<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">SUSE-IU-2025:1535-1</DocumentTitle>
  <DocumentType>SUSE Image</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>SUSE Image SUSE-IU-2025:1535-1</ID>
    </Identification>
    <Status>Interim</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2026-03-11T09:20:16Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2025-06-10T01:00:00Z</InitialReleaseDate>
    <CurrentReleaseDate>2025-06-10T01:00:00Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf-publiccloud.pl</Engine>
      <Date>2021-02-18T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Image update for SUSE-IU-2025:1535-1 / google/sles-sap-15-sp4-hardened-v20250610-x86-64</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This image update for google/sles-sap-15-sp4-hardened-v20250610-x86-64 contains the following changes:
Package 000release-packages:SLES_SAP-release was updated:

Package aaa_base was updated:

- Add patch git-51-fbf7ee9dc9cd970532a54eed6472d7f3b0e7f431.patch
  * If a user switches the login shell respect the already set
    PATH environment (bsc#1235481)

- add patch aaa_base-rc.status.patch (bsc#1236033)
  (no git, file is gone in factory/tumbleweed)
  update detection for systemd in rc.status, mountpoint for
  cgroup changed with cgroup2, so just check if pid 1 is systemd

Package apparmor was updated:

- Add dac_read_search capability for unix_chkpwd to allow it to read the shadow
  file even if it has 000 permissions. This is needed after the CVE-2024-10041
  fix in PAM.
  * unix-chkpwd-add-read-capability.path, bsc#1241678

- Allow pam_unix to execute unix_chkpwd with abi/3.0
  - remove dovecot-unix_chkpwd.diff
  - Add allow-pam_unix-to-execute-unix_chkpwd.patch
  - Add revert-abi-change-for-unix_chkpwd.patch
  (bsc#1234452, bsc#1232234)

Package augeas was updated:

- Add patch, fix for bsc#1239909 / CVE-2025-2588:
  * CVE-2025-2588.patch

Package ca-certificates-mozilla was updated:

- revert the distrusted certs for now. originally these only
  distrust &quot;new issued&quot; certs starting after a certain date,
  while old certs should still work. (bsc#1240343)
- remove-distrusted.patch: removed

Package cifs-utils was updated:

- CVE-2025-2312: cifs-utils: cifs.upcall makes an upcall to the wrong
  namespace in containerized environments while trying to get Kerberos
  credentials (bsc#1239680)
  * add New-mount-option-for-cifs.upcall-namespace-reso.patch

Package cloud-netconfig was updated:

- Update to version 1.15
  + Add support for creating IPv6 default route in GCE (bsc#1240869)
  + Minor fix when looking up IPv6 default route

Package cloud-regionsrv-client was updated:

- Update version to 10.4.0
  + Remove repositories when the package is being removed
    We do not want to leave repositories behind referring to the plugin that
    is being removed when the package gets removed (bsc#1240310, bsc#1240311)
  + Turn docker into an optional setup (jsc#PCT-560)
    Change the Requires into a Recommends and adapt the code accordingly
  + Support flexible licenses in GCE (jsc#PCT-531)
  + Drop the azure-addon package it is getting replaced by the
    license-watcher package which has a generic implementation of the
    same functionality.
  + Handle cache inconsistencies (bsc#1218345)
  + Properly handle the zypper root target argument (bsc#1240997)

Package kernel-default was updated:

- Update
  patches.suse/can-etas_es58x-es58x_rx_err_msg-fix-memory-leak-in-e.patch
  (git-fixes stable-5.14.19 CVE-2021-47671 bsc#1241421).
- commit 855e2af

- Update
  patches.suse/net-mana-Fix-error-handling-in-mana_create_txq-rxq-s.patch
  (bsc#1240195 CVE-2024-46784 bsc#1230771).
- commit b86bfe4

- Revert &quot;exec: fix the racy usage of fs_struct-&gt;in_exec (CVE-2025-22029&quot;
  This reverts commit b68bd5953c15c3c2b21e60fbd6d8a52b0bbb030c.
  This turned out to be not an issue. See https://bugzilla.suse.com/show_bug.cgi?id=1241378#c4
- commit d9d19c1

- exec: fix the racy usage of fs_struct-&gt;in_exec (CVE-2025-22029
  bsc#1241378).
- commit b68bd59

- x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs
  (CVE-2025-22045 bsc#1241433).
- commit c4ca325

- memstick: rtsx_usb_ms: Fix slab-use-after-free in
  rtsx_usb_ms_drv_remove (bsc#1241280 CVE-2025-22020).
- commit 0f74fae

- drm/vkms: Fix use after free and double free on init error
  (CVE-2025-22097 bsc#1241541).
- commit 02fe040

- net: fix geneve_opt length integer overflow (CVE-2025-22055
  bsc#1241371).
- commit 15ff527

- net: atm: fix use after free in lec_send() (CVE-2025-22004
  bsc#1240835).
- commit 889e26f

- kABI workaround struct rcu_head and ax25_ptr (CVE-2025-21812
  bsc#1238471).
- commit 1d6ea68

- ax25: rcu protect dev-&gt;ax25_ptr (CVE-2025-21812 bsc#1238471).
- Refresh patches.kabi/net-ax25_dev-kabi-workaround.patch.
- commit 88b5c8e

- Update
  patches.suse/fbdev-smscufx-fix-error-handling-code-in-ufx_usb_pro.patch
  (git-fixes CVE-2022-49741 bsc#1240747).
- commit 0c9a431

- Update
  patches.suse/RDMA-mlx5-Fix-implicit-ODP-hang-on-parent-deregistra.patch
  (git-fixes CVE-2025-21886 bsc#1240188).
- commit 6a0c1b0

- arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array (CVE-2025-21785 bsc#1238747)
- commit 2c96a9a

- vrf: use RCU protection in l3mdev_l3_out() (CVE-2025-21791
  bsc#1238512).
- commit 50bbf71

- Delete
  patches.suse/btrfs-defrag-don-t-use-merged-extent-map-for-their-generat.patch.
- Delete
  patches.suse/btrfs-fix-defrag-not-merging-contiguous-extents-due-to-mer.patch.
- Delete
  patches.suse/btrfs-fix-extent-map-merging-not-happening-for-adjacent-ex.patch.
  Reverting ineffective changes for bsc#1239968 and closing it as WONTFIX.
- commit a1bc1ab

- padata: avoid UAF for reorder_work (CVE-2025-21726 bsc#1238865).
- commit bfab8c2

Package containerd was updated:

- Update to containerd v1.7.27. Upstream release notes:
  &lt;https://github.com/containerd/containerd/releases/tag/v1.7.27&gt;
  bsc#1239749 CVE-2024-40635
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch

- Update to containerd v1.7.26. Upstream release notes:
  &lt;https://github.com/containerd/containerd/releases/tag/v1.7.26&gt;
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch

- Update to containerd v1.7.25. Upstream release notes:
  &lt;https://github.com/containerd/containerd/releases/tag/v1.7.25&gt;
  &lt;https://github.com/containerd/containerd/releases/tag/v1.7.24&gt;
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch

Package expat was updated:

- version update to 2.7.1
    Bug fixes:
    [#980] #989  Restore event pointer behavior from Expat 2.6.4
    (that the fix to CVE-2024-8176 changed in 2.7.0);
    affected API functions are:
  - XML_GetCurrentByteCount
  - XML_GetCurrentByteIndex
  - XML_GetCurrentColumnNumber
  - XML_GetCurrentLineNumber
  - XML_GetInputContext
    Other changes:
    [#976] #977  Autotools: Integrate files &quot;fuzz/xml_lpm_fuzzer.{cpp,proto}&quot;
    with Automake that were missing from 2.7.0 release tarballs
    [#983] #984  Fix printf format specifiers for 32bit Emscripten
    [#992]  docs: Promote OpenSSF Best Practices self-certification
    [#978]  tests/benchmark: Resolve mistaken double close
    [#986]  Address compiler warnings
    [#990] #993  Version info bumped from 11:1:10 (libexpat*.so.1.10.1)
    to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/
    for what these numbers do
    Infrastructure:
    [#982]  CI: Start running Perl XML::Parser integration tests
    [#987]  CI: Enforce Clang Static Analyzer clean code
    [#991]  CI: Re-enable warning clang-analyzer-valist.Uninitialized
    for clang-tidy
    [#981]  CI: Cover compilation with musl
    [#983] #984  CI: Cover compilation with 32bit Emscripten
    [#976] #977  CI: Protect against fuzzer files missing from future
    release archives

- version update to 2.7.0 for SLE-15-SP4
- deleted patches
  - expat-CVE-2022-25235.patch (upstreamed)
  - expat-CVE-2022-25236-relax-fix.patch (upstreamed)
  - expat-CVE-2022-25236.patch (upstreamed)
  - expat-CVE-2022-25313-fix-regression.patch (upstreamed)
  - expat-CVE-2022-25313.patch (upstreamed)
  - expat-CVE-2022-25314.patch (upstreamed)
  - expat-CVE-2022-25315.patch (upstreamed)
  - expat-CVE-2022-40674.patch (upstreamed)
  - expat-CVE-2022-43680.patch (upstreamed)
  - expat-CVE-2023-52425-1.patch (upstreamed)
  - expat-CVE-2023-52425-2.patch (upstreamed)
  - expat-CVE-2023-52425-backport-parser-changes.patch (upstreamed)
  - expat-CVE-2023-52425-fix-tests.patch (upstreamed)
  - expat-CVE-2024-28757.patch (upstreamed)
  - expat-CVE-2024-45490.patch (upstreamed)
  - expat-CVE-2024-45491.patch (upstreamed)
  - expat-CVE-2024-45492.patch (upstreamed)
  - expat-CVE-2024-50602.patch (upstreamed)

- version update to 2.7.0 (CVE-2024-8176 [bsc#1239618])
  * Security fixes:
    [#893] #973  CVE-2024-8176 -- Fix crash from chaining a large number
    of entities caused by stack overflow by resolving use of
    recursion, for all three uses of entities:
  - general entities in character data (&quot;&lt;e&gt;&amp;g1;&lt;/e&gt;&quot;)
  - general entities in attribute values (&quot;&lt;e k1='&amp;g1;'/&gt;&quot;)
  - parameter entities (&quot;%p1;&quot;)
    Known impact is (reliable and easy) denial of service:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
    (Base Score: 7.5, Temporal Score: 7.2)
    Please note that a layer of compression around XML can
    significantly reduce the minimum attack payload size.
  * Other changes:
    [#935] #937  Autotools: Make generated CMake files look for
    libexpat.@SO_MAJOR@.dylib on macOS
    [#925]  Autotools: Sync CMake templates with CMake 3.29
    [#945] #962 #966  CMake: Drop support for CMake &lt;3.13
    [#942]  CMake: Small fuzzing related improvements
    [#921]  docs: Add missing documentation of error code
    XML_ERROR_NOT_STARTED that was introduced with 2.6.4
    [#941]  docs: Document need for C++11 compiler for use from C++
    [#959]  tests/benchmark: Fix a (harmless) TOCTTOU
    [#944]  Windows: Fix installer target location of file xmlwf.xml
    for CMake
    [#953]  Windows: Address warning -Wunknown-warning-option
    about -Wno-pedantic-ms-format from LLVM MinGW
    [#971]  Address Cppcheck warnings
    [#969] #970  Mass-migrate links from http:// to https://
    [#947] #958 ..
    [#974] #975  Document changes since the previous release
    [#974] #975  Version info bumped from 11:0:10 (libexpat*.so.1.10.0)
    to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/
    for what these numbers do

- no source changes, just adding jira reference: jsc#SLE-21253

Package glib2 was updated:

