Security update for gnutls SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:02595-1 Final 1 1 2025-08-01T15:14:01Z current 2025-08-01T15:14:01Z 2025-08-01T15:14:01Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for gnutls This update for gnutls fixes the following issues: - CVE-2025-6395: Fix NULL pointer dereference when 2nd Client Hello omits PSK (bsc#1246299) - CVE-2025-32988: Fix double-free due to incorrect ownership handling in the export logic of SAN entries containing an otherName (bsc#1246232) - CVE-2025-32989: Fix heap buffer overread when handling the CT SCT extension during X.509 certificate parsing (bsc#1246233) - CVE-2025-32990: Fix 1-byte heap buffer overflow when parsing templates with certtool (bsc#1246267) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container bci/php-apache:latest-2025-2595,Container bci/spack:latest-2025-2595,Container suse/samba-client:latest-2025-2595,Container suse/samba-server:latest-2025-2595,Container suse/samba-toolbox:latest-2025-2595,SUSE-2025-2595,SUSE-SLE-Module-Basesystem-15-SP6-2025-2595,SUSE-SLE-Module-Basesystem-15-SP7-2025-2595,openSUSE-SLE-15.6-2025-2595 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202502595-1/ Link for SUSE-SU-2025:02595-1 https://lists.suse.com/pipermail/sle-updates/2025-August/040997.html E-Mail link for SUSE-SU-2025:02595-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1246232 SUSE Bug 1246232 https://bugzilla.suse.com/1246233 SUSE Bug 1246233 https://bugzilla.suse.com/1246267 SUSE Bug 1246267 https://bugzilla.suse.com/1246299 SUSE Bug 1246299 https://www.suse.com/security/cve/CVE-2025-32988/ SUSE CVE CVE-2025-32988 page https://www.suse.com/security/cve/CVE-2025-32989/ SUSE CVE CVE-2025-32989 page https://www.suse.com/security/cve/CVE-2025-32990/ SUSE CVE CVE-2025-32990 page https://www.suse.com/security/cve/CVE-2025-6395/ SUSE CVE CVE-2025-6395 page Container bci/php-apache:latest Container bci/spack:latest Container suse/samba-client:latest Container suse/samba-server:latest Container suse/samba-toolbox:latest SUSE Linux Enterprise Module for Basesystem 15 SP6 SUSE Linux Enterprise Module for Basesystem 15 SP7 openSUSE Leap 15.6 libgnutls30-3.8.3-150600.4.9.1 gnutls-3.8.3-150600.4.9.1 libgnutls-devel-3.8.3-150600.4.9.1 libgnutls-devel-32bit-3.8.3-150600.4.9.1 libgnutls-devel-64bit-3.8.3-150600.4.9.1 libgnutls30-32bit-3.8.3-150600.4.9.1 libgnutls30-64bit-3.8.3-150600.4.9.1 libgnutlsxx-devel-3.8.3-150600.4.9.1 libgnutlsxx30-3.8.3-150600.4.9.1 libgnutls30-3.8.3-150600.4.9.1 as a component of Container bci/php-apache:latest libgnutls30-3.8.3-150600.4.9.1 as a component of Container bci/spack:latest libgnutls30-3.8.3-150600.4.9.1 as a component of Container suse/samba-client:latest libgnutls30-3.8.3-150600.4.9.1 as a component of Container suse/samba-server:latest libgnutls30-3.8.3-150600.4.9.1 as a component of Container suse/samba-toolbox:latest gnutls-3.8.3-150600.4.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libgnutls-devel-3.8.3-150600.4.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libgnutls30-3.8.3-150600.4.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libgnutls30-32bit-3.8.3-150600.4.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libgnutlsxx-devel-3.8.3-150600.4.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libgnutlsxx30-3.8.3-150600.4.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 gnutls-3.8.3-150600.4.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libgnutls-devel-3.8.3-150600.4.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libgnutls30-3.8.3-150600.4.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libgnutls30-32bit-3.8.3-150600.4.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libgnutlsxx-devel-3.8.3-150600.4.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libgnutlsxx30-3.8.3-150600.4.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 gnutls-3.8.3-150600.4.9.1 as a component of openSUSE Leap 15.6 libgnutls-devel-3.8.3-150600.4.9.1 as a component of openSUSE Leap 15.6 libgnutls-devel-32bit-3.8.3-150600.4.9.1 as a component of openSUSE Leap 15.6 libgnutls30-3.8.3-150600.4.9.1 as a component of openSUSE Leap 15.6 libgnutls30-32bit-3.8.3-150600.4.9.1 as a component of openSUSE Leap 15.6 libgnutlsxx-devel-3.8.3-150600.4.9.1 as a component of openSUSE Leap 15.6 libgnutlsxx30-3.8.3-150600.4.9.1 as a component of openSUSE Leap 15.6 A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure. This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior. CVE-2025-32988 Container bci/php-apache:latest:libgnutls30-3.8.3-150600.4.9.1 Container bci/spack:latest:libgnutls30-3.8.3-150600.4.9.1 Container suse/samba-client:latest:libgnutls30-3.8.3-150600.4.9.1 Container suse/samba-server:latest:libgnutls30-3.8.3-150600.4.9.1 Container suse/samba-toolbox:latest:libgnutls30-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:gnutls-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libgnutls-devel-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libgnutls30-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libgnutls30-32bit-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libgnutlsxx-devel-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libgnutlsxx30-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:gnutls-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libgnutls-devel-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libgnutls30-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libgnutls30-32bit-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libgnutlsxx-devel-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libgnutlsxx30-3.8.3-150600.4.9.1 openSUSE Leap 15.6:gnutls-3.8.3-150600.4.9.1 openSUSE Leap 15.6:libgnutls-devel-3.8.3-150600.4.9.1 openSUSE Leap 15.6:libgnutls-devel-32bit-3.8.3-150600.4.9.1 openSUSE Leap 15.6:libgnutls30-3.8.3-150600.4.9.1 openSUSE Leap 15.6:libgnutls30-32bit-3.8.3-150600.4.9.1 openSUSE Leap 15.6:libgnutlsxx-devel-3.8.3-150600.4.9.1 openSUSE Leap 15.6:libgnutlsxx30-3.8.3-150600.4.