libsuricata8_0_1-8.0.1-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:16654 Final 1 1 2025-10-01T00:00:00Z current 2025-10-01T00:00:00Z 2025-10-01T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libsuricata8_0_1-8.0.1-1.1 on GA media These are all security issues fixed in the libsuricata8_0_1-8.0.1-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-16654 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-59147/ SUSE CVE CVE-2025-59147 page https://www.suse.com/security/cve/CVE-2025-59148/ SUSE CVE CVE-2025-59148 page https://www.suse.com/security/cve/CVE-2025-59149/ SUSE CVE CVE-2025-59149 page https://www.suse.com/security/cve/CVE-2025-59150/ SUSE CVE CVE-2025-59150 page openSUSE Tumbleweed libsuricata8_0_1-8.0.1-1.1 suricata-8.0.1-1.1 suricata-devel-8.0.1-1.1 libsuricata8_0_1-8.0.1-1.1 as a component of openSUSE Tumbleweed suricata-8.0.1-1.1 as a component of openSUSE Tumbleweed suricata-devel-8.0.1-1.1 as a component of openSUSE Tumbleweed Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Versions 7.0.11 and below, as well as 8.0.0, are vulnerable to detection bypass when crafted traffic sends multiple SYN packets with different sequence numbers within the same flow tuple, which can cause Suricata to fail to pick up the TCP session. In IDS mode this can lead to a detection and logging bypass. In IPS mode this will lead to the flow getting blocked. This issue is fixed in versions 7.0.12 and 8.0.1. CVE-2025-59147 openSUSE Tumbleweed:libsuricata8_0_1-8.0.1-1.1 openSUSE Tumbleweed:suricata-8.0.1-1.1 openSUSE Tumbleweed:suricata-devel-8.0.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-59147.html CVE-2025-59147 https://bugzilla.suse.com/1250920 SUSE Bug 1250920 Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Versions 8.0.0 and below incorrectly handle the entropy keyword when not anchored to a "sticky" buffer, which can lead to a segmentation fault. This issue is fixed in version 8.0.1. To workaround this issue, users can disable rules using the entropy keyword, or validate they are anchored to a sticky buffer. CVE-2025-59148 openSUSE Tumbleweed:libsuricata8_0_1-8.0.1-1.1 openSUSE Tumbleweed:suricata-8.0.1-1.1 openSUSE Tumbleweed:suricata-devel-8.0.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-59148.html CVE-2025-59148 https://bugzilla.suse.com/1250921 SUSE Bug 1250921 Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In version 8.0.0, rules using keyword ldap.responses.attribute_type (which is long) with transforms can lead to a stack buffer overflow during Suricata startup or during a rule reload. This issue is fixed in version 8.0.1. To workaround this issue, users can disable rules with ldap.responses.attribute_type and transforms. CVE-2025-59149 openSUSE Tumbleweed:libsuricata8_0_1-8.0.1-1.1 openSUSE Tumbleweed:suricata-8.0.1-1.1 openSUSE Tumbleweed:suricata-devel-8.0.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-59149.html CVE-2025-59149 https://bugzilla.suse.com/1250925 SUSE Bug 1250925 Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Version 8.0.0's usage of the tls.subjectaltname keyword can lead to a segmentation fault when the decoded subjectaltname contains a NULL byte. This issue is fixed in version 8.0.1. To workaround this issue, disable rules using the tls.subjectaltname keyword. CVE-2025-59150 openSUSE Tumbleweed:libsuricata8_0_1-8.0.1-1.1 openSUSE Tumbleweed:suricata-8.0.1-1.1 openSUSE Tumbleweed:suricata-devel-8.0.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-59150.html CVE-2025-59150 https://bugzilla.suse.com/1250922 SUSE Bug 1250922