- Add glib2-CVE-2025-3360.patch:
  Backport 8d60d7dc from upstream, Fix integer overflow when
  parsing very long ISO8601 inputs. This will only happen with
  invalid (or maliciously invalid) potential ISO8601 strings,
  but `g_date_time_new_from_iso8601()` needs to be robust against
  that.
  (CVE-2025-3360, bsc#1240897)

Package glibc was updated:

- static-setuid-ld-library-path.patch: elf: Ignore LD_LIBRARY_PATH and
  debug env var for setuid for static (CVE-2025-4802, bsc#1243317)

- pthread-wakeup.patch: pthreads NPTL: lost wakeup fix 2 (bsc#1234128, BZ
  [#25847])

Package google-cloud-sap-agent was updated:

- Update to version v3.7: (bsc#1238831, bsc#1238833)
  * No public description
  * Moving CG disk validation to CheckPreConditions
  * Fix issue with filling in ha_hosts in HANA systems
  * Use updated UAP method for Guest Actions
  * Fix grep command used for landscape ID discovery
  * Correct arguments used by HANA disk discovery.
  * Add tagged disks to discovery data sent to Data Warehouse
  * Identify disks by mount point in SAP System data.
  * Auto updated compiled protocol buffers
  * Add collection for WLM Pacemaker alias IP setting.
  * Add the Maintenance Events Sample Dashboard
  * Auto updated compiled protocol buffers
  * Remove obsolete events proto from sapagent
  * Auto updated compiled protocol buffers
  * Add collection for WLM Pacemaker health check and internal load balancer metrics.
  * Auto updated compiled protocol buffers
  * Add collection for WLM Pacemaker SAPInstance automatic recover and monitor settings.
  * Remove restart logic used in configure OTE. Rely on config poller.
  * fixing TypedValue
  * migrating from the platform integration/common/shared to sharedlibraries
  * Default topology to SCALE_UP for non-HANA DBs.
  * Remove restarting from guestactions

Package google-guest-agent was updated:

- Update to version 20250506.01 (bsc#1243254, bsc#1243505)
  * Make sure agent added connections are activated by NM (#534)
- from version 20250506.00
  * wrap NSS cache refresh in a goroutine (#533)
- from version 20250502.01
  * Wicked: Only reload interfaces for which configurations are written or changed. (#524)
- from version 20250502.00
  * Add AuthorizedKeysCompat to windows packaging (#530)
  * Remove error messages from gce_workload_cert_refresh and metadata script runner (#527)
  * Update guest-logging-go dependency (#526)
  * Add 'created-by' metadata, and pass it as option to logging library (#508)
  * Revert &quot;oslogin: Correctly handle newlines at the end of modified files (#520)&quot; (#523)
  * Re-enable disabled services if the core plugin was enabled (#522)
  * Enable guest services on package upgrade (#519)
  * oslogin: Correctly handle newlines at the end of modified files (#520)
  * Fix core plugin path (#518)
  * Fix package build issues (#517)
  * Fix dependencies ran go mod tidy -v (#515)
  * Fix debian build path (#514)
  * Bundle compat metadata script runner binary in package (#513)
  * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)
  * Update startup/shutdown services to launch compat manager (#503)
  * Bundle new gce metadata script runner binary in agent package (#502)
  * Revert &quot;Revert bundling new binaries in the package (#509)&quot; (#511)
- from version 20250418.00
  * Re-enable disabled services if the core plugin was enabled (#521)
- from version 20250414.00
  * Add AuthorizedKeysCompat to windows packaging (#530)
  * Remove error messages from gce_workload_cert_refresh and metadata script runner (#527)
  * Update guest-logging-go dependency (#526)
  * Add 'created-by' metadata, and pass it as option to logging library (#508)
  * Revert &quot;oslogin: Correctly handle newlines at the end of modified files (#520)&quot; (#523)
  * Re-enable disabled services if the core plugin was enabled (#522)
  * Enable guest services on package upgrade (#519)
  * oslogin: Correctly handle newlines at the end of modified files (#520)
  * Fix core plugin path (#518)
  * Fix package build issues (#517)
  * Fix dependencies ran go mod tidy -v (#515)
  * Fix debian build path (#514)
  * Bundle compat metadata script runner binary in package (#513)
  * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)
  * Update startup/shutdown services to launch compat manager (#503)
  * Bundle new gce metadata script runner binary in agent package (#502)
  * Revert &quot;Revert bundling new binaries in the package (#509)&quot; (#511)

Package hwinfo was updated:

- merge gh#openSUSE/hwinfo#156
- fix network card detection on aarch64 (bsc#1240648)
- 21.88

Package icewm was updated:

- Add icewm-translation-update.patch: Update the latest translation
  from https://l10n.opensuse.org/projects/icewm/icewm-1-4-branch/.

Package iproute2 was updated:

- avoid spurious cgroup warning (bsc#1234383):
  - ss-Tone-down-cgroup-path-resolution.patch

Package iputils was updated:

- Fix bsc#1243284 - ping on s390x prints invalid ttl
  * Add iputils-invalid-ttl-s390x.patch
  * Fix ipv4 ttl value when using SOCK_DGRAM on big endian systems

- Security fix [bsc#1242300, CVE-2025-47268]
  * integer overflow in RTT calculation can lead to undefined behavior
  * Add iputils-CVE-2025-47268.patch

Package kbd was updated:

- Don't search for resources in the current directory. It can cause
  unwanted side effects or even infinite loop (bsc#1237230,
  kbd-ignore-working-directory-1.patch,
  kbd-ignore-working-directory-2.patch,
  kbd-ignore-working-directory-3.patch).

Package resource-agents was updated:

- L3: fuser returning unexpected list of PIDs to Filesystem RA
  (bsc#1241867) Apply upstream patch:
  0001-Filesystem-fix-getting-the-wrong-block-device-when-d.patch

- L3: DB2 resource agent forcefully shuts down database, risking data loss - ref:_00D1igLOd._500TrYJM7l:ref
  (bsc#1241692)
  Add patch:
    bsc-1241692.patch

Package libapparmor was updated:

- Add dac_read_search capability for unix_chkpwd to allow it to read the shadow
  file even if it has 000 permissions. This is needed after the CVE-2024-10041
  fix in PAM.
  * unix-chkpwd-add-read-capability.path, bsc#1241678

- Allow pam_unix to execute unix_chkpwd with abi/3.0
  - remove dovecot-unix_chkpwd.diff
  - Add allow-pam_unix-to-execute-unix_chkpwd.patch
  - Add revert-abi-change-for-unix_chkpwd.patch
  (bsc#1234452, bsc#1232234)

Package freetype2 was updated:

Package mozjs60 was updated:

- Add libtheora-avoid-negative-shift.patch: avoid negative shift in
  huffdec.c (bsc#1234837 CVE-2024-56431).
- Explicitly require libicu-devel, rather than using pkgconfig, to
  avoid unintentionally building against icu 73.

Package ncurses was updated:

- Modify patch ncurses-5.9-ibm327x.dif
  * Backport sclp terminfo description entry if for s390 sclp terminal lines
  * Add a further sclp entry for qemu s390 based systems
  * Make use of dumb

Package pacemaker was updated:

- pacemaker-attrd: use %PRIu32 format specifier instead of %u for node id (bsc#1239629, gh#ClusterLabs/pacemaker#3860)
  * bsc#1239629-0004-Log-pacemaker-attrd-use-PRIu32-format-specifier-inst.patch
- libcrmcluster: correctly log node id (bsc#1239629, gh#ClusterLabs/pacemaker#3860)
  * bsc#1239629-0003-Log-libcrmcluster-correctly-log-node-id.patch
- pacemaker-attrd: log the cluster layer id of the changed peer (bsc#1239629, gh#ClusterLabs/pacemaker#3860)
  * bsc#1239629-0002-Log-pacemaker-attrd-log-the-cluster-layer-id-of-the-.patch
- pacemaker-attrd: prevent segfault if a peer leaves when its name is unknown yet (bsc#1239629, gh#ClusterLabs/pacemaker#3860)
  * bsc#1239629-0001-Fix-pacemaker-attrd-prevent-segfault-if-a-peer-leave.patch

- spec: create a temporary file in /run directory (bsc#1239770)

- libcrmservices: Unref the dbus connection... (gh#ClusterLabs/pacemaker#3841)
  * pacemaker#3841-0002-Refactor-libcrmservices-Unref-the-dbus-connection.patch
- libcrmservices: Don't leak msg if systemd_proxy is NULL. (gh#ClusterLabs/pacemaker#3841)
  * pacemaker#3841-0001-Low-libcrmservices-Don-t-leak-msg-if-systemd_proxy-i.patch

- cts-scheduler: update tests for considering parents of an unmanaged resource active on the node (gh#ClusterLabs/pacemaker#3842, bsc#1238519)
  * bsc#1238519-0002-Test-cts-scheduler-update-tests-for-considering-pare.patch
- libpe_status: consider parents of an unmanaged resource active on the node (gh#ClusterLabs/pacemaker#3842, bsc#1238519)
  * bsc#1238519-0001-Fix-libpe_status-consider-parents-of-an-unmanaged-re.patch

- various: address format-overflow warnings (gh#ClusterLabs/pacemaker#3795)
  * pacemaker#3795-0001-Low-various-address-format-overflow-warnings.patch

- libpacemaker: set fail-count to INFINITY for fatal failures (gh#ClusterLabs/pacemaker#3772)
  * pacemaker#3772-0002-Fix-libpacemaker-set-fail-count-to-INFINITY-for-fata.patch
- libpacemaker: add PCMK__XA_FAILED_START_OFFSET and PCMK__XA_FAILED_STOP_OFFSET (gh#ClusterLabs/pacemaker#3772)
  * pacemaker#3772-0001-Refactor-libpacemaker-add-PCMK__XA_FAILED_START_OFFS.patch

Package librdkafka was updated:

- 0001-Fix-timespec-conversion-to-avoid-infinite-loop-2108-.patch:
  avoid endless loops (bsc#1242842)

Package ruby2.5 was updated:

- update suse.patch to 736ea75f25d52fdebb88ed6583468bd7c21190f6
  - fix ReDoS in CGI::Util#escapeElement
    bsc#1237806 CVE-2025-27220
  - fix denial of service in CGI::Cookie.parse
    bsc#1237804 CVE-2025-27219

- update suse.patch to 6bf78da1fc4048a11a8612741216ebc47d9ebb41
  - move the request smuggling patch to the correct place
    actually fixes bsc#1230930 CVE-2024-47220 and now boo#1235773

Package libsolv was updated:

- build both static and dynamic libraries on new suse distros
- support the apk package and repository format (both v2 and v3)
- new dataiterator_final_{repo,solvable} functions
- bump version to 0.7.32

- Provide a symbol specific for the ruby-version
  so yast does not break across updates (boo#1235598)

Package sqlite3 was updated:

- Sync version 3.49.1 from Factory (jsc#SLE-16032):
  * CVE-2025-29087, bsc#1241020: Fix a bug in the concat_ws()
    function, introduced in version 3.44.0, that could lead to a
    memory error if the separator string is very large (hundreds
    of megabytes).
  * CVE-2025-29088, bsc#1241078: Enhanced the
    SQLITE_DBCONFIG_LOOKASIDE interface to make it more robust
    against misuse.
  * Obsoletes sqlite3-rtree-i686.patch

Package libxml2 was updated:

- security update
- added patches
  CVE-2025-32414 [bsc#1241551], out-of-bounds read when parsing text via the Python API
  + libxml2-CVE-2025-32414.patch
  CVE-2025-32415 [bsc#1241453], a crafted XML document may lead to a heap-based buffer under-read
  + libxml2-CVE-2025-32415.patch

