Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-47914 (GCVE-0-2025-47914)
Vulnerability from cvelistv5
Published
2025-11-19 20:33
Modified
2025-11-20 17:15
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
References
| URL | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| golang.org/x/crypto | golang.org/x/crypto/ssh/agent |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-47914",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-19T20:50:27.263405Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T20:50:30.968Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/crypto/ssh/agent",
"product": "golang.org/x/crypto/ssh/agent",
"programRoutines": [
{
"name": "parseConstraints"
},
{
"name": "ForwardToAgent"
},
{
"name": "ServeAgent"
}
],
"vendor": "golang.org/x/crypto",
"versions": [
{
"lessThan": "0.45.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jakub Ciolek"
}
],
"descriptions": [
{
"lang": "en",
"value": "SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-237",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T17:15:00.344Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA"
},
{
"url": "https://go.dev/cl/721960"
},
{
"url": "https://go.dev/issue/76364"
},
{
"url": "https://pkg.go.dev/vuln/GO-2025-4135"
}
],
"title": "Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-47914",
"datePublished": "2025-11-19T20:33:43.126Z",
"dateReserved": "2025-05-13T23:31:29.597Z",
"dateUpdated": "2025-11-20T17:15:00.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-47914\",\"sourceIdentifier\":\"security@golang.org\",\"published\":\"2025-11-19T21:15:50.517\",\"lastModified\":\"2025-12-11T19:36:41.373\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-125\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:crypto:*:*:*:*:*:go:*:*\",\"versionEndExcluding\":\"0.45.0\",\"matchCriteriaId\":\"0DB7D01D-5361-40FC-83A9-91A601A0321D\"}]}]}],\"references\":[{\"url\":\"https://go.dev/cl/721960\",\"source\":\"security@golang.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://go.dev/issue/76364\",\"source\":\"security@golang.org\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA\",\"source\":\"security@golang.org\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://pkg.go.dev/vuln/GO-2025-4135\",\"source\":\"security@golang.org\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-47914\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-11-19T20:50:27.263405Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-125\", \"description\": \"CWE-125 Out-of-bounds Read\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-11-19T20:50:22.359Z\"}}], \"cna\": {\"title\": \"Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent\", \"credits\": [{\"lang\": \"en\", \"value\": \"Jakub Ciolek\"}], \"affected\": [{\"vendor\": \"golang.org/x/crypto\", \"product\": \"golang.org/x/crypto/ssh/agent\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.45.0\", \"versionType\": \"semver\"}], \"packageName\": \"golang.org/x/crypto/ssh/agent\", \"collectionURL\": \"https://pkg.go.dev\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"parseConstraints\"}, {\"name\": \"ForwardToAgent\"}, {\"name\": \"ServeAgent\"}]}], \"references\": [{\"url\": \"https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA\"}, {\"url\": \"https://go.dev/cl/721960\"}, {\"url\": \"https://go.dev/issue/76364\"}, {\"url\": \"https://pkg.go.dev/vuln/GO-2025-4135\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CWE-237\"}]}], \"providerMetadata\": {\"orgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"shortName\": \"Go\", \"dateUpdated\": \"2025-11-20T17:15:00.344Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-47914\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-20T17:15:00.344Z\", \"dateReserved\": \"2025-05-13T23:31:29.597Z\", \"assignerOrgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"datePublished\": \"2025-11-19T20:33:43.126Z\", \"assignerShortName\": \"Go\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
opensuse-su-2025:20177-1
Vulnerability from csaf_opensuse
Published
2025-12-18 00:17
Modified
2025-12-18 00:17
Summary
Security update for cheat
Notes
Title of the patch
Security update for cheat
Description of the patch
This update for cheat fixes the following issues:
- Security:
* CVE-2025-47913: Fix client process termination (bsc#1253593)
* CVE-2025-58181: Fix potential unbounded memory consumption (bsc#1253922)
* CVE-2025-47914: Fix panic due to an out of bounds read (bsc#1254051)
* Replace golang.org/x/crypto=golang.org/x/crypto@v0.45.0
* Replace golang.org/x/net=golang.org/x/net@v0.47.0
* Replace golang.org/x/sys=golang.org/x/sys@v0.38.0
- Packaging improvements:
* Drop Requires: golang-packaging. The recommended Go toolchain
dependency expression is BuildRequires: golang(API) >= 1.x or
optionally the metapackage BuildRequires: go
* Use BuildRequires: golang(API) >= 1.19 matching go.mod
* Build PIE with pattern that may become recommended procedure:
%%ifnarch ppc64 GOFLAGS="-buildmode=pie" %%endif go build
A go toolchain buildmode default config would be preferable
but none exist at this time.
* Drop mod=vendor, go1.14+ will detect vendor dir and auto-enable
* Remove go build -o output binary location and name. Default
binary has the same name as package of func main() and is
placed in the top level of the build directory.
* Add basic %check to execute binary --help
- Packaging improvements:
* Service go_modules replace dependencies with CVEs
* Replace github.com/cloudflare/circl=github.com/cloudflare/circl@v1.6.1
Fix GO-2025-3754 GHSA-2x5j-vhc8-9cwm
* Replace golang.org/x/net=golang.org/x/net@v0.36.0
Fixes GO-2025-3503 CVE-2025-22870
* Replace golang.org/x/crypto=golang.org/x/crypto@v0.35.0
Fixes GO-2023-2402 CVE-2023-48795 GHSA-45x7-px36-x8w8
Fixes GO-2025-3487 CVE-2025-22869
* Replace github.com/go-git/go-git/v5=github.com/go-git/go-git/v5@v5.13.0
Fixes GO-2025-3367 CVE-2025-21614 GHSA-r9px-m959-cxf4
Fixes GO-2025-3368 CVE-2025-21613 GHSA-v725-9546-7q7m
* Service tar_scm set mode manual from disabled
* Service tar_scm create archive from git so we can exclude
vendor directory upstream committed to git. Committed vendor
directory contents have build issues even after go mod tidy.
* Service tar_scm exclude dir vendor
* Service set_version set mode manual from disabled
* Service set_version remove param basename not needed
Patchnames
openSUSE-Leap-16.0-packagehub-59
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for cheat",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for cheat fixes the following issues:\n\n- Security:\n * CVE-2025-47913: Fix client process termination (bsc#1253593)\n * CVE-2025-58181: Fix potential unbounded memory consumption (bsc#1253922)\n * CVE-2025-47914: Fix panic due to an out of bounds read (bsc#1254051)\n * Replace golang.org/x/crypto=golang.org/x/crypto@v0.45.0\n * Replace golang.org/x/net=golang.org/x/net@v0.47.0\n * Replace golang.org/x/sys=golang.org/x/sys@v0.38.0\n\n- Packaging improvements:\n * Drop Requires: golang-packaging. The recommended Go toolchain\n dependency expression is BuildRequires: golang(API) \u003e= 1.x or\n optionally the metapackage BuildRequires: go\n * Use BuildRequires: golang(API) \u003e= 1.19 matching go.mod\n * Build PIE with pattern that may become recommended procedure:\n %%ifnarch ppc64 GOFLAGS=\"-buildmode=pie\" %%endif go build\n A go toolchain buildmode default config would be preferable\n but none exist at this time.\n * Drop mod=vendor, go1.14+ will detect vendor dir and auto-enable\n * Remove go build -o output binary location and name. Default\n binary has the same name as package of func main() and is\n placed in the top level of the build directory.\n * Add basic %check to execute binary --help\n\n- Packaging improvements:\n * Service go_modules replace dependencies with CVEs\n * Replace github.com/cloudflare/circl=github.com/cloudflare/circl@v1.6.1\n Fix GO-2025-3754 GHSA-2x5j-vhc8-9cwm\n * Replace golang.org/x/net=golang.org/x/net@v0.36.0\n Fixes GO-2025-3503 CVE-2025-22870\n * Replace golang.org/x/crypto=golang.org/x/crypto@v0.35.0\n Fixes GO-2023-2402 CVE-2023-48795 GHSA-45x7-px36-x8w8\n Fixes GO-2025-3487 CVE-2025-22869\n * Replace github.com/go-git/go-git/v5=github.com/go-git/go-git/v5@v5.13.0\n Fixes GO-2025-3367 CVE-2025-21614 GHSA-r9px-m959-cxf4\n Fixes GO-2025-3368 CVE-2025-21613 GHSA-v725-9546-7q7m\n * Service tar_scm set mode manual from disabled\n * Service tar_scm create archive from git so we can exclude\n vendor directory upstream committed to git. Committed vendor\n directory contents have build issues even after go mod tidy.\n * Service tar_scm exclude dir vendor\n * Service set_version set mode manual from disabled\n * Service set_version remove param basename not needed\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-packagehub-59",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_20177-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1247629",
"url": "https://bugzilla.suse.com/1247629"
},
{
"category": "self",
"summary": "SUSE Bug 1253593",
"url": "https://bugzilla.suse.com/1253593"
},
{
"category": "self",
"summary": "SUSE Bug 1253922",
"url": "https://bugzilla.suse.com/1253922"
},
{
"category": "self",
"summary": "SUSE Bug 1254051",
"url": "https://bugzilla.suse.com/1254051"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-48795 page",
"url": "https://www.suse.com/security/cve/CVE-2023-48795/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-21613 page",
"url": "https://www.suse.com/security/cve/CVE-2025-21613/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-21614 page",
"url": "https://www.suse.com/security/cve/CVE-2025-21614/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22869 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22869/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22870 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22870/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47913 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47913/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47914 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47914/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58181 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58181/"
}
],
"title": "Security update for cheat",
"tracking": {
"current_release_date": "2025-12-18T00:17:52Z",
"generator": {
"date": "2025-12-18T00:17:52Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:20177-1",
"initial_release_date": "2025-12-18T00:17:52Z",
"revision_history": [
{
"date": "2025-12-18T00:17:52Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "cheat-4.4.2-bp160.2.1.aarch64",
"product": {
"name": "cheat-4.4.2-bp160.2.1.aarch64",
"product_id": "cheat-4.4.2-bp160.2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "cheat-4.4.2-bp160.2.1.ppc64le",
"product": {
"name": "cheat-4.4.2-bp160.2.1.ppc64le",
"product_id": "cheat-4.4.2-bp160.2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "cheat-4.4.2-bp160.2.1.s390x",
"product": {
"name": "cheat-4.4.2-bp160.2.1.s390x",
"product_id": "cheat-4.4.2-bp160.2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "cheat-4.4.2-bp160.2.1.x86_64",
"product": {
"name": "cheat-4.4.2-bp160.2.1.x86_64",
"product_id": "cheat-4.4.2-bp160.2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cheat-4.4.2-bp160.2.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.aarch64"
},
"product_reference": "cheat-4.4.2-bp160.2.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cheat-4.4.2-bp160.2.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.ppc64le"
},
"product_reference": "cheat-4.4.2-bp160.2.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cheat-4.4.2-bp160.2.1.s390x as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.s390x"
},
"product_reference": "cheat-4.4.2-bp160.2.1.s390x",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cheat-4.4.2-bp160.2.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.x86_64"
},
"product_reference": "cheat-4.4.2-bp160.2.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-48795",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-48795"
}
],
"notes": [
{
"category": "general",
