SUSE-SU-2025:02832-1: important: Security update for the Linux Kernel (Live Patch 58 for SLE 15 SP3)
SUSE-SU-2025:02833-1: important: Security update for the Linux Kernel (Live Patch 29 for SLE 15 SP4)
SUSE-SU-2025:02834-1: important: Security update for the Linux Kernel (Live Patch 38 for SLE 15 SP4)
SUSE-SU-2025:02842-1: important: Security update for postgresql13
openSUSE-SU-2025:0303-1: important: Security update for trivy
openSUSE-SU-2025:0302-1: important: Security update for trivy
SUSE-SU-2025:02849-1: important: Security update for the Linux Kernel
SUSE-SU-2025:02852-1: important: Security update for the Linux Kernel
SUSE-SU-2025:02857-1: important: Security update for the Linux Kernel (Live Patch 57 for SLE 15 SP3)
# Security update for the Linux Kernel (Live Patch 58 for SLE 15 SP3)
Announcement ID: SUSE-SU-2025:02832-1
Release Date: 2025-08-17T06:03:55Z
Rating: important
References:
* bsc#1244631
* bsc#1245218
* bsc#1245350
* bsc#1247350
* bsc#1247351
Cross-References:
* CVE-2024-36978
* CVE-2025-38079
* CVE-2025-38083
* CVE-2025-38494
* CVE-2025-38495
CVSS scores:
* CVE-2024-36978 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-36978 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38079 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38079 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38083 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38494 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38494 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38495 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38495 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
* openSUSE Leap 15.3
* SUSE Linux Enterprise High Performance Computing 15 SP3
* SUSE Linux Enterprise Live Patching 15-SP3
* SUSE Linux Enterprise Micro 5.1
* SUSE Linux Enterprise Micro 5.2
* SUSE Linux Enterprise Server 15 SP3
* SUSE Linux Enterprise Server for SAP Applications 15 SP3
An update that solves five vulnerabilities can now be installed.
## Description:
This update for the Linux Kernel 5.3.18-150300_59_207 fixes several issues.
The following security issues were fixed:
* CVE-2025-38494: HID: core: do not bypass hid_hw_raw_request (bsc#1247350).
* CVE-2025-38495: HID: core: ensure the allocated report buffer can contain
the reserved report ID (bsc#1247351).
* CVE-2025-38079: crypto: algif_hash - fix double free in hash_accept
(bsc#1245218).
* CVE-2025-38083: net_sched: prio: fix a race in prio_tune() (bsc#1245350).
* CVE-2024-36978: net: sched: sch_multiq: fix possible OOB write in
multiq_tune() (bsc#1244631).
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.3
  `zypper in -t patch SUSE-2025-2832=1`
* SUSE Linux Enterprise Live Patching 15-SP3
  `zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP3-2025-2832=1`
## Package List:
* openSUSE Leap 15.3 (ppc64le s390x x86_64)
  * kernel-livepatch-5_3_18-150300_59_207-default-3-150300.2.1
  * kernel-livepatch-SLE15-SP3_Update_58-debugsource-3-150300.2.1
  * kernel-livepatch-5_3_18-150300_59_207-default-debuginfo-3-150300.2.1
* openSUSE Leap 15.3 (x86_64)
  * kernel-livepatch-5_3_18-150300_59_207-preempt-3-150300.2.1
  * kernel-livepatch-5_3_18-150300_59_207-preempt-debuginfo-3-150300.2.1
* SUSE Linux Enterprise Live Patching 15-SP3 (ppc64le s390x x86_64)
  * kernel-livepatch-5_3_18-150300_59_207-default-3-150300.2.1
  * kernel-livepatch-SLE15-SP3_Update_58-debugsource-3-150300.2.1
  * kernel-livepatch-5_3_18-150300_59_207-default-debuginfo-3-150300.2.1
## References:
* https://www.suse.com/security/cve/CVE-2024-36978.html
* https://www.suse.com/security/cve/CVE-2025-38079.html
* https://www.suse.com/security/cve/CVE-2025-38083.html
* https://www.suse.com/security/cve/CVE-2025-38494.html
* https://www.suse.com/security/cve/CVE-2025-38495.html
* https://bugzilla.suse.com/show_bug.cgi?id=1244631
* https://bugzilla.suse.com/show_bug.cgi?id=1245218
* https://bugzilla.suse.com/show_bug.cgi?id=1245350
* https://bugzilla.suse.com/show_bug.cgi?id=1247350
* https://bugzilla.suse.com/show_bug.cgi?id=1247351
# Security update for the Linux Kernel (Live Patch 29 for SLE 15 SP4)
Announcement ID: SUSE-SU-2025:02833-1
Release Date: 2025-08-17T09:03:59Z
Rating: important
References:
* bsc#1232927
* bsc#1244631
* bsc#1245218
* bsc#1245350
* bsc#1247350
* bsc#1247351
Cross-References:
* CVE-2024-36978
* CVE-2025-38079
* CVE-2025-38083
* CVE-2025-38494
* CVE-2025-38495
CVSS scores:
* CVE-2024-36978 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-36978 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38079 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38079 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38083 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38494 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38494 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38495 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38495 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
* openSUSE Leap 15.4
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise Live Patching 15-SP4
* SUSE Linux Enterprise Micro 5.3
* SUSE Linux Enterprise Micro 5.4
* SUSE Linux Enterprise Real Time 15 SP4
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
An update that solves five vulnerabilities and has one security fix can now be
installed.