Package libzypp was updated:

- fixed build with boost 1.88.
- XmlReader: Fix detection of bad input streams (fixes #635)
  libxml2 2.14 potentially reads the complete stream, so it may
  have the 'eof' bit set. Which is not 'good' but also not 'bad'.
- rpm: Fix detection of %triggerscript starts (bsc#1222044)
- RepoindexFileReader: add more &lt;repo&gt; related attributes a
  service may set.
  Add optional attributes gpgcheck, repo_gpgcheck, pkg_gpgcheck,
  keeppackages, gpgkey, mirrorlist, and metalink with the same
  semantic as in a .repo file.
- version 17.36.7 (35)

- Drop workaround for broken rpm-4.18 in Code16 (bsc#1237172)
- BuildRequires:  %{libsolv_devel_package} &gt;= 0.7.32.
  Code16 moved static libs to libsolv-devel-static.
- Drop usage of SHA1 hash algorithm because it will become
  unavailable in FIPS mode (bsc#1240529)
- Fix zypp.conf dupAllowVendorChange to reflect the correct
  default (false).
  The default was true in Code12 (libzypp-16.x) and changed to
  false with Code15 (libzypp-17.x). Unfortunately this was done by
  shipping a modified zypp.conf file rather than fixing the code.
- zypp.conf: Add `lock_timeout` ($ZYPP_LOCK_TIMEOUT) (bsc#1239809)
- version 17.36.6 (35)

- Fix computation of RepStatus if Repo URLs change.
- Fix lost double slash when appending to an absolute FTP url
  (bsc#1238315)
  Ftp actually differs between absolute and relative URL paths.
  Absolute path names begin with a double slash encoded as '/%2F'.
  This must be preserved when manipulating the path.
- version 17.36.5 (35)

- Add a transaction package preloader (fixes openSUSE/zypper#104)
  This patch adds a preloader that concurrently downloads files
  during a transaction commit. It's not yet enabled per default.
  To enable the preview set ZYPP_CURL2=1 and ZYPP_PCK_PRELOAD=1
  in the environment.
- RpmPkgSigCheck_test: Exchange the test package signingkey
  (fixes #622)
- Exclude MediaCurl tests if DISABLE_MEDIABACKEND_TESTS (fixes #626)
- Strip a mediahandler tag from baseUrl querystrings.
- version 17.36.4 (35)

Package openssh was updated:

- Added openssh-bsc1241045-kexalgo-gt-256bits.patch (bsc#1241045)
  from upstream, which allows KEX hashes greater than 256 bits.
  Thanks to Ali Abdallah &lt;ali.abdallah@suse.com&gt;.

- Added openssh-cve-2025-32728.patch (bsc#1241012, CVE-2025-32728).
  This fixes an upstream logic error handling the DisableForwarding
  option.

- Update openssh-7.6p1-audit_race_condition.patch (bsc#1232533),
  fixing failures with very large MOTDs. Thanks to Ali Abdallah
  &lt;ali.abdallah@suse.com&gt;.

- Updated openssh-8.1p1-audit.patch (bsc#1228634) with modification
  from Jaroslav Jindrak (jjindrak@suse.com) to fix the hostname
  being left out of the audit output.

Package pam was updated:

- pam_unix/passverify: (get_account_info) [!HELPER_COMPILE]: Always return
  PAM_UNIX_RUN_HELPER instead of trying to obtain the shadow password file
  entry.
  [passverify-always-run-the-helper-to-obtain-shadow_pwd.patch, bsc#1232234,
  CVE-2024-10041]
- Do not reject the user with a hash assuming it's non-empty.
  [pam_unix-allow-empty-passwords-with-non-empty-hashes.patch]

Package patterns-base was updated:

Package python3-setuptools was updated:

- Add patch CVE-2025-47273.patch to fix A path traversal
  vulnerability.
  (bsc#1243313, CVE-2025-47273, gh#pypa/setuptools@250a6d17978f)

Package rubygem-bundler was updated:

- also includes
  VUL-0: CVE-2020-36327: Bundler chooses a dependency source based
  on the highest gem version number, which means that a rogue gem
  found at a public source may be chosen (bsc#1185842)

- updated to version 2.2.34
  VUL-0: CVE-2021-43809: rubygem-bundler: remote execution via Gemfile argument injection (bsc#1193578)
- removed 7416.patch and CVE-2021-43809.patch which are included
  in suse.patch now
- removed series as it is unused

Package rubygem-rack was updated:

- security update
- added patches
  fix CVE-2025-32441 [bsc#1242899], Rack Session Reuse Vulnerability
  + rubygem-rack-CVE-2025-32441.patch

- security update
- added patches
  fix CVE-2025-46727 [bsc#1242894], Unbounded-Parameter DoS in Rack:QueryParser
  + rubygem-rack-CVE-2025-46727.patch

Package scap-security-guide was updated:

- creation of a new request
- removed tables reference related to almalinux9 builds

- fix a bug in redhat package description for almalinux9 builds

- updates redhat package to include almalinux9 builds

- added build support for almalinux9

- removed ssg-reproducable.patch: upstream

- updated to 0.1.76 (jsc#ECO-3319)
  - Add new product for Ubuntu 24.04 and draft CIS profiles
  - Add pyproject.toml for the ssg package
  - AlmaLinux OS 9 as a new product
  - Documentation for ssg library
  - Extend SSG library to more easily collect profile selections
  - Extend SSG with functions to manage variables

Package 000release-packages:sle-ha-release was updated:

Package 000release-packages:sle-module-basesystem-release was updated:

Package 000release-packages:sle-module-containers-release was updated:

Package 000release-packages:sle-module-desktop-applications-release was updated:

Package 000release-packages:sle-module-development-tools-release was updated:

Package 000release-packages:sle-module-live-patching-release was updated:

Package 000release-packages:sle-module-public-cloud-release was updated:

Package 000release-packages:sle-module-python3-release was updated:

Package 000release-packages:sle-module-sap-applications-release was updated:

Package 000release-packages:sle-module-server-applications-release was updated:

Package 000release-packages:sle-module-web-scripting-release was updated:

Package sysstat was updated:

- Remove cron dependency (bsc#1239297).
- Introduce systemd timers.
- Delete sysstat.cron.suse.

Package timezone was updated:

- Update to 2025b:
  * New zone for Aysén Region in Chile (America/Coyhaique) which
    moves from -04/-03 to -03
- Refresh patches
  * revert-philippines-historical-data.patch
  * tzdata-china.diff

Package zypper was updated:

- Updated translations (bsc#1230267)
- version 1.14.89

- Do not double encode URL strings passed on the commandline
  (bsc#1237587)
  URLs passed on the commandline must have their special chars
  encoded already. We just want to check and encode forgotten
  unsafe chars like a blank. A '%' however must not be encoded
  again.
- version 1.14.88

- Package preloader that concurrently downloads files. It's not yet
  enabled per default. To enable the preview set ZYPP_CURL2=1 and
  ZYPP_PCK_PRELOAD=1 in the environment. (#104)
- BuildRequires:  libzypp-devel &gt;= 17.36.4.
- version 1.14.87

- refresh: add --include-all-archs (fixes #598)
  Future multi-arch repos may allow to download only those metadata
  which refer to packages actually compatible with the systems
  architecture. Some tools however want zypp to provide the full
  metadata of a repository without filtering incompatible
  architectures.
- info,search: add option to search and list Enhances
  (bsc#1237949)
- version 1.14.86