"text": "The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH\u0027s use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.aarch64",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.ppc64le",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.s390x",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-48795",
"url": "https://www.suse.com/security/cve/CVE-2023-48795"
},
{
"category": "external",
"summary": "SUSE Bug 1217950 for CVE-2023-48795",
"url": "https://bugzilla.suse.com/1217950"
},
{
"category": "external",
"summary": "SUSE Bug 1218708 for CVE-2023-48795",
"url": "https://bugzilla.suse.com/1218708"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.aarch64",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.ppc64le",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.s390x",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.aarch64",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.ppc64le",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.s390x",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-18T00:17:52Z",
"details": "important"
}
],
"title": "CVE-2023-48795"
},
{
"cve": "CVE-2025-21613",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-21613"
}
],
"notes": [
{
"category": "general",
"text": "go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.aarch64",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.ppc64le",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.s390x",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-21613",
"url": "https://www.suse.com/security/cve/CVE-2025-21613"
},
{
"category": "external",
"summary": "SUSE Bug 1235572 for CVE-2025-21613",
"url": "https://bugzilla.suse.com/1235572"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.aarch64",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.ppc64le",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.s390x",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.aarch64",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.ppc64le",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.s390x",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-18T00:17:52Z",
"details": "important"
}
],
"title": "CVE-2025-21613"
},
{
"cve": "CVE-2025-21614",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-21614"
}
],
"notes": [
{
"category": "general",
"text": "go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.aarch64",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.ppc64le",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.s390x",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-21614",
"url": "https://www.suse.com/security/cve/CVE-2025-21614"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.aarch64",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.ppc64le",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.s390x",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-18T00:17:52Z",
"details": "important"
}
],
"title": "CVE-2025-21614"
},
{
"cve": "CVE-2025-22869",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22869"
}
],
"notes": [
{
"category": "general",
"text": "SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.aarch64",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.ppc64le",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.s390x",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22869",
"url": "https://www.suse.com/security/cve/CVE-2025-22869"
},
{
"category": "external",
"summary": "SUSE Bug 1239322 for CVE-2025-22869",
"url": "https://bugzilla.suse.com/1239322"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.aarch64",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.ppc64le",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.s390x",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.aarch64",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.ppc64le",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.s390x",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-18T00:17:52Z",
"details": "important"
}
],
"title": "CVE-2025-22869"
},
{
"cve": "CVE-2025-22870",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22870"
}
],
"notes": [
{
"category": "general",
"text": "Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to \"*.example.com\", a request to \"[::1%25.example.com]:80` will incorrectly match and not be proxied.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.aarch64",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.ppc64le",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.s390x",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22870",
"url": "https://www.suse.com/security/cve/CVE-2025-22870"
},
{
"category": "external",
"summary": "SUSE Bug 1238572 for CVE-2025-22870",
"url": "https://bugzilla.suse.com/1238572"
},
{
"category": "external",
"summary": "SUSE Bug 1238611 for CVE-2025-22870",
"url": "https://bugzilla.suse.com/1238611"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.aarch64",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.ppc64le",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.s390x",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.aarch64",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.ppc64le",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.s390x",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-18T00:17:52Z",
"details": "moderate"
}
],
"title": "CVE-2025-22870"
},
{
"cve": "CVE-2025-47913",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47913"
}
],
"notes": [
{
"category": "general",
"text": "SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.aarch64",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.ppc64le",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.s390x",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47913",
"url": "https://www.suse.com/security/cve/CVE-2025-47913"
},
{
"category": "external",
"summary": "SUSE Bug 1253506 for CVE-2025-47913",
"url": "https://bugzilla.suse.com/1253506"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.aarch64",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.ppc64le",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.s390x",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.aarch64",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.ppc64le",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.s390x",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-18T00:17:52Z",
"details": "important"
}
],
"title": "CVE-2025-47913"
},
{
"cve": "CVE-2025-47914",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47914"
}
],
"notes": [
{
"category": "general",
"text": "SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.aarch64",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.ppc64le",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.s390x",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47914",
"url": "https://www.suse.com/security/cve/CVE-2025-47914"
},
{
"category": "external",
"summary": "SUSE Bug 1253967 for CVE-2025-47914",
"url": "https://bugzilla.suse.com/1253967"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.aarch64",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.ppc64le",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.s390x",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.aarch64",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.ppc64le",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.s390x",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-18T00:17:52Z",
"details": "moderate"
}
],
"title": "CVE-2025-47914"
},
{
"cve": "CVE-2025-58181",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58181"
}
],
"notes": [
{
"category": "general",
"text": "SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.aarch64",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.ppc64le",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.s390x",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58181",
"url": "https://www.suse.com/security/cve/CVE-2025-58181"
},
{
"category": "external",
"summary": "SUSE Bug 1253784 for CVE-2025-58181",
"url": "https://bugzilla.suse.com/1253784"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.aarch64",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.ppc64le",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.s390x",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.aarch64",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.ppc64le",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.s390x",
"openSUSE Leap 16.0:cheat-4.4.2-bp160.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-18T00:17:52Z",
"details": "moderate"
}
],
"title": "CVE-2025-58181"
}
]
}
opensuse-su-2025-20143-1
Vulnerability from csaf_opensuse
Published
2025-12-04 13:08
Modified
2025-12-04 13:08
Summary
Security update for git-bug
Notes
Title of the patch
Security update for git-bug
Description of the patch
This update for git-bug fixes the following issues:
Changes in git-bug:
- Revendor to include fixed version of depending libraries:
- GO-2025-4116 (CVE-2025-47913, bsc#1253506) upgrade
golang.org/x/crypto to v0.43.0
- GO-2025-3900 (GHSA-2464-8j7c-4cjm) upgrade
github.com/go-viper/mapstructure/v2 to v2.4.0
- GO-2025-3787 (GHSA-fv92-fjc5-jj9h) included in the previous
- GO-2025-3754 (GHSA-2x5j-vhc8-9cwm) upgrade
github.com/cloudflare/circl to v1.6.1
- GO-2025-4134 (CVE-2025-58181, bsc#1253930) upgrade
golang.org/x/crypto/ssh to v0.45.0
- GO-2025-4135 (CVE-2025-47914, bsc#1254084) upgrade
golang.org/x/crypto/ssh/agent to v0.45.0
- Revendor to include golang.org/x/net/html v 0.45.0 to prevent
possible DoS by various algorithms with quadratic complexity
when parsing HTML documents (bsc#1251463, CVE-2025-47911 and
bsc#1251664, CVE-2025-58190).
Update to version 0.10.1:
- cli: ignore missing sections when removing configuration (ddb22a2f)
Update to version 0.10.0:
- bridge: correct command used to create a new bridge (9942337b)
- web: simplify header navigation (7e95b169)
- webui: remark upgrade + gfm + syntax highlighting (6ee47b96)
- BREAKING CHANGE: dev-infra: remove gokart (89b880bd)
Update to version 0.10.0:
- bridge: correct command used to create a new bridge (9942337b)
- web: simplify header navigation (7e95b169)
- web: remark upgrade + gfm + syntax highlighting (6ee47b96)
Update to version 0.9.0:
- completion: remove errata from string literal (aa102c91)
- tui: improve readability of the help bar (23be684a)
Update to version 0.8.1+git.1746484874.96c7a111:
* docs: update install, contrib, and usage documentation (#1222)
* fix: resolve the remote URI using url.*.insteadOf (#1394)
* build(deps): bump the go_modules group across 1 directory with 3 updates (#1376)
* chore: gofmt simplify gitlab/export_test.go (#1392)
* fix: checkout repo before setting up go environment (#1390)
* feat: bump to go v1.24.2 (#1389)
* chore: update golang.org/x/net (#1379)
* fix: use -0700 when formatting time (#1388)
* fix: use correct url for gitlab PATs (#1384)
* refactor: remove depdendency on pnpm for auto-label action (#1383)
* feat: add action: auto-label (#1380)
* feat: remove lifecycle/frozen (#1377)
* build(deps): bump the npm_and_yarn group across 1 directory with 12 updates (#1378)
* feat: support new exclusion label: lifecycle/pinned (#1375)
* fix: refactor how gitlab title changes are detected (#1370)
* revert: "Create Dependabot config file" (#1374)
* refactor: rename //:git-bug.go to //:main.go (#1373)
* build(deps): bump github.com/vektah/gqlparser/v2 from 2.5.16 to 2.5.25 (#1361)
* fix: set GitLastTag to an empty string when git-describe errors (#1355)
* chore: update go-git to v5@masterupdate_mods (#1284)
* refactor: Directly swap two variables to optimize code (#1272)
* Update README.md Matrix link to new room (#1275)
- Update to version 0.8.0+git.1742269202.0ab94c9:
* deps(crypto): bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for CVE-2024-45337) (#1312)
- Update golang.org/x/crypto/ssh to v0.35.0 (bsc#1239494,
CVE-2025-22869).
- Add missing Requires to completion subpackages.
Update to version 0.8.0+git.1733745604.d499b6e:
* fix typos in docs (#1266)
* build(deps): bump github.com/go-git/go-billy/v5 from 5.5.0 to 5.6.0 (#1289)
- bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for CVE-2024-45337, bsc#1234565).
