openbao-2.4.3-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:16725 Final 1 1 2025-10-23T00:00:00Z current 2025-10-23T00:00:00Z 2025-10-23T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z openbao-2.4.3-1.1 on GA media These are all security issues fixed in the openbao-2.4.3-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-16725 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-62513/ SUSE CVE CVE-2025-62513 page https://www.suse.com/security/cve/CVE-2025-62705/ SUSE CVE CVE-2025-62705 page openSUSE Tumbleweed openbao-2.4.3-1.1 openbao-agent-2.4.3-1.1 openbao-cassandra-database-plugin-2.4.3-1.1 openbao-influxdb-database-plugin-2.4.3-1.1 openbao-mysql-database-plugin-2.4.3-1.1 openbao-mysql-legacy-database-plugin-2.4.3-1.1 openbao-postgresql-database-plugin-2.4.3-1.1 openbao-server-2.4.3-1.1 openbao-2.4.3-1.1 as a component of openSUSE Tumbleweed openbao-agent-2.4.3-1.1 as a component of openSUSE Tumbleweed openbao-cassandra-database-plugin-2.4.3-1.1 as a component of openSUSE Tumbleweed openbao-influxdb-database-plugin-2.4.3-1.1 as a component of openSUSE Tumbleweed openbao-mysql-database-plugin-2.4.3-1.1 as a component of openSUSE Tumbleweed openbao-mysql-legacy-database-plugin-2.4.3-1.1 as a component of openSUSE Tumbleweed openbao-postgresql-database-plugin-2.4.3-1.1 as a component of openSUSE Tumbleweed openbao-server-2.4.3-1.1 as a component of openSUSE Tumbleweed OpenBao is an open source identity-based secrets management system. In versions 2.2.0 to 2.4.1, OpenBao's audit log experienced a regression wherein raw HTTP bodies used by few endpoints were not correctly redacted (HMAC'd). This impacts those using the ACME functionality of PKI, resulting in short-lived ACME verification challenge codes being leaked in the audit logs. Additionally, this impacts those using the OIDC issuer functionality of the identity subsystem, auth and token response codes along with claims could be leaked in the audit logs. ACME verification codes are not usable after verification or challenge expiry so are of limited long-term use. This issue has been patched in OpenBao 2.4.2. CVE-2025-62513 openSUSE Tumbleweed:openbao-2.4.3-1.1 openSUSE Tumbleweed:openbao-agent-2.4.3-1.1 openSUSE Tumbleweed:openbao-cassandra-database-plugin-2.4.3-1.1 openSUSE Tumbleweed:openbao-influxdb-database-plugin-2.4.3-1.1 openSUSE Tumbleweed:openbao-mysql-database-plugin-2.4.3-1.1 openSUSE Tumbleweed:openbao-mysql-legacy-database-plugin-2.4.3-1.1 openSUSE Tumbleweed:openbao-postgresql-database-plugin-2.4.3-1.1 openSUSE Tumbleweed:openbao-server-2.4.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-62513.html CVE-2025-62513 https://bugzilla.suse.com/1252506 SUSE Bug 1252506 OpenBao is an open source identity-based secrets management system. Prior to version 2.4.2, OpenBao's audit log did not appropriately redact fields when relevant subsystems sent []byte response parameters rather than strings. This includes, but is not limited to sys/raw with use of encoding=base64, all data would be emitted unredacted to the audit log, and Transit, when performing a signing operation with a derived Ed25519 key, would emit public keys to the audit log. This issue has been patched in OpenBao 2.4.2. CVE-2025-62705 openSUSE Tumbleweed:openbao-2.4.3-1.1 openSUSE Tumbleweed:openbao-agent-2.4.3-1.1 openSUSE Tumbleweed:openbao-cassandra-database-plugin-2.4.3-1.1 openSUSE Tumbleweed:openbao-influxdb-database-plugin-2.4.3-1.1 openSUSE Tumbleweed:openbao-mysql-database-plugin-2.4.3-1.1 openSUSE Tumbleweed:openbao-mysql-legacy-database-plugin-2.4.3-1.1 openSUSE Tumbleweed:openbao-postgresql-database-plugin-2.4.3-1.1 openSUSE Tumbleweed:openbao-server-2.4.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-62705.html CVE-2025-62705 https://bugzilla.suse.com/1252505 SUSE Bug 1252505