<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">Security update for afterburn</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>SUSE-SU-2025:3784-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2025-10-24T13:28:17Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2025-10-24T13:28:17Z</InitialReleaseDate>
    <CurrentReleaseDate>2025-10-24T13:28:17Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security update for afterburn</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This update for afterburn fixes the following issues:

Update to version 5.9.0.git21.a73f509.

Security issues fixed:

- CVE-2022-24713: regex: no proper complexity limitation when parsing untrusted regular expressions with large
  repetitions on empty sub-expressions can lead to excessive resource consumption and denial of service (bsc#1196972).
- CVE-2024-12224: idna: acceptance of Punycode labels that do not produce any non-ASCII output may lead to incorrect
  hostname comparisons and incorrect URL parsing (bsc#1243850).
- CVE-2025-5791: users: the `root` user is appended to group listings whenever the listing does not contain exactly 1024 groups,
  which can lead to privilege escalation when that information is used for access control (bsc#1244199).
- CVE-2025-3416: openssl: passing of `Some(...)` value as `properties` argument to `Md::fetch` or `Cipher::fetch` can
  lead to use-after-free (bsc#1242665).

Other issues fixed:

- Fixed in version 5.9.0.git21.a73f509:
  * cargo: update dependencies
  * microsoft/azure: Add XML attribute alias for serde-xml-rs Fedora compat
  * microsoft/azure: Fix SharedConfig parsing of XML attributes
  * microsoft/azure: Mock goalstate.SharedConfig output in tests
  * providers/azure: switch SSH key retrieval from certs endpoint to IMDS as azure stopped providing keys in the old one (bsc#1250471).
  * upcloud: implement UpCloud provider
  * Update several build dependencies
- Fixed in version 5.9.0:
  * cargo: update dependencies
  * dracut: Return 255 in module-setup
  * oraclecloud: add release note and move base URL to constant
  * oraclecloud: implement oraclecloud provider
  * Update several build dependencies

- Fixed in version 5.8.2:
  * cargo: update dependencies
  * packit: add initial support

- Fixed in version 5.7.0.git103.bae893c:
  * proxmoxve: Add more context to log messages.
  * proxmoxve: Remove unneeded fields
  * proxmoxve: Add tests for static network configuration from cloud-init.
  * proxmoxve: Add support for static network configuration from cloud-init.
  * providers/openstack: ignore ec2 metadata if not present
  * proxmox: use noop provider if no configdrive
  * Update several build dependencies

- Fixed in version 5.7.0:
  * cargo: update dependencies
  * dhcp: replace dbus_proxy with proxy, and zbus traits
  * providers/hetzner: private ipv4 addresses in attributes
  * openstack: Document the two platforms
  * microsoft/azure: allow empty certificate chain in PKCS12 file
  * proxmoxve: implement proxmoxve provider
  * providers/hetzner: fix duplicate attribute prefix
  * lint: silence deadcode warnings
  * lint: address latest lint's from msrv update
  * cargo: update msrv to 1.75
  * providers: Add 'akamai' provider
  * providers/vmware: add missing public functions for non-amd64
  * providers/vmware: Process guestinfo.metadata netplan configuration
  * kubevirt: Run afterburn-hostname service
  * providers: add support for scaleway
  * Move away from deprecated `users` to `uzers`
  * providers/hetzner: add support for Hetzner Cloud
  * cargo: update MSRV to 1.71
  * cargo: specify required features for nix dependency
  * openstack: Add attribute OPENSTACK_INSTANCE_UUID
  * cargo: allow openssl 0.10.46
  * build-sys: Use new tier = 2 for cargo-vendor-filterer
  * cargo: fix minimum version of openssl crate
  * microsoft/crypto/mod: replace deprecated function `parse` with `parse2`
  * cli: switch to clap derive
  * cli: add descriptive value names for option arguments in --help
  * cli: have clap require exactly one of --cmdline/--provider
  * providers/`*`: move endpoint mocking into retry::Client
  * retry/client: move URL parsing into helper function
  * providers/microsoft: import crate::retry
  * providers/microsoft: use stored client for all fetches
  * providers/packet: use stored client for boot checkin
  * initrd: remember to write trailing newline to network kargs file
  * util: drop obsolete 'OEM' terminology
  * Inline variables into format strings
  * Update several build dependencies