</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
  </DocumentNotes>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://publiccloudimagechangeinfo.suse.com/google/sles-sap-15-sp4-hardened-v20250610-x86-64/</URL>
      <Description>Public Cloud Image Info</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <Branch Type="Product Name" Name="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
        <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="aaa_base-84.87+git20180409.04c9dae-150300.10.28.2">
      <FullProductName ProductID="aaa_base-84.87+git20180409.04c9dae-150300.10.28.2">aaa_base-84.87+git20180409.04c9dae-150300.10.28.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="aaa_base-extras-84.87+git20180409.04c9dae-150300.10.28.2">
      <FullProductName ProductID="aaa_base-extras-84.87+git20180409.04c9dae-150300.10.28.2">aaa_base-extras-84.87+git20180409.04c9dae-150300.10.28.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="apparmor-abstractions-3.0.4-150400.5.18.1">
      <FullProductName ProductID="apparmor-abstractions-3.0.4-150400.5.18.1">apparmor-abstractions-3.0.4-150400.5.18.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="apparmor-parser-3.0.4-150400.5.18.1">
      <FullProductName ProductID="apparmor-parser-3.0.4-150400.5.18.1">apparmor-parser-3.0.4-150400.5.18.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="augeas-1.12.0-150400.3.8.1">
      <FullProductName ProductID="augeas-1.12.0-150400.3.8.1">augeas-1.12.0-150400.3.8.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="augeas-lenses-1.12.0-150400.3.8.1">
      <FullProductName ProductID="augeas-lenses-1.12.0-150400.3.8.1">augeas-lenses-1.12.0-150400.3.8.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="ca-certificates-mozilla-2.74-150200.41.1">
      <FullProductName ProductID="ca-certificates-mozilla-2.74-150200.41.1">ca-certificates-mozilla-2.74-150200.41.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="cifs-utils-6.15-150400.3.12.1">
      <FullProductName ProductID="cifs-utils-6.15-150400.3.12.1">cifs-utils-6.15-150400.3.12.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="cloud-netconfig-gce-1.15-150000.25.26.1">
      <FullProductName ProductID="cloud-netconfig-gce-1.15-150000.25.26.1">cloud-netconfig-gce-1.15-150000.25.26.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="cloud-regionsrv-client-10.4.0-150300.13.24.1">
      <FullProductName ProductID="cloud-regionsrv-client-10.4.0-150300.13.24.1">cloud-regionsrv-client-10.4.0-150300.13.24.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="cloud-regionsrv-client-plugin-gce-1.0.0-150300.13.24.1">
      <FullProductName ProductID="cloud-regionsrv-client-plugin-gce-1.0.0-150300.13.24.1">cloud-regionsrv-client-plugin-gce-1.0.0-150300.13.24.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="cluster-md-kmp-default-5.14.21-150400.24.164.1">
      <FullProductName ProductID="cluster-md-kmp-default-5.14.21-150400.24.164.1">cluster-md-kmp-default-5.14.21-150400.24.164.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="containerd-1.7.27-150000.123.1">
      <FullProductName ProductID="containerd-1.7.27-150000.123.1">containerd-1.7.27-150000.123.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dlm-kmp-default-5.14.21-150400.24.164.1">
      <FullProductName ProductID="dlm-kmp-default-5.14.21-150400.24.164.1">dlm-kmp-default-5.14.21-150400.24.164.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="drbd-9.0.30~1+git.10bee2d5-150400.3.6.1">
      <FullProductName ProductID="drbd-9.0.30~1+git.10bee2d5-150400.3.6.1">drbd-9.0.30~1+git.10bee2d5-150400.3.6.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="drbd-kmp-default-9.0.30~1+git.10bee2d5_k5.14.21_150400.24.161-150400.3.6.1">
      <FullProductName ProductID="drbd-kmp-default-9.0.30~1+git.10bee2d5_k5.14.21_150400.24.161-150400.3.6.1">drbd-kmp-default-9.0.30~1+git.10bee2d5_k5.14.21_150400.24.161-150400.3.6.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="expat-2.7.1-150400.3.28.1">
      <FullProductName ProductID="expat-2.7.1-150400.3.28.1">expat-2.7.1-150400.3.28.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="gfs2-kmp-default-5.14.21-150400.24.164.1">
      <FullProductName ProductID="gfs2-kmp-default-5.14.21-150400.24.164.1">gfs2-kmp-default-5.14.21-150400.24.164.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="glib2-tools-2.70.5-150400.3.20.1">
      <FullProductName ProductID="glib2-tools-2.70.5-150400.3.20.1">glib2-tools-2.70.5-150400.3.20.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="glibc-2.31-150300.95.1">
      <FullProductName ProductID="glibc-2.31-150300.95.1">glibc-2.31-150300.95.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="glibc-32bit-2.31-150300.95.1">
      <FullProductName ProductID="glibc-32bit-2.31-150300.95.1">glibc-32bit-2.31-150300.95.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="glibc-i18ndata-2.31-150300.95.1">
      <FullProductName ProductID="glibc-i18ndata-2.31-150300.95.1">glibc-i18ndata-2.31-150300.95.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="glibc-locale-2.31-150300.95.1">
      <FullProductName ProductID="glibc-locale-2.31-150300.95.1">glibc-locale-2.31-150300.95.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="glibc-locale-base-2.31-150300.95.1">
      <FullProductName ProductID="glibc-locale-base-2.31-150300.95.1">glibc-locale-base-2.31-150300.95.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="google-cloud-sap-agent-3.7-150100.3.47.1">
      <FullProductName ProductID="google-cloud-sap-agent-3.7-150100.3.47.1">google-cloud-sap-agent-3.7-150100.3.47.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="google-guest-agent-20250506.01-150000.1.63.1">
      <FullProductName ProductID="google-guest-agent-20250506.01-150000.1.63.1">google-guest-agent-20250506.01-150000.1.63.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="google-guest-oslogin-20240311.00-150000.1.50.1">
      <FullProductName ProductID="google-guest-oslogin-20240311.00-150000.1.50.1">google-guest-oslogin-20240311.00-150000.1.50.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="grub2-2.06-150400.11.60.1">
      <FullProductName ProductID="grub2-2.06-150400.11.60.1">grub2-2.06-150400.11.60.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="grub2-i386-pc-2.06-150400.11.60.1">
      <FullProductName ProductID="grub2-i386-pc-2.06-150400.11.60.1">grub2-i386-pc-2.06-150400.11.60.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="grub2-x86_64-efi-2.06-150400.11.60.1">
      <FullProductName ProductID="grub2-x86_64-efi-2.06-150400.11.60.1">grub2-x86_64-efi-2.06-150400.11.60.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="hwinfo-21.88-150400.3.18.1">
      <FullProductName ProductID="hwinfo-21.88-150400.3.18.1">hwinfo-21.88-150400.3.18.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="icewm-1.4.2-150000.7.18.1">
      <FullProductName ProductID="icewm-1.4.2-150000.7.18.1">icewm-1.4.2-150000.7.18.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="icewm-lite-1.4.2-150000.7.18.1">
      <FullProductName ProductID="icewm-lite-1.4.2-150000.7.18.1">icewm-lite-1.4.2-150000.7.18.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="iproute2-5.14-150400.3.3.1">
      <FullProductName ProductID="iproute2-5.14-150400.3.3.1">iproute2-5.14-150400.3.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="iputils-20211215-150400.3.19.1">
      <FullProductName ProductID="iputils-20211215-150400.3.19.1">iputils-20211215-150400.3.19.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kbd-2.4.0-150400.5.9.1">
      <FullProductName ProductID="kbd-2.4.0-150400.5.9.1">kbd-2.4.0-150400.5.9.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kbd-legacy-2.4.0-150400.5.9.1">
      <FullProductName ProductID="kbd-legacy-2.4.0-150400.5.9.1">kbd-legacy-2.4.0-150400.5.9.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-default-5.14.21-150400.24.164.1">
      <FullProductName ProductID="kernel-default-5.14.21-150400.24.164.1">kernel-default-5.14.21-150400.24.164.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="ldirectord-4.10.0+git40.0f4de473-150400.3.39.1">
      <FullProductName ProductID="ldirectord-4.10.0+git40.0f4de473-150400.3.39.1">ldirectord-4.10.0+git40.0f4de473-150400.3.39.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libapparmor1-3.0.4-150400.5.18.1">
      <FullProductName ProductID="libapparmor1-3.0.4-150400.5.18.1">libapparmor1-3.0.4-150400.5.18.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libaugeas0-1.12.0-150400.3.8.1">
      <FullProductName ProductID="libaugeas0-1.12.0-150400.3.8.1">libaugeas0-1.12.0-150400.3.8.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libexpat1-2.7.1-150400.3.28.1">
      <FullProductName ProductID="libexpat1-2.7.1-150400.3.28.1">libexpat1-2.7.1-150400.3.28.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libfreetype6-2.10.4-150000.4.22.1">
      <FullProductName ProductID="libfreetype6-2.10.4-150000.4.22.1">libfreetype6-2.10.4-150000.4.22.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libgio-2_0-0-2.70.5-150400.3.20.1">
      <FullProductName ProductID="libgio-2_0-0-2.70.5-150400.3.20.1">libgio-2_0-0-2.70.5-150400.3.20.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libglib-2_0-0-2.70.5-150400.3.20.1">
      <FullProductName ProductID="libglib-2_0-0-2.70.5-150400.3.20.1">libglib-2_0-0-2.70.5-150400.3.20.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libgmodule-2_0-0-2.70.5-150400.3.20.1">
      <FullProductName ProductID="libgmodule-2_0-0-2.70.5-150400.3.20.1">libgmodule-2_0-0-2.70.5-150400.3.20.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libgobject-2_0-0-2.70.5-150400.3.20.1">
      <FullProductName ProductID="libgobject-2_0-0-2.70.5-150400.3.20.1">libgobject-2_0-0-2.70.5-150400.3.20.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libgthread-2_0-0-2.70.5-150400.3.20.1">
      <FullProductName ProductID="libgthread-2_0-0-2.70.5-150400.3.20.1">libgthread-2_0-0-2.70.5-150400.3.20.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libmozjs-60-60.9.0-150200.6.3.1">
      <FullProductName ProductID="libmozjs-60-60.9.0-150200.6.3.1">libmozjs-60-60.9.0-150200.6.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libncurses6-6.1-150000.5.30.1">
      <FullProductName ProductID="libncurses6-6.1-150000.5.30.1">libncurses6-6.1-150000.5.30.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libpacemaker3-2.1.2+20211124.ada5c3b36-150400.4.26.1">
      <FullProductName ProductID="libpacemaker3-2.1.2+20211124.ada5c3b36-150400.4.26.1">libpacemaker3-2.1.2+20211124.ada5c3b36-150400.4.26.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="librdkafka1-0.11.6-150000.1.11.1">
      <FullProductName ProductID="librdkafka1-0.11.6-150000.1.11.1">librdkafka1-0.11.6-150000.1.11.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libruby2_5-2_5-2.5.9-150000.4.41.1">
      <FullProductName ProductID="libruby2_5-2_5-2.5.9-150000.4.41.1">libruby2_5-2_5-2.5.9-150000.4.41.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libsolv-tools-0.7.32-150400.3.35.1">
      <FullProductName ProductID="libsolv-tools-0.7.32-150400.3.35.1">libsolv-tools-0.7.32-150400.3.35.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libsolv-tools-base-0.7.32-150400.3.35.1">
      <FullProductName ProductID="libsolv-tools-base-0.7.32-150400.3.35.1">libsolv-tools-base-0.7.32-150400.3.35.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libsqlite3-0-3.49.1-150000.3.27.1">
      <FullProductName ProductID="libsqlite3-0-3.49.1-150000.3.27.1">libsqlite3-0-3.49.1-150000.3.27.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libxml2-2-2.9.14-150400.5.41.1">
      <FullProductName ProductID="libxml2-2-2.9.14-150400.5.41.1">libxml2-2-2.9.14-150400.5.41.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libxml2-tools-2.9.14-150400.5.41.1">
      <FullProductName ProductID="libxml2-tools-2.9.14-150400.5.41.1">libxml2-tools-2.9.14-150400.5.41.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="libzypp-17.36.7-150400.3.119.1">
      <FullProductName ProductID="libzypp-17.36.7-150400.3.119.1">libzypp-17.36.7-150400.3.119.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="ncurses-utils-6.1-150000.5.30.1">
      <FullProductName ProductID="ncurses-utils-6.1-150000.5.30.1">ncurses-utils-6.1-150000.5.30.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="nscd-2.31-150300.95.1">
      <FullProductName ProductID="nscd-2.31-150300.95.1">nscd-2.31-150300.95.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="ocfs2-kmp-default-5.14.21-150400.24.164.1">
      <FullProductName ProductID="ocfs2-kmp-default-5.14.21-150400.24.164.1">ocfs2-kmp-default-5.14.21-150400.24.164.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="openssh-8.4p1-150300.3.49.1">
      <FullProductName ProductID="openssh-8.4p1-150300.3.49.1">openssh-8.4p1-150300.3.49.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="openssh-clients-8.4p1-150300.3.49.1">
      <FullProductName ProductID="openssh-clients-8.4p1-150300.3.49.1">openssh-clients-8.4p1-150300.3.49.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="openssh-common-8.4p1-150300.3.49.1">
      <FullProductName ProductID="openssh-common-8.4p1-150300.3.49.1">openssh-common-8.4p1-150300.3.49.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="openssh-server-8.4p1-150300.3.49.1">
      <FullProductName ProductID="openssh-server-8.4p1-150300.3.49.1">openssh-server-8.4p1-150300.3.49.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="pacemaker-2.1.2+20211124.ada5c3b36-150400.4.26.1">
      <FullProductName ProductID="pacemaker-2.1.2+20211124.ada5c3b36-150400.4.26.1">pacemaker-2.1.2+20211124.ada5c3b36-150400.4.26.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="pacemaker-cli-2.1.2+20211124.ada5c3b36-150400.4.26.1">
      <FullProductName ProductID="pacemaker-cli-2.1.2+20211124.ada5c3b36-150400.4.26.1">pacemaker-cli-2.1.2+20211124.ada5c3b36-150400.4.26.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="pam-1.3.0-150000.6.76.1">
      <FullProductName ProductID="pam-1.3.0-150000.6.76.1">pam-1.3.0-150000.6.76.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="patterns-base-base-20200124-150400.20.13.1">
      <FullProductName ProductID="patterns-base-base-20200124-150400.20.13.1">patterns-base-base-20200124-150400.20.13.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="patterns-base-basesystem-20200124-150400.20.13.1">
      <FullProductName ProductID="patterns-base-basesystem-20200124-150400.20.13.1">patterns-base-basesystem-20200124-150400.20.13.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="patterns-base-minimal_base-20200124-150400.20.13.1">
      <FullProductName ProductID="patterns-base-minimal_base-20200124-150400.20.13.1">patterns-base-minimal_base-20200124-150400.20.13.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python3-setuptools-44.1.1-150400.9.12.1">
      <FullProductName ProductID="python3-setuptools-44.1.1-150400.9.12.1">python3-setuptools-44.1.1-150400.9.12.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python3-solv-0.7.32-150400.3.35.1">
      <FullProductName ProductID="python3-solv-0.7.32-150400.3.35.1">python3-solv-0.7.32-150400.3.35.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="resource-agents-4.10.0+git40.0f4de473-150400.3.39.1">
      <FullProductName ProductID="resource-agents-4.10.0+git40.0f4de473-150400.3.39.1">resource-agents-4.10.0+git40.0f4de473-150400.3.39.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="ruby-solv-0.7.32-150400.3.35.1">
      <FullProductName ProductID="ruby-solv-0.7.32-150400.3.35.1">ruby-solv-0.7.32-150400.3.35.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="ruby2.5-2.5.9-150000.4.41.1">
      <FullProductName ProductID="ruby2.5-2.5.9-150000.4.41.1">ruby2.5-2.5.9-150000.4.41.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1">
      <FullProductName ProductID="ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1">ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="ruby2.5-rubygem-rack-2.0.8-150000.3.31.1">
      <FullProductName ProductID="ruby2.5-rubygem-rack-2.0.8-150000.3.31.1">ruby2.5-rubygem-rack-2.0.8-150000.3.31.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="ruby2.5-stdlib-2.5.9-150000.4.41.1">
      <FullProductName ProductID="ruby2.5-stdlib-2.5.9-150000.4.41.1">ruby2.5-stdlib-2.5.9-150000.4.41.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="scap-security-guide-0.1.76-150000.1.92.1">
      <FullProductName ProductID="scap-security-guide-0.1.76-150000.1.92.1">scap-security-guide-0.1.76-150000.1.92.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="sqlite3-3.49.1-150000.3.27.1">
      <FullProductName ProductID="sqlite3-3.49.1-150000.3.27.1">sqlite3-3.49.1-150000.3.27.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="sqlite3-tcl-3.49.1-150000.3.27.1">
      <FullProductName ProductID="sqlite3-tcl-3.49.1-150000.3.27.1">sqlite3-tcl-3.49.1-150000.3.27.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="sysstat-12.0.2-150000.3.40.1">
      <FullProductName ProductID="sysstat-12.0.2-150000.3.40.1">sysstat-12.0.2-150000.3.40.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="terminfo-6.1-150000.5.30.1">
      <FullProductName ProductID="terminfo-6.1-150000.5.30.1">terminfo-6.1-150000.5.30.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="terminfo-base-6.1-150000.5.30.1">
      <FullProductName ProductID="terminfo-base-6.1-150000.5.30.1">terminfo-base-6.1-150000.5.30.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="timezone-2025b-150000.75.34.2">
      <FullProductName ProductID="timezone-2025b-150000.75.34.2">timezone-2025b-150000.75.34.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="zypper-1.14.89-150400.3.82.1">
      <FullProductName ProductID="zypper-1.14.89-150400.3.82.1">zypper-1.14.89-150400.3.82.1</FullProductName>
    </Branch>