Patchnames
openSUSE-Leap-16.0-packagehub-46
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for git-bug",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for git-bug fixes the following issues:\n\nChanges in git-bug:\n\n- Revendor to include fixed version of depending libraries:\n - GO-2025-4116 (CVE-2025-47913, bsc#1253506) upgrade\n golang.org/x/crypto to v0.43.0\n - GO-2025-3900 (GHSA-2464-8j7c-4cjm) upgrade\n github.com/go-viper/mapstructure/v2 to v2.4.0\n - GO-2025-3787 (GHSA-fv92-fjc5-jj9h) included in the previous\n - GO-2025-3754 (GHSA-2x5j-vhc8-9cwm) upgrade\n github.com/cloudflare/circl to v1.6.1\n - GO-2025-4134 (CVE-2025-58181, bsc#1253930) upgrade\n golang.org/x/crypto/ssh to v0.45.0\n - GO-2025-4135 (CVE-2025-47914, bsc#1254084) upgrade\n golang.org/x/crypto/ssh/agent to v0.45.0\n\n- Revendor to include golang.org/x/net/html v 0.45.0 to prevent\n possible DoS by various algorithms with quadratic complexity\n when parsing HTML documents (bsc#1251463, CVE-2025-47911 and\n bsc#1251664, CVE-2025-58190).\n\nUpdate to version 0.10.1:\n\n - cli: ignore missing sections when removing configuration (ddb22a2f)\n\nUpdate to version 0.10.0:\n\n - bridge: correct command used to create a new bridge (9942337b)\n - web: simplify header navigation (7e95b169)\n - webui: remark upgrade + gfm + syntax highlighting (6ee47b96)\n - BREAKING CHANGE: dev-infra: remove gokart (89b880bd)\n\nUpdate to version 0.10.0:\n\n - bridge: correct command used to create a new bridge (9942337b)\n - web: simplify header navigation (7e95b169)\n - web: remark upgrade + gfm + syntax highlighting (6ee47b96)\n\nUpdate to version 0.9.0:\n\n - completion: remove errata from string literal (aa102c91)\n - tui: improve readability of the help bar (23be684a)\n\nUpdate to version 0.8.1+git.1746484874.96c7a111:\n\n * docs: update install, contrib, and usage documentation (#1222)\n * fix: resolve the remote URI using url.*.insteadOf (#1394)\n * build(deps): bump the go_modules group across 1 directory with 3 updates (#1376)\n * chore: gofmt simplify gitlab/export_test.go (#1392)\n * fix: checkout repo before setting up go environment (#1390)\n * feat: bump to go v1.24.2 (#1389)\n * chore: update golang.org/x/net (#1379)\n * fix: use -0700 when formatting time (#1388)\n * fix: use correct url for gitlab PATs (#1384)\n * refactor: remove depdendency on pnpm for auto-label action (#1383)\n * feat: add action: auto-label (#1380)\n * feat: remove lifecycle/frozen (#1377)\n * build(deps): bump the npm_and_yarn group across 1 directory with 12 updates (#1378)\n * feat: support new exclusion label: lifecycle/pinned (#1375)\n * fix: refactor how gitlab title changes are detected (#1370)\n * revert: \"Create Dependabot config file\" (#1374)\n * refactor: rename //:git-bug.go to //:main.go (#1373)\n * build(deps): bump github.com/vektah/gqlparser/v2 from 2.5.16 to 2.5.25 (#1361)\n * fix: set GitLastTag to an empty string when git-describe errors (#1355)\n * chore: update go-git to v5@masterupdate_mods (#1284)\n * refactor: Directly swap two variables to optimize code (#1272)\n * Update README.md Matrix link to new room (#1275)\n\n- Update to version 0.8.0+git.1742269202.0ab94c9:\n * deps(crypto): bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for CVE-2024-45337) (#1312)\n\n- Update golang.org/x/crypto/ssh to v0.35.0 (bsc#1239494,\n CVE-2025-22869).\n\n- Add missing Requires to completion subpackages.\n\nUpdate to version 0.8.0+git.1733745604.d499b6e:\n\n * fix typos in docs (#1266)\n * build(deps): bump github.com/go-git/go-billy/v5 from 5.5.0 to 5.6.0 (#1289)\n\n- bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for CVE-2024-45337, bsc#1234565).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-packagehub-46",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025-20143-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1234565",
"url": "https://bugzilla.suse.com/1234565"
},
{
"category": "self",
"summary": "SUSE Bug 1239494",
"url": "https://bugzilla.suse.com/1239494"
},
{
"category": "self",
"summary": "SUSE Bug 1251463",
"url": "https://bugzilla.suse.com/1251463"
},
{
"category": "self",
"summary": "SUSE Bug 1251664",
"url": "https://bugzilla.suse.com/1251664"
},
{
"category": "self",
"summary": "SUSE Bug 1253506",
"url": "https://bugzilla.suse.com/1253506"
},
{
"category": "self",
"summary": "SUSE Bug 1253930",
"url": "https://bugzilla.suse.com/1253930"
},
{
"category": "self",
"summary": "SUSE Bug 1254084",
"url": "https://bugzilla.suse.com/1254084"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45337 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45337/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22869 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22869/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47911 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47911/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47913 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47913/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47914 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47914/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58181 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58181/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58190 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58190/"
}
],
"title": "Security update for git-bug",
"tracking": {
"current_release_date": "2025-12-04T13:08:26Z",
"generator": {
"date": "2025-12-04T13:08:26Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025-20143-1",
"initial_release_date": "2025-12-04T13:08:26Z",
"revision_history": [
{
"date": "2025-12-04T13:08:26Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "git-bug-0.10.1-bp160.1.1.aarch64",
"product": {
"name": "git-bug-0.10.1-bp160.1.1.aarch64",
"product_id": "git-bug-0.10.1-bp160.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"product": {
"name": "git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"product_id": "git-bug-bash-completion-0.10.1-bp160.1.1.noarch"
}
},
{
"category": "product_version",
"name": "git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"product": {
"name": "git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"product_id": "git-bug-fish-completion-0.10.1-bp160.1.1.noarch"
}
},
{
"category": "product_version",
"name": "git-bug-zsh-completion-0.10.1-bp160.1.1.noarch",
"product": {
"name": "git-bug-zsh-completion-0.10.1-bp160.1.1.noarch",
"product_id": "git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "git-bug-0.10.1-bp160.1.1.ppc64le",
"product": {
"name": "git-bug-0.10.1-bp160.1.1.ppc64le",
"product_id": "git-bug-0.10.1-bp160.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "git-bug-0.10.1-bp160.1.1.s390x",
"product": {
"name": "git-bug-0.10.1-bp160.1.1.s390x",
"product_id": "git-bug-0.10.1-bp160.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "git-bug-0.10.1-bp160.1.1.x86_64",
"product": {
"name": "git-bug-0.10.1-bp160.1.1.x86_64",
"product_id": "git-bug-0.10.1-bp160.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-0.10.1-bp160.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64"
},
"product_reference": "git-bug-0.10.1-bp160.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-0.10.1-bp160.1.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le"
},
"product_reference": "git-bug-0.10.1-bp160.1.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-0.10.1-bp160.1.1.s390x as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x"
},
"product_reference": "git-bug-0.10.1-bp160.1.1.s390x",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-0.10.1-bp160.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64"
},
"product_reference": "git-bug-0.10.1-bp160.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-bash-completion-0.10.1-bp160.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch"
},
"product_reference": "git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-fish-completion-0.10.1-bp160.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch"
},
"product_reference": "git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-zsh-completion-0.10.1-bp160.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
},
"product_reference": "git-bug-zsh-completion-0.10.1-bp160.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45337",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45337"
}
],
"notes": [
{
"category": "general",
"text": "Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45337",
"url": "https://www.suse.com/security/cve/CVE-2024-45337"
},
{
"category": "external",
"summary": "SUSE Bug 1234482 for CVE-2024-45337",
"url": "https://bugzilla.suse.com/1234482"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-04T13:08:26Z",
"details": "important"
}
],
"title": "CVE-2024-45337"
},
{
"cve": "CVE-2025-22869",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22869"
}
],
"notes": [
{
"category": "general",
"text": "SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22869",
"url": "https://www.suse.com/security/cve/CVE-2025-22869"
},
{
"category": "external",
"summary": "SUSE Bug 1239322 for CVE-2025-22869",
"url": "https://bugzilla.suse.com/1239322"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-04T13:08:26Z",
"details": "important"
}
],
"title": "CVE-2025-22869"
},
{
"cve": "CVE-2025-47911",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47911"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47911",
"url": "https://www.suse.com/security/cve/CVE-2025-47911"
},
{
"category": "external",
"summary": "SUSE Bug 1251308 for CVE-2025-47911",
"url": "https://bugzilla.suse.com/1251308"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-04T13:08:26Z",
"details": "moderate"
}
],
"title": "CVE-2025-47911"
},
{
"cve": "CVE-2025-47913",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47913"
}
],
"notes": [
{
"category": "general",
"text": "SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47913",
"url": "https://www.suse.com/security/cve/CVE-2025-47913"
},
{
"category": "external",
"summary": "SUSE Bug 1253506 for CVE-2025-47913",
"url": "https://bugzilla.suse.com/1253506"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-04T13:08:26Z",
"details": "important"
}
],
"title": "CVE-2025-47913"
},
{
"cve": "CVE-2025-47914",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47914"
}
],
"notes": [
{
"category": "general",
"text": "SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47914",
"url": "https://www.suse.com/security/cve/CVE-2025-47914"
},
{
"category": "external",
"summary": "SUSE Bug 1253967 for CVE-2025-47914",
"url": "https://bugzilla.suse.com/1253967"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-04T13:08:26Z",
"details": "moderate"
}
],
"title": "CVE-2025-47914"
},
{
"cve": "CVE-2025-58181",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58181"
}
],
"notes": [
{
"category": "general",
"text": "SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58181",
"url": "https://www.suse.com/security/cve/CVE-2025-58181"
},
{
"category": "external",
"summary": "SUSE Bug 1253784 for CVE-2025-58181",
"url": "https://bugzilla.suse.com/1253784"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-04T13:08:26Z",
"details": "moderate"
}
],
"title": "CVE-2025-58181"
},
{
"cve": "CVE-2025-58190",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58190"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58190",
"url": "https://www.suse.com/security/cve/CVE-2025-58190"
},
{
"category": "external",
"summary": "SUSE Bug 1251309 for CVE-2025-58190",
"url": "https://bugzilla.suse.com/1251309"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-04T13:08:26Z",
"details": "moderate"
}
],
"title": "CVE-2025-58190"
}
]
}
opensuse-su-2025:20143-1
Vulnerability from csaf_opensuse
Published
2025-12-04 13:08
Modified
2025-12-04 13:08
Summary
Security update for git-bug
Notes
Title of the patch
Security update for git-bug
Description of the patch
This update for git-bug fixes the following issues:
Changes in git-bug:
- Revendor to include fixed version of depending libraries:
- GO-2025-4116 (CVE-2025-47913, bsc#1253506) upgrade
golang.org/x/crypto to v0.43.0
- GO-2025-3900 (GHSA-2464-8j7c-4cjm) upgrade
github.com/go-viper/mapstructure/v2 to v2.4.0
- GO-2025-3787 (GHSA-fv92-fjc5-jj9h) included in the previous
- GO-2025-3754 (GHSA-2x5j-vhc8-9cwm) upgrade
github.com/cloudflare/circl to v1.6.1
- GO-2025-4134 (CVE-2025-58181, bsc#1253930) upgrade
golang.org/x/crypto/ssh to v0.45.0
- GO-2025-4135 (CVE-2025-47914, bsc#1254084) upgrade
golang.org/x/crypto/ssh/agent to v0.45.0
- Revendor to include golang.org/x/net/html v 0.45.0 to prevent
possible DoS by various algorithms with quadratic complexity
when parsing HTML documents (bsc#1251463, CVE-2025-47911 and
bsc#1251664, CVE-2025-58190).
