Security update for himmelblau SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:3869-1 Final 1 1 2025-10-30T13:45:10Z current 2025-10-30T13:45:10Z 2025-10-30T13:45:10Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for himmelblau This update for himmelblau fixes the following issues: Update to version 0.7.18+git.0.8485a75. - CVE-2025-58160: tracing-subscriber: untrusted user input containing ANSI escape sequences could be injected into terminal output when logged (bsc#1249013). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-3869,SUSE-SLE-Module-Basesystem-15-SP7-2025-3869 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20253869-1/ Link for SUSE-SU-2025:3869-1 https://lists.suse.com/pipermail/sle-security-updates/2025-October/023088.html E-Mail link for SUSE-SU-2025:3869-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1249013 SUSE Bug 1249013 https://www.suse.com/security/cve/CVE-2025-58160/ SUSE CVE CVE-2025-58160 page SUSE Linux Enterprise Module for Basesystem 15 SP7 himmelblau-0.7.18+git.0.8485a75-150700.3.6.1 himmelblau-sshd-config-0.7.18+git.0.8485a75-150700.3.6.1 libnss_himmelblau2-0.7.18+git.0.8485a75-150700.3.6.1 pam-himmelblau-0.7.18+git.0.8485a75-150700.3.6.1 himmelblau-0.7.18+git.0.8485a75-150700.3.6.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 himmelblau-sshd-config-0.7.18+git.0.8485a75-150700.3.6.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libnss_himmelblau2-0.7.18+git.0.8485a75-150700.3.6.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 pam-himmelblau-0.7.18+git.0.8485a75-150700.3.6.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 tracing is a framework for instrumenting Rust programs to collect structured, event-based diagnostic information. Prior to version 0.3.20, tracing-subscriber was vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to manipulate terminal title bars, clear screens or modify terminal display, and potentially mislead users through terminal manipulation. tracing-subscriber version 0.3.20 fixes this vulnerability by escaping ANSI control characters when writing events to destinations that may be printed to the terminal. A workaround involves avoiding printing logs to terminal emulators without escaping ANSI control sequences. CVE-2025-58160 SUSE Linux Enterprise Module for Basesystem 15 SP7:himmelblau-0.7.18+git.0.8485a75-150700.3.6.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:himmelblau-sshd-config-0.7.18+git.0.8485a75-150700.3.6.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libnss_himmelblau2-0.7.18+git.0.8485a75-150700.3.6.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:pam-himmelblau-0.7.18+git.0.8485a75-150700.3.6.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253869-1/ https://www.suse.com/security/cve/CVE-2025-58160.html CVE-2025-58160 https://bugzilla.suse.com/1249007 SUSE Bug 1249007