    <Relationship ProductReference="aaa_base-84.87+git20180409.04c9dae-150300.10.28.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:aaa_base-84.87+git20180409.04c9dae-150300.10.28.2">aaa_base-84.87+git20180409.04c9dae-150300.10.28.2 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="aaa_base-extras-84.87+git20180409.04c9dae-150300.10.28.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:aaa_base-extras-84.87+git20180409.04c9dae-150300.10.28.2">aaa_base-extras-84.87+git20180409.04c9dae-150300.10.28.2 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="apparmor-abstractions-3.0.4-150400.5.18.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:apparmor-abstractions-3.0.4-150400.5.18.1">apparmor-abstractions-3.0.4-150400.5.18.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="apparmor-parser-3.0.4-150400.5.18.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:apparmor-parser-3.0.4-150400.5.18.1">apparmor-parser-3.0.4-150400.5.18.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="augeas-1.12.0-150400.3.8.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:augeas-1.12.0-150400.3.8.1">augeas-1.12.0-150400.3.8.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="augeas-lenses-1.12.0-150400.3.8.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:augeas-lenses-1.12.0-150400.3.8.1">augeas-lenses-1.12.0-150400.3.8.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="ca-certificates-mozilla-2.74-150200.41.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:ca-certificates-mozilla-2.74-150200.41.1">ca-certificates-mozilla-2.74-150200.41.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="cifs-utils-6.15-150400.3.12.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:cifs-utils-6.15-150400.3.12.1">cifs-utils-6.15-150400.3.12.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="cloud-netconfig-gce-1.15-150000.25.26.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:cloud-netconfig-gce-1.15-150000.25.26.1">cloud-netconfig-gce-1.15-150000.25.26.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="cloud-regionsrv-client-10.4.0-150300.13.24.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:cloud-regionsrv-client-10.4.0-150300.13.24.1">cloud-regionsrv-client-10.4.0-150300.13.24.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="cloud-regionsrv-client-plugin-gce-1.0.0-150300.13.24.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:cloud-regionsrv-client-plugin-gce-1.0.0-150300.13.24.1">cloud-regionsrv-client-plugin-gce-1.0.0-150300.13.24.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="cluster-md-kmp-default-5.14.21-150400.24.164.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:cluster-md-kmp-default-5.14.21-150400.24.164.1">cluster-md-kmp-default-5.14.21-150400.24.164.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="containerd-1.7.27-150000.123.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:containerd-1.7.27-150000.123.1">containerd-1.7.27-150000.123.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="dlm-kmp-default-5.14.21-150400.24.164.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:dlm-kmp-default-5.14.21-150400.24.164.1">dlm-kmp-default-5.14.21-150400.24.164.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="drbd-9.0.30~1+git.10bee2d5-150400.3.6.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:drbd-9.0.30~1+git.10bee2d5-150400.3.6.1">drbd-9.0.30~1+git.10bee2d5-150400.3.6.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="drbd-kmp-default-9.0.30~1+git.10bee2d5_k5.14.21_150400.24.161-150400.3.6.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:drbd-kmp-default-9.0.30~1+git.10bee2d5_k5.14.21_150400.24.161-150400.3.6.1">drbd-kmp-default-9.0.30~1+git.10bee2d5_k5.14.21_150400.24.161-150400.3.6.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="expat-2.7.1-150400.3.28.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:expat-2.7.1-150400.3.28.1">expat-2.7.1-150400.3.28.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="gfs2-kmp-default-5.14.21-150400.24.164.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:gfs2-kmp-default-5.14.21-150400.24.164.1">gfs2-kmp-default-5.14.21-150400.24.164.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="glib2-tools-2.70.5-150400.3.20.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:glib2-tools-2.70.5-150400.3.20.1">glib2-tools-2.70.5-150400.3.20.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="glibc-2.31-150300.95.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:glibc-2.31-150300.95.1">glibc-2.31-150300.95.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="glibc-32bit-2.31-150300.95.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:glibc-32bit-2.31-150300.95.1">glibc-32bit-2.31-150300.95.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="glibc-i18ndata-2.31-150300.95.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:glibc-i18ndata-2.31-150300.95.1">glibc-i18ndata-2.31-150300.95.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="glibc-locale-2.31-150300.95.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:glibc-locale-2.31-150300.95.1">glibc-locale-2.31-150300.95.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="glibc-locale-base-2.31-150300.95.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:glibc-locale-base-2.31-150300.95.1">glibc-locale-base-2.31-150300.95.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="google-cloud-sap-agent-3.7-150100.3.47.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:google-cloud-sap-agent-3.7-150100.3.47.1">google-cloud-sap-agent-3.7-150100.3.47.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="google-guest-agent-20250506.01-150000.1.63.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:google-guest-agent-20250506.01-150000.1.63.1">google-guest-agent-20250506.01-150000.1.63.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="google-guest-oslogin-20240311.00-150000.1.50.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:google-guest-oslogin-20240311.00-150000.1.50.1">google-guest-oslogin-20240311.00-150000.1.50.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="grub2-2.06-150400.11.60.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:grub2-2.06-150400.11.60.1">grub2-2.06-150400.11.60.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="grub2-i386-pc-2.06-150400.11.60.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:grub2-i386-pc-2.06-150400.11.60.1">grub2-i386-pc-2.06-150400.11.60.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="grub2-x86_64-efi-2.06-150400.11.60.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:grub2-x86_64-efi-2.06-150400.11.60.1">grub2-x86_64-efi-2.06-150400.11.60.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="hwinfo-21.88-150400.3.18.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:hwinfo-21.88-150400.3.18.1">hwinfo-21.88-150400.3.18.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="icewm-1.4.2-150000.7.18.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:icewm-1.4.2-150000.7.18.1">icewm-1.4.2-150000.7.18.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="icewm-lite-1.4.2-150000.7.18.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:icewm-lite-1.4.2-150000.7.18.1">icewm-lite-1.4.2-150000.7.18.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="iproute2-5.14-150400.3.3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:iproute2-5.14-150400.3.3.1">iproute2-5.14-150400.3.3.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="iputils-20211215-150400.3.19.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:iputils-20211215-150400.3.19.1">iputils-20211215-150400.3.19.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="kbd-2.4.0-150400.5.9.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:kbd-2.4.0-150400.5.9.1">kbd-2.4.0-150400.5.9.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="kbd-legacy-2.4.0-150400.5.9.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:kbd-legacy-2.4.0-150400.5.9.1">kbd-legacy-2.4.0-150400.5.9.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-default-5.14.21-150400.24.164.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:kernel-default-5.14.21-150400.24.164.1">kernel-default-5.14.21-150400.24.164.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="ldirectord-4.10.0+git40.0f4de473-150400.3.39.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:ldirectord-4.10.0+git40.0f4de473-150400.3.39.1">ldirectord-4.10.0+git40.0f4de473-150400.3.39.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libapparmor1-3.0.4-150400.5.18.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:libapparmor1-3.0.4-150400.5.18.1">libapparmor1-3.0.4-150400.5.18.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libaugeas0-1.12.0-150400.3.8.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:libaugeas0-1.12.0-150400.3.8.1">libaugeas0-1.12.0-150400.3.8.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libexpat1-2.7.1-150400.3.28.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:libexpat1-2.7.1-150400.3.28.1">libexpat1-2.7.1-150400.3.28.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libfreetype6-2.10.4-150000.4.22.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:libfreetype6-2.10.4-150000.4.22.1">libfreetype6-2.10.4-150000.4.22.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libgio-2_0-0-2.70.5-150400.3.20.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:libgio-2_0-0-2.70.5-150400.3.20.1">libgio-2_0-0-2.70.5-150400.3.20.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libglib-2_0-0-2.70.5-150400.3.20.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:libglib-2_0-0-2.70.5-150400.3.20.1">libglib-2_0-0-2.70.5-150400.3.20.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libgmodule-2_0-0-2.70.5-150400.3.20.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:libgmodule-2_0-0-2.70.5-150400.3.20.1">libgmodule-2_0-0-2.70.5-150400.3.20.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libgobject-2_0-0-2.70.5-150400.3.20.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:libgobject-2_0-0-2.70.5-150400.3.20.1">libgobject-2_0-0-2.70.5-150400.3.20.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libgthread-2_0-0-2.70.5-150400.3.20.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:libgthread-2_0-0-2.70.5-150400.3.20.1">libgthread-2_0-0-2.70.5-150400.3.20.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libmozjs-60-60.9.0-150200.6.3.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:libmozjs-60-60.9.0-150200.6.3.1">libmozjs-60-60.9.0-150200.6.3.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libncurses6-6.1-150000.5.30.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:libncurses6-6.1-150000.5.30.1">libncurses6-6.1-150000.5.30.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libpacemaker3-2.1.2+20211124.ada5c3b36-150400.4.26.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:libpacemaker3-2.1.2+20211124.ada5c3b36-150400.4.26.1">libpacemaker3-2.1.2+20211124.ada5c3b36-150400.4.26.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="librdkafka1-0.11.6-150000.1.11.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:librdkafka1-0.11.6-150000.1.11.1">librdkafka1-0.11.6-150000.1.11.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libruby2_5-2_5-2.5.9-150000.4.41.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:libruby2_5-2_5-2.5.9-150000.4.41.1">libruby2_5-2_5-2.5.9-150000.4.41.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libsolv-tools-0.7.32-150400.3.35.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:libsolv-tools-0.7.32-150400.3.35.1">libsolv-tools-0.7.32-150400.3.35.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libsolv-tools-base-0.7.32-150400.3.35.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:libsolv-tools-base-0.7.32-150400.3.35.1">libsolv-tools-base-0.7.32-150400.3.35.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libsqlite3-0-3.49.1-150000.3.27.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:libsqlite3-0-3.49.1-150000.3.27.1">libsqlite3-0-3.49.1-150000.3.27.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libxml2-2-2.9.14-150400.5.41.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:libxml2-2-2.9.14-150400.5.41.1">libxml2-2-2.9.14-150400.5.41.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libxml2-tools-2.9.14-150400.5.41.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:libxml2-tools-2.9.14-150400.5.41.1">libxml2-tools-2.9.14-150400.5.41.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="libzypp-17.36.7-150400.3.119.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:libzypp-17.36.7-150400.3.119.1">libzypp-17.36.7-150400.3.119.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="ncurses-utils-6.1-150000.5.30.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:ncurses-utils-6.1-150000.5.30.1">ncurses-utils-6.1-150000.5.30.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="nscd-2.31-150300.95.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:nscd-2.31-150300.95.1">nscd-2.31-150300.95.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="ocfs2-kmp-default-5.14.21-150400.24.164.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:ocfs2-kmp-default-5.14.21-150400.24.164.1">ocfs2-kmp-default-5.14.21-150400.24.164.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="openssh-8.4p1-150300.3.49.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:openssh-8.4p1-150300.3.49.1">openssh-8.4p1-150300.3.49.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="openssh-clients-8.4p1-150300.3.49.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:openssh-clients-8.4p1-150300.3.49.1">openssh-clients-8.4p1-150300.3.49.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="openssh-common-8.4p1-150300.3.49.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:openssh-common-8.4p1-150300.3.49.1">openssh-common-8.4p1-150300.3.49.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="openssh-server-8.4p1-150300.3.49.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:openssh-server-8.4p1-150300.3.49.1">openssh-server-8.4p1-150300.3.49.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="pacemaker-2.1.2+20211124.ada5c3b36-150400.4.26.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:pacemaker-2.1.2+20211124.ada5c3b36-150400.4.26.1">pacemaker-2.1.2+20211124.ada5c3b36-150400.4.26.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="pacemaker-cli-2.1.2+20211124.ada5c3b36-150400.4.26.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:pacemaker-cli-2.1.2+20211124.ada5c3b36-150400.4.26.1">pacemaker-cli-2.1.2+20211124.ada5c3b36-150400.4.26.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="pam-1.3.0-150000.6.76.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:pam-1.3.0-150000.6.76.1">pam-1.3.0-150000.6.76.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="patterns-base-base-20200124-150400.20.13.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:patterns-base-base-20200124-150400.20.13.1">patterns-base-base-20200124-150400.20.13.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="patterns-base-basesystem-20200124-150400.20.13.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:patterns-base-basesystem-20200124-150400.20.13.1">patterns-base-basesystem-20200124-150400.20.13.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="patterns-base-minimal_base-20200124-150400.20.13.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:patterns-base-minimal_base-20200124-150400.20.13.1">patterns-base-minimal_base-20200124-150400.20.13.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python3-setuptools-44.1.1-150400.9.12.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:python3-setuptools-44.1.1-150400.9.12.1">python3-setuptools-44.1.1-150400.9.12.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="python3-solv-0.7.32-150400.3.35.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:python3-solv-0.7.32-150400.3.35.1">python3-solv-0.7.32-150400.3.35.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="resource-agents-4.10.0+git40.0f4de473-150400.3.39.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:resource-agents-4.10.0+git40.0f4de473-150400.3.39.1">resource-agents-4.10.0+git40.0f4de473-150400.3.39.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="ruby-solv-0.7.32-150400.3.35.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:ruby-solv-0.7.32-150400.3.35.1">ruby-solv-0.7.32-150400.3.35.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="ruby2.5-2.5.9-150000.4.41.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:ruby2.5-2.5.9-150000.4.41.1">ruby2.5-2.5.9-150000.4.41.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1">ruby2.5-rubygem-bundler-2.2.34-150000.3.11.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="ruby2.5-rubygem-rack-2.0.8-150000.3.31.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:ruby2.5-rubygem-rack-2.0.8-150000.3.31.1">ruby2.5-rubygem-rack-2.0.8-150000.3.31.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="ruby2.5-stdlib-2.5.9-150000.4.41.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:ruby2.5-stdlib-2.5.9-150000.4.41.1">ruby2.5-stdlib-2.5.9-150000.4.41.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="scap-security-guide-0.1.76-150000.1.92.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:scap-security-guide-0.1.76-150000.1.92.1">scap-security-guide-0.1.76-150000.1.92.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="sqlite3-3.49.1-150000.3.27.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:sqlite3-3.49.1-150000.3.27.1">sqlite3-3.49.1-150000.3.27.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="sqlite3-tcl-3.49.1-150000.3.27.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:sqlite3-tcl-3.49.1-150000.3.27.1">sqlite3-tcl-3.49.1-150000.3.27.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="sysstat-12.0.2-150000.3.40.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:sysstat-12.0.2-150000.3.40.1">sysstat-12.0.2-150000.3.40.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="terminfo-6.1-150000.5.30.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:terminfo-6.1-150000.5.30.1">terminfo-6.1-150000.5.30.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="terminfo-base-6.1-150000.5.30.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:terminfo-base-6.1-150000.5.30.1">terminfo-base-6.1-150000.5.30.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="timezone-2025b-150000.75.34.2" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:timezone-2025b-150000.75.34.2">timezone-2025b-150000.75.34.2 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
    <Relationship ProductReference="zypper-1.14.89-150400.3.82.1" RelationType="Default Component Of" RelatesToProductReference="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64">
      <FullProductName ProductID="Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64:zypper-1.14.89-150400.3.82.1">zypper-1.14.89-150400.3.82.1 as a component of Public Cloud Image google/sles-sap-15-sp4-hardened-v20250610-x86-64</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.</Note>
    </Notes>
    <CVE>CVE-2020-36327</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>9.3</BaseScore>
        <Vector>AV:N/AC:M/Au:N/C:C/I:C/A:C</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">`Bundler` is a package for managing application dependencies in Ruby. In `bundler` versions before 2.2.33, when working with untrusted and apparently harmless `Gemfile`'s, it is not expected that they lead to execution of external code, unless that's explicit in the ruby code inside the `Gemfile` itself. However, if the `Gemfile` includes `gem` entries that use the `git` option with invalid, but seemingly harmless, values with a leading dash, this can be false. To handle dependencies that come from a Git repository instead of a registry, Bundler uses various commands, such as `git clone`. These commands are being constructed using user input (e.g. the repository URL). When building the commands, Bundler versions before 2.2.33 correctly avoid Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. Since this value comes from the `Gemfile` file, it can contain any character, including a leading dash.