Update to version 0.10.1:
- cli: ignore missing sections when removing configuration (ddb22a2f)
Update to version 0.10.0:
- bridge: correct command used to create a new bridge (9942337b)
- web: simplify header navigation (7e95b169)
- webui: remark upgrade + gfm + syntax highlighting (6ee47b96)
- BREAKING CHANGE: dev-infra: remove gokart (89b880bd)
Update to version 0.10.0:
- bridge: correct command used to create a new bridge (9942337b)
- web: simplify header navigation (7e95b169)
- web: remark upgrade + gfm + syntax highlighting (6ee47b96)
Update to version 0.9.0:
- completion: remove errata from string literal (aa102c91)
- tui: improve readability of the help bar (23be684a)
Update to version 0.8.1+git.1746484874.96c7a111:
* docs: update install, contrib, and usage documentation (#1222)
* fix: resolve the remote URI using url.*.insteadOf (#1394)
* build(deps): bump the go_modules group across 1 directory with 3 updates (#1376)
* chore: gofmt simplify gitlab/export_test.go (#1392)
* fix: checkout repo before setting up go environment (#1390)
* feat: bump to go v1.24.2 (#1389)
* chore: update golang.org/x/net (#1379)
* fix: use -0700 when formatting time (#1388)
* fix: use correct url for gitlab PATs (#1384)
* refactor: remove depdendency on pnpm for auto-label action (#1383)
* feat: add action: auto-label (#1380)
* feat: remove lifecycle/frozen (#1377)
* build(deps): bump the npm_and_yarn group across 1 directory with 12 updates (#1378)
* feat: support new exclusion label: lifecycle/pinned (#1375)
* fix: refactor how gitlab title changes are detected (#1370)
* revert: "Create Dependabot config file" (#1374)
* refactor: rename //:git-bug.go to //:main.go (#1373)
* build(deps): bump github.com/vektah/gqlparser/v2 from 2.5.16 to 2.5.25 (#1361)
* fix: set GitLastTag to an empty string when git-describe errors (#1355)
* chore: update go-git to v5@masterupdate_mods (#1284)
* refactor: Directly swap two variables to optimize code (#1272)
* Update README.md Matrix link to new room (#1275)
- Update to version 0.8.0+git.1742269202.0ab94c9:
* deps(crypto): bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for CVE-2024-45337) (#1312)
- Update golang.org/x/crypto/ssh to v0.35.0 (bsc#1239494,
CVE-2025-22869).
- Add missing Requires to completion subpackages.
Update to version 0.8.0+git.1733745604.d499b6e:
* fix typos in docs (#1266)
* build(deps): bump github.com/go-git/go-billy/v5 from 5.5.0 to 5.6.0 (#1289)
- bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for CVE-2024-45337, bsc#1234565).
Patchnames
openSUSE-Leap-16.0-packagehub-46
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for git-bug",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for git-bug fixes the following issues:\n\nChanges in git-bug:\n\n- Revendor to include fixed version of depending libraries:\n - GO-2025-4116 (CVE-2025-47913, bsc#1253506) upgrade\n golang.org/x/crypto to v0.43.0\n - GO-2025-3900 (GHSA-2464-8j7c-4cjm) upgrade\n github.com/go-viper/mapstructure/v2 to v2.4.0\n - GO-2025-3787 (GHSA-fv92-fjc5-jj9h) included in the previous\n - GO-2025-3754 (GHSA-2x5j-vhc8-9cwm) upgrade\n github.com/cloudflare/circl to v1.6.1\n - GO-2025-4134 (CVE-2025-58181, bsc#1253930) upgrade\n golang.org/x/crypto/ssh to v0.45.0\n - GO-2025-4135 (CVE-2025-47914, bsc#1254084) upgrade\n golang.org/x/crypto/ssh/agent to v0.45.0\n\n- Revendor to include golang.org/x/net/html v 0.45.0 to prevent\n possible DoS by various algorithms with quadratic complexity\n when parsing HTML documents (bsc#1251463, CVE-2025-47911 and\n bsc#1251664, CVE-2025-58190).\n\nUpdate to version 0.10.1:\n\n - cli: ignore missing sections when removing configuration (ddb22a2f)\n\nUpdate to version 0.10.0:\n\n - bridge: correct command used to create a new bridge (9942337b)\n - web: simplify header navigation (7e95b169)\n - webui: remark upgrade + gfm + syntax highlighting (6ee47b96)\n - BREAKING CHANGE: dev-infra: remove gokart (89b880bd)\n\nUpdate to version 0.10.0:\n\n - bridge: correct command used to create a new bridge (9942337b)\n - web: simplify header navigation (7e95b169)\n - web: remark upgrade + gfm + syntax highlighting (6ee47b96)\n\nUpdate to version 0.9.0:\n\n - completion: remove errata from string literal (aa102c91)\n - tui: improve readability of the help bar (23be684a)\n\nUpdate to version 0.8.1+git.1746484874.96c7a111:\n\n * docs: update install, contrib, and usage documentation (#1222)\n * fix: resolve the remote URI using url.*.insteadOf (#1394)\n * build(deps): bump the go_modules group across 1 directory with 3 updates (#1376)\n * chore: gofmt simplify gitlab/export_test.go (#1392)\n * fix: checkout repo before setting up go environment (#1390)\n * feat: bump to go v1.24.2 (#1389)\n * chore: update golang.org/x/net (#1379)\n * fix: use -0700 when formatting time (#1388)\n * fix: use correct url for gitlab PATs (#1384)\n * refactor: remove depdendency on pnpm for auto-label action (#1383)\n * feat: add action: auto-label (#1380)\n * feat: remove lifecycle/frozen (#1377)\n * build(deps): bump the npm_and_yarn group across 1 directory with 12 updates (#1378)\n * feat: support new exclusion label: lifecycle/pinned (#1375)\n * fix: refactor how gitlab title changes are detected (#1370)\n * revert: \"Create Dependabot config file\" (#1374)\n * refactor: rename //:git-bug.go to //:main.go (#1373)\n * build(deps): bump github.com/vektah/gqlparser/v2 from 2.5.16 to 2.5.25 (#1361)\n * fix: set GitLastTag to an empty string when git-describe errors (#1355)\n * chore: update go-git to v5@masterupdate_mods (#1284)\n * refactor: Directly swap two variables to optimize code (#1272)\n * Update README.md Matrix link to new room (#1275)\n\n- Update to version 0.8.0+git.1742269202.0ab94c9:\n * deps(crypto): bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for CVE-2024-45337) (#1312)\n\n- Update golang.org/x/crypto/ssh to v0.35.0 (bsc#1239494,\n CVE-2025-22869).\n\n- Add missing Requires to completion subpackages.\n\nUpdate to version 0.8.0+git.1733745604.d499b6e:\n\n * fix typos in docs (#1266)\n * build(deps): bump github.com/go-git/go-billy/v5 from 5.5.0 to 5.6.0 (#1289)\n\n- bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for CVE-2024-45337, bsc#1234565).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-packagehub-46",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_20143-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1234565",
"url": "https://bugzilla.suse.com/1234565"
},
{
"category": "self",
"summary": "SUSE Bug 1239494",
"url": "https://bugzilla.suse.com/1239494"
},
{
"category": "self",
"summary": "SUSE Bug 1251463",
"url": "https://bugzilla.suse.com/1251463"
},
{
"category": "self",
"summary": "SUSE Bug 1251664",
"url": "https://bugzilla.suse.com/1251664"
},
{
"category": "self",
"summary": "SUSE Bug 1253506",
"url": "https://bugzilla.suse.com/1253506"
},
{
"category": "self",
"summary": "SUSE Bug 1253930",
"url": "https://bugzilla.suse.com/1253930"
},
{
"category": "self",
"summary": "SUSE Bug 1254084",
"url": "https://bugzilla.suse.com/1254084"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45337 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45337/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22869 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22869/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47911 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47911/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47913 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47913/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47914 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47914/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58181 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58181/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58190 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58190/"
}
],
"title": "Security update for git-bug",
"tracking": {
"current_release_date": "2025-12-04T13:08:26Z",
"generator": {
"date": "2025-12-04T13:08:26Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:20143-1",
"initial_release_date": "2025-12-04T13:08:26Z",
"revision_history": [
{
"date": "2025-12-04T13:08:26Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "git-bug-0.10.1-bp160.1.1.aarch64",
"product": {
"name": "git-bug-0.10.1-bp160.1.1.aarch64",
"product_id": "git-bug-0.10.1-bp160.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"product": {
"name": "git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"product_id": "git-bug-bash-completion-0.10.1-bp160.1.1.noarch"
}
},
{
"category": "product_version",
"name": "git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"product": {
"name": "git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"product_id": "git-bug-fish-completion-0.10.1-bp160.1.1.noarch"
}
},
{
"category": "product_version",
"name": "git-bug-zsh-completion-0.10.1-bp160.1.1.noarch",
"product": {
"name": "git-bug-zsh-completion-0.10.1-bp160.1.1.noarch",
"product_id": "git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "git-bug-0.10.1-bp160.1.1.ppc64le",
"product": {
"name": "git-bug-0.10.1-bp160.1.1.ppc64le",
"product_id": "git-bug-0.10.1-bp160.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "git-bug-0.10.1-bp160.1.1.s390x",
"product": {
"name": "git-bug-0.10.1-bp160.1.1.s390x",
"product_id": "git-bug-0.10.1-bp160.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "git-bug-0.10.1-bp160.1.1.x86_64",
"product": {
"name": "git-bug-0.10.1-bp160.1.1.x86_64",
"product_id": "git-bug-0.10.1-bp160.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-0.10.1-bp160.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64"
},
"product_reference": "git-bug-0.10.1-bp160.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-0.10.1-bp160.1.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le"
},
"product_reference": "git-bug-0.10.1-bp160.1.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-0.10.1-bp160.1.1.s390x as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x"
},
"product_reference": "git-bug-0.10.1-bp160.1.1.s390x",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-0.10.1-bp160.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64"
},
"product_reference": "git-bug-0.10.1-bp160.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-bash-completion-0.10.1-bp160.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch"
},
"product_reference": "git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-fish-completion-0.10.1-bp160.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch"
},
"product_reference": "git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-zsh-completion-0.10.1-bp160.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
},
"product_reference": "git-bug-zsh-completion-0.10.1-bp160.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45337",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45337"
}
],
"notes": [
{
"category": "general",
"text": "Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45337",
"url": "https://www.suse.com/security/cve/CVE-2024-45337"
},
{
"category": "external",
"summary": "SUSE Bug 1234482 for CVE-2024-45337",
"url": "https://bugzilla.suse.com/1234482"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-04T13:08:26Z",
"details": "important"
}
],
"title": "CVE-2024-45337"
},
{
"cve": "CVE-2025-22869",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22869"
}
],
"notes": [
{
"category": "general",
"text": "SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22869",
"url": "https://www.suse.com/security/cve/CVE-2025-22869"
},
{
"category": "external",
"summary": "SUSE Bug 1239322 for CVE-2025-22869",
"url": "https://bugzilla.suse.com/1239322"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-04T13:08:26Z",
"details": "important"
}
],
"title": "CVE-2025-22869"
},
{
"cve": "CVE-2025-47911",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47911"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47911",
"url": "https://www.suse.com/security/cve/CVE-2025-47911"
},
{
"category": "external",
"summary": "SUSE Bug 1251308 for CVE-2025-47911",
"url": "https://bugzilla.suse.com/1251308"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-04T13:08:26Z",
