alloy-1.11.2-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:15631-1 Final 1 1 2025-10-14T00:00:00Z current 2025-10-14T00:00:00Z 2025-10-14T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z alloy-1.11.2-2.1 on GA media These are all security issues fixed in the alloy-1.11.2-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-15631 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-11065/ SUSE CVE CVE-2025-11065 page https://www.suse.com/security/cve/CVE-2025-58058/ SUSE CVE CVE-2025-58058 page openSUSE Tumbleweed alloy-1.11.2-2.1 alloy-1.11.2-2.1 as a component of openSUSE Tumbleweed unknown CVE-2025-11065 openSUSE Tumbleweed:alloy-1.11.2-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-11065.html CVE-2025-11065 https://bugzilla.suse.com/1250608 SUSE Bug 1250608 xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn't include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14. CVE-2025-58058 openSUSE Tumbleweed:alloy-1.11.2-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-58058.html CVE-2025-58058 https://bugzilla.suse.com/1248889 SUSE Bug 1248889