gnutls-3.8.10-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:15411-1 Final 1 1 2025-08-05T00:00:00Z current 2025-08-05T00:00:00Z 2025-08-05T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z gnutls-3.8.10-1.1 on GA media These are all security issues fixed in the gnutls-3.8.10-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-15411 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-32988/ SUSE CVE CVE-2025-32988 page https://www.suse.com/security/cve/CVE-2025-32989/ SUSE CVE CVE-2025-32989 page https://www.suse.com/security/cve/CVE-2025-32990/ SUSE CVE CVE-2025-32990 page https://www.suse.com/security/cve/CVE-2025-6395/ SUSE CVE CVE-2025-6395 page openSUSE Tumbleweed gnutls-3.8.10-1.1 libgnutls-dane-devel-3.8.10-1.1 libgnutls-dane0-3.8.10-1.1 libgnutls-devel-3.8.10-1.1 libgnutls-devel-32bit-3.8.10-1.1 libgnutls-devel-doc-3.8.10-1.1 libgnutls30-3.8.10-1.1 libgnutls30-32bit-3.8.10-1.1 libgnutlsxx-devel-3.8.10-1.1 libgnutlsxx30-3.8.10-1.1 gnutls-3.8.10-1.1 as a component of openSUSE Tumbleweed libgnutls-dane-devel-3.8.10-1.1 as a component of openSUSE Tumbleweed libgnutls-dane0-3.8.10-1.1 as a component of openSUSE Tumbleweed libgnutls-devel-3.8.10-1.1 as a component of openSUSE Tumbleweed libgnutls-devel-32bit-3.8.10-1.1 as a component of openSUSE Tumbleweed libgnutls-devel-doc-3.8.10-1.1 as a component of openSUSE Tumbleweed libgnutls30-3.8.10-1.1 as a component of openSUSE Tumbleweed libgnutls30-32bit-3.8.10-1.1 as a component of openSUSE Tumbleweed libgnutlsxx-devel-3.8.10-1.1 as a component of openSUSE Tumbleweed libgnutlsxx30-3.8.10-1.1 as a component of openSUSE Tumbleweed A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure. This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior. CVE-2025-32988 openSUSE Tumbleweed:gnutls-3.8.10-1.1 openSUSE Tumbleweed:libgnutls-dane-devel-3.8.10-1.1 openSUSE Tumbleweed:libgnutls-dane0-3.8.10-1.1 openSUSE Tumbleweed:libgnutls-devel-3.8.10-1.1 openSUSE Tumbleweed:libgnutls-devel-32bit-3.8.10-1.1 openSUSE Tumbleweed:libgnutls-devel-doc-3.8.10-1.1 openSUSE Tumbleweed:libgnutls30-3.8.10-1.1 openSUSE Tumbleweed:libgnutls30-32bit-3.8.10-1.1 openSUSE Tumbleweed:libgnutlsxx-devel-3.8.10-1.1 openSUSE Tumbleweed:libgnutlsxx30-3.8.10-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-32988.html CVE-2025-32988 https://bugzilla.suse.com/1246232 SUSE Bug 1246232 A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites when the certificate (SCT) is not checked correctly. CVE-2025-32989 openSUSE Tumbleweed:gnutls-3.8.10-1.1 openSUSE Tumbleweed:libgnutls-dane-devel-3.8.10-1.1 openSUSE Tumbleweed:libgnutls-dane0-3.8.10-1.1 openSUSE Tumbleweed:libgnutls-devel-3.8.10-1.1 openSUSE Tumbleweed:libgnutls-devel-32bit-3.8.10-1.1 openSUSE Tumbleweed:libgnutls-devel-doc-3.8.10-1.1 openSUSE Tumbleweed:libgnutls30-3.8.10-1.1 openSUSE Tumbleweed:libgnutls30-32bit-3.8.10-1.1 openSUSE Tumbleweed:libgnutlsxx-devel-3.8.10-1.1 openSUSE Tumbleweed:libgnutlsxx30-3.8.10-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-32989.html CVE-2025-32989 https://bugzilla.suse.com/1246233 SUSE Bug 1246233 A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system. CVE-2025-32990 openSUSE Tumbleweed:gnutls-3.8.10-1.1 openSUSE Tumbleweed:libgnutls-dane-devel-3.8.10-1.1 openSUSE Tumbleweed:libgnutls-dane0-3.8.10-1.1 openSUSE Tumbleweed:libgnutls-devel-3.8.10-1.1 openSUSE Tumbleweed:libgnutls-devel-32bit-3.8.10-1.1 openSUSE Tumbleweed:libgnutls-devel-doc-3.8.10-1.1 openSUSE Tumbleweed:libgnutls30-3.8.10-1.1 openSUSE Tumbleweed:libgnutls30-32bit-3.8.10-1.1 openSUSE Tumbleweed:libgnutlsxx-devel-3.8.10-1.1 openSUSE Tumbleweed:libgnutlsxx30-3.8.10-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-32990.html CVE-2025-32990 https://bugzilla.suse.com/1246267 SUSE Bug 1246267 A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite(). CVE-2025-6395 openSUSE Tumbleweed:gnutls-3.8.10-1.1 openSUSE Tumbleweed:libgnutls-dane-devel-3.8.10-1.1 openSUSE Tumbleweed:libgnutls-dane0-3.8.10-1.1 openSUSE Tumbleweed:libgnutls-devel-3.8.10-1.1 openSUSE Tumbleweed:libgnutls-devel-32bit-3.8.10-1.1 openSUSE Tumbleweed:libgnutls-devel-doc-3.8.10-1.1 openSUSE Tumbleweed:libgnutls30-3.8.10-1.1 openSUSE Tumbleweed:libgnutls30-32bit-3.8.10-1.1 openSUSE Tumbleweed:libgnutlsxx-devel-3.8.10-1.1 openSUSE Tumbleweed:libgnutlsxx30-3.8.10-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-6395.html CVE-2025-6395 https://bugzilla.suse.com/1246299 SUSE Bug 1246299