To exploit this vulnerability, an attacker has to craft a directory containing a `Gemfile` file that declares a dependency that is located in a Git repository. This dependency has to have a Git URL in the form of `-u./payload`. This URL will be used to construct a Git clone command but will be interpreted as the upload-pack argument. Then this directory needs to be shared with the victim, who then needs to run a command that evaluates the Gemfile, such as `bundle lock`, inside.

This vulnerability can lead to Arbitrary Code Execution, which could potentially lead to the takeover of the system. However, the exploitability is very low, because it requires a lot of user interaction. Bundler 2.2.33 has patched this problem by inserting `--` as an argument before any positional arguments to those Git commands that were affected by this issue. Regardless of whether users can upgrade or not, they should review any untrusted `Gemfile`'s before running any `bundler` commands that may read them, since they can contain arbitrary ruby code.</Note>
    </Notes>
    <CVE>CVE-2021-43809</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>9.3</BaseScore>
        <Vector>AV:N/AC:M/Au:N/C:C/I:C/A:C</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

can: etas_es58x: es58x_rx_err_msg(): fix memory leak in error path

In es58x_rx_err_msg(), if can-&gt;do_set_mode() fails, the function
directly returns without calling netif_rx(skb). This means that the
skb previously allocated by alloc_can_err_skb() is not freed. In other
terms, this is a memory leak.

This patch simply removes the return statement in the error branch and
lets the function continue.

Issue was found with GCC -fanalyzer, please follow the link below for
details.</Note>
    </Notes>
    <CVE>CVE-2021-47671</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.</Note>
    </Notes>
    <CVE>CVE-2022-25235</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>7.5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:P/I:P/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.</Note>
    </Notes>
    <CVE>CVE-2022-25236</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>7.5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:P/I:P/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.</Note>
    </Notes>
    <CVE>CVE-2022-25313</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>4.3</BaseScore>
        <Vector>AV:N/AC:M/Au:N/C:N/I:N/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.</Note>
    </Notes>
    <CVE>CVE-2022-25314</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:N/I:N/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.</Note>
    </Notes>
    <CVE>CVE-2022-25315</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>7.5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:P/I:P/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.</Note>
    </Notes>
    <CVE>CVE-2022-40674</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In libexpat through 2.4.9, there is a use-after-free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.</Note>
    </Notes>
    <CVE>CVE-2022-43680</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

fbdev: smscufx: fix error handling code in ufx_usb_probe

The current error handling code in ufx_usb_probe has many unmatching
issues, e.g., missing ufx_free_usb_list, destroy_modedb label should
only include framebuffer_release, fb_dealloc_cmap only matches
fb_alloc_cmap.

My local syzkaller reports a memory leak bug:

memory leak in ufx_usb_probe

BUG: memory leak
unreferenced object 0xffff88802f879580 (size 128):
  comm "kworker/0:7", pid 17416, jiffies 4295067474 (age 46.710s)
  hex dump (first 32 bytes):
    80 21 7c 2e 80 88 ff ff 18 d0 d0 0c 80 88 ff ff  .!|.............
    00 d0 d0 0c 80 88 ff ff e0 ff ff ff 0f 00 00 00  ................
  backtrace:
    [&lt;ffffffff814c99a0&gt;] kmalloc_trace+0x20/0x90 mm/slab_common.c:1045
    [&lt;ffffffff824d219c&gt;] kmalloc include/linux/slab.h:553 [inline]
    [&lt;ffffffff824d219c&gt;] kzalloc include/linux/slab.h:689 [inline]
    [&lt;ffffffff824d219c&gt;] ufx_alloc_urb_list drivers/video/fbdev/smscufx.c:1873 [inline]
    [&lt;ffffffff824d219c&gt;] ufx_usb_probe+0x11c/0x15a0 drivers/video/fbdev/smscufx.c:1655
    [&lt;ffffffff82d17927&gt;] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
    [&lt;ffffffff82712f0d&gt;] call_driver_probe drivers/base/dd.c:560 [inline]
    [&lt;ffffffff82712f0d&gt;] really_probe+0x12d/0x390 drivers/base/dd.c:639
    [&lt;ffffffff8271322f&gt;] __driver_probe_device+0xbf/0x140 drivers/base/dd.c:778
    [&lt;ffffffff827132da&gt;] driver_probe_device+0x2a/0x120 drivers/base/dd.c:808
    [&lt;ffffffff82713c27&gt;] __device_attach_driver+0xf7/0x150 drivers/base/dd.c:936
    [&lt;ffffffff82710137&gt;] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427
    [&lt;ffffffff827136b5&gt;] __device_attach+0x105/0x2d0 drivers/base/dd.c:1008
    [&lt;ffffffff82711d36&gt;] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487
    [&lt;ffffffff8270e242&gt;] device_add+0x642/0xdc0 drivers/base/core.c:3517
    [&lt;ffffffff82d14d5f&gt;] usb_set_configuration+0x8ef/0xb80 drivers/usb/core/message.c:2170
    [&lt;ffffffff82d2576c&gt;] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238
    [&lt;ffffffff82d16ffc&gt;] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293
    [&lt;ffffffff82712f0d&gt;] call_driver_probe drivers/base/dd.c:560 [inline]
    [&lt;ffffffff82712f0d&gt;] really_probe+0x12d/0x390 drivers/base/dd.c:639
    [&lt;ffffffff8271322f&gt;] __driver_probe_device+0xbf/0x140 drivers/base/dd.c:778

Fix this bug by rewriting the error handling code in ufx_usb_probe.</Note>
    </Notes>
    <CVE>CVE-2022-49741</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.</Note>
    </Notes>
    <CVE>CVE-2023-52425</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.</Note>
    </Notes>
    <CVE>CVE-2024-10041</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).</Note>
    </Notes>
    <CVE>CVE-2024-28757</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.0.4. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.</Note>
    </Notes>
    <CVE>CVE-2024-40635</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.</Note>
    </Notes>
    <CVE>CVE-2024-45490</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).</Note>
    </Notes>
    <CVE>CVE-2024-45491</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).</Note>
    </Notes>
    <CVE>CVE-2024-45492</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup

Currently napi_disable() gets called during rxq and txq cleanup,
even before napi is enabled and hrtimer is initialized. It causes
kernel panic.

