SUSE 5474 Published by

The openSUSE project has released security updates for various packages, including git-bug and python311-starlette. The update for git-bug fixes two vulnerabilities (CVE-2025-47911 and CVE-2025-58190) that could potentially lead to denial-of-service attacks when parsing HTML documents. Meanwhile, the python311-starlette package has been updated to fix a vulnerability (CVE-2025-62727), which is rated as high-risk. Both updates are available for installation via YaST online_update or "zypper patch" and can be applied to specific openSUSE distributions such as Backports SLE-15-SP6, Backports SLE-15-SP7, and Tumbleweed.

openSUSE-SU-2025:0418-1: moderate: Security update for git-bug
openSUSE-SU-2025:0417-1: moderate: Security update for git-bug
openSUSE-SU-2025:15696-1: moderate: python311-starlette-0.49.1-1.1 on GA media




openSUSE-SU-2025:0418-1: moderate: Security update for git-bug


openSUSE Security Update: Security update for git-bug
_______________________________

Announcement ID: openSUSE-SU-2025:0418-1
Rating: moderate
References: #1251463 #1251664
Cross-References: CVE-2025-47911 CVE-2025-58190
CVSS scores:
CVE-2025-47911 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVE-2025-58190 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Products:
openSUSE Backports SLE-15-SP7
_______________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for git-bug fixes the following issues:

- Revendor to include golang.org/x/net/html v0.45.0 to prevent possible
  DoS by various algorithms with quadratic complexity when parsing HTML
  documents (boo#1251463, CVE-2025-47911 and boo#1251664, CVE-2025-58190).

- Update to version 0.10.1:
  - cli: ignore missing sections when removing configuration (ddb22a2f)

- Update to version 0.10.0:
  - bridge: correct command used to create a new bridge (9942337b)
  - web: simplify header navigation (7e95b169)
  - webui: remark upgrade + gfm + syntax highlighting (6ee47b96)
  - BREAKING CHANGE: dev-infra: remove gokart (89b880bd)

- Update to version 0.10.0:
  - bridge: correct command used to create a new bridge (9942337b)
  - web: simplify header navigation (7e95b169)
  - web: remark upgrade + gfm + syntax highlighting (6ee47b96)

- Update to version 0.9.0:
  - completion: remove errata from string literal (aa102c91)
  - tui: improve readability of the help bar (23be684a)

- Update to version 0.8.1+git.1746484874.96c7a111:
  * docs: update install, contrib, and usage documentation (#1222)
  * fix: resolve the remote URI using url.*.insteadOf (#1394)
  * build(deps): bump the go_modules group across 1 directory with 3
    updates (#1376)
  * chore: gofmt simplify gitlab/export_test.go (#1392)
  * fix: checkout repo before setting up go environment (#1390)
  * feat: bump to go v1.24.2 (#1389)
  * chore: update golang.org/x/net (#1379)
  * fix: use -0700 when formatting time (#1388)
  * fix: use correct url for gitlab PATs (#1384)
  * refactor: remove dependency on pnpm for auto-label action (#1383)
  * feat: add action: auto-label (#1380)
  * feat: remove lifecycle/frozen (#1377)
  * build(deps): bump the npm_and_yarn group across 1 directory with 12
    updates (#1378)
  * feat: support new exclusion label: lifecycle/pinned (#1375)
  * fix: refactor how gitlab title changes are detected (#1370)
  * revert: "Create Dependabot config file" (#1374)
  * refactor: rename //:git-bug.go to //:main.go (#1373)
  * build(deps): bump github.com/vektah/gqlparser/v2 from 2.5.16 to 2.5.25
    (#1361)
  * fix: set GitLastTag to an empty string when git-describe errors (#1355)
  * chore: update go-git to v5@masterupdate_mods (#1284)
  * refactor: Directly swap two variables to optimize code (#1272)
  * Update README.md Matrix link to new room (#1275)

- Update to version 0.8.0+git.1742269202.0ab94c9:
  * deps(crypto): bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix
    for CVE-2024-45337) (#1312)

Patch Instructions:

To install this openSUSE Security Update, use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP7:

zypper in -t patch openSUSE-2025-418=1

Package List:

- openSUSE Backports SLE-15-SP7 (aarch64 i586 ppc64le s390x x86_64):

git-bug-0.10.1-bp157.2.3.1

- openSUSE Backports SLE-15-SP7 (noarch):

git-bug-bash-completion-0.10.1-bp157.2.3.1
git-bug-fish-completion-0.10.1-bp157.2.3.1
git-bug-zsh-completion-0.10.1-bp157.2.3.1

References:

https://www.suse.com/security/cve/CVE-2025-47911.html
https://www.suse.com/security/cve/CVE-2025-58190.html
https://bugzilla.suse.com/1251463
https://bugzilla.suse.com/1251664



openSUSE-SU-2025:0417-1: moderate: Security update for git-bug


openSUSE Security Update: Security update for git-bug
_______________________________

Announcement ID: openSUSE-SU-2025:0417-1
Rating: moderate
References: #1251463 #1251664
Cross-References: CVE-2025-47911 CVE-2025-58190
CVSS scores:
CVE-2025-47911 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVE-2025-58190 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for git-bug fixes the following issues:

- Revendor to include golang.org/x/net/html v0.45.0 to prevent possible
  DoS by various algorithms with quadratic complexity when parsing HTML
  documents (boo#1251463, CVE-2025-47911 and boo#1251664, CVE-2025-58190).

- Update to version 0.10.1:
  - cli: ignore missing sections when removing configuration (ddb22a2f)

- Update to version 0.10.0:
  - bridge: correct command used to create a new bridge (9942337b)
  - web: simplify header navigation (7e95b169)
  - webui: remark upgrade + gfm + syntax highlighting (6ee47b96)
  - BREAKING CHANGE: dev-infra: remove gokart (89b880bd)

- Update to version 0.10.0:
  - bridge: correct command used to create a new bridge (9942337b)
  - web: simplify header navigation (7e95b169)
  - web: remark upgrade + gfm + syntax highlighting (6ee47b96)

- Update to version 0.9.0:
  - completion: remove errata from string literal (aa102c91)
  - tui: improve readability of the help bar (23be684a)

- Update to version 0.8.1+git.1746484874.96c7a111:
  * docs: update install, contrib, and usage documentation (#1222)
  * fix: resolve the remote URI using url.*.insteadOf (#1394)
  * build(deps): bump the go_modules group across 1 directory with 3
    updates (#1376)
  * chore: gofmt simplify gitlab/export_test.go (#1392)
  * fix: checkout repo before setting up go environment (#1390)
  * feat: bump to go v1.24.2 (#1389)
  * chore: update golang.org/x/net (#1379)
  * fix: use -0700 when formatting time (#1388)
  * fix: use correct url for gitlab PATs (#1384)
  * refactor: remove dependency on pnpm for auto-label action (#1383)
  * feat: add action: auto-label (#1380)
  * feat: remove lifecycle/frozen (#1377)
  * build(deps): bump the npm_and_yarn group across 1 directory with 12
    updates (#1378)
  * feat: support new exclusion label: lifecycle/pinned (#1375)
  * fix: refactor how gitlab title changes are detected (#1370)
  * revert: "Create Dependabot config file" (#1374)
  * refactor: rename //:git-bug.go to //:main.go (#1373)
  * build(deps): bump github.com/vektah/gqlparser/v2 from 2.5.16 to 2.5.25
    (#1361)
  * fix: set GitLastTag to an empty string when git-describe errors (#1355)
  * chore: update go-git to v5@masterupdate_mods (#1284)
  * refactor: Directly swap two variables to optimize code (#1272)
  * Update README.md Matrix link to new room (#1275)

- Update to version 0.8.0+git.1742269202.0ab94c9:
  * deps(crypto): bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix
    for CVE-2024-45337) (#1312)

Patch Instructions:

To install this openSUSE Security Update, use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP6:

zypper in -t patch openSUSE-2025-417=1

Package List:

- openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64):

git-bug-0.10.1-bp156.3.6.1

- openSUSE Backports SLE-15-SP6 (noarch):

git-bug-bash-completion-0.10.1-bp156.3.6.1
git-bug-fish-completion-0.10.1-bp156.3.6.1
git-bug-zsh-completion-0.10.1-bp156.3.6.1

References:

https://www.suse.com/security/cve/CVE-2025-47911.html
https://www.suse.com/security/cve/CVE-2025-58190.html
https://bugzilla.suse.com/1251463
https://bugzilla.suse.com/1251664



openSUSE-SU-2025:15696-1: moderate: python311-starlette-0.49.1-1.1 on GA media


# python311-starlette-0.49.1-1.1 on GA media

Announcement ID: openSUSE-SU-2025:15696-1
Rating: moderate

Cross-References:

* CVE-2025-62727

CVSS scores:

* CVE-2025-62727 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-62727 (SUSE): 8.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the python311-starlette-0.49.1-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
* python311-starlette 0.49.1-1.1
* python312-starlette 0.49.1-1.1
* python313-starlette 0.49.1-1.1
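An added defender's check, not part of any of the three advisories above: a POSIX shell script that compares an installed package's version-release with the fixed version-release from the package lists (git-bug on both Backports products and the starlette packages on Tumbleweed). It assumes an rpm-based openSUSE host with GNU coreutils for real use; the `is_fixed` and `check_package` helpers and their output wording are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisories): decide whether an installed
# package already carries the fix by comparing its version-release with
# the fixed one the advisory lists. Ordering relies on GNU "sort -V".

# Fixed version-release strings copied from the package lists above.
FIXED_GIT_BUG_SP7="0.10.1-bp157.2.3.1"   # openSUSE Backports SLE-15-SP7
FIXED_GIT_BUG_SP6="0.10.1-bp156.3.6.1"   # openSUSE Backports SLE-15-SP6
FIXED_STARLETTE="0.49.1-1.1"             # openSUSE Tumbleweed

# is_fixed INSTALLED FIXED: exit 0 when INSTALLED is equal to or newer
# than FIXED in version order, exit 1 when it is older (still vulnerable).
is_fixed() {
    installed=$1
    fixed=$2
    [ "$installed" = "$fixed" ] && return 0
    # sort -V orders the two strings numerically segment by segment; if
    # the fixed version sorts first, the installed one is newer.
    first=$(printf '%s\n%s\n' "$installed" "$fixed" | sort -V | head -n 1)
    [ "$first" = "$fixed" ]
}

# check_package NAME FIXED: query the local rpm database for NAME and
# report its status (needs rpm, i.e. an actual openSUSE host).
check_package() {
    name=$1
    fixed=$2
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$name" 2>/dev/null) || {
        echo "$name: not installed"
        return 0
    }
    if is_fixed "$vr" "$fixed"; then
        echo "$name: $vr is at or above $fixed (fixed)"
    else
        echo "$name: $vr is below $fixed (still vulnerable)"
        return 1
    fi
}

# Set CHECK_HOST=1 to query the local rpm database. The git-bug fix
# differs per product: use FIXED_GIT_BUG_SP6 on Backports SLE-15-SP6.
if [ "${CHECK_HOST:-0}" = 1 ]; then
    check_package git-bug "$FIXED_GIT_BUG_SP7"
    check_package python311-starlette "$FIXED_STARLETTE"
fi
```

A non-zero exit from `check_package` flags a host that still needs `zypper patch`, which makes the script usable from a fleet-wide compliance job.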

## References:

* https://www.suse.com/security/cve/CVE-2025-62727.html