Security update for hawk2 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:20025-1 Final 1 1 2026-01-13T12:41:42Z current 2026-01-13T12:41:42Z 2026-01-13T12:41:42Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for hawk2 This update for hawk2 fixes the following issues: - Bump ruby gem rack to 3.1.18 (bsc#1251939). - Bump ruby gem uri to 1.0.4. - Fix the mtime in manifest.json (bsc#1230275). - Make builds determinitstic (bsc#1230275). - Bump rails version from 8.0.2 to 8.0.2.1 (bsc#1248100). - Require openssl explicitly (bsc#1247899). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Leap-16.0-134 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1230275 SUSE Bug 1230275 https://bugzilla.suse.com/1247899 SUSE Bug 1247899 https://bugzilla.suse.com/1248100 SUSE Bug 1248100 https://bugzilla.suse.com/1251939 SUSE Bug 1251939 https://www.suse.com/security/cve/CVE-2025-55193/ SUSE CVE CVE-2025-55193 page https://www.suse.com/security/cve/CVE-2025-61919/ SUSE CVE CVE-2025-61919 page openSUSE Leap 16.0 hawk2-2.7.0+git.1742310530.bfcd0e2c-160000.3.1 hawk2-2.7.0+git.1742310530.bfcd0e2c-160000.3.1 as a component of openSUSE Leap 16.0 Active Record connects classes to relational database tables. Prior to versions 7.1.5.2, 7.2.2.2, and 8.0.2.1, the ID passed to find or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences. This issue has been patched in versions 7.1.5.2, 7.2.2.2, and 8.0.2.1. CVE-2025-55193 openSUSE Leap 16.0:hawk2-2.7.0+git.1742310530.bfcd0e2c-160000.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-55193.html CVE-2025-55193 https://bugzilla.suse.com/1248099 SUSE Bug 1248099 Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion. Users should upgrade to Rack version 2.2.20, 3.1.18, or 3.2.3, anu of which enforces form parameter limits using `query_parser.bytesize_limit`, preventing unbounded reads of `application/x-www-form-urlencoded` bodies. Additionally, enforce strict maximum body size at the proxy or web server layer (e.g., Nginx `client_max_body_size`, Apache `LimitRequestBody`). CVE-2025-61919 openSUSE Leap 16.0:hawk2-2.7.0+git.1742310530.bfcd0e2c-160000.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-61919.html CVE-2025-61919 https://bugzilla.suse.com/1251934 SUSE Bug 1251934