? page_fault_oops+0x136/0x2b0
  ? page_counter_cancel+0x2e/0x80
  ? do_user_addr_fault+0x2f2/0x640
  ? refill_obj_stock+0xc4/0x110
  ? exc_page_fault+0x71/0x160
  ? asm_exc_page_fault+0x27/0x30
  ? __mmdrop+0x10/0x180
  ? __mmdrop+0xec/0x180
  ? hrtimer_active+0xd/0x50
  hrtimer_try_to_cancel+0x2c/0xf0
  hrtimer_cancel+0x15/0x30
  napi_disable+0x65/0x90
  mana_destroy_rxq+0x4c/0x2f0
  mana_create_rxq.isra.0+0x56c/0x6d0
  ? mana_uncfg_vport+0x50/0x50
  mana_alloc_queues+0x21b/0x320
  ? skb_dequeue+0x5f/0x80</Note>
    </Notes>
    <CVE>CVE-2024-46784</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's position is "Webrick should not be used in production."</Note>
    </Notes>
    <CVE>CVE-2024-47220</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser.</Note>
    </Notes>
    <CVE>CVE-2024-50602</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">oc_huff_tree_unpack in huffdec.c in libtheora in Theora through 1.0 7180717 has an invalid negative left shift. NOTE: this is disputed by third parties because there is no evidence of a security impact, e.g., an application would not crash.</Note>
    </Notes>
    <CVE>CVE-2024-56431</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.</Note>
    </Notes>
    <CVE>CVE-2024-8176</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

padata: avoid UAF for reorder_work

Although the previous patch can avoid ps and ps UAF for _do_serial, it
can not avoid potential UAF issue for reorder_work. This issue can
happen just as below:

crypto_request			crypto_request		crypto_del_alg
padata_do_serial
  ...
  padata_reorder
    // processes all remaining
    // requests then breaks
    while (1) {
      if (!padata)
        break;
      ...
    }

				padata_do_serial
				  // new request added
				  list_add
    // sees the new request
    queue_work(reorder_work)
				  padata_reorder
				    queue_work_on(squeue-&gt;work)
...

				&lt;kworker context&gt;
				padata_serial_worker
				// completes new request,
				// no more outstanding
				// requests

							crypto_del_alg
							  // free pd

&lt;kworker context&gt;
invoke_padata_reorder
  // UAF of pd

To avoid UAF for 'reorder_work', get 'pd' ref before put 'reorder_work'
into the 'serial_wq' and put 'pd' ref until the 'serial_wq' finish.</Note>
    </Notes>
    <CVE>CVE-2025-21726</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array

The loop that detects/populates cache information already has a bounds
check on the array size but does not account for cache levels with
separate data/instructions cache. Fix this by incrementing the index
for any populated leaf (instead of any populated level).</Note>
    </Notes>
    <CVE>CVE-2025-21785</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

vrf: use RCU protection in l3mdev_l3_out()

l3mdev_l3_out() can be called without RCU being held:

raw_sendmsg()
 ip_push_pending_frames()
  ip_send_skb()
   ip_local_out()
    __ip_local_out()
     l3mdev_ip_out()

Add rcu_read_lock() / rcu_read_unlock() pair to avoid
a potential UAF.</Note>
    </Notes>
    <CVE>CVE-2025-21791</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ax25: rcu protect dev-&gt;ax25_ptr

syzbot found a lockdep issue [1].

We should remove ax25 RTNL dependency in ax25_setsockopt()

This should also fix a variety of possible UAF in ax25.

[1]

WARNING: possible circular locking dependency detected
6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0 Not tainted
------------------------------------------------------
syz.5.1818/12806 is trying to acquire lock:
 ffffffff8fcb3988 (rtnl_mutex){+.+.}-{4:4}, at: ax25_setsockopt+0xa55/0xe90 net/ax25/af_ax25.c:680

but task is already holding lock:
 ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1618 [inline]
 ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: ax25_setsockopt+0x209/0xe90 net/ax25/af_ax25.c:574

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-&gt; #1 (sk_lock-AF_AX25){+.+.}-{0:0}:
        lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
        lock_sock_nested+0x48/0x100 net/core/sock.c:3642
        lock_sock include/net/sock.h:1618 [inline]
        ax25_kill_by_device net/ax25/af_ax25.c:101 [inline]
        ax25_device_event+0x24d/0x580 net/ax25/af_ax25.c:146
        notifier_call_chain+0x1a5/0x3f0 kernel/notifier.c:85
       __dev_notify_flags+0x207/0x400
        dev_change_flags+0xf0/0x1a0 net/core/dev.c:9026
        dev_ifsioc+0x7c8/0xe70 net/core/dev_ioctl.c:563
        dev_ioctl+0x719/0x1340 net/core/dev_ioctl.c:820
        sock_do_ioctl+0x240/0x460 net/socket.c:1234
        sock_ioctl+0x626/0x8e0 net/socket.c:1339
        vfs_ioctl fs/ioctl.c:51 [inline]
        __do_sys_ioctl fs/ioctl.c:906 [inline]
        __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
        do_syscall_x64 arch/x86/entry/common.c:52 [inline]
        do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-&gt; #0 (rtnl_mutex){+.+.}-{4:4}:
        check_prev_add kernel/locking/lockdep.c:3161 [inline]
        check_prevs_add kernel/locking/lockdep.c:3280 [inline]
        validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
        __lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226
        lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
        __mutex_lock_common kernel/locking/mutex.c:585 [inline]
        __mutex_lock+0x1ac/0xee0 kernel/locking/mutex.c:735
        ax25_setsockopt+0xa55/0xe90 net/ax25/af_ax25.c:680
        do_sock_setsockopt+0x3af/0x720 net/socket.c:2324
        __sys_setsockopt net/socket.c:2349 [inline]
        __do_sys_setsockopt net/socket.c:2355 [inline]
        __se_sys_setsockopt net/socket.c:2352 [inline]
        __x64_sys_setsockopt+0x1ee/0x280 net/socket.c:2352
        do_syscall_x64 arch/x86/entry/common.c:52 [inline]
        do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(sk_lock-AF_AX25);
                               lock(rtnl_mutex);
                               lock(sk_lock-AF_AX25);
  lock(rtnl_mutex);

 *** DEADLOCK ***

1 lock held by syz.5.1818/12806:
  #0: ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1618 [inline]
  #0: ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: ax25_setsockopt+0x209/0xe90 net/ax25/af_ax25.c:574

stack backtrace:
CPU: 1 UID: 0 PID: 12806 Comm: syz.5.1818 Not tainted 6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 &lt;TASK&gt;
  __dump_stack lib/dump_stack.c:94 [inline]
  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
  print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2074
  check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2206
  check_prev_add kernel/locking/lockdep.c:3161 [inline]
  check_prevs_add kernel/lockin
---truncated---</Note>
    </Notes>
    <CVE>CVE-2025-21812</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx5: Fix implicit ODP hang on parent deregistration

Fix the destroy_unused_implicit_child_mr() to prevent hanging during
parent deregistration as of below [1].

Upon entering destroy_unused_implicit_child_mr(), the reference count
for the implicit MR parent is incremented using:
refcount_inc_not_zero().

A corresponding decrement must be performed if
free_implicit_child_mr_work() is not called.

The code has been updated to properly manage the reference count that
was incremented.

[1]
INFO: task python3:2157 blocked for more than 120 seconds.
Not tainted 6.12.0-rc7+ #1633
"echo 0 &gt; /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:python3         state:D stack:0     pid:2157 tgid:2157  ppid:1685   flags:0x00000000
Call Trace:
&lt;TASK&gt;
__schedule+0x420/0xd30
schedule+0x47/0x130
__mlx5_ib_dereg_mr+0x379/0x5d0 [mlx5_ib]
? __pfx_autoremove_wake_function+0x10/0x10
ib_dereg_mr_user+0x5f/0x120 [ib_core]
? lock_release+0xc6/0x280
destroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs]
uverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs]
uobj_destroy+0x3f/0x70 [ib_uverbs]
ib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs]
? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs]
? lock_acquire+0xc1/0x2f0
? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]
? ib_uverbs_ioctl+0x116/0x170 [ib_uverbs]
? lock_release+0xc6/0x280
ib_uverbs_ioctl+0xe7/0x170 [ib_uverbs]
? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]
 __x64_sys_ioctl+0x1b0/0xa70
? kmem_cache_free+0x221/0x400
do_syscall_64+0x6b/0x140
entry_SYSCALL_64_after_hwframe+0x76/0x7e
&lt;/TASK&gt;</Note>
    </Notes>
    <CVE>CVE-2025-21886</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: atm: fix use after free in lec_send()

The -&gt;send() operation frees skb so save the length before calling
-&gt;send() to avoid a use after free.</Note>
    </Notes>
    <CVE>CVE-2025-22004</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove

This fixes the following crash:

==================================================================
BUG: KASAN: slab-use-after-free in rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]
Read of size 8 at addr ffff888136335380 by task kworker/6:0/140241

CPU: 6 UID: 0 PID: 140241 Comm: kworker/6:0 Kdump: loaded Tainted: G            E      6.14.0-rc6+ #1
Tainted: [E]=UNSIGNED_MODULE
Hardware name: LENOVO 30FNA1V7CW/1057, BIOS S0EKT54A 07/01/2024
Workqueue: events rtsx_usb_ms_poll_card [rtsx_usb_ms]
Call Trace:
 &lt;TASK&gt;
 dump_stack_lvl+0x51/0x70
 print_address_description.constprop.0+0x27/0x320
 ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]
 print_report+0x3e/0x70
 kasan_report+0xab/0xe0
 ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]
 rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]
 ? __pfx_rtsx_usb_ms_poll_card+0x10/0x10 [rtsx_usb_ms]
 ? __pfx___schedule+0x10/0x10
 ? kick_pool+0x3b/0x270
 process_one_work+0x357/0x660
 worker_thread+0x390/0x4c0
 ? __pfx_worker_thread+0x10/0x10
 kthread+0x190/0x1d0
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x2d/0x50
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1a/0x30
 &lt;/TASK&gt;