"details": "moderate"
}
],
"title": "CVE-2025-47911"
},
{
"cve": "CVE-2025-47913",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47913"
}
],
"notes": [
{
"category": "general",
"text": "SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47913",
"url": "https://www.suse.com/security/cve/CVE-2025-47913"
},
{
"category": "external",
"summary": "SUSE Bug 1253506 for CVE-2025-47913",
"url": "https://bugzilla.suse.com/1253506"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-04T13:08:26Z",
"details": "important"
}
],
"title": "CVE-2025-47913"
},
{
"cve": "CVE-2025-47914",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47914"
}
],
"notes": [
{
"category": "general",
"text": "SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47914",
"url": "https://www.suse.com/security/cve/CVE-2025-47914"
},
{
"category": "external",
"summary": "SUSE Bug 1253967 for CVE-2025-47914",
"url": "https://bugzilla.suse.com/1253967"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-04T13:08:26Z",
"details": "moderate"
}
],
"title": "CVE-2025-47914"
},
{
"cve": "CVE-2025-58181",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58181"
}
],
"notes": [
{
"category": "general",
"text": "SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58181",
"url": "https://www.suse.com/security/cve/CVE-2025-58181"
},
{
"category": "external",
"summary": "SUSE Bug 1253784 for CVE-2025-58181",
"url": "https://bugzilla.suse.com/1253784"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-04T13:08:26Z",
"details": "moderate"
}
],
"title": "CVE-2025-58181"
},
{
"cve": "CVE-2025-58190",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58190"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58190",
"url": "https://www.suse.com/security/cve/CVE-2025-58190"
},
{
"category": "external",
"summary": "SUSE Bug 1251309 for CVE-2025-58190",
"url": "https://bugzilla.suse.com/1251309"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:git-bug-0.10.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:git-bug-bash-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-fish-completion-0.10.1-bp160.1.1.noarch",
"openSUSE Leap 16.0:git-bug-zsh-completion-0.10.1-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-04T13:08:26Z",
"details": "moderate"
}
],
"title": "CVE-2025-58190"
}
]
}
opensuse-su-2025:15771-1
Vulnerability from csaf_opensuse
Published
2025-11-26 00:00
Modified
2025-11-26 00:00
Summary
git-bug-0.10.1-3.1 on GA media
Notes
Title of the patch
git-bug-0.10.1-3.1 on GA media
Description of the patch
These are all security issues fixed in the git-bug-0.10.1-3.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2025-15771
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "git-bug-0.10.1-3.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the git-bug-0.10.1-3.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-15771",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15771-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47913 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47913/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47914 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47914/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58181 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58181/"
}
],
"title": "git-bug-0.10.1-3.1 on GA media",
"tracking": {
"current_release_date": "2025-11-26T00:00:00Z",
"generator": {
"date": "2025-11-26T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:15771-1",
"initial_release_date": "2025-11-26T00:00:00Z",
"revision_history": [
{
"date": "2025-11-26T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "git-bug-0.10.1-3.1.aarch64",
"product": {
"name": "git-bug-0.10.1-3.1.aarch64",
"product_id": "git-bug-0.10.1-3.1.aarch64"
}
},
{
"category": "product_version",
"name": "git-bug-bash-completion-0.10.1-3.1.aarch64",
"product": {
"name": "git-bug-bash-completion-0.10.1-3.1.aarch64",
"product_id": "git-bug-bash-completion-0.10.1-3.1.aarch64"
}
},
{
"category": "product_version",
"name": "git-bug-fish-completion-0.10.1-3.1.aarch64",
"product": {
"name": "git-bug-fish-completion-0.10.1-3.1.aarch64",
"product_id": "git-bug-fish-completion-0.10.1-3.1.aarch64"
}
},
{
"category": "product_version",
"name": "git-bug-zsh-completion-0.10.1-3.1.aarch64",
"product": {
"name": "git-bug-zsh-completion-0.10.1-3.1.aarch64",
"product_id": "git-bug-zsh-completion-0.10.1-3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "git-bug-0.10.1-3.1.ppc64le",
"product": {
"name": "git-bug-0.10.1-3.1.ppc64le",
"product_id": "git-bug-0.10.1-3.1.ppc64le"
}
},
{
"category": "product_version",
"name": "git-bug-bash-completion-0.10.1-3.1.ppc64le",
"product": {
"name": "git-bug-bash-completion-0.10.1-3.1.ppc64le",
"product_id": "git-bug-bash-completion-0.10.1-3.1.ppc64le"
}
},
{
"category": "product_version",
"name": "git-bug-fish-completion-0.10.1-3.1.ppc64le",
"product": {
"name": "git-bug-fish-completion-0.10.1-3.1.ppc64le",
"product_id": "git-bug-fish-completion-0.10.1-3.1.ppc64le"
}
},
{
"category": "product_version",
"name": "git-bug-zsh-completion-0.10.1-3.1.ppc64le",
"product": {
"name": "git-bug-zsh-completion-0.10.1-3.1.ppc64le",
"product_id": "git-bug-zsh-completion-0.10.1-3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "git-bug-0.10.1-3.1.s390x",
"product": {
"name": "git-bug-0.10.1-3.1.s390x",
"product_id": "git-bug-0.10.1-3.1.s390x"
}
},
{
"category": "product_version",
"name": "git-bug-bash-completion-0.10.1-3.1.s390x",
"product": {
"name": "git-bug-bash-completion-0.10.1-3.1.s390x",
"product_id": "git-bug-bash-completion-0.10.1-3.1.s390x"
}
},
{
"category": "product_version",
"name": "git-bug-fish-completion-0.10.1-3.1.s390x",
"product": {
"name": "git-bug-fish-completion-0.10.1-3.1.s390x",
"product_id": "git-bug-fish-completion-0.10.1-3.1.s390x"
}
},
{
"category": "product_version",
"name": "git-bug-zsh-completion-0.10.1-3.1.s390x",
"product": {
"name": "git-bug-zsh-completion-0.10.1-3.1.s390x",
"product_id": "git-bug-zsh-completion-0.10.1-3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "git-bug-0.10.1-3.1.x86_64",
"product": {
"name": "git-bug-0.10.1-3.1.x86_64",
"product_id": "git-bug-0.10.1-3.1.x86_64"
}
},
{
"category": "product_version",
"name": "git-bug-bash-completion-0.10.1-3.1.x86_64",
"product": {
"name": "git-bug-bash-completion-0.10.1-3.1.x86_64",
"product_id": "git-bug-bash-completion-0.10.1-3.1.x86_64"
}
},
{
"category": "product_version",
"name": "git-bug-fish-completion-0.10.1-3.1.x86_64",
"product": {
"name": "git-bug-fish-completion-0.10.1-3.1.x86_64",
"product_id": "git-bug-fish-completion-0.10.1-3.1.x86_64"
}
},
{
"category": "product_version",
"name": "git-bug-zsh-completion-0.10.1-3.1.x86_64",
"product": {
"name": "git-bug-zsh-completion-0.10.1-3.1.x86_64",
"product_id": "git-bug-zsh-completion-0.10.1-3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-0.10.1-3.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-0.10.1-3.1.aarch64"
},
"product_reference": "git-bug-0.10.1-3.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-0.10.1-3.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-0.10.1-3.1.ppc64le"
},
"product_reference": "git-bug-0.10.1-3.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-0.10.1-3.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-0.10.1-3.1.s390x"
},
"product_reference": "git-bug-0.10.1-3.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-0.10.1-3.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-0.10.1-3.1.x86_64"
},
"product_reference": "git-bug-0.10.1-3.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-bash-completion-0.10.1-3.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.aarch64"
},
"product_reference": "git-bug-bash-completion-0.10.1-3.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-bash-completion-0.10.1-3.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.ppc64le"
},
"product_reference": "git-bug-bash-completion-0.10.1-3.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-bash-completion-0.10.1-3.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.s390x"
},
"product_reference": "git-bug-bash-completion-0.10.1-3.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-bash-completion-0.10.1-3.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.x86_64"
},
"product_reference": "git-bug-bash-completion-0.10.1-3.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-fish-completion-0.10.1-3.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.aarch64"
},
"product_reference": "git-bug-fish-completion-0.10.1-3.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-fish-completion-0.10.1-3.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.ppc64le"
},
"product_reference": "git-bug-fish-completion-0.10.1-3.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-fish-completion-0.10.1-3.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.s390x"
},
"product_reference": "git-bug-fish-completion-0.10.1-3.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-fish-completion-0.10.1-3.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.x86_64"
},
"product_reference": "git-bug-fish-completion-0.10.1-3.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-zsh-completion-0.10.1-3.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.aarch64"
},
"product_reference": "git-bug-zsh-completion-0.10.1-3.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-zsh-completion-0.10.1-3.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.ppc64le"
},
"product_reference": "git-bug-zsh-completion-0.10.1-3.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-zsh-completion-0.10.1-3.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.s390x"
},
"product_reference": "git-bug-zsh-completion-0.10.1-3.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-zsh-completion-0.10.1-3.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.x86_64"
},
"product_reference": "git-bug-zsh-completion-0.10.1-3.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47913",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47913"
}
],
"notes": [
{
"category": "general",
"text": "SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.x86_64",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.x86_64",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.x86_64",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47913",
"url": "https://www.suse.com/security/cve/CVE-2025-47913"
},
{
"category": "external",
"summary": "SUSE Bug 1253506 for CVE-2025-47913",
"url": "https://bugzilla.suse.com/1253506"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.x86_64",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.x86_64",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.x86_64",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.x86_64",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.x86_64",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.x86_64",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-26T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-47913"
},
{
"cve": "CVE-2025-47914",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47914"
}
],
"notes": [
{
"category": "general",
"text": "SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.x86_64",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.x86_64",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.x86_64",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47914",
"url": "https://www.suse.com/security/cve/CVE-2025-47914"
},
{
"category": "external",
"summary": "SUSE Bug 1253967 for CVE-2025-47914",
"url": "https://bugzilla.suse.com/1253967"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.x86_64",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.x86_64",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.x86_64",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.x86_64",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.x86_64",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.x86_64",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-26T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-47914"
},
{
"cve": "CVE-2025-58181",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58181"
}
],
"notes": [
