craft traffic to cause Suricata to use far more CPU and memory for processing the traffic than needed, which can lead to extreme slow downs and denial of service. This vulnerability is patched in 6.0.16 or 7.0.3. Workarounds include disabling the affected protocol app-layer parser in the yaml and reducing the `stream.reassembly.depth` value helps reduce the severity of the issue. CVE-2024-23836 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-23836.html CVE-2024-23836 Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.3, specially crafted traffic can cause a heap use after free if the ruleset uses the http.request_header or http.response_header keyword. The vulnerability has been patched in 7.0.3. To work around the vulnerability, avoid the http.request_header and http.response_header keywords. CVE-2024-23839 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-23839.html CVE-2024-23839 Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.3, the rules inspecting HTTP2 headers can get bypassed by crafted traffic. The vulnerability has been patched in 7.0.3. CVE-2024-24568 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-24568.html CVE-2024-24568 Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, a small amount of HTTP/2 traffic can lead to Suricata using a large amount of memory. The issue has been addressed in Suricata 7.0.5 and 6.0.19. Workarounds include disabling the HTTP/2 parser and reducing `app-layer.protocols.http2.max-table-size` value (default is 65536). CVE-2024-32663 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-32663.html CVE-2024-32663 Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, specially crafted traffic or datasets can cause a limited buffer overflow. This vulnerability is fixed in 7.0.5 and 6.0.19. Workarounds include not use rules with `base64_decode` keyword with `bytes` option with value 1, 2 or 5 and for 7.0.x, setting `app-layer.protocols.smtp.mime.body-md5` to false. CVE-2024-32664 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-32664.html CVE-2024-32664 Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, various problems in handling of fragmentation anomalies can lead to mis-detection of rules and policy. This vulnerability is fixed in 7.0.5 or 6.0.19. CVE-2024-32867 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-32867.html CVE-2024-32867 Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Mishandling of multiple fragmented packets using the same IP ID value can lead to packet reassembly failure, which can lead to policy bypass. Upgrade to 7.0.6 or 6.0.20. When using af-packet, enable `defrag` to reduce the scope of the problem. CVE-2024-37151 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-37151.html CVE-2024-37151 Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Crafted modbus traffic can lead to unlimited resource accumulation within a flow. Upgrade to 7.0.6. Set a limited stream.reassembly.depth to reduce the issue. CVE-2024-38534 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-38534.html CVE-2024-38534 Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Suricata can run out of memory when parsing crafted HTTP/2 traffic. Upgrade to 6.0.20 or 7.0.6. CVE-2024-38535 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-38535.html CVE-2024-38535 Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. A memory allocation failure due to `http.memcap` being reached leads to a NULL-ptr reference leading to a crash. Upgrade to 7.0.6. CVE-2024-38536 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-38536.html CVE-2024-38536 Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, rules using datasets with the non-functional / unimplemented "unset" option can trigger an assertion during traffic parsing, leading to denial of service. This issue is addressed in 7.0.7. As a workaround, use only trusted and well tested rulesets. CVE-2024-45795 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-45795.html CVE-2024-45795 Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, a logic error during fragment reassembly can lead to failed reassembly for valid traffic. An attacker could craft packets to trigger this behavior.This issue has been addressed in 7.0.7. CVE-2024-45796 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-45796.html CVE-2024-45796 LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces. Prior to version 0.5.49, unbounded processing of HTTP request and response headers can lead to excessive CPU time and memory utilization, possibly leading to extreme slowdowns. This issue is addressed in 0.5.49. CVE-2024-45797 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-45797.html CVE-2024-45797 https://bugzilla.suse.com/1231746 SUSE Bug 1231746 Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, missing initialization of the random seed for "thash" leads to datasets having predictable hash table behavior. This can lead to dataset file loading to use excessive time to load, as well as runtime performance issues during traffic handling. This issue has been addressed in 7.0.7. As a workaround, avoid loading datasets from untrusted sources. Avoid dataset rules that track traffic in rules. CVE-2024-47187 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-47187.html CVE-2024-47187 Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, missing initialization of the random seed for "thash" leads to byte-range tracking having predictable hash table behavior. This can lead to an attacker forcing lots of data into a single hash bucket, leading to severe performance degradation. This issue has been addressed in 7.0.7. CVE-2024-47188 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-47188.html CVE-2024-47188 Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, invalid ALPN in TLS/QUIC traffic when JA4 matching/logging is enabled can lead to Suricata aborting with a panic. This issue has been addressed in 7.0.7. One may disable ja4 as a workaround. CVE-2024-47522 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-47522.html CVE-2024-47522 Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a large input buffer to the to_lowercase, to_uppercase, strip_whitespace, compress_whitespace, dotprefix, header_lowercase, strip_pseudo_headers, url_decode, or xor transform can lead to a stack overflow causing Suricata to crash. The issue has been addressed in Suricata 7.0.8. CVE-2024-55605 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-55605.html CVE-2024-55605 Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a large BPF filter file provided to Suricata at startup can lead to a buffer overflow at Suricata startup. The issue has been addressed in Suricata 7.0.8. CVE-2024-55626 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-55626.html CVE-2024-55626 Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a specially crafted TCP stream can lead to a very large buffer overflow while being zero-filled during initialization with memset due to an unsigned integer underflow. The issue has been addressed in Suricata 7.0.8. CVE-2024-55627 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-55627.html CVE-2024-55627 Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.8, DNS resource name compression can lead to small DNS messages containing very large hostnames which can be costly to decode, and lead to very large DNS log records. While there are limits in place, they were too generous. The issue has been addressed in Suricata 7.0.8. CVE-2024-55628 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-55628.html CVE-2024-55628 Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, TCP streams with TCP urgent data (out of band data) can lead to Suricata analyzing data differently than the applications at the TCP endpoints, leading to possible evasions. Suricata 7.0.8 includes options to allow users to configure how to handle TCP urgent data. In IPS mode, you can use a rule such as drop tcp any any -> any any (sid:1; tcp.flags:U*;) to drop all the packets with urgent flag set. CVE-2024-55629 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-55629.html CVE-2024-55629 Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. The AF_PACKET defrag option is enabled by default and allows AF_PACKET to re-assemble fragmented packets before reaching Suricata. However the default packet size in Suricata is based on the network interface MTU which leads to Suricata seeing truncated packets. Upgrade to Suricata 7.0.9, which uses better defaults and adds warnings for user configurations that may lead to issues. CVE-2025-29915 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-29915.html CVE-2025-29915 Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Datasets declared in rules have an option to specify the `hashsize` to use. This size setting isn't properly limited, so the hash table allocation can be large. Untrusted rules can lead to large memory allocations, potentially leading to denial of service due to resource starvation. This vulnerability is fixed in 7.0.9. CVE-2025-29916 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-29916.html CVE-2025-29916 Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. The bytes setting in the decode_base64 keyword is not properly limited. Due to this, signatures using the keyword and setting can cause large memory allocations of up to 4 GiB per thread. This vulnerability is fixed in 7.0.9. CVE-2025-29917 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-29917.html CVE-2025-29917 Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. A PCRE rule can be written that leads to an infinite loop when negated PCRE is used. Packet processing thread becomes stuck in infinite loop limiting visibility and availability in inline mode. This vulnerability is fixed in 7.0.9. CVE-2025-29918 openSUSE Tumbleweed:libsuricata8_0_0-8.0.0-1.1 openSUSE Tumbleweed:suricata-8.0.0-1.1 openSUSE Tumbleweed:suricata-devel-8.0.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-29918.html CVE-2025-29918