SUSE Linux has been updated with security enhancements for kanidm, git-lfs, and augeas, addressing moderate and low security vulnerabilities:

openSUSE-SU-2025:0152-1: moderate: Security update for kanidm
openSUSE-SU-2025:0153-1: moderate: Security update for git-lfs
SUSE-SU-2025:1534-1: low: Security update for augeas

openSUSE-SU-2025:0152-1: moderate: Security update for kanidm

openSUSE Security Update: Security update for kanidm
_______________________________

Announcement ID: openSUSE-SU-2025:0152-1
Rating: moderate
References: #1242642
Cross-References: CVE-2025-3416
CVSS scores:
CVE-2025-3416 (SUSE): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________

An update that fixes one vulnerability is now available.

Description:

This update for kanidm fixes the following issues:

- Update to version 1.6.2~git0.a20663ea8:
* Release 1.6.2
* fix: clippy
* maint: typo in log message
* Set kid manually to prevent divergence
* Order keys in application JWKS / Fix rotation bug
* Fix toml issues with strings

- Update to version 1.6.1~git0.2e4429eca:
* Release 1.6.1
* Resolve reload of oauth2 on startup (#3604)

- CVE-2025-3416: Fixed openssl use after free (boo#1242642)

- Update to version 1.6.0~git0.d7ae0f336:
* Release 1.6.0
* Avoid openssl for md4
* Fixes #3586, inverts the navbar button color (#3593)
* Release 1.6.0-pre
* chore: Release Notes (#3588)
* Do not require instances to exist during optional config load (#3591)
* Fix std::fmt::Display for some objects (#3587)
* Drop fernet in favour of JWE (#3577)
* docs: document how to configure oauth2 for opkssh (#3566)
* Add kanidm_ssh_authorizedkeys_direct to client deb (#3585)
* Bump the all group in /pykanidm with 2 updates (#3581)
* Update dependencies, fix a bunch of clippy lints (#3576)
* Support spaces in ssh key comments (#3575)
* 20250402 3423 proxy protocol (#3542)
* fix(web): Preserve SSH key content on form validation error (#3574)
* Bump the all group in /pykanidm with 3 updates (#3572)
* Bump the all group in /pykanidm with 2 updates (#3564)
* Bump crossbeam-channel from 0.5.14 to 0.5.15 in the cargo group (#3560)
* Improve token handling (#3553)
* Bump tokio from 1.44.1 to 1.44.2 in the cargo group (#3549)
* Update fs4 and improve klock handling (#3551)
* Less footguns (#3552)
* Unify unix config parser (#3533)
* Bump openssl from 0.10.71 to 0.10.72 in the cargo group (#3544)
* Bump the all group in /pykanidm with 8 updates (#3547)
* implement notify-reload protocol (#3540)
* Allow versioning of server configs (#3515)
* 20250314 remove protected plugin (#3504)
* Bump the all group with 10 updates (#3539)
* Bump mozilla-actions/sccache-action from 0.0.8 to 0.0.9 in the all
group (#3538)
* Bump the all group in /pykanidm with 4 updates (#3537)
* Add max_ber_size to freeipa sync (#3530)
* Bump the all group in /pykanidm with 5 updates (#3524)
* Update Concread
* Update developer_ethics.md (#3520)
* Update examples.md (#3519)
* Make schema indexing a boolean instead of index types (#3517)
* Add missing lld dependency and fix syntax typo (#3490)
* Update shell.nix to work with stable nixpkgs (#3514)
* Improve unixd tasks channel comments (#3510)
* Update kanidm_ppa_automation reference to latest (#3512)
* Add set-description to group tooling (#3511)
* packaging: Add kanidmd deb package, update documentation (#3506)
* Bump the all group in /pykanidm with 5 updates (#3508)
* 20250313 unixd system cache (#3501)
* Support rfc2307 memberUid in sync operations. (#3466)
* Bump mozilla-actions/sccache-action from 0.0.7 to 0.0.8 in the all
group (#3496)
* Update Traefik config example to remove invalid label (#3500)
* Add uid/gid allocation table (#3498)
* 20250225 ldap testing in testkit (#3460)
* Bump the all group in /pykanidm with 5 updates (#3494)
* Bump ring from 0.17.10 to 0.17.13 in the cargo group (#3491)
* Handle form-post as a response mode (#3467)
* book: fix english (#3487)
* Correct paths with Kanidm Tools Container (#3486)
* 20250225 improve test performance (#3459)
* Bump the all group in /pykanidm with 8 updates (#3484)
* Use lld by default on linux (#3477)
* 20250213 patch used wrong acp (#3432)
* Android support (#3475)
* Changed all CI/CD builds to locked (#3471)
* Make it a bit clearer that providers are needed (#3468)
* Fix incorrect credential generation in radius docs (#3465)
* Add crypt formats for password import (#3458)
* build: Create daemon image from scratch (#3452)
* address webfinger doc feedbacks (#3446)
* Bump the all group across 1 directory with 5 updates (#3453)
* [htmx] Admin ui for groups and users management (#3019)
* Fixes #3406: add configurable maximum queryable attributes for LDAP
(#3431)
* Accept invalid certs and fix token_cache_path (#3439)
* Accept lowercase ldap pwd hashes (#3444)
* TOTP label verification (#3419)
* Rewrite WebFinger docs (#3443)
* doc: fix formatting of URL table, remove Caddyfile instructions (#3442)
* book: add OAuth2 Proxy example (#3434)
* Exempt idm_admin and admin from denied names. (#3429)
* Book fixes (#3433)
* ci: uniform Docker builds (#3430)
* 20240213 3413 domain displayname (#3425)
* Correct path to kanidm config example in documentation. (#3424)
* Support redirect uris with query parameters (#3422)
* Update to 1.6.0-dev (#3418)
* Remove white background from square logo. (#3417)
* feat: Added webfinger implementation (#3410)
* Bump the all group in /pykanidm with 7 updates (#3412)