{
"category": "general",
"text": "SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.x86_64",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.x86_64",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.x86_64",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58181",
"url": "https://www.suse.com/security/cve/CVE-2025-58181"
},
{
"category": "external",
"summary": "SUSE Bug 1253784 for CVE-2025-58181",
"url": "https://bugzilla.suse.com/1253784"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.x86_64",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.x86_64",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.x86_64",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-0.10.1-3.1.x86_64",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-bash-completion-0.10.1-3.1.x86_64",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-fish-completion-0.10.1-3.1.x86_64",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.aarch64",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.ppc64le",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.s390x",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.10.1-3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-26T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-58181"
}
]
}
opensuse-su-2025:15773-1
Vulnerability from csaf_opensuse
Published
2025-11-27 00:00
Modified
2025-11-27 00:00
Summary
cheat-4.4.2-3.1 on GA media
Notes
Title of the patch
cheat-4.4.2-3.1 on GA media
Description of the patch
These are all security issues fixed in the cheat-4.4.2-3.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2025-15773
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "cheat-4.4.2-3.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the cheat-4.4.2-3.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-15773",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15773-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47913 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47913/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47914 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47914/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58181 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58181/"
}
],
"title": "cheat-4.4.2-3.1 on GA media",
"tracking": {
"current_release_date": "2025-11-27T00:00:00Z",
"generator": {
"date": "2025-11-27T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:15773-1",
"initial_release_date": "2025-11-27T00:00:00Z",
"revision_history": [
{
"date": "2025-11-27T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "cheat-4.4.2-3.1.aarch64",
"product": {
"name": "cheat-4.4.2-3.1.aarch64",
"product_id": "cheat-4.4.2-3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "cheat-4.4.2-3.1.ppc64le",
"product": {
"name": "cheat-4.4.2-3.1.ppc64le",
"product_id": "cheat-4.4.2-3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "cheat-4.4.2-3.1.s390x",
"product": {
"name": "cheat-4.4.2-3.1.s390x",
"product_id": "cheat-4.4.2-3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "cheat-4.4.2-3.1.x86_64",
"product": {
"name": "cheat-4.4.2-3.1.x86_64",
"product_id": "cheat-4.4.2-3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cheat-4.4.2-3.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cheat-4.4.2-3.1.aarch64"
},
"product_reference": "cheat-4.4.2-3.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cheat-4.4.2-3.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cheat-4.4.2-3.1.ppc64le"
},
"product_reference": "cheat-4.4.2-3.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cheat-4.4.2-3.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cheat-4.4.2-3.1.s390x"
},
"product_reference": "cheat-4.4.2-3.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cheat-4.4.2-3.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cheat-4.4.2-3.1.x86_64"
},
"product_reference": "cheat-4.4.2-3.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47913",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47913"
}
],
"notes": [
{
"category": "general",
"text": "SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cheat-4.4.2-3.1.aarch64",
"openSUSE Tumbleweed:cheat-4.4.2-3.1.ppc64le",
"openSUSE Tumbleweed:cheat-4.4.2-3.1.s390x",
"openSUSE Tumbleweed:cheat-4.4.2-3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47913",
"url": "https://www.suse.com/security/cve/CVE-2025-47913"
},
{
"category": "external",
"summary": "SUSE Bug 1253506 for CVE-2025-47913",
"url": "https://bugzilla.suse.com/1253506"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cheat-4.4.2-3.1.aarch64",
"openSUSE Tumbleweed:cheat-4.4.2-3.1.ppc64le",
"openSUSE Tumbleweed:cheat-4.4.2-3.1.s390x",
"openSUSE Tumbleweed:cheat-4.4.2-3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:cheat-4.4.2-3.1.aarch64",
"openSUSE Tumbleweed:cheat-4.4.2-3.1.ppc64le",
"openSUSE Tumbleweed:cheat-4.4.2-3.1.s390x",
"openSUSE Tumbleweed:cheat-4.4.2-3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-27T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-47913"
},
{
"cve": "CVE-2025-47914",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47914"
}
],
"notes": [
{
"category": "general",
"text": "SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cheat-4.4.2-3.1.aarch64",
"openSUSE Tumbleweed:cheat-4.4.2-3.1.ppc64le",
"openSUSE Tumbleweed:cheat-4.4.2-3.1.s390x",
"openSUSE Tumbleweed:cheat-4.4.2-3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47914",
"url": "https://www.suse.com/security/cve/CVE-2025-47914"
},
{
"category": "external",
"summary": "SUSE Bug 1253967 for CVE-2025-47914",
"url": "https://bugzilla.suse.com/1253967"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cheat-4.4.2-3.1.aarch64",
"openSUSE Tumbleweed:cheat-4.4.2-3.1.ppc64le",
"openSUSE Tumbleweed:cheat-4.4.2-3.1.s390x",
"openSUSE Tumbleweed:cheat-4.4.2-3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:cheat-4.4.2-3.1.aarch64",
"openSUSE Tumbleweed:cheat-4.4.2-3.1.ppc64le",
"openSUSE Tumbleweed:cheat-4.4.2-3.1.s390x",
"openSUSE Tumbleweed:cheat-4.4.2-3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-27T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-47914"
},
{
"cve": "CVE-2025-58181",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58181"
}
],
"notes": [
{
"category": "general",
"text": "SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cheat-4.4.2-3.1.aarch64",
"openSUSE Tumbleweed:cheat-4.4.2-3.1.ppc64le",
"openSUSE Tumbleweed:cheat-4.4.2-3.1.s390x",
"openSUSE Tumbleweed:cheat-4.4.2-3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58181",
"url": "https://www.suse.com/security/cve/CVE-2025-58181"
},
{
"category": "external",
"summary": "SUSE Bug 1253784 for CVE-2025-58181",
"url": "https://bugzilla.suse.com/1253784"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cheat-4.4.2-3.1.aarch64",
"openSUSE Tumbleweed:cheat-4.4.2-3.1.ppc64le",
"openSUSE Tumbleweed:cheat-4.4.2-3.1.s390x",
"openSUSE Tumbleweed:cheat-4.4.2-3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:cheat-4.4.2-3.1.aarch64",
"openSUSE Tumbleweed:cheat-4.4.2-3.1.ppc64le",
"openSUSE Tumbleweed:cheat-4.4.2-3.1.s390x",
"openSUSE Tumbleweed:cheat-4.4.2-3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-27T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-58181"
}
]
}
CERTFR-2025-AVI-1129
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits VMware. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| VMware | Tanzu Platform | Extended App Support pour Tanzu Platform versions antérieures à 1.0.11 | ||
| VMware | Tanzu Platform | Cloud Native Buildpacks pour Tanzu Platform versions antérieures à 0.6.1 | ||
| VMware | Tanzu Platform | Elastic Application Runtime pour Tanzu Platform versions antérieures à 10.3.2 | ||
| VMware | Tanzu Platform | Elastic Application Runtime pour Tanzu Platform versions antérieures à 10.2.6+LTS-T | ||
| VMware | Tanzu Kubernetes Runtime | .NET Core Buildpack versions antérieures à 2.4.72 | ||
| VMware | Tanzu Platform | Elastic Application Runtime pour Tanzu Platform versions antérieures à 6.0.23+LTS-T |
References
| Title | Publication Time | Tags | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Extended App Support pour Tanzu Platform versions ant\u00e9rieures \u00e0 1.0.11",
"product": {
"name": "Tanzu Platform",
"vendor": {
"name": "VMware",
"scada": false
}
}
},
{
"description": "Cloud Native Buildpacks pour Tanzu Platform versions ant\u00e9rieures \u00e0 0.6.1",
"product": {
"name": "Tanzu Platform",
"vendor": {
"name": "VMware",
"scada": false
}
}
},
{
"description": "Elastic Application Runtime pour Tanzu Platform versions ant\u00e9rieures \u00e0 10.3.2",
"product": {
"name": "Tanzu Platform",
"vendor": {
"name": "VMware",
"scada": false
}
}
},
{
"description": "Elastic Application Runtime pour Tanzu Platform versions ant\u00e9rieures \u00e0 10.2.6+LTS-T",
"product": {
"name": "Tanzu Platform",
"vendor": {
"name": "VMware",
"scada": false
}
}
},
{
"description": ".NET Core Buildpack versions ant\u00e9rieures \u00e0 2.4.72",
"product": {
"name": "Tanzu Kubernetes Runtime",
"vendor": {
"name": "VMware",
"scada": false
}
}
},
{
"description": "Elastic Application Runtime pour Tanzu Platform versions ant\u00e9rieures \u00e0 6.0.23+LTS-T",
"product": {
"name": "Tanzu Platform",
"vendor": {
"name": "VMware",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-58183",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58183"
},
{
"name": "CVE-2025-59830",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59830"
},
{
"name": "CVE-2025-12816",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12816"
},
{
"name": "CVE-2025-25186",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-25186"
},
{
"name": "CVE-2025-22872",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22872"
},
{
"name": "CVE-2024-25126",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25126"
},
{
"name": "CVE-2025-0913",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0913"
},
{
"name": "CVE-2025-47907",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47907"
},
{
"name": "CVE-2025-27219",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27219"
},
{
"name": "CVE-2025-3573",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-3573"
},
{
"name": "CVE-2023-45288",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45288"
},
{
"name": "CVE-2025-58185",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58185"
},
{
"name": "CVE-2024-45341",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45341"
},
{
"name": "CVE-2025-61919",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61919"
},
{
"name": "CVE-2025-61771",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61771"
},
{
"name": "CVE-2025-61770",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61770"
},
{
"name": "CVE-2025-64329",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-64329"
},
{
"name": "CVE-2025-8291",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8291"
},
{
"name": "CVE-2025-61727",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61727"
},
{
"name": "CVE-2025-22866",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22866"
},
{
"name": "CVE-2024-34158",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34158"
},
{
"name": "CVE-2025-27111",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27111"
},
{
"name": "CVE-2025-66031",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66031"
},
{
"name": "CVE-2025-47910",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47910"
},
{
"name": "CVE-2025-46727",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-46727"
},
{
"name": "CVE-2023-48795",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-48795"
},
{
"name": "CVE-2025-47906",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47906"
},
{
"name": "CVE-2025-31133",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-31133"
},
{
"name": "CVE-2024-3044",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-3044"
},
{
"name": "CVE-2025-58188",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58188"
},
{
"name": "CVE-2020-7792",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7792"
},
{
"name": "CVE-2025-4674",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4674"
