SUSE 5338 Published by

SUSE Linux has been updated with security updates for audiofile, rustup, and nbdkit:

SUSE-SU-2025:1559-1: moderate: Security update for audiofile
SUSE-SU-2025:1560-1: low: Security update for rustup
openSUSE-SU-2025:15088-1: moderate: nbdkit-1.42.3-1.1 on GA media




SUSE-SU-2025:1559-1: moderate: Security update for audiofile


# Security update for audiofile

Announcement ID: SUSE-SU-2025:1559-1
Release Date: 2025-05-15T11:19:29Z
Rating: moderate
References:

* bsc#1140031
* bsc#1196487

Cross-References:

* CVE-2019-13147
* CVE-2022-24599

CVSS scores:

* CVE-2019-13147 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
* CVE-2019-13147 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2019-13147 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2022-24599 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
* CVE-2022-24599 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Affected Products:

* Desktop Applications Module 15-SP6
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves two vulnerabilities can now be installed.

## Description:

This update for audiofile fixes the following issues:

* CVE-2019-13147: Fixed NULL pointer dereference in ulaw2linear_buf that could
lead to DOS (bsc#1140031).
* CVE-2022-24599: unverified user input when processing audio files can lead
to information leak (bsc#1196487).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.6
zypper in -t patch openSUSE-SLE-15.6-2025-1559=1

* Desktop Applications Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP6-2025-1559=1

## Package List:

* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
* audiofile-0.3.6-150000.3.12.1
* audiofile-debuginfo-0.3.6-150000.3.12.1
* libaudiofile1-debuginfo-0.3.6-150000.3.12.1
* libaudiofile1-0.3.6-150000.3.12.1
* audiofile-debugsource-0.3.6-150000.3.12.1
* audiofile-devel-0.3.6-150000.3.12.1
* audiofile-doc-0.3.6-150000.3.12.1
* openSUSE Leap 15.6 (x86_64)
* libaudiofile1-32bit-debuginfo-0.3.6-150000.3.12.1
* audiofile-devel-32bit-0.3.6-150000.3.12.1
* libaudiofile1-32bit-0.3.6-150000.3.12.1
* Desktop Applications Module 15-SP6 (aarch64 ppc64le s390x x86_64)
* audiofile-debuginfo-0.3.6-150000.3.12.1
* libaudiofile1-debuginfo-0.3.6-150000.3.12.1
* libaudiofile1-0.3.6-150000.3.12.1
* audiofile-debugsource-0.3.6-150000.3.12.1
* audiofile-devel-0.3.6-150000.3.12.1

## References:

* https://www.suse.com/security/cve/CVE-2019-13147.html
* https://www.suse.com/security/cve/CVE-2022-24599.html
* https://bugzilla.suse.com/show_bug.cgi?id=1140031
* https://bugzilla.suse.com/show_bug.cgi?id=1196487



SUSE-SU-2025:1560-1: low: Security update for rustup


# Security update for rustup

Announcement ID: SUSE-SU-2025:1560-1
Release Date: 2025-05-15T12:51:24Z
Rating: low
References:

* bsc#1242617

Cross-References:

* CVE-2025-3416

CVSS scores:

* CVE-2025-3416 ( SUSE ): 6.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-3416 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-3416 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected Products:

* openSUSE Leap 15.4

An update that solves one vulnerability can now be installed.

## Description:

This update for rustup fixes the following issues:

* CVE-2025-3416: Fixed use-After-Free in Md::fetch and Cipher::fetch in rust-
openssl crate (bsc#1242617)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.4
zypper in -t patch SUSE-2025-1560=1

## Package List:

* openSUSE Leap 15.4 (aarch64 x86_64)
* rustup-debuginfo-1.26.0~0-150400.3.10.1
* rustup-debugsource-1.26.0~0-150400.3.10.1
* rustup-1.26.0~0-150400.3.10.1

## References:

* https://www.suse.com/security/cve/CVE-2025-3416.html
* https://bugzilla.suse.com/show_bug.cgi?id=1242617



openSUSE-SU-2025:15088-1: moderate: nbdkit-1.42.3-1.1 on GA media


# nbdkit-1.42.3-1.1 on GA media

Announcement ID: openSUSE-SU-2025:15088-1
Rating: moderate

Cross-References:

* CVE-2025-47711
* CVE-2025-47712

CVSS scores:

* CVE-2025-47711 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-47711 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-47712 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-47712 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves 2 vulnerabilities can now be installed.

## Description:

These are all security issues fixed in the nbdkit-1.42.3-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
* nbdkit 1.42.3-1.1
* nbdkit-bash-completion 1.42.3-1.1
* nbdkit-basic-filters 1.42.3-1.1
* nbdkit-basic-plugins 1.42.3-1.1
* nbdkit-bzip2-filter 1.42.3-1.1
* nbdkit-curl-plugin 1.42.3-1.1
* nbdkit-devel 1.42.3-1.1
* nbdkit-example-plugins 1.42.3-1.1
* nbdkit-gcs-plugin 1.42.3-1.1
* nbdkit-linuxdisk-plugin 1.42.3-1.1
* nbdkit-nbd-plugin 1.42.3-1.1
* nbdkit-python-plugin 1.42.3-1.1
* nbdkit-server 1.42.3-1.1
* nbdkit-ssh-plugin 1.42.3-1.1
* nbdkit-stats-filter 1.42.3-1.1
* nbdkit-tar-filter 1.42.3-1.1
* nbdkit-tmpdisk-plugin 1.42.3-1.1
* nbdkit-vddk-plugin 1.42.3-1.1
* nbdkit-xz-filter 1.42.3-1.1

## References:

* https://www.suse.com/security/cve/CVE-2025-47711.html
* https://www.suse.com/security/cve/CVE-2025-47712.html