SUSE-SU-2025:4534-1: important: Security update for dpdk22
openSUSE-SU-2025:0489-1: important: Security update for trivy
openSUSE-SU-2025:0490-1: important: Security update for trivy
openSUSE-SU-2025:15850-1: moderate: python312-3.12.12-4.1 on GA media
openSUSE-SU-2025:15852-1: moderate: trivy-0.68.2-1.1 on GA media
openSUSE-SU-2025:15849-1: moderate: python311-3.11.14-3.1 on GA media
openSUSE-SU-2025:15851-1: moderate: python313-3.13.11-1.1 on GA media
openSUSE-SU-2025:0493-1: important: Security update for go-sendxmpp
openSUSE-SU-2025:0491-1: important: Security update for flannel
openSUSE-SU-2025:0492-1: important: Security update for cheat
openSUSE-SU-2025:0496-1: moderate: Security update for duc
SUSE-SU-2025:4534-1: important: Security update for dpdk22
# Security update for dpdk22
Announcement ID: SUSE-SU-2025:4534-1
Release Date: 2025-12-29T16:15:35Z
Rating: important
References:
* bsc#1214724
* bsc#1254161
Cross-References:
* CVE-2025-23259
CVSS scores:
* CVE-2025-23259 ( SUSE ): 7.0 CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-23259 ( SUSE ): 6.3 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
* CVE-2025-23259 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H
Affected Products:
* openSUSE Leap 15.5
* openSUSE Leap 15.6
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
* SUSE Linux Enterprise Micro 5.5
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP5 LTSS
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
An update that solves one vulnerability and contains one other fix can now be
installed.
## Description:
This update for dpdk22 fixes the following issues:
Update to version 22.11.10.
Security issues fixed:
* CVE-2025-23259: a flaw in the Poll Mode Driver (PMD) allows an attacker on a
VM in the system to leak information and cause a denial of service on the
network interface (bsc#1254161). SUSE and NVD rate the exposure differently
(adjacent network with low privileges versus network with high attack
complexity); see the CVSS vectors above.
Other updates and bugfixes:
* Fix SUSE-provided DPDK kernel modules tainting the kernel as unsupported
(bsc#1214724).
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.5
zypper in -t patch SUSE-2025-4534=1
* openSUSE Leap 15.6
zypper in -t patch openSUSE-SLE-15.6-2025-4534=1
* SUSE Linux Enterprise Micro 5.5
zypper in -t patch SUSE-SLE-Micro-5.5-2025-4534=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-4534=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-4534=1
* SUSE Linux Enterprise Server 15 SP5 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-4534=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2025-4534=1
## Package List:
* openSUSE Leap 15.5 (aarch64 ppc64le x86_64)
* dpdk22-debuginfo-22.11.10-150500.5.10.1
* dpdk22-kmp-default-debuginfo-22.11.10_k5.14.21_150500.55.127-150500.5.10.1
* dpdk22-22.11.10-150500.5.10.1
* dpdk22-devel-static-22.11.10-150500.5.10.1
* dpdk22-examples-debuginfo-22.11.10-150500.5.10.1
* libdpdk-23-22.11.10-150500.5.10.1
* dpdk22-tools-22.11.10-150500.5.10.1
* libdpdk-23-debuginfo-22.11.10-150500.5.10.1
* dpdk22-devel-22.11.10-150500.5.10.1
* dpdk22-kmp-default-22.11.10_k5.14.21_150500.55.127-150500.5.10.1
* dpdk22-debugsource-22.11.10-150500.5.10.1
* dpdk22-examples-22.11.10-150500.5.10.1
* openSUSE Leap 15.5 (noarch)
* dpdk22-doc-22.11.10-150500.5.10.1
* dpdk22-thunderx-doc-22.11.10-150500.5.10.1
* openSUSE Leap 15.5 (aarch64)
* dpdk22-thunderx-22.11.10-150500.5.10.1
* dpdk22-thunderx-tools-22.11.10-150500.5.10.1
* dpdk22-thunderx-devel-static-22.11.10-150500.5.10.1
* dpdk22-thunderx-kmp-default-debuginfo-22.11.10_k5.14.21_150500.55.127-150500.5.10.1
* dpdk22-thunderx-debuginfo-22.11.10-150500.5.10.1
* dpdk22-thunderx-debugsource-22.11.10-150500.5.10.1
* dpdk22-thunderx-examples-22.11.10-150500.5.10.1
* dpdk22-thunderx-kmp-default-22.11.10_k5.14.21_150500.55.127-150500.5.10.1
* dpdk22-thunderx-examples-debuginfo-22.11.10-150500.5.10.1
* dpdk22-thunderx-devel-22.11.10-150500.5.10.1
* openSUSE Leap 15.6 (aarch64 ppc64le x86_64)
* dpdk22-debuginfo-22.11.10-150500.5.10.1
* dpdk22-kmp-default-debuginfo-22.11.10_k5.14.21_150500.55.127-150500.5.10.1
* dpdk22-22.11.10-150500.5.10.1
* dpdk22-devel-static-22.11.10-150500.5.10.1
* dpdk22-examples-debuginfo-22.11.10-150500.5.10.1
* dpdk22-tools-22.11.10-150500.5.10.1
* dpdk22-devel-22.11.10-150500.5.10.1
* dpdk22-kmp-default-22.11.10_k5.14.21_150500.55.127-150500.5.10.1
* dpdk22-debugsource-22.11.10-150500.5.10.1
* dpdk22-examples-22.11.10-150500.5.10.1
* openSUSE Leap 15.6 (noarch)
* dpdk22-doc-22.11.10-150500.5.10.1
* dpdk22-thunderx-doc-22.11.10-150500.5.10.1
* openSUSE Leap 15.6 (aarch64)
* dpdk22-thunderx-22.11.10-150500.5.10.1
* dpdk22-thunderx-tools-22.11.10-150500.5.10.1
* dpdk22-thunderx-devel-static-22.11.10-150500.5.10.1
* dpdk22-thunderx-kmp-default-debuginfo-22.11.10_k5.14.21_150500.55.127-150500.5.10.1
* dpdk22-thunderx-debuginfo-22.11.10-150500.5.10.1
* dpdk22-thunderx-debugsource-22.11.10-150500.5.10.1
* dpdk22-thunderx-examples-22.11.10-150500.5.10.1
* dpdk22-thunderx-kmp-default-22.11.10_k5.14.21_150500.55.127-150500.5.10.1
* dpdk22-thunderx-examples-debuginfo-22.11.10-150500.5.10.1
* dpdk22-thunderx-devel-22.11.10-150500.5.10.1
* SUSE Linux Enterprise Micro 5.5 (aarch64 x86_64)
* dpdk22-debuginfo-22.11.10-150500.5.10.1
* dpdk22-kmp-default-debuginfo-22.11.10_k5.14.21_150500.55.127-150500.5.10.1
* dpdk22-22.11.10-150500.5.10.1
* libdpdk-23-22.11.10-150500.5.10.1
* dpdk22-tools-22.11.10-150500.5.10.1
* libdpdk-23-debuginfo-22.11.10-150500.5.10.1
* dpdk22-kmp-default-22.11.10_k5.14.21_150500.55.127-150500.5.10.1
* dpdk22-debugsource-22.11.10-150500.5.10.1
* SUSE Linux Enterprise Micro 5.5 (aarch64)
* dpdk22-thunderx-22.11.10-150500.5.10.1
* dpdk22-thunderx-tools-22.11.10-150500.5.10.1
* dpdk22-thunderx-kmp-default-debuginfo-22.11.10_k5.14.21_150500.55.127-150500.5.10.1
* dpdk22-thunderx-debuginfo-22.11.10-150500.5.10.1
* dpdk22-thunderx-debugsource-22.11.10-150500.5.10.1
* dpdk22-thunderx-kmp-default-22.11.10_k5.14.21_150500.55.127-150500.5.10.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64 x86_64)
* dpdk22-debuginfo-22.11.10-150500.5.10.1
* dpdk22-kmp-default-debuginfo-22.11.10_k5.14.21_150500.55.127-150500.5.10.1
* dpdk22-22.11.10-150500.5.10.1
* libdpdk-23-22.11.10-150500.5.10.1
* dpdk22-tools-22.11.10-150500.5.10.1
* libdpdk-23-debuginfo-22.11.10-150500.5.10.1
* dpdk22-devel-22.11.10-150500.5.10.1
* dpdk22-kmp-default-22.11.10_k5.14.21_150500.55.127-150500.5.10.1
* dpdk22-debugsource-22.11.10-150500.5.10.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64)
* dpdk22-thunderx-22.11.10-150500.5.10.1
* dpdk22-thunderx-kmp-default-debuginfo-22.11.10_k5.14.21_150500.55.127-150500.5.10.1
* dpdk22-thunderx-debuginfo-22.11.10-150500.5.10.1
* dpdk22-thunderx-debugsource-22.11.10-150500.5.10.1
* dpdk22-thunderx-kmp-default-22.11.10_k5.14.21_150500.55.127-150500.5.10.1
* dpdk22-thunderx-devel-22.11.10-150500.5.10.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (aarch64 x86_64)
* dpdk22-debuginfo-22.11.10-150500.5.10.1
* dpdk22-kmp-default-debuginfo-22.11.10_k5.14.21_150500.55.127-150500.5.10.1
* dpdk22-22.11.10-150500.5.10.1
* libdpdk-23-22.11.10-150500.5.10.1
* dpdk22-tools-22.11.10-150500.5.10.1
* libdpdk-23-debuginfo-22.11.10-150500.5.10.1
* dpdk22-devel-22.11.10-150500.5.10.1
* dpdk22-kmp-default-22.11.10_k5.14.21_150500.55.127-150500.5.10.1
* dpdk22-debugsource-22.11.10-150500.5.10.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (aarch64)
* dpdk22-thunderx-22.11.10-150500.5.10.1
* dpdk22-thunderx-kmp-default-debuginfo-22.11.10_k5.14.21_150500.55.127-150500.5.10.1
* dpdk22-thunderx-debuginfo-22.11.10-150500.5.10.1
* dpdk22-thunderx-debugsource-22.11.10-150500.5.10.1
* dpdk22-thunderx-kmp-default-22.11.10_k5.14.21_150500.55.127-150500.5.10.1
* dpdk22-thunderx-devel-22.11.10-150500.5.10.1
* SUSE Linux Enterprise Server 15 SP5 LTSS (aarch64 ppc64le x86_64)
* dpdk22-debuginfo-22.11.10-150500.5.10.1
* dpdk22-kmp-default-debuginfo-22.11.10_k5.14.21_150500.55.127-150500.5.10.1
* dpdk22-22.11.10-150500.5.10.1
* libdpdk-23-22.11.10-150500.5.10.1
* dpdk22-tools-22.11.10-150500.5.10.1
* libdpdk-23-debuginfo-22.11.10-150500.5.10.1
* dpdk22-devel-22.11.10-150500.5.10.1
* dpdk22-kmp-default-22.11.10_k5.14.21_150500.55.127-150500.5.10.1
* dpdk22-debugsource-22.11.10-150500.5.10.1
* SUSE Linux Enterprise Server 15 SP5 LTSS (aarch64)
* dpdk22-thunderx-22.11.10-150500.5.10.1
* dpdk22-thunderx-kmp-default-debuginfo-22.11.10_k5.14.21_150500.55.127-150500.5.10.1
* dpdk22-thunderx-debuginfo-22.11.10-150500.5.10.1
* dpdk22-thunderx-debugsource-22.11.10-150500.5.10.1
* dpdk22-thunderx-kmp-default-22.11.10_k5.14.21_150500.55.127-150500.5.10.1
* dpdk22-thunderx-devel-22.11.10-150500.5.10.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5 (ppc64le x86_64)
* dpdk22-debuginfo-22.11.10-150500.5.10.1
* dpdk22-kmp-default-debuginfo-22.11.10_k5.14.21_150500.55.127-150500.5.10.1
* dpdk22-22.11.10-150500.5.10.1
* libdpdk-23-22.11.10-150500.5.10.1
* dpdk22-tools-22.11.10-150500.5.10.1
* libdpdk-23-debuginfo-22.11.10-150500.5.10.1
* dpdk22-devel-22.11.10-150500.5.10.1
* dpdk22-kmp-default-22.11.10_k5.14.21_150500.55.127-150500.5.10.1
* dpdk22-debugsource-22.11.10-150500.5.10.1
## References:
* https://www.suse.com/security/cve/CVE-2025-23259.html
* https://bugzilla.suse.com/show_bug.cgi?id=1214724
* https://bugzilla.suse.com/show_bug.cgi?id=1254161
openSUSE-SU-2025:0489-1: important: Security update for trivy
openSUSE Security Update: Security update for trivy
_______________________________
Announcement ID: openSUSE-SU-2025:0489-1
Rating: important
References: #1239225 #1239385 #1240466 #1241724 #1243633
#1246730 #1248897 #1248937 #1250625 #1251363
#1251547 #1253512 #1253786 #1253977
Cross-References: CVE-2025-11065 CVE-2025-22868 CVE-2025-22869
CVE-2025-22872 CVE-2025-30204 CVE-2025-46569
CVE-2025-47291 CVE-2025-47911 CVE-2025-47913
CVE-2025-47914 CVE-2025-53547 CVE-2025-58058
CVE-2025-58181 CVE-2025-58190
CVSS scores:
CVE-2025-11065 (SUSE): 5.7 CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVE-2025-22868 (SUSE): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVE-2025-22869 (SUSE): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVE-2025-22872 (SUSE): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L
CVE-2025-30204 (SUSE): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVE-2025-46569 (SUSE): 7.6 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
CVE-2025-47291 (SUSE): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVE-2025-47911 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVE-2025-47913 (SUSE): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVE-2025-47914 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVE-2025-53547 (SUSE): 8.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H
CVE-2025-58058 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVE-2025-58181 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVE-2025-58190 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Affected Products:
openSUSE Backports SLE-15-SP7
_______________________________
An update that fixes 14 vulnerabilities is now available.
Description:
This update for trivy fixes the following issues:
Update to version 0.68.2:
* fix(deps): bump alpine from `3.22.1` to `3.23.0` [backport:
release/v0.68] (#9949)
* ci: enable `check-latest` for `setup-go` [backport: release/v0.68]
(#9946)
Update to version 0.68.1 (boo#1251363, CVE-2025-47911, boo#1251547,
CVE-2025-58190, boo#1253512, CVE-2025-47913, boo#1253786, CVE-2025-58181,
boo#1253977, CVE-2025-47914):
* fix: update cosign settings for GoReleaser after bumping cosign to v3
(#9863)
* chore(deps): bump the testcontainers group with 2 updates (#9506)
* feat(aws): Add support for dualstack ECR endpoints (#9862)
* fix(vex): use a separate `visited` set for each DFS path (#9760)
* docs: catch some missed docs -> guide (#9850)
* refactor(misconf): parse azure_policy_enabled to
addonprofile.azurepolicy.enabled (#9851)
* chore(cli): Remove Trivy Cloud (#9847)
* fix(misconf): ensure value used as ignore marker is non-null and known
(#9835)
* fix(misconf): map healthcheck start period flag to --start-period
instead of --startPeriod (#9837)
* chore(deps): bump the docker group with 3 updates (#9776)
* chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#9827)
* chore(deps): bump the common group across 1 directory with 20 updates
(#9840)
* feat(image): add Sigstore bundle SBOM support (#9516)
* chore(deps): bump the aws group with 7 updates (#9691)
* test(k8s): update k8s integration test (#9725)
* chore(deps): bump github.com/containerd/containerd from 1.7.28 to
1.7.29 (#9764)
* feat(sbom): add support for SPDX attestations (#9829)
* docs(misconf): Remove duplicate sections (#9819)
* feat(misconf): Update Azure network schema for new checks (#9791)
* feat(misconf): Update AppService schema (#9792)
* fix(misconf): ensure boolean metadata values are correctly interpreted
(#9770)
* feat(misconf): support https_traffic_only_enabled in Az storage
account (#9784)
* docs: restructure docs for new hosting (#9799)
* docs(server): fix info about scanning licenses on the client side.
(#9805)
* ci: remove unused preinstalled software/images for build tests to free
up disk space. (#9814)
* feat(report): add fingerprint generation for vulnerabilities (#9794)
* chore: trigger the trivy-www workflow (#9737)
* fix: update all documentation links (#9777)
* feat(suse): Add new openSUSE, Micro and SLES releases end of life
dates (#9788)
* test(go): set `GOPATH` for tests (#9785)
* feat(flag): add `--cacert` flag (#9781)
* fix(misconf): handle unsupported experimental flags in Dockerfile
(#9769)
* test(go): refactor mod_test.go to use txtar format (#9775)
* docs: Fix typos and linguistic errors in documentation / hacktoberfest
(#9586)
* chore(deps): bump github.com/opencontainers/selinux from 1.12.0 to
1.13.0 (#9778)
* chore(deps): bump github.com/containerd/containerd/v2 from 2.1.4 to
2.1.5 (#9763)
* fix(java): use `true` as default value for Repository Release|Snapshot
Enabled in pom.xml and settings.xml files (#9751)
* docs: add info that `SSL_CERT_FILE` works on `Unix systems other than
macOS` only (#9772)
* docs: change SecObserve URLs in documentation (#9771)
* feat(db): enable concurrent access to vulnerability database (#9750)
* feat(misconf): add agentpools to azure container schema (#9714)
* feat(report): switch ReportID from UUIDv4 to UUIDv7 (#9749)
* feat(misconf): Update Azure Compute schema (#9675)
* feat(misconf): Update azure storage schema (#9728)
* feat(misconf): Update SecurityCenter schema (#9674)
* feat(image): pass global context to docker/podman image save func
(#9733)
* chore(deps): bump the github-actions group with 4 updates (#9739)
* fix(flag): remove viper.SetDefault to fix IsSet() for config-only
flags (#9732)
* feat(license): use separate SPDX ids to ignore SPDX expressions (#9087)
* feat(dotnet): add dependency graph support for .deps.json files (#9726)
* feat(misconf): Add support for configurable Rego error limit (#9657)
* feat(misconf): Add RoleAssignments attribute (#9396)
* feat(report): add image reference to report metadata (#9729)
* fix(os): Add photon 5.0 in supported OS (#9724)
* fix(license): handle SPDX WITH exceptions as single license in
category detection (#9380)
* refactor: add case-insensitive string set implementation (#9720)
* feat: include registry and repository in artifact ID calculation
(#9689)
* feat(java): add support remote repositories from settings.xml files
(#9708)
* fix(sbom): don't panic on SBOM format if scanned CycloneDX file has
empty metadata (#9562)
* docs: update vulnerability reporting guidelines in SECURITY.md (#9395)
* docs: add info about `java-db` subdir (#9706)
* fix(report): correct field order in SARIF license results (#9712)
* test: improve golden file management in integration tests (#9699)
* ci: get base_sha using base.ref (#9704)
* refactor(misconf): mark AVDID fields as deprecated and use ID
internally (#9576)
* fix(nodejs): fix npmjs parser.pkgNameFromPath() panic issue (#9688)
* fix: close all opened resources if an error occurs (#9665)
* refactor(misconf): type-safe parser results in generic scanner (#9685)
* feat(image): add RepoTags support for Docker archives (#9690)
* chore(deps): bump github.com/quic-go/quic-go from 0.52.0 to 0.54.1
(#9694)
* feat(misconf): Update Azure Container Schema (#9673)
* ci: use merge commit for apidiff to avoid false positives (#9622)
* feat(misconf): include map key in manifest snippet for diagnostics
(#9681)
* refactor(misconf): add ManifestFromYAML for unified manifest parsing
(#9680)
* test: update golden files for TestRepository* integration tests (#9684)
* refactor(cli): Update the cloud config command (#9676)
* fix(sbom): add `buildInfo` info as properties (#9683)
* feat: add ReportID field to scan reports (#9670)
* docs: add vulnerability database contribution guide (#9667)
* feat(cli): Add trivy cloud support (#9637)
* feat: add ArtifactID field to uniquely identify scan targets (#9663)
* fix(nodejs): use the default ID format to match licenses in pnpm
packages. (#9661)
* feat(sbom): use SPDX license IDs list to validate SPDX IDs (#9569)
* fix: use context for analyzers (#9538)
* chore(deps): bump the docker group with 3 updates (#9545)
* chore(deps): bump the aws group with 6 updates (#9547)
* ci(helm): bump Trivy version to 0.67.2 for Trivy Helm Chart 0.19.1
(#9641)
* test(helm): bump up Yamale dependency for Helm chart-testing-action
(#9653)
* fix: Trim the end-of-range suffix (#9618)
* test(k8s): use a specific bundle for k8s misconfig scan (#9633)
* fix: Use `fetch-level: 1` to check out trivy-repo in the release
workflow (#9636)
* refactor: move the aws config (#9617)
* fix(license): don't normalize `unlicensed` licenses into `unlicense`
(#9611)
* fix: using SrcVersion instead of Version for echo detector (#9552)
* feat(fs): change artifact type to repository when git info is detected
(#9613)
* fix: add `buildInfo` for `BlobInfo` in `rpc` package (#9608)
* fix(vex): don't use reused BOM (#9604)
* ci: use pull_request_target for apidiff workflow to support fork PRs
(#9605)
* fix: restore compatibility for google.protobuf.Value (#9559)
* ci: add API diff workflow (#9600)
* chore(deps): update to module-compatible docker-credential-gcr/v2
(#9591)
* docs: improve documentation for scanning raw IaC configurations (#9571)
* feat: allow ignoring findings by type in Rego (#9578)
* docs: bump pygments from 2.18.0 to 2.19.2 (#9596)
* refactor(misconf): add ID to scan.Rule (#9573)
* fix(java): update order for resolving package fields from multiple
demManagement (#9575)
* chore(deps): bump the github-actions group across 1 directory with 9
updates (#9563)
* chore(deps): bump the common group across 1 directory with 7 updates
(#9590)
* chore(deps): Switch to go-viper/mapstructure (#9579)
* chore: add context to the cache interface (#9565)
* ci(helm): bump Trivy version to 0.67.0 for Trivy Helm Chart 0.19.0
(#9554)
* fix: validate backport branch name (#9548)
Update to version 0.67.2 (boo#1250625, CVE-2025-11065, boo#1248897,
CVE-2025-58058):
* fix: Use `fetch-level: 1` to check out trivy-repo in the release
workflow [backport: release/v0.67] (#9638)
* fix: restore compatibility for google.protobuf.Value [backport:
release/v0.67] (#9631)
* fix: using SrcVersion instead of Version for echo detector [backport:
release/v0.67] (#9629)
* fix: add `buildInfo` for `BlobInfo` in `rpc` package [backport:
release/v0.67] (#9615)
* fix(vex): don't use reused BOM [backport: release/v0.67] (#9612)
* fix(vex): don't suppress vulns for packages with infinity loop (#9465)
* fix(aws): use `BuildableClient` instead of `xhttp.Client` (#9436)
* refactor(misconf): replace github.com/liamg/memoryfs with internal
mapfs and testing/fstest (#9282)
* docs: clarify inline ignore limitations for resource-less checks
(#9537)
* fix(k8s): disable parallel traversal with fs cache for k8s images
(#9534)
* fix(misconf): handle tofu files in module detection (#9486)
* feat(seal): add seal support (#9370)
* docs: fix modules path and update code example (#9539)
* fix: close file descriptors and pipes on error paths (#9536)
* feat: add documentation URL for database lock errors (#9531)
* fix(db): Download database when missing but metadata still exists
(#9393)
* feat(cloudformation): support default values and list results in
Fn::FindInMap (#9515)
* fix(misconf): unmark cty values before access (#9495)
* feat(cli): change --list-all-pkgs default to true (#9510)
* fix(nodejs): parse workspaces as objects for package-lock.json files
(#9518)
* refactor(fs): use underlyingPath to determine virtual files more
reliably (#9302)
* refactor: remove google/wire dependency and implement manual DI (#9509)
* chore(deps): bump the aws group with 6 updates (#9481)
* chore(deps): bump the common group across 1 directory with 24 updates
(#9507)
* fix(misconf): wrap legacy ENV values in quotes to preserve spaces
(#9497)
* docs: move info about `detection priority` into coverage section
(#9469)
* feat(sbom): added support for CoreOS (#9448)
* fix(misconf): strip build metadata suffixes from image history (#9498)
* feat(cyclonedx): preserve SBOM structure when scanning SBOM files with
vulnerability updates (#9439)
* docs: Fix typo in terraform docs (#9492)
* feat(redhat): add os-release detection for RHEL-based images (#9458)
* ci(deps): add 3-day cooldown period for Dependabot updates (#9475)
* refactor: migrate from go-json-experiment to encoding/json/v2 (#9422)
* fix(vuln): compare `nuget` package names in lower case (#9456)
* chore: Update release flow to include chocolatey (#9460)
* docs: document eol supportability (#9434)
* docs(report): add nuances about secret/license scanner in summary
table (#9442)
* ci: use environment variables in GitHub Actions for improved security
(#9433)
* chore: bump Go to 1.24.7 (#9435)
* fix(nodejs): use snapshot string as `Package.ID` for pnpm packages
(#9330)
* ci(helm): bump Trivy version to 0.66.0 for Trivy Helm Chart 0.18.0
(#9425)
- Fix version number shown for 'trivy -v'
Update to version 0.66.0 (boo#1248937, CVE-2025-58058):
* chore(deps): bump the aws group with 7 updates (#9419)
* refactor(secret): clarify secret scanner messages (#9409)
* fix(cyclonedx): handle multiple license types (#9378)
* fix(repo): sanitize git repo URL before inserting into report metadata
(#9391)
* test: add HTTP basic authentication to git test server (#9407)
* fix(sbom): add support for `file` component type of `CycloneDX` (#9372)
* fix(misconf): ensure module source is known (#9404)
* ci: migrate GitHub Actions from version tags to SHA pinning (#9405)
* fix: create temp file under composite fs dir (#9387)
* chore(deps): bump github.com/ulikunitz/xz from 0.5.12 to 0.5.14 (#9403)
* refactor: switch to stable azcontainerregistry SDK package (#9319)
* chore(deps): bump the common group with 7 updates (#9382)
* refactor(misconf): migrate from custom Azure JSON parser (#9222)
* fix(repo): preserve RepoMetadata on FS cache hit (#9389)
* refactor(misconf): use atomic.Int32 (#9385)
* chore(deps): bump the aws group with 6 updates (#9383)
* docs: Fix broken link to "Built-in Checks" (#9375)
* fix(plugin): don't remove plugins when updating index.yaml file (#9358)
* fix: persistent flag option typo (#9374)
* chore(deps): bump the common group across 1 directory with 26 updates
(#9347)
* fix(image): use standardized HTTP client for ECR authentication (#9322)
* refactor: export `systemFileFiltering` Post Handler (#9359)
* docs: update links to Semaphore pages (#9352)
* fix(conda): memory leak by adding closure method for `package.json`
file (#9349)
* feat: add timeout handling for cache database operations (#9307)
* fix(misconf): use correct field log_bucket instead of target_bucket in
gcp bucket (#9296)
* fix(misconf): ensure ignore rules respect subdirectory chart paths
(#9324)
* chore(deps): bump alpine from 3.21.4 to 3.22.1 (#9301)
* feat(terraform): use .terraform cache for remote modules in plan
scanning (#9277)
* chore: fix some function names in comment (#9314)
* chore(deps): bump the aws group with 7 updates (#9311)
* docs: add explanation for how to use non-system certificates (#9081)
* chore(deps): bump the github-actions group across 1 directory with 2
updates (#8962)
* fix(misconf): preserve original paths of remote submodules from
.terraform (#9294)
* refactor(terraform): make Scan method of Terraform plan scanner
private (#9272)
* fix: suppress debug log for context cancellation errors (#9298)
* feat(secret): implement streaming secret scanner with byte offset
tracking (#9264)
* fix(python): improve package name normalization (#9290)
* feat(misconf): added audit config attribute (#9249)
* refactor(misconf): decouple input fs and track extracted files with fs
references (#9281)
* test(misconf): remove BenchmarkCalculate using outdated check metadata
(#9291)
* refactor: simplify Detect function signature (#9280)
* ci(helm): bump Trivy version to 0.65.0 for Trivy Helm Chart 0.17.0
(#9288)
* fix(fs): avoid shadowing errors in file.glob (#9286)
* test(misconf): move terraform scan tests to integration tests (#9271)
* test(misconf): drop gcp iam test covered by another case (#9285)
* chore(deps): bump to alpine from `3.21.3` to `3.21.4` (#9283)
Update to version 0.65.0:
* fix(cli): ensure correct command is picked by telemetry (#9260)
* feat(flag): add schema validation for `--server` flag (#9270)
* chore(deps): bump github.com/docker/docker from 28.3.2+incompatible to
28.3.3+incompatible (#9274)
* ci: skip undefined labels in discussion triage action (#9175)
* feat(repo): add git repository metadata to reports (#9252)
* fix(license): handle WITH operator for `LaxSplitLicenses` (#9232)
* chore: add modernize tool integration for code modernization (#9251)
* fix(secret): add UTF-8 validation in secret scanner to prevent
protobuf marshalling errors (#9253)
* chore: implement process-safe temp file cleanup (#9241)
* fix: prevent graceful shutdown message on normal exit (#9244)
* fix(misconf): correctly parse empty port ranges in
google_compute_firewall (#9237)
* feat: add graceful shutdown with signal handling (#9242)
* chore: update template URL for brew formula (#9221)
* test: add end-to-end testing framework with image scan and proxy tests
(#9231)
* refactor(db): use `Getter` interface with `GetParams` for trivy-db
sources (#9239)
* ci: specify repository for `gh cache delete` in canary workflow (#9240)
* ci: remove invalid `--confirm` flag from `gh cache delete` command in
canary builds (#9236)
* fix(misconf): fix log bucket in schema (#9235)
* chore(deps): bump the common group across 1 directory with 24 updates
(#9228)
* ci: move runner.os context from job-level env to step-level in canary
workflow (#9233)
* chore(deps): bump up Trivy-kubernetes to v0.9.1 (#9214)
* feat(misconf): added logging and versioning to the gcp storage bucket
(#9226)
* fix(server): add HTTP transport setup to server mode (#9217)
* chore: update the rpm download Update (#9202)
* feat(alma): add AlmaLinux 10 support (#9207)
* fix(nodejs): don't use prerelease logic for compare npm constraints
(#9208)
* fix(rootio): fix severity selection (#9181)
* fix(sbom): merge in-graph and out-of-graph OS packages in scan results
(#9194)
* fix(cli): panic: attempt to get os.Args[1] when len(os.Args) < 2
(#9206)
* fix(misconf): correctly adapt azure storage account (#9138)
* feat(misconf): add private ip google access attribute to subnetwork
(#9199)
* feat(report): add CVSS vectors in sarif report (#9157)
* fix(terraform): `for_each` on a map returns a resource for every key
(#9156)
* fix: supporting .egg-info/METADATA in python.Packaging analyzer (#9151)
* chore: migrate protoc setup from Docker to buf CLI (#9184)
* ci: delete cache after artifacts upload in canary workflow (#9177)
* refactor: remove aws flag helper message (#9080)
* ci: use gh pr view to get PR number for forked repositories in
auto-ready workflow (#9183)
* ci: add auto-ready-for-review workflow (#9179)
* feat(image): add Docker context resolution (#9166)
* ci: optimize golangci-lint performance with cache-based strategy
(#9173)
* feat: add HTTP request/response tracing support (#9125)
* fix(aws): update amazon linux 2 EOL date (#9176)
* chore: Update release workflow to trigger version updates (#9162)
* chore(deps): bump helm.sh/helm/v3 from 3.18.3 to 3.18.4 (#9164)
* fix: also check `filepath` when removing duplicate packages (#9142)
* chore: add debug log to show image source location (#9163)
* docs: add section on customizing default check data (#9114)
* chore(deps): bump the common group across 1 directory with 9 updates
(#9153)
* docs: partners page content updates (#9149)
* chore(license): add missed spdx exceptions: (#9147)
* docs: trivy partners page updates (#9133)
* fix: migrate from `*.list` to `*.md5sums` files for `dpkg` (#9131)
* ci(helm): bump Trivy version to 0.64.1 for Trivy Helm Chart 0.16.1
(#9135)
* feat(sbom): add SHA-512 hash support for CycloneDX SBOM (#9126)
* fix(misconf): skip rewriting expr if attr is nil (#9113)
* fix(license): add missed `GFDL-NIV-1.1` and `GFDL-NIV-1.2` into Trivy
mapping (#9116)
* fix(cli): Add more non-sensitive flags to telemetry (#9110)
* fix(alma): parse epochs from rpmqa file (#9101)
* fix(rootio): check full version to detect `root.io` packages (#9117)
* chore: drop FreeBSD 32-bit support (#9102)
* fix(sbom): use correct field for licenses in CycloneDX reports (#9057)
* fix(secret): fix line numbers for multiple-line secrets (#9104)
* feat(license): observe pkg types option in license scanner (#9091)
* ci(helm): bump Trivy version to 0.64.0 for Trivy Helm Chart 0.16.0
(#9107)
- Update to version 0.64.1 (boo#1243633, CVE-2025-47291, boo#1246730,
CVE-2025-46569):
- Update to version 0.62.1 (boo#1239225, CVE-2025-22868, boo#1241724,
CVE-2025-22872):
- Update to version 0.61.1 (boo#1239385, CVE-2025-22869, boo#1240466,
CVE-2025-30204):
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP7:
zypper in -t patch openSUSE-2025-489=1
Package List:
- openSUSE Backports SLE-15-SP7 (aarch64 i586 ppc64le s390x x86_64):
trivy-0.68.2-bp157.2.6.1
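The patch instructions and package lists in the dpdk22 advisory and in this trivy advisory only name the version-release that carries each fix; they do not tell you whether a given host actually has it. The following script is an added example, not code from SUSE, openSUSE, DPDK or the trivy project. It compares an installed version-release string against the fixed one field by field, then, where `rpm` is available, queries the RPM database for the packages named in both advisories. Its comparison is a deliberate simplification of rpm's own rpmvercmp (runs of non-digits are treated as separators rather than ordered), which is exact for the version-release strings on this page; the older "22.11.9-150500.5.7.1" string in the usage comment is a constructed sample, not a real package build.

```shell
#!/bin/sh
# Added example (not part of the SUSE/openSUSE advisories): verify that the
# installed dpdk22 / trivy packages are at or above the fixed version-release
# strings named in the advisories, e.g. after running "zypper patch".

# ver_ge HAVE WANT: succeed (return 0) when HAVE >= WANT.
# Every run of non-digits is treated as a separator and the remaining
# numeric fields are compared left to right, missing fields counting as 0:
#   22.11.10-150500.5.10.1                          -> 22 11 10 150500 5 10 1
#   0.68.2-bp157.2.6.1                              -> 0 68 2 157 2 6 1
#   22.11.10_k5.14.21_150500.55.127-150500.5.10.1   -> 22 11 10 5 14 21 ...
# This is a simplification of rpmvercmp (alphabetic segments are dropped,
# not ordered); it is exact for the strings in these advisories, whose
# only non-numeric markers are "bp157" and the "_k<kernel>" suffix.
ver_ge() {
    have=$1 want=$2
    # Word-splitting on the unquoted expansions is intentional here.
    set -- $(printf '%s' "$have" | tr -c '0-9' ' '); have=$*
    set -- $(printf '%s' "$want" | tr -c '0-9' ' '); want=$*
    while [ -n "$have" ] || [ -n "$want" ]; do
        set -- $have; fa=${1:-0}; [ $# -gt 0 ] && shift; have=$*
        set -- $want; fb=${1:-0}; [ $# -gt 0 ] && shift; want=$*
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
    done
    return 0
}

# patch_state NAME HAVE WANT: print one status line for NAME.
# Usage with a constructed (hypothetical) older build:
#   patch_state dpdk22 22.11.9-150500.5.7.1 22.11.10-150500.5.10.1
#   -> dpdk22: VULNERABLE (22.11.9-150500.5.7.1 < 22.11.10-150500.5.10.1)
patch_state() {
    if ver_ge "$2" "$3"; then
        printf '%s: OK (%s >= %s)\n' "$1" "$2" "$3"
    else
        printf '%s: VULNERABLE (%s < %s)\n' "$1" "$2" "$3"
    fi
}

# check_installed NAME WANT: look NAME up in the RPM database. kmp packages
# can have several versions installed side by side, so report each of them.
check_installed() {
    out=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1" 2>/dev/null) || {
        printf '%s: not installed\n' "$1"
        return 0
    }
    for have_rel in $out; do
        patch_state "$1" "$have_rel" "$2"
    done
}

# Fixed version-release strings copied from the two advisories above
# (dpdk22 on SLE 15 SP5 / Leap 15.5 and 15.6; trivy on Backports SLE-15-SP7).
FIXED='
dpdk22 22.11.10-150500.5.10.1
libdpdk-23 22.11.10-150500.5.10.1
dpdk22-kmp-default 22.11.10_k5.14.21_150500.55.127-150500.5.10.1
trivy 0.68.2-bp157.2.6.1
'

# Only query the RPM database when rpm exists, so the functions above can
# also be exercised on a non-SUSE machine.
if command -v rpm >/dev/null 2>&1; then
    printf '%s\n' "$FIXED" | while read -r name want; do
        if [ -n "$name" ]; then
            check_installed "$name" "$want"
        fi
    done
fi
```

On a patched host every listed package should report OK; a second, independent check is `rpm -q --changelog dpdk22 | grep CVE-2025-23259`, since SUSE records the fixed CVE in the package changelog. Note that the dpdk22-kmp-default string embeds the kernel flavour it was built against, so a later kernel update changes that part of the string without altering the DPDK fix level being compared.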
References:
https://www.suse.com/security/cve/CVE-2025-11065.html
https://www.suse.com/security/cve/CVE-2025-22868.html
https://www.suse.com/security/cve/CVE-2025-22869.html
https://www.suse.com/security/cve/CVE-2025-22872.html
https://www.suse.com/security/cve/CVE-2025-30204.html
https://www.suse.com/security/cve/CVE-2025-46569.html
https://www.suse.com/security/cve/CVE-2025-47291.html
https://www.suse.com/security/cve/CVE-2025-47911.html
https://www.suse.com/security/cve/CVE-2025-47913.html
https://www.suse.com/security/cve/CVE-2025-47914.html
https://www.suse.com/security/cve/CVE-2025-53547.html
https://www.suse.com/security/cve/CVE-2025-58058.html
https://www.suse.com/security/cve/CVE-2025-58181.html
https://www.suse.com/security/cve/CVE-2025-58190.html
https://bugzilla.suse.com/1239225
https://bugzilla.suse.com/1239385
https://bugzilla.suse.com/1240466
https://bugzilla.suse.com/1241724
https://bugzilla.suse.com/1243633
https://bugzilla.suse.com/1246730
https://bugzilla.suse.com/1248897
https://bugzilla.suse.com/1248937
https://bugzilla.suse.com/1250625
https://bugzilla.suse.com/1251363
https://bugzilla.suse.com/1251547
https://bugzilla.suse.com/1253512
https://bugzilla.suse.com/1253786
https://bugzilla.suse.com/1253977
openSUSE-SU-2025:0490-1: important: Security update for trivy
openSUSE Security Update: Security update for trivy
_______________________________
Announcement ID: openSUSE-SU-2025:0490-1
Rating: important
References: #1239225 #1239385 #1240466 #1241724 #1243633
#1246730 #1248897 #1248937 #1250625 #1251363
#1251547 #1253512 #1253786 #1253977
Cross-References: CVE-2025-11065 CVE-2025-22868 CVE-2025-22869
CVE-2025-22872 CVE-2025-30204 CVE-2025-46569
CVE-2025-47291 CVE-2025-47911 CVE-2025-47913
CVE-2025-47914 CVE-2025-53547 CVE-2025-58058
CVE-2025-58181 CVE-2025-58190
CVSS scores:
CVE-2025-11065 (SUSE): 5.7 CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVE-2025-22868 (SUSE): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVE-2025-22869 (SUSE): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVE-2025-22872 (SUSE): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L
CVE-2025-30204 (SUSE): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVE-2025-46569 (SUSE): 7.6 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
CVE-2025-47291 (SUSE): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVE-2025-47911 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVE-2025-47913 (SUSE): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVE-2025-47914 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVE-2025-53547 (SUSE): 8.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H
CVE-2025-58058 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVE-2025-58181 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVE-2025-58190 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________
An update that fixes 14 vulnerabilities is now available.
Description:
This update for trivy fixes the following issues:
Update to version 0.68.2:
* fix(deps): bump alpine from `3.22.1` to `3.23.0` [backport:
release/v0.68] (#9949)
Update to version 0.68.1 (boo#1251363, CVE-2025-47911, boo#1251547,
CVE-2025-58190, boo#1253512, CVE-2025-47913, boo#1253786, CVE-2025-58181,
boo#1253977, CVE-2025-47914):
* fix: update cosign settings for GoReleaser after bumping cosign to v3
(#9863)
* chore(deps): bump the testcontainers group with 2 updates (#9506)
* feat(aws): Add support for dualstack ECR endpoints (#9862)
* fix(vex): use a separate `visited` set for each DFS path (#9760)
* docs: catch some missed docs -> guide (#9850)
* refactor(misconf): parse azure_policy_enabled to
addonprofile.azurepolicy.enabled (#9851)
* chore(cli): Remove Trivy Cloud (#9847)
* fix(misconf): ensure value used as ignore marker is non-null and known
(#9835)
* fix(misconf): map healthcheck start period flag to --start-period
instead of --startPeriod (#9837)
* chore(deps): bump the docker group with 3 updates (#9776)
* chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#9827)
* chore(deps): bump the common group across 1 directory with 20 updates
(#9840)
* feat(image): add Sigstore bundle SBOM support (#9516)
* chore(deps): bump the aws group with 7 updates (#9691)
* test(k8s): update k8s integration test (#9725)
* chore(deps): bump github.com/containerd/containerd from 1.7.28 to
1.7.29 (#9764)
* feat(sbom): add support for SPDX attestations (#9829)
* docs(misconf): Remove duplicate sections (#9819)
* feat(misconf): Update Azure network schema for new checks (#9791)
* feat(misconf): Update AppService schema (#9792)
* fix(misconf): ensure boolean metadata values are correctly interpreted
(#9770)
* feat(misconf): support https_traffic_only_enabled in Az storage
account (#9784)
* docs: restructure docs for new hosting (#9799)
* docs(server): fix info about scanning licenses on the client side.
(#9805)
* ci: remove unused preinstalled software/images for build tests to free
up disk space. (#9814)
* feat(report): add fingerprint generation for vulnerabilities (#9794)
* chore: trigger the trivy-www workflow (#9737)
* fix: update all documentation links (#9777)
* feat(suse): Add new openSUSE, Micro and SLES releases end of life
dates (#9788)
* test(go): set `GOPATH` for tests (#9785)
* feat(flag): add `--cacert` flag (#9781)
* fix(misconf): handle unsupported experimental flags in Dockerfile
(#9769)
* test(go): refactor mod_test.go to use txtar format (#9775)
* docs: Fix typos and linguistic errors in documentation / hacktoberfest
(#9586)
* chore(deps): bump github.com/opencontainers/selinux from 1.12.0 to
1.13.0 (#9778)
* chore(deps): bump github.com/containerd/containerd/v2 from 2.1.4 to
2.1.5 (#9763)
* fix(java): use `true` as default value for Repository Release|Snapshot
Enabled in pom.xml and settings.xml files (#9751)
* docs: add info that `SSL_CERT_FILE` works on `Unix systems other than
macOS` only (#9772)
* docs: change SecObserve URLs in documentation (#9771)
* feat(db): enable concurrent access to vulnerability database (#9750)
* feat(misconf): add agentpools to azure container schema (#9714)
* feat(report): switch ReportID from UUIDv4 to UUIDv7 (#9749)
* feat(misconf): Update Azure Compute schema (#9675)
* feat(misconf): Update azure storage schema (#9728)
* feat(misconf): Update SecurityCenter schema (#9674)
* feat(image): pass global context to docker/podman image save func
(#9733)
* chore(deps): bump the github-actions group with 4 updates (#9739)
* fix(flag): remove viper.SetDefault to fix IsSet() for config-only
flags (#9732)
* feat(license): use separate SPDX ids to ignore SPDX expressions (#9087)
* feat(dotnet): add dependency graph support for .deps.json files (#9726)
* feat(misconf): Add support for configurable Rego error limit (#9657)
* feat(misconf): Add RoleAssignments attribute (#9396)
* feat(report): add image reference to report metadata (#9729)
* fix(os): Add photon 5.0 in supported OS (#9724)
* fix(license): handle SPDX WITH exceptions as single license in
category detection (#9380)
* refactor: add case-insensitive string set implementation (#9720)
* feat: include registry and repository in artifact ID calculation
(#9689)
* feat(java): add support remote repositories from settings.xml files
(#9708)
* fix(sbom): don't panic on SBOM format if scanned CycloneDX file has
empty metadata (#9562)
* docs: update vulnerability reporting guidelines in SECURITY.md (#9395)
* docs: add info about `java-db` subdir (#9706)
* fix(report): correct field order in SARIF license results (#9712)
* test: improve golden file management in integration tests (#9699)
* ci: get base_sha using base.ref (#9704)
* refactor(misconf): mark AVDID fields as deprecated and use ID
internally (#9576)
* fix(nodejs): fix npmjs parser.pkgNameFromPath() panic issue (#9688)
* fix: close all opened resources if an error occurs (#9665)
* refactor(misconf): type-safe parser results in generic scanner (#9685)
* feat(image): add RepoTags support for Docker archives (#9690)
* chore(deps): bump github.com/quic-go/quic-go from 0.52.0 to 0.54.1
(#9694)
* feat(misconf): Update Azure Container Schema (#9673)
* ci: use merge commit for apidiff to avoid false positives (#9622)
* feat(misconf): include map key in manifest snippet for diagnostics
(#9681)
* refactor(misconf): add ManifestFromYAML for unified manifest parsing
(#9680)
* test: update golden files for TestRepository* integration tests (#9684)
* refactor(cli): Update the cloud config command (#9676)
* fix(sbom): add `buildInfo` info as properties (#9683)
* feat: add ReportID field to scan reports (#9670)
* docs: add vulnerability database contribution guide (#9667)
* feat(cli): Add trivy cloud support (#9637)
* feat: add ArtifactID field to uniquely identify scan targets (#9663)
* fix(nodejs): use the default ID format to match licenses in pnpm
packages. (#9661)
* feat(sbom): use SPDX license IDs list to validate SPDX IDs (#9569)
* fix: use context for analyzers (#9538)
* chore(deps): bump the docker group with 3 updates (#9545)
* chore(deps): bump the aws group with 6 updates (#9547)
* ci(helm): bump Trivy version to 0.67.2 for Trivy Helm Chart 0.19.1
(#9641)
* test(helm): bump up Yamale dependency for Helm chart-testing-action
(#9653)
* fix: Trim the end-of-range suffix (#9618)
* test(k8s): use a specific bundle for k8s misconfig scan (#9633)
* fix: Use `fetch-level: 1` to check out trivy-repo in the release
workflow (#9636)
* refactor: move the aws config (#9617)
* fix(license): don't normalize `unlicensed` licenses into `unlicense`
(#9611)
* fix: using SrcVersion instead of Version for echo detector (#9552)
* feat(fs): change artifact type to repository when git info is detected
(#9613)
* fix: add `buildInfo` for `BlobInfo` in `rpc` package (#9608)
* fix(vex): don't use reused BOM (#9604)
* ci: use pull_request_target for apidiff workflow to support fork PRs
(#9605)
* fix: restore compatibility for google.protobuf.Value (#9559)
* ci: add API diff workflow (#9600)
* chore(deps): update to module-compatible docker-credential-gcr/v2
(#9591)
* docs: improve documentation for scanning raw IaC configurations (#9571)
* feat: allow ignoring findings by type in Rego (#9578)
* docs: bump pygments from 2.18.0 to 2.19.2 (#9596)
* refactor(misconf): add ID to scan.Rule (#9573)
* fix(java): update order for resolving package fields from multiple
demManagement (#9575)
* chore(deps): bump the github-actions group across 1 directory with 9
updates (#9563)
* chore(deps): bump the common group across 1 directory with 7 updates
(#9590)
* chore(deps): Switch to go-viper/mapstructure (#9579)
* chore: add context to the cache interface (#9565)
* ci(helm): bump Trivy version to 0.67.0 for Trivy Helm Chart 0.19.0
(#9554)
* fix: validate backport branch name (#9548)
Update to version 0.67.2 (boo#1250625, CVE-2025-11065, boo#1248897,
CVE-2025-58058):
* fix: Use `fetch-level: 1` to check out trivy-repo in the release
workflow [backport: release/v0.67] (#9638)
* fix: restore compatibility for google.protobuf.Value [backport:
release/v0.67] (#9631)
* fix: using SrcVersion instead of Version for echo detector [backport:
release/v0.67] (#9629)
* fix: add `buildInfo` for `BlobInfo` in `rpc` package [backport:
release/v0.67] (#9615)
* fix(vex): don't use reused BOM [backport: release/v0.67] (#9612)
* release: v0.67.0 [main] (#9432)
* fix(vex): don't suppress vulns for packages with infinity loop (#9465)
* fix(aws): use `BuildableClient` instead of `xhttp.Client` (#9436)
* refactor(misconf): replace github.com/liamg/memoryfs with internal
mapfs and testing/fstest (#9282)
* docs: clarify inline ignore limitations for resource-less checks
(#9537)
* fix(k8s): disable parallel traversal with fs cache for k8s images
(#9534)
* fix(misconf): handle tofu files in module detection (#9486)
* feat(seal): add seal support (#9370)
* docs: fix modules path and update code example (#9539)
* fix: close file descriptors and pipes on error paths (#9536)
* feat: add documentation URL for database lock errors (#9531)
* fix(db): Download database when missing but metadata still exists
(#9393)
* feat(cloudformation): support default values and list results in
Fn::FindInMap (#9515)
* fix(misconf): unmark cty values before access (#9495)
* feat(cli): change --list-all-pkgs default to true (#9510)
* fix(nodejs): parse workspaces as objects for package-lock.json files
(#9518)
* refactor(fs): use underlyingPath to determine virtual files more
reliably (#9302)
* refactor: remove google/wire dependency and implement manual DI (#9509)
* chore(deps): bump the aws group with 6 updates (#9481)
* chore(deps): bump the common group across 1 directory with 24 updates
(#9507)
* fix(misconf): wrap legacy ENV values in quotes to preserve spaces
(#9497)
* docs: move info about `detection priority` into coverage section
(#9469)
* feat(sbom): added support for CoreOS (#9448)
* fix(misconf): strip build metadata suffixes from image history (#9498)
* feat(cyclonedx): preserve SBOM structure when scanning SBOM files with
vulnerability updates (#9439)
* docs: Fix typo in terraform docs (#9492)
* feat(redhat): add os-release detection for RHEL-based images (#9458)
* ci(deps): add 3-day cooldown period for Dependabot updates (#9475)
* refactor: migrate from go-json-experiment to encoding/json/v2 (#9422)
* fix(vuln): compare `nuget` package names in lower case (#9456)
* chore: Update release flow to include chocolatey (#9460)
* docs: document eol supportability (#9434)
* docs(report): add nuances about secret/license scanner in summary
table (#9442)
* ci: use environment variables in GitHub Actions for improved security
(#9433)
* chore: bump Go to 1.24.7 (#9435)
* fix(nodejs): use snapshot string as `Package.ID` for pnpm packages
(#9330)
* ci(helm): bump Trivy version to 0.66.0 for Trivy Helm Chart 0.18.0
(#9425)
- Fix version number shown for 'trivy -v'
Update to version 0.66.0 (boo#1248937, CVE-2025-58058):
* chore(deps): bump the aws group with 7 updates (#9419)
* refactor(secret): clarify secret scanner messages (#9409)
* fix(cyclonedx): handle multiple license types (#9378)
* fix(repo): sanitize git repo URL before inserting into report metadata
(#9391)
* test: add HTTP basic authentication to git test server (#9407)
* fix(sbom): add support for `file` component type of `CycloneDX` (#9372)
* fix(misconf): ensure module source is known (#9404)
* ci: migrate GitHub Actions from version tags to SHA pinning (#9405)
* fix: create temp file under composite fs dir (#9387)
* chore(deps): bump github.com/ulikunitz/xz from 0.5.12 to 0.5.14 (#9403)
* refactor: switch to stable azcontainerregistry SDK package (#9319)
* chore(deps): bump the common group with 7 updates (#9382)
* refactor(misconf): migrate from custom Azure JSON parser (#9222)
* fix(repo): preserve RepoMetadata on FS cache hit (#9389)
* refactor(misconf): use atomic.Int32 (#9385)
* chore(deps): bump the aws group with 6 updates (#9383)
* docs: Fix broken link to "Built-in Checks" (#9375)
* fix(plugin): don't remove plugins when updating index.yaml file (#9358)
* fix: persistent flag option typo (#9374)
* chore(deps): bump the common group across 1 directory with 26 updates
(#9347)
* fix(image): use standardized HTTP client for ECR authentication (#9322)
* refactor: export `systemFileFiltering` Post Handler (#9359)
* docs: update links to Semaphore pages (#9352)
* fix(conda): memory leak by adding closure method for `package.json`
file (#9349)
* feat: add timeout handling for cache database operations (#9307)
* fix(misconf): use correct field log_bucket instead of target_bucket in
gcp bucket (#9296)
* fix(misconf): ensure ignore rules respect subdirectory chart paths
(#9324)
* chore(deps): bump alpine from 3.21.4 to 3.22.1 (#9301)
* feat(terraform): use .terraform cache for remote modules in plan
scanning (#9277)
* chore: fix some function names in comment (#9314)
* chore(deps): bump the aws group with 7 updates (#9311)
* docs: add explanation for how to use non-system certificates (#9081)
* chore(deps): bump the github-actions group across 1 directory with 2
updates (#8962)
* fix(misconf): preserve original paths of remote submodules from
.terraform (#9294)
* refactor(terraform): make Scan method of Terraform plan scanner
private (#9272)
* fix: suppress debug log for context cancellation errors (#9298)
* feat(secret): implement streaming secret scanner with byte offset
tracking (#9264)
* fix(python): improve package name normalization (#9290)
* feat(misconf): added audit config attribute (#9249)
* refactor(misconf): decouple input fs and track extracted files with fs
references (#9281)
* test(misconf): remove BenchmarkCalculate using outdated check metadata
(#9291)
* refactor: simplify Detect function signature (#9280)
* ci(helm): bump Trivy version to 0.65.0 for Trivy Helm Chart 0.17.0
(#9288)
* fix(fs): avoid shadowing errors in file.glob (#9286)
* test(misconf): move terraform scan tests to integration tests (#9271)
* test(misconf): drop gcp iam test covered by another case (#9285)
* chore(deps): bump to alpine from `3.21.3` to `3.21.4` (#9283)
Update to version 0.65.0:
* fix(cli): ensure correct command is picked by telemetry (#9260)
* feat(flag): add schema validation for `--server` flag (#9270)
* chore(deps): bump github.com/docker/docker from 28.3.2+incompatible to
28.3.3+incompatible (#9274)
* ci: skip undefined labels in discussion triage action (#9175)
* feat(repo): add git repository metadata to reports (#9252)
* fix(license): handle WITH operator for `LaxSplitLicenses` (#9232)
* chore: add modernize tool integration for code modernization (#9251)
* fix(secret): add UTF-8 validation in secret scanner to prevent
protobuf marshalling errors (#9253)
* chore: implement process-safe temp file cleanup (#9241)
* fix: prevent graceful shutdown message on normal exit (#9244)
* fix(misconf): correctly parse empty port ranges in
google_compute_firewall (#9237)
* feat: add graceful shutdown with signal handling (#9242)
* chore: update template URL for brew formula (#9221)
* test: add end-to-end testing framework with image scan and proxy tests
(#9231)
* refactor(db): use `Getter` interface with `GetParams` for trivy-db
sources (#9239)
* ci: specify repository for `gh cache delete` in canary workflow (#9240)
* ci: remove invalid `--confirm` flag from `gh cache delete` command in
canary builds (#9236)
* fix(misconf): fix log bucket in schema (#9235)
* chore(deps): bump the common group across 1 directory with 24 updates
(#9228)
* ci: move runner.os context from job-level env to step-level in canary
workflow (#9233)
* chore(deps): bump up Trivy-kubernetes to v0.9.1 (#9214)
* feat(misconf): added logging and versioning to the gcp storage bucket
(#9226)
* fix(server): add HTTP transport setup to server mode (#9217)
* chore: update the rpm download Update (#9202)
* feat(alma): add AlmaLinux 10 support (#9207)
* fix(nodejs): don't use prerelease logic for compare npm constraints
(#9208)
* fix(rootio): fix severity selection (#9181)
* fix(sbom): merge in-graph and out-of-graph OS packages in scan results
(#9194)
* fix(cli): panic: attempt to get os.Args[1] when len(os.Args) < 2
(#9206)
* fix(misconf): correctly adapt azure storage account (#9138)
* feat(misconf): add private ip google access attribute to subnetwork
(#9199)
* feat(report): add CVSS vectors in sarif report (#9157)
* fix(terraform): `for_each` on a map returns a resource for every key
(#9156)
* fix: supporting .egg-info/METADATA in python.Packaging analyzer (#9151)
* chore: migrate protoc setup from Docker to buf CLI (#9184)
* ci: delete cache after artifacts upload in canary workflow (#9177)
* refactor: remove aws flag helper message (#9080)
* ci: use gh pr view to get PR number for forked repositories in
auto-ready workflow (#9183)
* ci: add auto-ready-for-review workflow (#9179)
* feat(image): add Docker context resolution (#9166)
* ci: optimize golangci-lint performance with cache-based strategy
(#9173)
* feat: add HTTP request/response tracing support (#9125)
* fix(aws): update amazon linux 2 EOL date (#9176)
* chore: Update release workflow to trigger version updates (#9162)
* chore(deps): bump helm.sh/helm/v3 from 3.18.3 to 3.18.4 (#9164)
* fix: also check `filepath` when removing duplicate packages (#9142)
* chore: add debug log to show image source location (#9163)
* docs: add section on customizing default check data (#9114)
* chore(deps): bump the common group across 1 directory with 9 updates
(#9153)
* docs: partners page content updates (#9149)
* chore(license): add missed spdx exceptions: (#9147)
* docs: trivy partners page updates (#9133)
* fix: migrate from `*.list` to `*.md5sums` files for `dpkg` (#9131)
* ci(helm): bump Trivy version to 0.64.1 for Trivy Helm Chart 0.16.1
(#9135)
* feat(sbom): add SHA-512 hash support for CycloneDX SBOM (#9126)
* fix(misconf): skip rewriting expr if attr is nil (#9113)
* fix(license): add missed `GFDL-NIV-1.1` and `GFDL-NIV-1.2` into Trivy
mapping (#9116)
* fix(cli): Add more non-sensitive flags to telemetry (#9110)
* fix(alma): parse epochs from rpmqa file (#9101)
* fix(rootio): check full version to detect `root.io` packages (#9117)
* chore: drop FreeBSD 32-bit support (#9102)
* fix(sbom): use correct field for licenses in CycloneDX reports (#9057)
* fix(secret): fix line numbers for multiple-line secrets (#9104)
* feat(license): observe pkg types option in license scanner (#9091)
* ci(helm): bump Trivy version to 0.64.0 for Trivy Helm Chart 0.16.0
(#9107)
- Update to version 0.64.1 (boo#1243633, CVE-2025-47291, boo#1246730,
CVE-2025-46569):
- Update to version 0.62.1 (boo#1239225, CVE-2025-22868, boo#1241724,
CVE-2025-22872):
- Update to version 0.61.1 (boo#1239385, CVE-2025-22869, boo#1240466,
CVE-2025-30204):
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP6:
zypper in -t patch openSUSE-2025-490=1
Package List:
- openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64):
trivy-0.68.2-bp156.2.15.1
References:
https://www.suse.com/security/cve/CVE-2025-11065.html
https://www.suse.com/security/cve/CVE-2025-22868.html
https://www.suse.com/security/cve/CVE-2025-22869.html
https://www.suse.com/security/cve/CVE-2025-22872.html
https://www.suse.com/security/cve/CVE-2025-30204.html
https://www.suse.com/security/cve/CVE-2025-46569.html
https://www.suse.com/security/cve/CVE-2025-47291.html
https://www.suse.com/security/cve/CVE-2025-47911.html
https://www.suse.com/security/cve/CVE-2025-47913.html
https://www.suse.com/security/cve/CVE-2025-47914.html
https://www.suse.com/security/cve/CVE-2025-53547.html
https://www.suse.com/security/cve/CVE-2025-58058.html
https://www.suse.com/security/cve/CVE-2025-58181.html
https://www.suse.com/security/cve/CVE-2025-58190.html
https://bugzilla.suse.com/1239225
https://bugzilla.suse.com/1239385
https://bugzilla.suse.com/1240466
https://bugzilla.suse.com/1241724
https://bugzilla.suse.com/1243633
https://bugzilla.suse.com/1246730
https://bugzilla.suse.com/1248897
https://bugzilla.suse.com/1248937
https://bugzilla.suse.com/1250625
https://bugzilla.suse.com/1251363
https://bugzilla.suse.com/1251547
https://bugzilla.suse.com/1253512
https://bugzilla.suse.com/1253786
https://bugzilla.suse.com/1253977
openSUSE-SU-2025:15850-1: moderate: python312-3.12.12-4.1 on GA media
# python312-3.12.12-4.1 on GA media
Announcement ID: openSUSE-SU-2025:15850-1
Rating: moderate
Cross-References:
* CVE-2025-12084
* CVE-2025-13836
* CVE-2025-13837
CVSS scores:
* CVE-2025-12084 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
* CVE-2025-12084 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2025-13836 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-13836 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2025-13837 ( SUSE ): 4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-13837 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Affected Products:
* openSUSE Tumbleweed
An update that solves 3 vulnerabilities can now be installed.
## Description:
These are all security issues fixed in the python312-3.12.12-4.1 package on the GA media of openSUSE Tumbleweed.
## Package List:
* openSUSE Tumbleweed:
* python312 3.12.12-4.1
* python312-32bit 3.12.12-4.1
* python312-curses 3.12.12-4.1
* python312-dbm 3.12.12-4.1
* python312-idle 3.12.12-4.1
* python312-tk 3.12.12-4.1
* python312-x86-64-v3 3.12.12-4.1
## References:
* https://www.suse.com/security/cve/CVE-2025-12084.html
* https://www.suse.com/security/cve/CVE-2025-13836.html
* https://www.suse.com/security/cve/CVE-2025-13837.html
openSUSE-SU-2025:15852-1: moderate: trivy-0.68.2-1.1 on GA media
# trivy-0.68.2-1.1 on GA media
Announcement ID: openSUSE-SU-2025:15852-1
Rating: moderate
Cross-References:
* CVE-2025-47911
* CVE-2025-47913
* CVE-2025-47914
* CVE-2025-58190
CVSS scores:
* CVE-2025-47911 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-47911 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-47913 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-47913 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-47914 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-47914 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-58190 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-58190 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Affected Products:
* openSUSE Tumbleweed
An update that solves 4 vulnerabilities can now be installed.
## Description:
These are all security issues fixed in the trivy-0.68.2-1.1 package on the GA media of openSUSE Tumbleweed.
## Package List:
* openSUSE Tumbleweed:
* trivy 0.68.2-1.1
## References:
* https://www.suse.com/security/cve/CVE-2025-47911.html
* https://www.suse.com/security/cve/CVE-2025-47913.html
* https://www.suse.com/security/cve/CVE-2025-47914.html
* https://www.suse.com/security/cve/CVE-2025-58190.html
openSUSE-SU-2025:15849-1: moderate: python311-3.11.14-3.1 on GA media
# python311-3.11.14-3.1 on GA media
Announcement ID: openSUSE-SU-2025:15849-1
Rating: moderate
Cross-References:
* CVE-2025-12084
* CVE-2025-13836
* CVE-2025-13837
CVSS scores:
* CVE-2025-12084 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
* CVE-2025-12084 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2025-13836 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-13836 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2025-13837 ( SUSE ): 4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-13837 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Affected Products:
* openSUSE Tumbleweed
An update that solves 3 vulnerabilities can now be installed.
## Description:
These are all security issues fixed in the python311-3.11.14-3.1 package on the GA media of openSUSE Tumbleweed.
## Package List:
* openSUSE Tumbleweed:
* python311 3.11.14-3.1
* python311-32bit 3.11.14-3.1
* python311-curses 3.11.14-3.1
* python311-dbm 3.11.14-3.1
* python311-idle 3.11.14-3.1
* python311-tk 3.11.14-3.1
* python311-x86-64-v3 3.11.14-3.1
## References:
* https://www.suse.com/security/cve/CVE-2025-12084.html
* https://www.suse.com/security/cve/CVE-2025-13836.html
* https://www.suse.com/security/cve/CVE-2025-13837.html
openSUSE-SU-2025:15851-1: moderate: python313-3.13.11-1.1 on GA media
# python313-3.13.11-1.1 on GA media
Announcement ID: openSUSE-SU-2025:15851-1
Rating: moderate
Cross-References:
* CVE-2025-12084
* CVE-2025-13836
* CVE-2025-13837
CVSS scores:
* CVE-2025-12084 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
* CVE-2025-12084 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2025-13836 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-13836 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2025-13837 ( SUSE ): 4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-13837 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Affected Products:
* openSUSE Tumbleweed
An update that solves 3 vulnerabilities can now be installed.
## Description:
These are all security issues fixed in the python313-3.13.11-1.1 package on the GA media of openSUSE Tumbleweed.
## Package List:
* openSUSE Tumbleweed:
* python313 3.13.11-1.1
* python313-32bit 3.13.11-1.1
* python313-curses 3.13.11-1.1
* python313-dbm 3.13.11-1.1
* python313-idle 3.13.11-1.1
* python313-tk 3.13.11-1.1
* python313-x86-64-v3 3.13.11-1.1
## References:
* https://www.suse.com/security/cve/CVE-2025-12084.html
* https://www.suse.com/security/cve/CVE-2025-13836.html
* https://www.suse.com/security/cve/CVE-2025-13837.html
openSUSE-SU-2025:0493-1: important: Security update for go-sendxmpp
openSUSE Security Update: Security update for go-sendxmpp
_______________________________
Announcement ID: openSUSE-SU-2025:0493-1
Rating: important
References: #1251461 #1251677
Cross-References: CVE-2025-47911 CVE-2025-58190
CVSS scores:
CVE-2025-47911 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVE-2025-58190 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for go-sendxmpp fixes the following issues:
Update to 0.15.1:
- Added
* Add XEP-0359 Origin-ID to messages (requires go-xmpp >= v0.2.18).
- Changed
* HTTP upload: Ignore timeouts on disco IQs as some components do not
reply.
- Upgrades the embedded golang.org/x/net to 0.46.0
* Fixes: boo#1251461, CVE-2025-47911: various algorithms with quadratic
complexity when parsing HTML documents
* Fixes: boo#1251677, CVE-2025-58190: excessive memory consumption by
'html.ParseFragment' when processing specially crafted input
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP6:
zypper in -t patch openSUSE-2025-493=1
Package List:
- openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64):
go-sendxmpp-0.15.1-bp156.2.9.1
References:
https://www.suse.com/security/cve/CVE-2025-47911.html
https://www.suse.com/security/cve/CVE-2025-58190.html
https://bugzilla.suse.com/1251461
https://bugzilla.suse.com/1251677
openSUSE-SU-2025:0491-1: important: Security update for flannel
openSUSE Security Update: Security update for flannel
_______________________________
Announcement ID: openSUSE-SU-2025:0491-1
Rating: important
References: #1218694 #1236522 #1240516
Cross-References: CVE-2019-14697 CVE-2023-45288 CVE-2025-30204
CVSS scores:
CVE-2023-45288 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVE-2025-30204 (SUSE): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________
An update that fixes three vulnerabilities is now available.
Description:
This update for flannel fixes the following issues:
- Update to version 0.27.4:
* Removed PodSecurityPolicy manifest creation
* Fix interface IP address detection in dual-stack mode
* Fix: recreate VXLAN device (flannel.*) when external interface is
deleted and re-added (#2247)
* golangci-lint: fix iptables_test
* firewall: add option to disable fully-random mode for MASQUERADE
* Bump the tencent group with 2 updates
* Bump github.com/coreos/go-systemd/v22 in the other-go-modules group
* Bump golang.org/x/sys in the other-go-modules group
* Bump the etcd group with 4 updates
* Bump etcd version in tests
* Stop using deprecated cache.NewIndexerInformer function
* Bump k8s test version
* Bump k8s deps to v0.31.11
* Bump the other-go-modules group with 2 updates
* helm chart: add nodeSelector in the helm chart
* Updated Alpine image
* Added flag to enable blackhole route locally for Canal
* Bump golang.org/x/sync in the other-go-modules group
* make enqueueLeaseEvent context aware and prevent dangling goroutines
when context is done; fixed a typo/build error
* make retry interval exp backoff
* cont_when_cache_not_ready configurable with fail by default
* use semaphore as opposed to raw signal channel
* Update pkg/subnet/kube/kube.go
* Fix deadlock in startup for large clusters
* enable setting resources in helm chart
* capture close() err on subnet file save (#2248)
* doc: document flag --iptables-forward-rules
* Bump netlink to v1.3.1
* fix: clean-up rules when starting instead of shutting down
* Bump k8s and sles test version
* Add modprobe br_netfilter step in test workflows
* test: don't run the workflows on "push" events
* Update to the latest flannel cni-plugins v1.7.1
* Move to go 1.23.6
- Update to version 0.26.6:
* Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common
* Bump the etcd group with 4 updates
* Bump the tencent group with 2 updates
* Organize dependabot PRs more clearly by using groups
* Use peer's wireguard port, not our own
* Bump to codeql v3
* Pin all GHA to a specific SHA commit
* Bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 (fix
CVE-2025-30204, boo#1240516)
* Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common
* Bump go.etcd.io/etcd/tests/v3 from 3.5.18 to 3.5.20
* add missing GH_TOKEN env var in release.yaml
* Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vpc
* Upload chart archive with the release files
* make deps
* refactor release.yaml to reduce use of potentially vulnerable GH
Actions
* Bump golang.org/x/net from 0.34.0 to 0.36.0
* enable setting CNI directory paths in helm chart
* Added cni file configuration on the chart
* Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vpc
* Bump github.com/avast/retry-go/v4 from 4.6.0 to 4.6.1
- Update to version 0.26.4:
* Moved to github container registry
* Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vpc
* Bump go.etcd.io/etcd/tests/v3 from 3.5.17 to 3.5.18
* fix: Fix high CPU usage when losing etcd connection and try to
re-establish connection with exponential backoff
* Bump github.com/containernetworking/plugins from 1.6.1 to 1.6.2
* Bump alpine from 20240923 to 20250108 in /images
* Bump golang.org/x/net from 0.31.0 to 0.33.0
* Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vpc
* Bump github.com/jonboulle/clockwork from 0.4.0 to 0.5.0
* feat: add bool to control CNI config installation using Helm
* fix: add missing MY_NODE_NAME env in chart
* Bump k8s deps to 0.29.12
* Don't panic upon shutdown when running in standalone mode
* Bump golang.org/x/crypto from 0.29.0 to 0.31.0
* Bump alpine from 20240807 to 20240923 in /images
* Bump github.com/containernetworking/plugins from 1.6.0 to 1.6.1
* Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vpc
* Bump github.com/vishvananda/netns from 0.0.4 to 0.0.5
* Use the standard context library
* Bump github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common
* Updated flannel cni image to 1.6.0
* Updated CNI plugins version on the README
* Bump sigs.k8s.io/knftables from 0.0.17 to 0.0.18
* Bump github.com/golang-jwt/jwt/v4 from 4.4.2 to 4.5.1
* Bump github.com/Microsoft/hcsshim from 0.12.8 to 0.12.9
* Added check to not check br_filter in case of windows
* Bump golangci-lint to latest version
* Bump to go 1.23
* Added checks for br_netfilter module
* Try not to cleanup multiple peers behind same PublicIP
* fix trivy check
* check that the lease includes an IP address of the requested family
before configuring the flannel interface
* Fixed IPv6 chosen in case of public-ipv6 configured
* add timeout to e2e test pipelines
* Update k8s version in e2e tests to v1.29.8
* Update netlink to v1.3.0
* Fixed values file on flannel chart
* Bump k8s.io/klog/v2 from 2.120.1 to 2.130.1
* Updated Flannel chart with Netpol container and removed clustercidr
* Fix bug in hostgw-windows
* Fix bug in the logic polling the interface
* Added node-public-ip annotation
* Try several times to contact kube-api before failing
* Fixed IPv6 0 initialization
* wireguard backend: avoid error message if route already exists
* Bump github.com/avast/retry-go/v4 from 4.5.1 to 4.6.0
* use wait.PollUntilContextTimeout instead of deprecated wait.Poll
* troubleshooting.md: add `ethtool -K flannel.1 tx-checksum-ip-generic
off` for NAT
* Added configuration for public-ip through node annotation
* extension/vxlan: remove arp commands from vxlan examples
* Refactor TrafficManager windows files to clarify logs
* Add persistent-mac option to v6 too
* fix comparison with previous networks in SetupAndEnsureMasqRules
* show content of stdout and stderr when running iptables-restore
returns an error
* Add extra check before contacting kube-api
* remove unimplemented error in windows trafficmngr
* remove --dirty flags in git describe
* Added leaseAttr string method with logs on VxLan
* remove multiClusterCidr related-code.
* Implement nftables masquerading for flannel
* fix: ipv6 iptables rules were created even when IPv6 was disabled
* Add tolerations to the flannel chart
* Added additional check for n.spec.podCIDRs
* Remove net-tools since it's an old package that we are not using
* fix iptables_windows.go
* Clean-up Makefile and use docker buildx locally
* Use manual test to ensure iptables-* binaries are present
* Bump github.com/containerd/containerd from 1.6.23 to 1.6.26
* Bump github.com/joho/godotenv
* SubnetManager should use the main context
* Simplify TrafficManager interface
* refactor iptables package to prepare for nftables-based implementation
- flannel v0.26.4 includes `golang.org/x/net/http2` at v0.34.0, which
fixes boo#1236522 (CVE-2023-45288)
- Update to version 0.24.2:
* Prepare for v0.24.2 release
* Increase the time out for interface checking in windows
* Prepare for v0.24.1 release
* Provide support to select the interface in Windows
* Improve the log from powershell
* Wait all the jobs to finish before deploy the github-page
* remove remaining references to mips64le
* add multi-arch dockerfile
* add missing riscv64 in docker manifest create step
* prepare for v0.24.0 release
* Bump golang.org/x/crypto from 0.15.0 to 0.17.0
* Add the VNI to the error message in Windows
* chart: add possibility for defining image pull secrets in daemonset
* Remove multiclustercidr logic from code
* Update opentelemetry dependencies
* Bump
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
* Add riscv64 arch in GH actions
* vxlan vni should not be type uint16
* Quote wireguard psk in helm chart
* add riscv64 support
- Update to 0.14.0:
* Add tencent cloud VPC network support
* moving go modules to flannel-io/flannel and updating to go 1.16
* fix(windows): nil pointer panic
* Preserve environment for extension backend
* Fix flannel hang if lease expired
* Documentation for the Flannel upgrade/downgrade procedure
* Move from glog to klog
* fix(host-gw): failed to restart if gateway hnsep existed
* ipsec: use well known paths of charon daemon
* upgrade client-go to 1.19.4
* move from juju/errors to pkg/errors
* subnets: move forward the cursor to skip illegal subnet
* Fix Expired URL to Deploying Flannel with kubeadm
* Modify kube-flannel.yaml to use rbac.authorization.k8s.io/v1
* preserve AccessKey & AccessKeySecret environment on sudo; fix some typos
in doc.
* iptables: handle errors that prevent rule deletes
- Sync manifest with upstream (0.13.0 release). Includes the following
changes:
* Fix typo and invalid indent in kube-flannel.yml
* Use stable os and arch label for node
* set priorityClassName to system-node-critical
* Add NET_RAW capability to support cri-o
* Use multi-arch Docker images in the Kubernetes manifest
- Set GO111MODULE=auto to build with go1.16+
* Default changed to GO111MODULE=on in go1.16
* Set temporarily until using upstream version with go.mod
- update to 0.13.0:
* Use multi-arch Docker images in the Kubernetes manifest
* Accept existing XMRF policies and update them instead of raising errors
* Add --no-sanity-check to iptables-wrapper-installer.sh for
architectures other than amd64
* Use "docker manifest" to publish multi-arch Docker images
* Add NET_RAW capability to support cri-o
* remove glide
* switch to go modules
* Add and implement iptables-wrapper-installer.sh from
https://github.com/kubernetes-sigs/iptables-wrappers
* documentation: set priorityClassName to system-node-critical
* Added a hint for firewall rules
* Disabling ipv6 accept_ra explicitly on the created interface
* use alpine 3.12 everywhere
* windows: replace old netsh (rakelkar/gonetsh) with powershell commands
* fix CVE-2019-14697
* Bugfix: VtepMac would be empty when lease re-acquire for windows
* Use stable os and arch label for node
* doc(awsvpc): correct the required permissions
- update to 0.12.0:
* fix deleteLease
* Use publicIP lookup iface if --public-ip indicated
* kubernetes 1.16 cni error
* Add cniVersion to general CNI plugin configuration.
* Needs to clear NodeNetworkUnavailable flag on Kubernetes
* Replaces gorillalabs go-powershell with bhendo/go-powershell
* Make VXLAN device learning attribute configurable
* change nodeSelector to nodeAffinity and schedule the pod to linux node
* This PR adds the cni version to the cni-conf.yaml inside the
kube-flannel-cfg configmap
* EnableNonPersistent flag for Windows Overlay networks
* snap package.
* Update lease with DR Mac
* main.go: add the "net-config-path" flag
* Deploy Flannel with unprivileged PSP
* Enable local host to local pod connectivity in Windows VXLAN
* Update hcsshim for HostRoute policy in Windows VXLAN
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP6:
zypper in -t patch openSUSE-2025-491=1
Package List:
- openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64):
flannel-0.27.4-bp156.4.3.1
- openSUSE Backports SLE-15-SP6 (noarch):
flannel-k8s-yaml-0.27.4-bp156.4.3.1
References:
https://www.suse.com/security/cve/CVE-2019-14697.html
https://www.suse.com/security/cve/CVE-2023-45288.html
https://www.suse.com/security/cve/CVE-2025-30204.html
https://bugzilla.suse.com/1218694
https://bugzilla.suse.com/1236522
https://bugzilla.suse.com/1240516
openSUSE-SU-2025:0492-1: important: Security update for cheat
openSUSE Security Update: Security update for cheat
_______________________________
Announcement ID: openSUSE-SU-2025:0492-1
Rating: important
References: #1247629 #1253593 #1253922 #1254051
Cross-References: CVE-2023-48795 CVE-2025-21613 CVE-2025-21614
CVE-2025-22869 CVE-2025-22870 CVE-2025-47913
CVE-2025-47914 CVE-2025-58181
CVSS scores:
CVE-2023-48795 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2025-21613 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2025-22869 (SUSE): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVE-2025-22870 (SUSE): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
CVE-2025-47913 (SUSE): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVE-2025-47914 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVE-2025-58181 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________
An update that fixes 8 vulnerabilities is now available.
Description:
This update for cheat fixes the following issues:
Security:
* CVE-2025-47913: Fix client process termination (boo#1253593)
* CVE-2025-58181: Fix potential unbounded memory consumption
(boo#1253922)
* CVE-2025-47914: Fix panic due to an out-of-bounds read (boo#1254051)
* Replace golang.org/x/crypto=golang.org/x/crypto@v0.45.0
* Replace golang.org/x/net=golang.org/x/net@v0.47.0
* Replace golang.org/x/sys=golang.org/x/sys@v0.38.0
Packaging improvements:
* Service go_modules replace dependencies with CVEs
* Replace github.com/cloudflare/circl=github.com/cloudflare/circl@v1.6.1
Fixes GO-2025-3754 GHSA-2x5j-vhc8-9cwm
* Replace golang.org/x/net=golang.org/x/net@v0.36.0
Fixes GO-2025-3503 CVE-2025-22870
* Replace golang.org/x/crypto=golang.org/x/crypto@v0.35.0
Fixes GO-2023-2402 CVE-2023-48795 GHSA-45x7-px36-x8w8
Fixes GO-2025-3487 CVE-2025-22869
* Replace github.com/go-git/go-git/v5=github.com/go-git/go-git/v5@v5.13.0
Fixes GO-2025-3367 CVE-2025-21614 GHSA-r9px-m959-cxf4
Fixes GO-2025-3368 CVE-2025-21613 GHSA-v725-9546-7q7m
* Service tar_scm set mode manual from disabled
* Service tar_scm create archive from git so we can exclude vendor
directory upstream committed to git. Committed vendor directory
contents have build issues even after go mod tidy.
* Service tar_scm exclude dir vendor
* Service set_version set mode manual from disabled
* Service set_version remove param basename not needed
boo#1247629 (CVE-2025-21613):
* Use go-git 5.13.0 via replace in _service
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP6:
zypper in -t patch openSUSE-2025-492=1
Package List:
- openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64):
cheat-4.4.2-bp156.3.6.1
References:
https://www.suse.com/security/cve/CVE-2023-48795.html
https://www.suse.com/security/cve/CVE-2025-21613.html
https://www.suse.com/security/cve/CVE-2025-21614.html
https://www.suse.com/security/cve/CVE-2025-22869.html
https://www.suse.com/security/cve/CVE-2025-22870.html
https://www.suse.com/security/cve/CVE-2025-47913.html
https://www.suse.com/security/cve/CVE-2025-47914.html
https://www.suse.com/security/cve/CVE-2025-58181.html
https://bugzilla.suse.com/1247629
https://bugzilla.suse.com/1253593
https://bugzilla.suse.com/1253922
https://bugzilla.suse.com/1254051
openSUSE-SU-2025:0496-1: moderate: Security update for duc
openSUSE Security Update: Security update for duc
_______________________________
Announcement ID: openSUSE-SU-2025:0496-1
Rating: moderate
References: #1254566
Cross-References: CVE-2025-13654
CVSS scores:
CVE-2025-13654 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________
An update that fixes one vulnerability is now available.
Description:
This update for duc fixes the following issues:
Update to 1.4.6:
* new: added LICENCE to 'make release' target
* fix: fixed logic error in buffer_get() (boo#1254566, CVE-2025-13654)
* cha: updated tests
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP6:
zypper in -t patch openSUSE-2025-496=1
Package List:
- openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64):
duc-1.4.6-bp156.3.3.1
References:
https://www.suse.com/security/cve/CVE-2025-13654.html
https://bugzilla.suse.com/1254566