},
{
"name": "CVE-2022-29526",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-29526"
},
{
"name": "CVE-2024-21538",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21538"
},
{
"name": "CVE-2024-45336",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45336"
},
{
"name": "CVE-2025-52881",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52881"
},
{
"name": "CVE-2025-61724",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61724"
},
{
"name": "CVE-2025-61723",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61723"
},
{
"name": "CVE-2025-61795",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61795"
},
{
"name": "CVE-2024-26146",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26146"
},
{
"name": "CVE-2024-45337",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45337"
},
{
"name": "CVE-2025-66030",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66030"
},
{
"name": "CVE-2025-43857",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43857"
},
{
"name": "CVE-2025-61725",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61725"
},
{
"name": "CVE-2025-27220",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27220"
},
{
"name": "CVE-2025-55163",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55163"
},
{
"name": "CVE-2024-12905",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-12905"
},
{
"name": "CVE-2025-22874",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22874"
},
{
"name": "CVE-2025-47912",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47912"
},
{
"name": "CVE-2025-52565",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52565"
},
{
"name": "CVE-2024-26141",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26141"
},
{
"name": "CVE-2025-58186",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58186"
},
{
"name": "CVE-2025-58187",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58187"
},
{
"name": "CVE-2025-4673",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4673"
},
{
"name": "CVE-2025-58056",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58056"
},
{
"name": "CVE-2025-22871",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22871"
},
{
"name": "CVE-2025-25184",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-25184"
},
{
"name": "CVE-2025-24294",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24294"
},
{
"name": "CVE-2025-58181",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58181"
},
{
"name": "CVE-2025-47914",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47914"
},
{
"name": "CVE-2024-25621",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25621"
},
{
"name": "CVE-2025-22869",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22869"
},
{
"name": "CVE-2025-58189",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58189"
},
{
"name": "CVE-2025-61772",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61772"
},
{
"name": "CVE-2025-22870",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22870"
},
{
"name": "CVE-2025-5889",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5889"
},
{
"name": "CVE-2025-61748",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61748"
},
{
"name": "CVE-2025-12194",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12194"
},
{
"name": "CVE-2025-48924",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48924"
},
{
"name": "CVE-2025-64756",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-64756"
},
{
"name": "CVE-2025-54388",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-54388"
},
{
"name": "CVE-2025-59419",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59419"
},
{
"name": "CVE-2025-53057",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-53057"
},
{
"name": "CVE-2024-34155",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34155"
},
{
"name": "CVE-2025-61780",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61780"
},
{
"name": "CVE-2025-57352",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-57352"
},
{
"name": "CVE-2025-32441",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-32441"
},
{
"name": "CVE-2025-53066",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-53066"
},
{
"name": "CVE-2025-27221",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27221"
},
{
"name": "CVE-2025-61729",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61729"
}
],
"initial_release_date": "2025-12-19T00:00:00",
"last_revision_date": "2025-12-19T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-1129",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-12-19T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits VMware. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits VMware",
"vendor_advisories": [
{
"published_at": "2025-12-18",
"title": "Bulletin de s\u00e9curit\u00e9 VMware DSA-2025-25",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36626"
},
{
"published_at": "2025-12-18",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 36633",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36633"
},
{
"published_at": "2025-12-18",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 36630",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36630"
},
{
"published_at": "2025-12-18",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 36631",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36631"
},
{
"published_at": "2025-12-18",
"title": "Bulletin de s\u00e9curit\u00e9 VMware DSA-2024-26",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36629"
},
{
"published_at": "2025-12-18",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 36632",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36632"
},
{
"published_at": "2025-12-18",
"title": "Bulletin de s\u00e9curit\u00e9 VMware DSA-2025-25",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36627"
},
{
"published_at": "2025-12-18",
"title": "Bulletin de s\u00e9curit\u00e9 VMware DSA-2024-26",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36628"
},
{
"published_at": "2025-12-18",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 36625",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36625"
}
]
}
ghsa-f6x5-jh6r-wrfv
Vulnerability from github
Published
2025-11-19 23:16
Modified
2025-11-20 16:35
Severity ?
VLAI Severity ?
Summary
golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read
Details
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "golang.org/x/crypto"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.45.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-47914"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-19T23:16:40Z",
"nvd_published_at": "2025-11-19T21:15:50Z",
"severity": "MODERATE"
},
"details": "SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.",
"id": "GHSA-f6x5-jh6r-wrfv",
"modified": "2025-11-20T16:35:18Z",
"published": "2025-11-19T23:16:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47914"
},
{
"type": "WEB",
"url": "https://go.dev/cl/721960"
},
{
"type": "WEB",
"url": "https://go.dev/issue/76364"
},
{
"type": "WEB",
"url": "https://go.googlesource.com/crypto"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-4135"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read"
}
wid-sec-w-2025-2645
Vulnerability from csaf_certbund
Published
2025-11-19 23:00
Modified
2025-12-23 23:00
Summary
Golang Go: Mehrere Schwachstellen ermöglichen Denial of Service
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Go ist eine quelloffene Programmiersprache.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Golang Go ausnutzen, um einen Denial of Service Angriff durchzuführen.
Betroffene Betriebssysteme
- Sonstiges
- UNIX
- Windows
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Go ist eine quelloffene Programmiersprache.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Golang Go ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-2645 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2645.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-2645 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2645"
},
{
"category": "external",
"summary": "golang.org/x/crypto GO-2025-4135 vom 2025-11-19",
"url": "https://pkg.go.dev/vuln/GO-2025-4135"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-f6x5-jh6r-wrfv vom 2025-11-19",
"url": "https://github.com/advisories/GHSA-f6x5-jh6r-wrfv"
},
{
"category": "external",
"summary": "golang.org/x/crypto GO-2025-4134 vom 2025-11-19",
"url": "https://pkg.go.dev/vuln/GO-2025-4134"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-j5w8-q4qc-rx2x vom 2025-11-19",
"url": "https://github.com/advisories/GHSA-j5w8-q4qc-rx2x"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:4220-1 vom 2025-11-25",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UOLZYXYXKUYHDTMI5MUWYMLKG6RQQB3S/"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2025:15761-1 vom 2025-11-25",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WINGLFLMS3PIWPIGHCBWGAP25RHW3IQ2/"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2025-20143-1 vom 2025-12-05",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SA2FH57FMWGQVYC3SRSZ25NB6ME2DDCT/"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7254313 vom 2025-12-10",
"url": "https://www.ibm.com/support/pages/node/7254313"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2025:20177-1 vom 2025-12-23",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VDMAOCE6FMUQXLIFZPI7NDGE25ALNJNL/"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2025:15841-1 vom 2025-12-23",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4XOE33SLNLUVY64NSWCNY4TLYMHQMV3E/"
}
],
"source_lang": "en-US",
"title": "Golang Go: Mehrere Schwachstellen erm\u00f6glichen Denial of Service",
"tracking": {
"current_release_date": "2025-12-23T23:00:00.000+00:00",
"generator": {
"date": "2025-12-24T08:50:06.752+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2025-2645",
"initial_release_date": "2025-11-19T23:00:00.000+00:00",
"revision_history": [
{
"date": "2025-11-19T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-11-25T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von SUSE und openSUSE aufgenommen"
},
{
"date": "2025-12-07T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von openSUSE aufgenommen"
},
{
"date": "2025-12-10T23:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-12-23T23:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von openSUSE aufgenommen"
}
],
"status": "final",
"version": "5"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "crypto ssh agent \u003c0.45.0",
"product": {
"name": "Golang Go crypto ssh agent \u003c0.45.0",
"product_id": "T048785"
}
},
{
"category": "product_version",
"name": "crypto ssh agent 0.45.0",
"product": {
"name": "Golang Go crypto ssh agent 0.45.0",
"product_id": "T048785-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:golang:go:crypto_ssh_agent__0.45.0"
}
}
}
],
"category": "product_name",
"name": "Go"
}
],
"category": "vendor",
"name": "Golang"
},
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "Operator",
"product": {
"name": "IBM MQ Operator",
"product_id": "T036688",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:mq:operator"
}
}
},
{
"category": "product_version",
"name": "Container",
"product": {
"name": "IBM MQ Container",
"product_id": "T040640",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:mq:container"
}
}
}
],
"category": "product_name",
"name": "MQ"
}
],
"category": "vendor",
"name": "IBM"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
},
{
"category": "product_name",
"name": "SUSE openSUSE",
"product": {
"name": "SUSE openSUSE",
"product_id": "T027843",
"product_identification_helper": {
"cpe": "cpe:/o:suse:opensuse:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47914",
"product_status": {
"known_affected": [
"T002207",
"T027843",
"T036688",
"T040640",
"T048785"
]
},
"release_date": "2025-11-19T23:00:00.000+00:00",
"title": "CVE-2025-47914"
},
{
"cve": "CVE-2025-58181",
"product_status": {
"known_affected": [
"T002207",
"T027843",
"T036688",
"T040640",
"T048785"
]
},
"release_date": "2025-11-19T23:00:00.000+00:00",
"title": "CVE-2025-58181"
}
]
}
fkie_cve-2025-47914
Vulnerability from fkie_nvd
Published
2025-11-19 21:15
Modified
2025-12-11 19:36
Severity ?