## Description:
This update for the Linux Kernel 5.14.21-150400_24_128 fixes several issues.
The following security issues were fixed:
* CVE-2025-38494: HID: core: do not bypass hid_hw_raw_request (bsc#1247350).
* CVE-2025-38495: HID: core: ensure the allocated report buffer can contain
the reserved report ID (bsc#1247351).
* CVE-2025-38079: crypto: algif_hash - fix double free in hash_accept
(bsc#1245218).
* CVE-2025-38083: net_sched: prio: fix a race in prio_tune() (bsc#1245350).
* CVE-2024-36978: net: sched: sch_multiq: fix possible OOB write in
multiq_tune() (bsc#1244631).
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.4
  `zypper in -t patch SUSE-2025-2833=1`
* SUSE Linux Enterprise Live Patching 15-SP4
  `zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP4-2025-2833=1`
## Package List:
* openSUSE Leap 15.4 (ppc64le s390x x86_64)
  * kernel-livepatch-5_14_21-150400_24_128-default-15-150400.2.1
  * kernel-livepatch-5_14_21-150400_24_128-default-debuginfo-15-150400.2.1
  * kernel-livepatch-SLE15-SP4_Update_29-debugsource-15-150400.2.1
* SUSE Linux Enterprise Live Patching 15-SP4 (ppc64le s390x x86_64)
  * kernel-livepatch-5_14_21-150400_24_128-default-15-150400.2.1
  * kernel-livepatch-5_14_21-150400_24_128-default-debuginfo-15-150400.2.1
  * kernel-livepatch-SLE15-SP4_Update_29-debugsource-15-150400.2.1
## References:
* https://www.suse.com/security/cve/CVE-2024-36978.html
* https://www.suse.com/security/cve/CVE-2025-38079.html
* https://www.suse.com/security/cve/CVE-2025-38083.html
* https://www.suse.com/security/cve/CVE-2025-38494.html
* https://www.suse.com/security/cve/CVE-2025-38495.html
* https://bugzilla.suse.com/show_bug.cgi?id=1232927
* https://bugzilla.suse.com/show_bug.cgi?id=1244631
* https://bugzilla.suse.com/show_bug.cgi?id=1245218
* https://bugzilla.suse.com/show_bug.cgi?id=1245350
* https://bugzilla.suse.com/show_bug.cgi?id=1247350
* https://bugzilla.suse.com/show_bug.cgi?id=1247351
# Security update for the Linux Kernel (Live Patch 38 for SLE 15 SP4)
Announcement ID: SUSE-SU-2025:02834-1
Release Date: 2025-08-17T12:04:04Z
Rating: important
References:
* bsc#1232927
* bsc#1244631
* bsc#1245218
* bsc#1245350
* bsc#1247350
* bsc#1247351
Cross-References:
* CVE-2024-36978
* CVE-2025-38079
* CVE-2025-38083
* CVE-2025-38494
* CVE-2025-38495
CVSS scores:
* CVE-2024-36978 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-36978 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38079 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38079 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38083 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38494 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38494 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38495 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38495 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
* openSUSE Leap 15.4
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise Live Patching 15-SP4
* SUSE Linux Enterprise Micro 5.3
* SUSE Linux Enterprise Micro 5.4
* SUSE Linux Enterprise Real Time 15 SP4
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
An update that solves five vulnerabilities and has one security fix can now be
installed.
## Description:
This update for the Linux Kernel 5.14.21-150400_24_158 fixes several issues.
The following security issues were fixed:
* CVE-2025-38494: HID: core: do not bypass hid_hw_raw_request (bsc#1247350).