- Update to version 1.5.0~git2.21c2a1bd0:
* fix: documentation fail (#3555)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP6:

zypper in -t patch openSUSE-2025-152=1

Package List:

- openSUSE Backports SLE-15-SP6 (aarch64 x86_64):

kanidm-1.6.2~git0.a20663ea8-bp156.29.1
kanidm-clients-1.6.2~git0.a20663ea8-bp156.29.1
kanidm-clients-debuginfo-1.6.2~git0.a20663ea8-bp156.29.1
kanidm-debuginfo-1.6.2~git0.a20663ea8-bp156.29.1
kanidm-debugsource-1.6.2~git0.a20663ea8-bp156.29.1
kanidm-docs-1.6.2~git0.a20663ea8-bp156.29.1
kanidm-server-1.6.2~git0.a20663ea8-bp156.29.1
kanidm-server-debuginfo-1.6.2~git0.a20663ea8-bp156.29.1
kanidm-unixd-clients-1.6.2~git0.a20663ea8-bp156.29.1
kanidm-unixd-clients-debuginfo-1.6.2~git0.a20663ea8-bp156.29.1

References:

https://www.suse.com/security/cve/CVE-2025-3416.html
https://bugzilla.suse.com/1242642

openSUSE-SU-2025:0153-1: moderate: Security update for git-lfs

openSUSE Security Update: Security update for git-lfs
_______________________________

Announcement ID: openSUSE-SU-2025:0153-1
Rating: moderate
References: #1235876
Cross-References: CVE-2024-53263
Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________

An update that fixes one vulnerability is now available.

Description:

This update for git-lfs fixes the following issues:

Update to 3.6.1: (boo#1235876):

This release introduces a security fix for all platforms, which has been
assigned CVE-2024-53263.

When requesting credentials from Git for a remote host, prior versions
of Git LFS passed portions of the host's URL to the git-credential(1)
command without checking for embedded line-ending control characters, and
then sent any credentials received back from the Git credential helper to
the remote host. By inserting URL-encoded control characters such as line
feed (LF) or carriage return (CR) characters into the URL, an attacker
might have been able to retrieve a user's Git credentials. Git LFS now
prevents bare line feed (LF) characters from being included in the values
sent to the git-credential(1) command, and also prevents bare carriage
return (CR) characters from being included unless the
credential.protectProtocol configuration
option is set to a value equivalent to false.