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502595-1/ https://www.suse.com/security/cve/CVE-2025-32988.html CVE-2025-32988 https://bugzilla.suse.com/1246232 SUSE Bug 1246232 A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites when the certificate (SCT) is not checked correctly. CVE-2025-32989 Container bci/php-apache:latest:libgnutls30-3.8.3-150600.4.9.1 Container bci/spack:latest:libgnutls30-3.8.3-150600.4.9.1 Container suse/samba-client:latest:libgnutls30-3.8.3-150600.4.9.1 Container suse/samba-server:latest:libgnutls30-3.8.3-150600.4.9.1 Container suse/samba-toolbox:latest:libgnutls30-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:gnutls-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libgnutls-devel-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libgnutls30-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libgnutls30-32bit-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libgnutlsxx-devel-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libgnutlsxx30-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:gnutls-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libgnutls-devel-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libgnutls30-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libgnutls30-32bit-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libgnutlsxx-devel-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libgnutlsxx30-3.8.3-150600.4.9.1 openSUSE Leap 15.6:gnutls-3.8.3-150600.4.9.1 openSUSE Leap 15.6:libgnutls-devel-3.8.3-150600.4.9.1 openSUSE Leap 15.6:libgnutls-devel-32bit-3.8.3-150600.4.9.1 openSUSE Leap 15.6:libgnutls30-3.8.3-150600.4.9.1 openSUSE Leap 15.6:libgnutls30-32bit-3.8.3-150600.4.9.1 openSUSE Leap 15.6:libgnutlsxx-devel-3.8.3-150600.4.9.1 openSUSE Leap 15.6:libgnutlsxx30-3.8.3-150600.4.9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502595-1/ https://www.suse.com/security/cve/CVE-2025-32989.html CVE-2025-32989 https://bugzilla.suse.com/1246233 SUSE Bug 1246233 A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system. CVE-2025-32990 Container bci/php-apache:latest:libgnutls30-3.8.3-150600.4.9.1 Container bci/spack:latest:libgnutls30-3.8.3-150600.4.9.1 Container suse/samba-client:latest:libgnutls30-3.8.3-150600.4.9.1 Container suse/samba-server:latest:libgnutls30-3.8.3-150600.4.9.1 Container suse/samba-toolbox:latest:libgnutls30-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:gnutls-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libgnutls-devel-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libgnutls30-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libgnutls30-32bit-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libgnutlsxx-devel-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libgnutlsxx30-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:gnutls-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libgnutls-devel-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libgnutls30-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libgnutls30-32bit-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libgnutlsxx-devel-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libgnutlsxx30-3.8.3-150600.4.9.1 openSUSE Leap 15.6:gnutls-3.8.3-150600.4.9.1 openSUSE Leap 15.6:libgnutls-devel-3.8.3-150600.4.9.1 openSUSE Leap 15.6:libgnutls-devel-32bit-3.8.3-150600.4.9.1 openSUSE Leap 15.6:libgnutls30-3.8.3-150600.4.9.1 openSUSE Leap 15.6:libgnutls30-32bit-3.8.3-150600.4.9.1 openSUSE Leap 15.6:libgnutlsxx-devel-3.8.3-150600.4.9.1 openSUSE Leap 15.6:libgnutlsxx30-3.8.3-150600.4.9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502595-1/ https://www.suse.com/security/cve/CVE-2025-32990.html CVE-2025-32990 https://bugzilla.suse.com/1246267 SUSE Bug 1246267 A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite(). CVE-2025-6395 Container bci/php-apache:latest:libgnutls30-3.8.3-150600.4.9.1 Container bci/spack:latest:libgnutls30-3.8.3-150600.4.9.1 Container suse/samba-client:latest:libgnutls30-3.8.3-150600.4.9.1 Container suse/samba-server:latest:libgnutls30-3.8.3-150600.4.9.1 Container suse/samba-toolbox:latest:libgnutls30-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:gnutls-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libgnutls-devel-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libgnutls30-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libgnutls30-32bit-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libgnutlsxx-devel-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libgnutlsxx30-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:gnutls-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libgnutls-devel-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libgnutls30-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libgnutls30-32bit-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libgnutlsxx-devel-3.8.3-150600.4.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libgnutlsxx30-3.8.3-150600.4.9.1 openSUSE Leap 15.6:gnutls-3.8.3-150600.4.9.1 openSUSE Leap 15.6:libgnutls-devel-3.8.3-150600.4.9.1 openSUSE Leap 15.6:libgnutls-devel-32bit-3.8.3-150600.4.9.1 openSUSE Leap 15.6:libgnutls30-3.8.3-150600.4.9.1 openSUSE Leap 15.6:libgnutls30-32bit-3.8.3-150600.4.9.1 openSUSE Leap 15.6:libgnutlsxx-devel-3.8.3-150600.4.9.1 openSUSE Leap 15.6:libgnutlsxx30-3.8.3-150600.4.9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502595-1/ https://www.suse.com/security/cve/CVE-2025-6395.html CVE-2025-6395 https://bugzilla.suse.com/1246299 SUSE Bug 1246299