* CVE-2025-38495: HID: core: ensure the allocated report buffer can contain
the reserved report ID (bsc#1247351).
* CVE-2025-38079: crypto: algif_hash - fix double free in hash_accept
(bsc#1245218).
* CVE-2025-38083: net_sched: prio: fix a race in prio_tune() (bsc#1245350).
* CVE-2024-36978: net: sched: sch_multiq: fix possible OOB write in
multiq_tune() (bsc#1244631).
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.4
  `zypper in -t patch SUSE-2025-2834=1`
* SUSE Linux Enterprise Live Patching 15-SP4
  `zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP4-2025-2834=1`
## Package List:
* openSUSE Leap 15.4 (ppc64le s390x x86_64)
  * kernel-livepatch-5_14_21-150400_24_158-default-4-150400.2.1
  * kernel-livepatch-SLE15-SP4_Update_38-debugsource-4-150400.2.1
  * kernel-livepatch-5_14_21-150400_24_158-default-debuginfo-4-150400.2.1
* SUSE Linux Enterprise Live Patching 15-SP4 (ppc64le s390x x86_64)
  * kernel-livepatch-5_14_21-150400_24_158-default-4-150400.2.1
  * kernel-livepatch-SLE15-SP4_Update_38-debugsource-4-150400.2.1
  * kernel-livepatch-5_14_21-150400_24_158-default-debuginfo-4-150400.2.1
## References:
* https://www.suse.com/security/cve/CVE-2024-36978.html
* https://www.suse.com/security/cve/CVE-2025-38079.html
* https://www.suse.com/security/cve/CVE-2025-38083.html
* https://www.suse.com/security/cve/CVE-2025-38494.html
* https://www.suse.com/security/cve/CVE-2025-38495.html
* https://bugzilla.suse.com/show_bug.cgi?id=1232927
* https://bugzilla.suse.com/show_bug.cgi?id=1244631
* https://bugzilla.suse.com/show_bug.cgi?id=1245218
* https://bugzilla.suse.com/show_bug.cgi?id=1245350
* https://bugzilla.suse.com/show_bug.cgi?id=1247350
* https://bugzilla.suse.com/show_bug.cgi?id=1247351
# Security update for postgresql13
Announcement ID: SUSE-SU-2025:02842-1
Release Date: 2025-08-18T12:33:33Z
Rating: important
References:
* bsc#1248119
* bsc#1248120
* bsc#1248122
Cross-References:
* CVE-2025-8713
* CVE-2025-8714
* CVE-2025-8715
CVSS scores:
* CVE-2025-8713 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2025-8713 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
* CVE-2025-8713 ( NVD ): 3.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
* CVE-2025-8714 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-8714 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2025-8714 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2025-8715 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-8715 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2025-8715 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
* openSUSE Leap 15.6
An update that solves three vulnerabilities can now be installed.
## Description:
This update for postgresql13 fixes the following issues:
Upgrade to 13.22:
* CVE-2025-8713: optimizer statistics can expose sampled data within a view,
partition, or child table (bsc#1248120).
* CVE-2025-8714: untrusted data inclusion in `pg_dump` lets superuser of
origin server execute arbitrary code in psql client (bsc#1248122).
* CVE-2025-8715: improper neutralization of newlines in `pg_dump` allows
execution of arbitrary code in psql client and in restore target server
(bsc#1248119).