* Bugs

- Reject bare line-ending control characters in Git credential
requests (@chrisd8088)

update to version 3.6.0:

- https://github.com/git-lfs/git-lfs/releases/tag/v3.6.0

update to 3.5.1:

* Build release assets with Go 1.21 #5668 (@bk2204)
* script/packagecloud: instantiate distro map properly #5662 (@bk2204)
* Install msgfmt on Windows in CI and release workflows #5666
(@chrisd8088)

update to version 3.4.1:

- https://github.com/git-lfs/git-lfs/releases/tag/v3.4.1

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP6:

zypper in -t patch openSUSE-2025-153=1

Package List:

- openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64):

git-lfs-3.6.1-bp156.2.3.1

References:

https://www.suse.com/security/cve/CVE-2024-53263.html
https://bugzilla.suse.com/1235876

SUSE-SU-2025:1534-1: low: Security update for augeas

# Security update for augeas

Announcement ID: SUSE-SU-2025:1534-1
Release Date: 2025-05-12T16:01:07Z
Rating: low
References:

* bsc#1239909

Cross-References:

* CVE-2025-2588

CVSS scores:

* CVE-2025-2588 ( SUSE ): 4.8
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2025-2588 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-2588 ( NVD ): 4.8
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2025-2588 ( NVD ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-2588 ( NVD ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Affected Products:

* Basesystem Module 15-SP6
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves one vulnerability can now be installed.

## Description:

This update for augeas fixes the following issues:

* CVE-2025-2588: Check for NULL pointers when calling re_case_expand in
function fa_expand_nocase. (bsc#1239909)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.6
zypper in -t patch SUSE-2025-1534=1 openSUSE-SLE-15.6-2025-1534=1

* Basesystem Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP6-2025-1534=1

## Package List:

* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
* augeas-devel-1.14.1-150600.3.3.1
* libfa1-debuginfo-1.14.1-150600.3.3.1
* augeas-lense-tests-1.14.1-150600.3.3.1
* augeas-debugsource-1.14.1-150600.3.3.1
* libaugeas0-debuginfo-1.14.1-150600.3.3.1
* augeas-debuginfo-1.14.1-150600.3.3.1
* augeas-bash-completion-1.14.1-150600.3.3.1
* libaugeas0-1.14.1-150600.3.3.1
* augeas-lenses-1.14.1-150600.3.3.1
* libfa1-1.14.1-150600.3.3.1
* augeas-1.14.1-150600.3.3.1
* openSUSE Leap 15.6 (x86_64)
* augeas-devel-32bit-1.14.1-150600.3.3.1
* libfa1-32bit-1.14.1-150600.3.3.1
* libaugeas0-32bit-debuginfo-1.14.1-150600.3.3.1
* libaugeas0-32bit-1.14.1-150600.3.3.1
* libfa1-32bit-debuginfo-1.14.1-150600.3.3.1
* openSUSE Leap 15.6 (aarch64_ilp32)
* libfa1-64bit-1.14.1-150600.3.3.1
* libaugeas0-64bit-debuginfo-1.14.1-150600.3.3.1
* libfa1-64bit-debuginfo-1.14.1-150600.3.3.1
* libaugeas0-64bit-1.14.1-150600.3.3.1
* augeas-devel-64bit-1.14.1-150600.3.3.1
* Basesystem Module 15-SP6 (aarch64 ppc64le s390x x86_64)
* augeas-devel-1.14.1-150600.3.3.1
* libfa1-debuginfo-1.14.1-150600.3.3.1
* augeas-debugsource-1.14.1-150600.3.3.1
* libaugeas0-debuginfo-1.14.1-150600.3.3.1
* augeas-debuginfo-1.14.1-150600.3.3.1
* libaugeas0-1.14.1-150600.3.3.1
* augeas-lenses-1.14.1-150600.3.3.1
* libfa1-1.14.1-150600.3.3.1
* augeas-1.14.1-150600.3.3.1

## References:

* https://www.suse.com/security/cve/CVE-2025-2588.html
* https://bugzilla.suse.com/show_bug.cgi?id=1239909