trivy-0.65.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:16516 Final 1 1 2025-08-15T00:00:00Z current 2025-08-15T00:00:00Z 2025-08-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z trivy-0.65.0-1.1 on GA media These are all security issues fixed in the trivy-0.65.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-16516 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-22868/ SUSE CVE CVE-2025-22868 page https://www.suse.com/security/cve/CVE-2025-22869/ SUSE CVE CVE-2025-22869 page https://www.suse.com/security/cve/CVE-2025-22872/ SUSE CVE CVE-2025-22872 page https://www.suse.com/security/cve/CVE-2025-30204/ SUSE CVE CVE-2025-30204 page https://www.suse.com/security/cve/CVE-2025-47291/ SUSE CVE CVE-2025-47291 page openSUSE Tumbleweed trivy-0.65.0-1.1 trivy-0.65.0-1.1 as a component of openSUSE Tumbleweed An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. CVE-2025-22868 openSUSE Tumbleweed:trivy-0.65.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-22868.html CVE-2025-22868 https://bugzilla.suse.com/1239185 SUSE Bug 1239185 https://bugzilla.suse.com/1239186 SUSE Bug 1239186 SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted. CVE-2025-22869 openSUSE Tumbleweed:trivy-0.65.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-22869.html CVE-2025-22869 https://bugzilla.suse.com/1239322 SUSE Bug 1239322 The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts). CVE-2025-22872 openSUSE Tumbleweed:trivy-0.65.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-22872.html CVE-2025-22872 https://bugzilla.suse.com/1241710 SUSE Bug 1241710 golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2. CVE-2025-30204 openSUSE Tumbleweed:trivy-0.65.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-30204.html CVE-2025-30204 https://bugzilla.suse.com/1240441 SUSE Bug 1240441 https://bugzilla.suse.com/1240442 SUSE Bug 1240442 containerd is an open-source container runtime. A bug was found in the containerd's CRI implementation where containerd, starting in version 2.0.1 and prior to version 2.0.5, doesn't put usernamespaced containers under the Kubernetes' cgroup hierarchy, therefore some Kubernetes limits are not honored. This may cause a denial of service of the Kubernetes node. This bug has been fixed in containerd 2.0.5+ and 2.1.0+. Users should update to these versions to resolve the issue. As a workaround, disable usernamespaced pods in Kubernetes temporarily. CVE-2025-47291 openSUSE Tumbleweed:trivy-0.65.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-47291.html CVE-2025-47291 https://bugzilla.suse.com/1243632 SUSE Bug 1243632