- Fixed in version 5.4.1:
  * cargo: add configuration for cargo-vendor-filterer
  * util: support DHCP option lookup from NetworkManager
  * util: factor out retries of DHCP option lookup
  * util: refactor DHCP option query helper into an enum
  * util: move dns_lease_key_lookup() to a separate module
  * cargo: update MSRV to 1.66
  * cargo: update all packages to fix build error
  * cargo: continue to support openssh-keys 0.5
  * cargo: drop serde_derive crate in favor of serde derive feature
  * cargo: use consistent declaration syntax for slog dependency
  * cargo: drop unused dependencies
  * cargo: continue to support base64 0.13
  * cargo: continue to support mailparse 0.13.8
  * cargo: continue to support clap 3.1
  * cargo: stop enabling LTO in release builds
  * providers/ibmcloud: avoid error if an ssh key not found in metadata
  * systemd: add explicit ordering, after multi-user.target
  * network: fix clippy 1.63.0 lints
  * cargo: allow serde_yaml 0.8
  * cargo: update version ranges for post-1.x deps
  * providers: Use inline `format!` in a few places
  * *: bump MSRV to 1.58.0
  * cargo: update clap to 3.2.5
  * copr: mark git checkout as safe
  * providers/aws: expose instance availability-zone-id as AWS_AVAILABILITY_ZONE_ID
  * Update several build dependencies