Allocated by task 161446:
 kasan_save_stack+0x20/0x40
 kasan_save_track+0x10/0x30
 __kasan_kmalloc+0x7b/0x90
 __kmalloc_noprof+0x1a7/0x470
 memstick_alloc_host+0x1f/0xe0 [memstick]
 rtsx_usb_ms_drv_probe+0x47/0x320 [rtsx_usb_ms]
 platform_probe+0x60/0xe0
 call_driver_probe+0x35/0x120
 really_probe+0x123/0x410
 __driver_probe_device+0xc7/0x1e0
 driver_probe_device+0x49/0xf0
 __device_attach_driver+0xc6/0x160
 bus_for_each_drv+0xe4/0x160
 __device_attach+0x13a/0x2b0
 bus_probe_device+0xbd/0xd0
 device_add+0x4a5/0x760
 platform_device_add+0x189/0x370
 mfd_add_device+0x587/0x5e0
 mfd_add_devices+0xb1/0x130
 rtsx_usb_probe+0x28e/0x2e0 [rtsx_usb]
 usb_probe_interface+0x15c/0x460
 call_driver_probe+0x35/0x120
 really_probe+0x123/0x410
 __driver_probe_device+0xc7/0x1e0
 driver_probe_device+0x49/0xf0
 __device_attach_driver+0xc6/0x160
 bus_for_each_drv+0xe4/0x160
 __device_attach+0x13a/0x2b0
 rebind_marked_interfaces.isra.0+0xcc/0x110
 usb_reset_device+0x352/0x410
 usbdev_do_ioctl+0xe5c/0x1860
 usbdev_ioctl+0xa/0x20
 __x64_sys_ioctl+0xc5/0xf0
 do_syscall_64+0x59/0x170
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Freed by task 161506:
 kasan_save_stack+0x20/0x40
 kasan_save_track+0x10/0x30
 kasan_save_free_info+0x36/0x60
 __kasan_slab_free+0x34/0x50
 kfree+0x1fd/0x3b0
 device_release+0x56/0xf0
 kobject_cleanup+0x73/0x1c0
 rtsx_usb_ms_drv_remove+0x13d/0x220 [rtsx_usb_ms]
 platform_remove+0x2f/0x50
 device_release_driver_internal+0x24b/0x2e0
 bus_remove_device+0x124/0x1d0
 device_del+0x239/0x530
 platform_device_del.part.0+0x19/0xe0
 platform_device_unregister+0x1c/0x40
 mfd_remove_devices_fn+0x167/0x170
 device_for_each_child_reverse+0xc9/0x130
 mfd_remove_devices+0x6e/0xa0
 rtsx_usb_disconnect+0x2e/0xd0 [rtsx_usb]
 usb_unbind_interface+0xf3/0x3f0
 device_release_driver_internal+0x24b/0x2e0
 proc_disconnect_claim+0x13d/0x220
 usbdev_do_ioctl+0xb5e/0x1860
 usbdev_ioctl+0xa/0x20
 __x64_sys_ioctl+0xc5/0xf0
 do_syscall_64+0x59/0x170
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Last potentially related work creation:
 kasan_save_stack+0x20/0x40
 kasan_record_aux_stack+0x85/0x90
 insert_work+0x29/0x100
 __queue_work+0x34a/0x540
 call_timer_fn+0x2a/0x160
 expire_timers+0x5f/0x1f0
 __run_timer_base.part.0+0x1b6/0x1e0
 run_timer_softirq+0x8b/0xe0
 handle_softirqs+0xf9/0x360
 __irq_exit_rcu+0x114/0x130
 sysvec_apic_timer_interrupt+0x72/0x90
 asm_sysvec_apic_timer_interrupt+0x16/0x20

Second to last potentially related work creation:
 kasan_save_stack+0x20/0x40
 kasan_record_aux_stack+0x85/0x90
 insert_work+0x29/0x100
 __queue_work+0x34a/0x540
 call_timer_fn+0x2a/0x160
 expire_timers+0x5f/0x1f0
 __run_timer_base.part.0+0x1b6/0x1e0
 run_timer_softirq+0x8b/0xe0
 handle_softirqs+0xf9/0x
---truncated---</Note>
    </Notes>
    <CVE>CVE-2025-22020</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.</Note>
    </Notes>
    <CVE>CVE-2025-22029</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs

On the following path, flush_tlb_range() can be used for zapping normal
PMD entries (PMD entries that point to page tables) together with the PTE
entries in the pointed-to page table:

    collapse_pte_mapped_thp
      pmdp_collapse_flush
        flush_tlb_range

The arm64 version of flush_tlb_range() has a comment describing that it can
be used for page table removal, and does not use any last-level
invalidation optimizations. Fix the X86 version by making it behave the
same way.

Currently, X86 only uses this information for the following two purposes,
which I think means the issue doesn't have much impact:

 - In native_flush_tlb_multi() for checking if lazy TLB CPUs need to be
   IPI'd to avoid issues with speculative page table walks.
 - In Hyper-V TLB paravirtualization, again for lazy TLB stuff.

The patch "x86/mm: only invalidate final translations with INVLPGB" which
is currently under review (see
&lt;https://lore.kernel.org/all/20241230175550.4046587-13-riel@surriel.com/&gt;)
would probably be making the impact of this a lot worse.</Note>
    </Notes>
    <CVE>CVE-2025-22045</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: fix geneve_opt length integer overflow

struct geneve_opt uses a 5-bit length for each single option, which
means every variable-size option should be smaller than 128 bytes.

However, all current related Netlink policies cannot promise this
length condition and the attacker can exploit an exact 128-byte size
option to *fake* a zero length option and confuse the parsing logic,
further achieving a heap out-of-bounds read.

One example crash log is like below:

[    3.905425] ==================================================================
[    3.905925] BUG: KASAN: slab-out-of-bounds in nla_put+0xa9/0xe0
[    3.906255] Read of size 124 at addr ffff888005f291cc by task poc/177
[    3.906646]
[    3.906775] CPU: 0 PID: 177 Comm: poc-oob-read Not tainted 6.1.132 #1
[    3.907131] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[    3.907784] Call Trace:
[    3.907925]  &lt;TASK&gt;
[    3.908048]  dump_stack_lvl+0x44/0x5c
[    3.908258]  print_report+0x184/0x4be
[    3.909151]  kasan_report+0xc5/0x100
[    3.909539]  kasan_check_range+0xf3/0x1a0
[    3.909794]  memcpy+0x1f/0x60
[    3.909968]  nla_put+0xa9/0xe0
[    3.910147]  tunnel_key_dump+0x945/0xba0
[    3.911536]  tcf_action_dump_1+0x1c1/0x340
[    3.912436]  tcf_action_dump+0x101/0x180
[    3.912689]  tcf_exts_dump+0x164/0x1e0
[    3.912905]  fw_dump+0x18b/0x2d0
[    3.913483]  tcf_fill_node+0x2ee/0x460
[    3.914778]  tfilter_notify+0xf4/0x180
[    3.915208]  tc_new_tfilter+0xd51/0x10d0
[    3.918615]  rtnetlink_rcv_msg+0x4a2/0x560
[    3.919118]  netlink_rcv_skb+0xcd/0x200
[    3.919787]  netlink_unicast+0x395/0x530
[    3.921032]  netlink_sendmsg+0x3d0/0x6d0
[    3.921987]  __sock_sendmsg+0x99/0xa0
[    3.922220]  __sys_sendto+0x1b7/0x240
[    3.922682]  __x64_sys_sendto+0x72/0x90
[    3.922906]  do_syscall_64+0x5e/0x90
[    3.923814]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8

Fix these issues by enforcing the correct length condition in related
policies.</Note>
    </Notes>
    <CVE>CVE-2025-22055</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm/vkms: Fix use after free and double free on init error

If the driver initialization fails, the vkms_exit() function might
access an uninitialized or freed default_config pointer and it might
double free it.

Fix both possible errors by initializing default_config only when the
driver initialization succeeded.</Note>
    </Notes>
    <CVE>CVE-2025-22097</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found in cifs-utils. When trying to obtain Kerberos credentials, the cifs.upcall program from the cifs-utils package makes an upcall to the wrong namespace in containerized environments. This issue may lead to disclosing sensitive data from the host's Kerberos credentials cache.</Note>
    </Notes>
    <CVE>CVE-2025-2312</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A vulnerability has been found in Hercules Augeas 1.14.1 and classified as problematic. This vulnerability affects the function re_case_expand of the file src/fa.c. The manipulation of the argument re leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.</Note>
    </Notes>
    <CVE>CVE-2025-2588</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies.</Note>
    </Notes>
    <CVE>CVE-2025-27219</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method.</Note>
    </Notes>
    <CVE>CVE-2025-27220</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In SQLite 3.44.0 through 3.49.0 before 3.49.1, the concat_ws() SQL function can cause memory to be written beyond the end of a malloc-allocated buffer. If the separator argument is attacker-controlled and has a large string (e.g., 2MB or more), an integer overflow occurs in calculating the size of the result buffer, and thus malloc may not allocate enough memory.</Note>
    </Notes>
    <CVE>CVE-2025-29087</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In SQLite 3.49.0 before 3.49.1, certain argument values to sqlite3_db_config (in the C-language API) can cause a denial of service (application crash). An sz*nBig multiplication is not cast to a 64-bit integer, and consequently some memory allocations may be incorrect.</Note>
    </Notes>
    <CVE>CVE-2025-29088</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.</Note>
    </Notes>
    <CVE>CVE-2025-32414</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.</Note>
    </Notes>
    <CVE>CVE-2025-32415</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Rack is a modular Ruby web server interface. Prior to version 2.2.14, when using the `Rack::Session::Pool` middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session. Rack session middleware prepares the session at the beginning of the request, then saves it back to the store with possible changes applied by the host rack application. This way the session becomes subject to race conditions in a general sense over concurrent rack requests. When using the `Rack::Session::Pool` middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to log out. Version 2.2.14 contains a patch for the issue. Some other mitigations are available. Either ensure the application invalidates sessions atomically by marking them as logged out e.g., using a `logged_out` flag, instead of deleting them, and check this flag on every request to prevent reuse; or implement a custom session store that tracks session invalidation timestamps and refuses to accept session data if the session was invalidated after the request began.</Note>
    </Notes>
    <CVE>CVE-2025-32441</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.</Note>
    </Notes>
    <CVE>CVE-2025-32728</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found in GLib. An integer overflow and buffer under-read occur when parsing a long invalid ISO 8601 timestamp with the g_date_time_new_from_iso8601() function.</Note>
    </Notes>
    <CVE>CVE-2025-3360</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters. The vulnerability arises because `Rack::QueryParser` iterates over each `&amp;`-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing. An attacker can trigger denial of service by sending specifically crafted HTTP requests, which can cause memory exhaustion or pin CPU resources, stalling or crashing the Rack server. This results in full service disruption until the affected worker is restarted. Versions 2.2.14, 3.0.16, and 3.1.14 fix the issue. Some other mitigations are available. One may use middleware to enforce a maximum query string size or parameter count, or employ a reverse proxy (such as Nginx) to limit request sizes and reject oversized query strings or bodies. Limiting request body sizes and query string lengths at the web server or CDN level is an effective mitigation.</Note>
    </Notes>
    <CVE>CVE-2025-46727</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">ping in iputils before 20250602 allows a denial of service (application error or incorrect data collection) via a crafted ICMP Echo Reply packet, because of a signed 64-bit integer overflow in timestamp multiplication.</Note>
    </Notes>
    <CVE>CVE-2025-47268</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.</Note>
    </Notes>
    <CVE>CVE-2025-47273</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker-controlled loading of a dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo).</Note>
    </Notes>
    <CVE>CVE-2025-4802</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
  </Vulnerability>
</cvrfdoc>