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.6
  `zypper in -t patch SUSE-2025-2842=1 openSUSE-SLE-15.6-2025-2842=1`
## Package List:
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
  * postgresql13-plpython-debuginfo-13.22-150600.14.11.1
  * postgresql13-13.22-150600.14.11.1
  * postgresql13-contrib-13.22-150600.14.11.1
  * postgresql13-llvmjit-devel-13.22-150600.14.11.1
  * postgresql13-pltcl-debuginfo-13.22-150600.14.11.1
  * postgresql13-debugsource-13.22-150600.14.11.1
  * postgresql13-server-devel-debuginfo-13.22-150600.14.11.1
  * postgresql13-devel-13.22-150600.14.11.1
  * postgresql13-test-13.22-150600.14.11.1
  * postgresql13-llvmjit-debuginfo-13.22-150600.14.11.1
  * postgresql13-pltcl-13.22-150600.14.11.1
  * postgresql13-plperl-13.22-150600.14.11.1
  * postgresql13-server-devel-13.22-150600.14.11.1
  * postgresql13-server-debuginfo-13.22-150600.14.11.1
  * postgresql13-server-13.22-150600.14.11.1
  * postgresql13-llvmjit-13.22-150600.14.11.1
  * postgresql13-debuginfo-13.22-150600.14.11.1
  * postgresql13-contrib-debuginfo-13.22-150600.14.11.1
  * postgresql13-plperl-debuginfo-13.22-150600.14.11.1
  * postgresql13-devel-debuginfo-13.22-150600.14.11.1
  * postgresql13-plpython-13.22-150600.14.11.1
* openSUSE Leap 15.6 (noarch)
  * postgresql13-docs-13.22-150600.14.11.1
## References:
* https://www.suse.com/security/cve/CVE-2025-8713.html
* https://www.suse.com/security/cve/CVE-2025-8714.html
* https://www.suse.com/security/cve/CVE-2025-8715.html
* https://bugzilla.suse.com/show_bug.cgi?id=1248119
* https://bugzilla.suse.com/show_bug.cgi?id=1248120
* https://bugzilla.suse.com/show_bug.cgi?id=1248122
openSUSE-SU-2025:0303-1: important: Security update for trivy
openSUSE Security Update: Security update for trivy
_______________________________
Announcement ID: openSUSE-SU-2025:0303-1
Rating: important
References: #1232948 #1235265 #1246151
Cross-References: CVE-2024-45338 CVE-2024-51744 CVE-2025-53547
CVSS scores:
CVE-2024-45338 (SUSE): 8.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVE-2024-51744 (SUSE): 2.1 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVE-2025-53547 (SUSE): 8.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H
Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________
An update that fixes three vulnerabilities is now available.
Description:
This update for trivy fixes the following issues:
- CVE-2025-53547: Fixed code execution in Helm Chart (boo#1246151)
- Update to version 0.64.1:
* release: v0.64.1 [release/v0.64] (#9122)
* fix(misconf): skip rewriting expr if attr is nil [backport:
release/v0.64] (#9127)
* fix(cli): Add more non-sensitive flags to telemetry [backport:
release/v0.64] (#9124)
* fix(rootio): check full version to detect `root.io` packages
[backport: release/v0.64] (#9120)
* fix(alma): parse epochs from rpmqa file [backport: release/v0.64]
(#9119)
* release: v0.64.0 [main] (#8955)
* docs(python): fix type with METADATA file name (#9090)
* feat: reject unsupported artifact types in remote image retrieval
(#9052)
* chore(deps): bump github.com/go-viper/mapstructure/v2 from 2.2.1 to
2.3.0 (#9088)
* refactor(misconf): rewrite Rego module filtering using functional
filters (#9061)
* feat(terraform): add partial evaluation for policy templates (#8967)
* feat(vuln): add Root.io support for container image scanning (#9073)
* feat(sbom): add manufacturer field to CycloneDX tools metadata (#9019)
* fix(cli): add some values to the telemetry call (#9056)
* feat(ubuntu): add end of life date for Ubuntu 25.04 (#9077)
* refactor: centralize HTTP transport configuration (#9058)
* test: include integration tests in linting and fix all issues (#9060)
* chore(deps): bump the common group across 1 directory with 26 updates
(#9063)
* feat(java): dereference all maven settings.xml env placeholders (#9024)
* fix(misconf): reduce log noise on incompatible check (#9029)
* fix(misconf): .Config.User always takes precedence over USER in
.History (#9050)
* chore(deps): update Docker to v28.2.2 and fix compatibility issues
(#9037)
* docs(misconf): simplify misconfiguration docs (#9030)
* fix(misconf): move disabled checks filtering after analyzer scan
(#9002)
* docs: add PR review policy for maintainers (#9032)
* fix(sbom): remove unnecessary OS detection check in SBOM decoding
(#9034)
* test: improve and extend tests for iac/adapters/arm (#9028)
* chore: bump up Go version to 1.24.4 (#9031)
* feat(cli): add version constraints to annoucements (#9023)
* fix(misconf): correct Azure value-to-time conversion in AsTimeValue
(#9015)
* feat(ubuntu): add eol date for 20.04-ESM (#8981)
* fix(report): don't panic when report contains vulns, but doesn't
contain packages for `table` format (#8549)
* fix(nodejs): correctly parse `packages` array of `bun.lock` file