- Fixed in version 5.3.0:
  * systemd: enable sshkeys on Power VS platform
  * network: Encode information for systemd-networkd-wait-online
  * cargo: update to clap 3.1
  * cargo: enable clap wrap_help feature
  * cli: run clap tests
  * cli: avoid deprecated clap constructs
  * cargo: update to clap 3.0
  * cli: use clap mechanism to require exp subcommand
  * cargo: declare MSRV in Cargo.toml
  * cargo: update to Rust 2021; bump MSRV to 1.56.0
  * copr: abort if specfile fetch fails
  * providers/aws: add AWS_IPV6 attribute
  * providers/aws: bump metadata version to 2021-01-03
  * kubevirt: Add KubeVirt platform support
  * *.service: add/update Documentation field
  * aws/mock_tests: explicitly drop mocks before resetting
  * aws/mock_tests: split out IMDS tests
  * aws/mock_tests: factor out map building
  * *: use `RemainAfterExit` on all oneshot services
  * Update several build dependencies
</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
    <Note Title="Patchnames" Type="Details" Ordinal="4" xml:lang="en">SUSE-2025-3784,SUSE-SLE-Micro-5.5-2025-3784</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/update/announcement/2025/suse-su-20253784-1/</URL>
      <Description>Link for SUSE-SU-2025:3784-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://lists.suse.com/pipermail/sle-updates/2025-October/042303.html</URL>
      <Description>E-Mail link for SUSE-SU-2025:3784-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1196972</URL>
      <Description>SUSE Bug 1196972</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1242665</URL>
      <Description>SUSE Bug 1242665</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1243850</URL>
      <Description>SUSE Bug 1243850</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244199</URL>
      <Description>SUSE Bug 1244199</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244675</URL>
      <Description>SUSE Bug 1244675</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1250471</URL>
      <Description>SUSE Bug 1250471</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-24713/</URL>
      <Description>SUSE CVE CVE-2022-24713 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-12224/</URL>
      <Description>SUSE CVE CVE-2024-12224 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-3416/</URL>
      <Description>SUSE CVE CVE-2025-3416 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-5791/</URL>
      <Description>SUSE CVE CVE-2025-5791 page</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="SUSE Linux Enterprise Micro 5.5">
      <Branch Type="Product Name" Name="SUSE Linux Enterprise Micro 5.5">
        <FullProductName ProductID="SUSE Linux Enterprise Micro 5.5" CPE="cpe:/o:suse:sle-micro:5.5">SUSE Linux Enterprise Micro 5.5</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="afterburn-5.9.0.git21.a73f509-150500.3.3.1">
      <FullProductName ProductID="afterburn-5.9.0.git21.a73f509-150500.3.3.1">afterburn-5.9.0.git21.a73f509-150500.3.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="afterburn-dracut-5.9.0.git21.a73f509-150500.3.3.1">
      <FullProductName ProductID="afterburn-dracut-5.9.0.git21.a73f509-150500.3.3.1">afterburn-dracut-5.9.0.git21.a73f509-150500.3.3.1</FullProductName>
    </Branch>
    <Relationship ProductReference="afterburn-5.9.0.git21.a73f509-150500.3.3.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Micro 5.5">
      <FullProductName ProductID="SUSE Linux Enterprise Micro 5.5:afterburn-5.9.0.git21.a73f509-150500.3.3.1">afterburn-5.9.0.git21.a73f509-150500.3.3.1 as a component of SUSE Linux Enterprise Micro 5.5</FullProductName>
    </Relationship>
    <Relationship ProductReference="afterburn-dracut-5.9.0.git21.a73f509-150500.3.3.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Micro 5.5">
      <FullProductName ProductID="SUSE Linux Enterprise Micro 5.5:afterburn-dracut-5.9.0.git21.a73f509-150500.3.3.1">afterburn-dracut-5.9.0.git21.a73f509-150500.3.3.1 as a component of SUSE Linux Enterprise Micro 5.5</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes from taking an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. All versions of the regex crate before or equal to 1.5.4 are affected by this issue. The fix is included starting from regex 1.5.5. All users accepting user-controlled regexes are recommended to upgrade immediately to the latest version of the regex crate. Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, it is not recommended to deny known problematic regexes.</Note>
    </Notes>
    <CVE>CVE-2022-24713</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Enterprise Micro 5.5:afterburn-5.9.0.git21.a73f509-150500.3.3.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:afterburn-dracut-5.9.0.git21.a73f509-150500.3.3.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:N/I:N/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update, use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-20253784-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-24713.html</URL>
        <Description>CVE-2022-24713</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1196972</URL>
        <Description>SUSE Bug 1196972</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1197903</URL>
        <Description>SUSE Bug 1197903</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="2">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.</Note>
    </Notes>
    <CVE>CVE-2024-12224</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Enterprise Micro 5.5:afterburn-5.9.0.git21.a73f509-150500.3.3.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:afterburn-dracut-5.9.0.git21.a73f509-150500.3.3.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update, use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-20253784-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-12224.html</URL>
        <Description>CVE-2024-12224</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1243848</URL>
        <Description>SUSE Bug 1243848</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="3">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found in OpenSSL's handling of the properties argument in certain functions. This vulnerability can allow use-after-free exploitation, which may result in undefined behavior or incorrect property parsing, leading to OpenSSL treating the input as an empty string.</Note>
    </Notes>
    <CVE>CVE-2025-3416</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Enterprise Micro 5.5:afterburn-5.9.0.git21.a73f509-150500.3.3.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:afterburn-dracut-5.9.0.git21.a73f509-150500.3.3.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update, use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-20253784-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-3416.html</URL>
        <Description>CVE-2025-3416</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1242599</URL>
        <Description>SUSE Bug 1242599</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="4">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found in the users crate for Rust. This vulnerability allows privilege escalation via incorrect group listing when a user or process has fewer than exactly 1024 groups, leading to the erroneous inclusion of the root group in the access list.</Note>
    </Notes>
    <CVE>CVE-2025-5791</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Enterprise Micro 5.5:afterburn-5.9.0.git21.a73f509-150500.3.3.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:afterburn-dracut-5.9.0.git21.a73f509-150500.3.3.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update, use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-20253784-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-5791.html</URL>
        <Description>CVE-2025-5791</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1244187</URL>
        <Description>SUSE Bug 1244187</Description>
      </Reference>
    </References>
  </Vulnerability>
</cvrfdoc>
