incus-6.14-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:16379 Final 1 1 2025-07-07T00:00:00Z current 2025-07-07T00:00:00Z 2025-07-07T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z incus-6.14-1.1 on GA media These are all security issues fixed in the incus-6.14-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-16379 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-52889/ SUSE CVE CVE-2025-52889 page https://www.suse.com/security/cve/CVE-2025-52890/ SUSE CVE CVE-2025-52890 page openSUSE Tumbleweed incus-6.14-1.1 incus-bash-completion-6.14-1.1 incus-fish-completion-6.14-1.1 incus-tools-6.14-1.1 incus-zsh-completion-6.14-1.1 incus-6.14-1.1 as a component of openSUSE Tumbleweed incus-bash-completion-6.14-1.1 as a component of openSUSE Tumbleweed incus-fish-completion-6.14-1.1 as a component of openSUSE Tumbleweed incus-tools-6.14-1.1 as a component of openSUSE Tumbleweed incus-zsh-completion-6.14-1.1 as a component of openSUSE Tumbleweed Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus version 6.12 and 6.13 generates nftables rules for local services (DHCP, DNS...) that partially bypass security options `security.mac_filtering`, `security.ipv4_filtering` and `security.ipv6_filtering`. This can lead to DHCP pool exhaustion and opens the door for other attacks. A patch is available at commit 2516fb19ad8428454cb4edfe70c0a5f0dc1da214. CVE-2025-52889 openSUSE Tumbleweed:incus-6.14-1.1 openSUSE Tumbleweed:incus-bash-completion-6.14-1.1 openSUSE Tumbleweed:incus-fish-completion-6.14-1.1 openSUSE Tumbleweed:incus-tools-6.14-1.1 openSUSE Tumbleweed:incus-zsh-completion-6.14-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-52889.html CVE-2025-52889 https://bugzilla.suse.com/1245365 SUSE Bug 1245365 Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus versions 6.12 and 6.13generates nftables rules that partially bypass security options `security.mac_filtering`, `security.ipv4_filtering` and `security.ipv6_filtering`. This can lead to ARP spoofing on the bridge and to fully spoof another VM/container on the same bridge. Commit 254dfd2483ab8de39b47c2258b7f1cf0759231c8 contains a patch for the issue. CVE-2025-52890 openSUSE Tumbleweed:incus-6.14-1.1 openSUSE Tumbleweed:incus-bash-completion-6.14-1.1 openSUSE Tumbleweed:incus-fish-completion-6.14-1.1 openSUSE Tumbleweed:incus-tools-6.14-1.1 openSUSE Tumbleweed:incus-zsh-completion-6.14-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-52890.html CVE-2025-52890 https://bugzilla.suse.com/1245367 SUSE Bug 1245367