Git-Bug, Go, Libpng updates for SUSE

SUSE 5496 Published by

The openSUSE project has released three security updates to address vulnerabilities in various packages. The first update, openSUSE-SU-2025-20143-1, fixes seven vulnerabilities and several bugs in the git-bug package and can be installed on openSUSE Leap 16.0 using YaST online_update or zypper patch. The second update, openSUSE-SU-2025:15796-1, addresses two vulnerabilities in the go1.24 package and is applicable to openSUSE Tumbleweed. The third update, openSUSE-SU-2025:15797-1, fixes one vulnerability in the libpng12-0 package on openSUSE Tumbleweed.

openSUSE-SU-2025-20143-1: important: Security update for git-bug
openSUSE-SU-2025:15796-1: moderate: go1.24-1.24.11-1.1 on GA media
openSUSE-SU-2025:15797-1: moderate: libpng12-0-1.2.59-4.1 on GA media




openSUSE-SU-2025-20143-1: important: Security update for git-bug


openSUSE security update: security update for git-bug
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2025-20143-1
Rating: important
References:

* bsc#1234565
* bsc#1239494
* bsc#1251463
* bsc#1251664
* bsc#1253506
* bsc#1253930
* bsc#1254084

Cross-References:

* CVE-2024-45337
* CVE-2025-22869
* CVE-2025-47911
* CVE-2025-47913
* CVE-2025-47914
* CVE-2025-58181
* CVE-2025-58190

CVSS scores:

* CVE-2024-45337 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-22869 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-22869 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-47911 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-47911 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-47913 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-47913 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-47914 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-47914 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-58181 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-58181 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-58190 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-58190 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 7 vulnerabilities and has 7 bug fixes can now be installed.

Description:

This update for git-bug fixes the following issues:

Changes in git-bug:

- Revendor to include fixed version of depending libraries:
- GO-2025-4116 (CVE-2025-47913, bsc#1253506) upgrade
golang.org/x/crypto to v0.43.0
- GO-2025-3900 (GHSA-2464-8j7c-4cjm) upgrade
github.com/go-viper/mapstructure/v2 to v2.4.0
- GO-2025-3787 (GHSA-fv92-fjc5-jj9h) included in the previous
- GO-2025-3754 (GHSA-2x5j-vhc8-9cwm) upgrade
github.com/cloudflare/circl to v1.6.1
- GO-2025-4134 (CVE-2025-58181, bsc#1253930) upgrade
golang.org/x/crypto/ssh to v0.45.0
- GO-2025-4135 (CVE-2025-47914, bsc#1254084) upgrade
golang.org/x/crypto/ssh/agent to v0.45.0

- Revendor to include golang.org/x/net/html v 0.45.0 to prevent
possible DoS by various algorithms with quadratic complexity
when parsing HTML documents (bsc#1251463, CVE-2025-47911 and
bsc#1251664, CVE-2025-58190).

Update to version 0.10.1:

- cli: ignore missing sections when removing configuration (ddb22a2f)

Update to version 0.10.0:

- bridge: correct command used to create a new bridge (9942337b)
- web: simplify header navigation (7e95b169)
- webui: remark upgrade + gfm + syntax highlighting (6ee47b96)
- BREAKING CHANGE: dev-infra: remove gokart (89b880bd)

Update to version 0.10.0:

- bridge: correct command used to create a new bridge (9942337b)
- web: simplify header navigation (7e95b169)
- web: remark upgrade + gfm + syntax highlighting (6ee47b96)

Update to version 0.9.0:

- completion: remove errata from string literal (aa102c91)
- tui: improve readability of the help bar (23be684a)

Update to version 0.8.1+git.1746484874.96c7a111:

* docs: update install, contrib, and usage documentation (#1222)
* fix: resolve the remote URI using url.*.insteadOf (#1394)
* build(deps): bump the go_modules group across 1 directory with 3 updates (#1376)
* chore: gofmt simplify gitlab/export_test.go (#1392)
* fix: checkout repo before setting up go environment (#1390)
* feat: bump to go v1.24.2 (#1389)
* chore: update golang.org/x/net (#1379)
* fix: use -0700 when formatting time (#1388)
* fix: use correct url for gitlab PATs (#1384)
* refactor: remove depdendency on pnpm for auto-label action (#1383)
* feat: add action: auto-label (#1380)
* feat: remove lifecycle/frozen (#1377)
* build(deps): bump the npm_and_yarn group across 1 directory with 12 updates (#1378)
* feat: support new exclusion label: lifecycle/pinned (#1375)
* fix: refactor how gitlab title changes are detected (#1370)
* revert: "Create Dependabot config file" (#1374)
* refactor: rename //:git-bug.go to //:main.go (#1373)
* build(deps): bump github.com/vektah/gqlparser/v2 from 2.5.16 to 2.5.25 (#1361)
* fix: set GitLastTag to an empty string when git-describe errors (#1355)
* chore: update go-git to v5@masterupdate_mods (#1284)
* refactor: Directly swap two variables to optimize code (#1272)
* Update README.md Matrix link to new room (#1275)

- Update to version 0.8.0+git.1742269202.0ab94c9:
* deps(crypto): bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for CVE-2024-45337) (#1312)

- Update golang.org/x/crypto/ssh to v0.35.0 (bsc#1239494,
CVE-2025-22869).

- Add missing Requires to completion subpackages.

Update to version 0.8.0+git.1733745604.d499b6e:

* fix typos in docs (#1266)
* build(deps): bump github.com/go-git/go-billy/v5 from 5.5.0 to 5.6.0 (#1289)

- bump golang.org/x/crypto from v0.26.0 to v0.31.0 (fix for CVE-2024-45337, bsc#1234565).

Patch instructions:

To install this openSUSE security update use the suse recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-packagehub-46=1

Package List:

- openSUSE Leap 16.0:

git-bug-0.10.1-bp160.1.1
git-bug-bash-completion-0.10.1-bp160.1.1
git-bug-fish-completion-0.10.1-bp160.1.1
git-bug-zsh-completion-0.10.1-bp160.1.1

References:

* https://www.suse.com/security/cve/CVE-2024-45337.html
* https://www.suse.com/security/cve/CVE-2025-22869.html
* https://www.suse.com/security/cve/CVE-2025-47911.html
* https://www.suse.com/security/cve/CVE-2025-47913.html
* https://www.suse.com/security/cve/CVE-2025-47914.html
* https://www.suse.com/security/cve/CVE-2025-58181.html
* https://www.suse.com/security/cve/CVE-2025-58190.html



openSUSE-SU-2025:15796-1: moderate: go1.24-1.24.11-1.1 on GA media


# go1.24-1.24.11-1.1 on GA media

Announcement ID: openSUSE-SU-2025:15796-1
Rating: moderate

Cross-References:

* CVE-2025-61727
* CVE-2025-61729

CVSS scores:

* CVE-2025-61727 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-61727 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-61729 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-61729 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves 2 vulnerabilities can now be installed.

## Description:

These are all security issues fixed in the go1.24-1.24.11-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
* go1.24 1.24.11-1.1
* go1.24-doc 1.24.11-1.1
* go1.24-libstd 1.24.11-1.1
* go1.24-race 1.24.11-1.1

## References:

* https://www.suse.com/security/cve/CVE-2025-61727.html
* https://www.suse.com/security/cve/CVE-2025-61729.html



openSUSE-SU-2025:15797-1: moderate: libpng12-0-1.2.59-4.1 on GA media


# libpng12-0-1.2.59-4.1 on GA media

Announcement ID: openSUSE-SU-2025:15797-1
Rating: moderate

Cross-References:

* CVE-2025-64505

CVSS scores:

* CVE-2025-64505 ( SUSE ): 6.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
* CVE-2025-64505 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the libpng12-0-1.2.59-4.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
* libpng12-0 1.2.59-4.1
* libpng12-0-32bit 1.2.59-4.1
* libpng12-compat-devel 1.2.59-4.1
* libpng12-compat-devel-32bit 1.2.59-4.1
* libpng12-devel 1.2.59-4.1
* libpng12-devel-32bit 1.2.59-4.1

## References:

* https://www.suse.com/security/cve/CVE-2025-64505.html


Thunderbird, HaProxy, Kernel, and more updates for Oracle Linux

Linux Kernel updates for Ubuntu

Windows

Linux

macOS

Community

  • dhamu
    Hello Phil, I have a Linux Tutorial website that curre ...
  • StephanX
    Hi friends, i am new in the Linux universe but i try to ...
  • Philipp
    I would try the XanMod kernel: https://xanmod.orgĀ  I ...