Summary
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
References
| URL | Tags | ||
|---|---|---|---|
| security@golang.org | https://go.dev/cl/721960 | Patch | |
| security@golang.org | https://go.dev/issue/76364 | Issue Tracking, Patch | |
| security@golang.org | https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA | Mailing List | |
| security@golang.org | https://pkg.go.dev/vuln/GO-2025-4135 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:golang:crypto:*:*:*:*:*:go:*:*",
"matchCriteriaId": "0DB7D01D-5361-40FC-83A9-91A601A0321D",
"versionEndExcluding": "0.45.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read."
}
],
"id": "CVE-2025-47914",
"lastModified": "2025-12-11T19:36:41.373",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-11-19T21:15:50.517",
"references": [
{
"source": "security@golang.org",
"tags": [
"Patch"
],
"url": "https://go.dev/cl/721960"
},
{
"source": "security@golang.org",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://go.dev/issue/76364"
},
{
"source": "security@golang.org",
"tags": [
"Mailing List"
],
"url": "https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA"
},
{
"source": "security@golang.org",
"tags": [
"Vendor Advisory"
],
"url": "https://pkg.go.dev/vuln/GO-2025-4135"
}
],
"sourceIdentifier": "security@golang.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-125"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
suse-su-2025:4526-1
Vulnerability from csaf_suse
Published
2025-12-26 12:24
Modified
2025-12-26 12:24
Summary
Security update for buildah
Notes
Title of the patch
Security update for buildah
Description of the patch
This update for buildah fixes the following issues:
- CVE-2025-47914: golang.org/x/crypto/ssh/agent: Fixed out of bounds read caused by non validated
message size (bsc#1254054)
- CVE-2025-47913: golang.org/x/crypto/ssh/agent: Fixed client process termination when receiving
an unexpected message type in response to a key listing or signing request (bsc#1253598)
Patchnames
SUSE-2025-4526,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-4526,SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-4526,SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-4526,SUSE-SLE-Product-SLES_SAP-15-SP4-2025-4526
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for buildah",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for buildah fixes the following issues:\n\n- CVE-2025-47914: golang.org/x/crypto/ssh/agent: Fixed out of bounds read caused by non validated \n message size (bsc#1254054)\n- CVE-2025-47913: golang.org/x/crypto/ssh/agent: Fixed client process termination when receiving \n an unexpected message type in response to a key listing or signing request (bsc#1253598)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-4526,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-4526,SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-4526,SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-4526,SUSE-SLE-Product-SLES_SAP-15-SP4-2025-4526",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_4526-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:4526-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254526-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:4526-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-December/023656.html"
},
{
"category": "self",
"summary": "SUSE Bug 1253598",
"url": "https://bugzilla.suse.com/1253598"
},
{
"category": "self",
"summary": "SUSE Bug 1254054",
"url": "https://bugzilla.suse.com/1254054"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47913 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47913/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47914 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47914/"
}
],
"title": "Security update for buildah",
"tracking": {
"current_release_date": "2025-12-26T12:24:16Z",
"generator": {
"date": "2025-12-26T12:24:16Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:4526-1",
"initial_release_date": "2025-12-26T12:24:16Z",
"revision_history": [
{
"date": "2025-12-26T12:24:16Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "buildah-1.35.5-150400.3.59.1.aarch64",
"product": {
"name": "buildah-1.35.5-150400.3.59.1.aarch64",
"product_id": "buildah-1.35.5-150400.3.59.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "buildah-1.35.5-150400.3.59.1.i586",
"product": {
"name": "buildah-1.35.5-150400.3.59.1.i586",
"product_id": "buildah-1.35.5-150400.3.59.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "buildah-1.35.5-150400.3.59.1.ppc64le",
"product": {
"name": "buildah-1.35.5-150400.3.59.1.ppc64le",
"product_id": "buildah-1.35.5-150400.3.59.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "buildah-1.35.5-150400.3.59.1.s390x",
"product": {
"name": "buildah-1.35.5-150400.3.59.1.s390x",
"product_id": "buildah-1.35.5-150400.3.59.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "buildah-1.35.5-150400.3.59.1.x86_64",
"product": {
"name": "buildah-1.35.5-150400.3.59.1.x86_64",
"product_id": "buildah-1.35.5-150400.3.59.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-espos:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-1.35.5-150400.3.59.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:buildah-1.35.5-150400.3.59.1.aarch64"
},
"product_reference": "buildah-1.35.5-150400.3.59.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-1.35.5-150400.3.59.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:buildah-1.35.5-150400.3.59.1.x86_64"
},
"product_reference": "buildah-1.35.5-150400.3.59.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-1.35.5-150400.3.59.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.aarch64"
},
"product_reference": "buildah-1.35.5-150400.3.59.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-1.35.5-150400.3.59.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.x86_64"
},
"product_reference": "buildah-1.35.5-150400.3.59.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-1.35.5-150400.3.59.1.aarch64 as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.aarch64"
},
"product_reference": "buildah-1.35.5-150400.3.59.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-1.35.5-150400.3.59.1.ppc64le as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.ppc64le"
},
"product_reference": "buildah-1.35.5-150400.3.59.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-1.35.5-150400.3.59.1.s390x as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.s390x"
},
"product_reference": "buildah-1.35.5-150400.3.59.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-1.35.5-150400.3.59.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.x86_64"
},
"product_reference": "buildah-1.35.5-150400.3.59.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-1.35.5-150400.3.59.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:buildah-1.35.5-150400.3.59.1.ppc64le"
},
"product_reference": "buildah-1.35.5-150400.3.59.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "buildah-1.35.5-150400.3.59.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:buildah-1.35.5-150400.3.59.1.x86_64"
},
"product_reference": "buildah-1.35.5-150400.3.59.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47913",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47913"
}
],
"notes": [
{
"category": "general",
"text": "SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:buildah-1.35.5-150400.3.59.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:buildah-1.35.5-150400.3.59.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.x86_64",
"SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.aarch64",
"SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.s390x",
"SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:buildah-1.35.5-150400.3.59.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:buildah-1.35.5-150400.3.59.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47913",
"url": "https://www.suse.com/security/cve/CVE-2025-47913"
},
{
"category": "external",
"summary": "SUSE Bug 1253506 for CVE-2025-47913",
"url": "https://bugzilla.suse.com/1253506"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:buildah-1.35.5-150400.3.59.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:buildah-1.35.5-150400.3.59.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.x86_64",
"SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.aarch64",
"SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.s390x",
"SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:buildah-1.35.5-150400.3.59.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:buildah-1.35.5-150400.3.59.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:buildah-1.35.5-150400.3.59.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:buildah-1.35.5-150400.3.59.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.x86_64",
"SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.aarch64",
"SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.s390x",
"SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:buildah-1.35.5-150400.3.59.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:buildah-1.35.5-150400.3.59.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-26T12:24:16Z",
"details": "important"
}
],
"title": "CVE-2025-47913"
},
{
"cve": "CVE-2025-47914",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47914"
}
],
"notes": [
{
"category": "general",
"text": "SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:buildah-1.35.5-150400.3.59.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:buildah-1.35.5-150400.3.59.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.x86_64",
"SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.aarch64",
"SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.s390x",
"SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:buildah-1.35.5-150400.3.59.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:buildah-1.35.5-150400.3.59.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47914",
"url": "https://www.suse.com/security/cve/CVE-2025-47914"
},
{
"category": "external",
"summary": "SUSE Bug 1253967 for CVE-2025-47914",
"url": "https://bugzilla.suse.com/1253967"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:buildah-1.35.5-150400.3.59.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:buildah-1.35.5-150400.3.59.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.x86_64",
"SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.aarch64",
"SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.s390x",
"SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:buildah-1.35.5-150400.3.59.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:buildah-1.35.5-150400.3.59.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:buildah-1.35.5-150400.3.59.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:buildah-1.35.5-150400.3.59.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.x86_64",
"SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.aarch64",
"SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.s390x",
"SUSE Linux Enterprise Server 15 SP4-LTSS:buildah-1.35.5-150400.3.59.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:buildah-1.35.5-150400.3.59.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:buildah-1.35.5-150400.3.59.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-26T12:24:16Z",
"details": "moderate"
}
],
"title": "CVE-2025-47914"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…