(#8998)
* refactor: use strings.SplitSeq instead of strings.Split in for-loop
(#8983)
* docs: change --disable-metrics to --disable-telemetry in example
(#8999) (#9003)
* feat(misconf): add OpenTofu file extension support (#8747)
* refactor(misconf): set Trivy version by default in Rego scanner (#9001)
* docs: fix assets with versioning (#8996)
* docs: add partners page (#8988)
* chore(alpine): add EOL date for Alpine 3.22 (#8992)
* fix: don't show corrupted trivy-db warning for first run (#8991)
* Update installation.md (#8979)
* feat(misconf): normalize CreatedBy for buildah and legacy docker
builder (#8953)
* chore(k8s): update comments with deprecated command format (#8964)
* chore: fix errors and typos in docs (#8963)
* fix: Add missing version check flags (#8951)
* feat(redhat): Add EOL date for RHEL 10. (#8910)
* fix: Correctly check for semver versions for trivy version check
(#8948)
* refactor(server): change custom advisory and vulnerability data types
fr??? (#8923)
* ci(helm): bump Trivy version to 0.63.0 for Trivy Helm Chart 0.15.0
(#8946)
* release: v0.63.0 [main] (#8809)
* fix(misconf): use argument value in WithIncludeDeprecatedChecks (#8942)
* chore(deps): Bump trivy-checks (#8934)
* fix(julia): add `Relationship` field support (#8939)
* feat(minimos): Add support for MinimOS (#8792)
* feat(alpine): add maintainer field extraction for APK packages (#8930)
* feat(echo): Add Echo Support (#8833)
* fix(redhat): Also try to find buildinfo in root layer (layer 0) (#8924)
* fix(wolfi): support new APK database location (#8937)
* feat(k8s): get components from namespaced resources (#8918)
* refactor(cloudformation): remove unused ScanFile method from Scanner
(#8927)
* refactor(terraform): remove result sorting from scanner (#8928)
* feat(misconf): Add support for `Minimum Trivy Version` (#8880)
* docs: improve skipping files documentation (#8749)
* feat(cli): Add available version checking (#8553)
* feat(nodejs): add a bun.lock analyzer (#8897)
* feat: terraform parser option to set current working directory (#8909)
* perf(secret): only match secrets of meaningful length, allow example
strings to not be matched (#8602)
* feat(misconf): export raw Terraform data to Rego (#8741)
* refactor(terraform): simplify AllReferences method signature in
Attribute (#8906)
* fix: check post-analyzers for StaticPaths (#8904)
* feat: add Bottlerocket OS package analyzer (#8653)
* feat(license): improve work text licenses with custom classification
(#8888)
* chore(deps): bump github.com/containerd/containerd/v2 from 2.1.0 to
2.1.1 (#8901)
* chore(deps): bump the common group across 1 directory with 9 updates
(#8887)
* refactor(license): simplify compound license scanning (#8896)
* feat(license): Support compound licenses (licenses using SPDX
operators) (#8816)
* fix(k8s): use in-memory cache backend during misconfig scanning (#8873)
* feat(nodejs): add bun.lock parser (#8851)
* feat(license): improve work with custom classification of licenses
from config file (#8861)
* fix(cli): disable `--skip-dir` and `--skip-files` flags for `sbom`
command (#8886)
* fix: julia parser panicing (#8883)
* refactor(db): change logic to detect wrong DB (#8864)
* fix(cli): don't use allow values for `--compliance` flag (#8881)
* docs(misconf): Reorganize misconfiguration scan pages (#8206)
* fix(server): add missed Relationship field for `rpc` (#8872)
* feat: add JSONC support for comments and trailing commas (#8862)
* fix(vex): use `lo.IsNil` to check `VEX` from OCI artifact (#8858)
* feat(go): support license scanning in both GOPATH and vendor (#8843)
* fix(redhat): save contentSets for OS packages in fs/vm modes (#8820)
* fix: filter all files when processing files installed from package
managers (#8842)
* feat(misconf): add misconfiguration location to junit template (#8793)
* docs(vuln): remove OSV for Python from data sources (#8841)
* chore: add an issue template for maintainers (#8838)
* chore: enable staticcheck (#8815)
* ci(helm): bump Trivy version to 0.62.1 for Trivy Helm Chart 0.14.1
(#8836)
* feat(license): scan vendor directory for license for go.mod files
(#8689)
* docs(java): Update info about dev deps in gradle lock (#8830)
* chore(deps): bump golang.org/x/sync from 0.13.0 to 0.14.0 in the
common group (#8822)
* fix(java): exclude dev dependencies in gradle lockfile (#8803)
* fix: octalLiteral from go-critic (#8811)
* fix(redhat): trim invalid suffix from content_sets in manifest parsing
(#8818)
* chore(deps): bump the common group across 1 directory with 10 updates
(#8817)
* fix: use-any from revive (#8810)
* fix: more revive rules (#8814)
* docs: change in java.md: fix the Trity -to-> Trivy typo (#8813)
* fix(misconf): check if for-each is known when expanding dyn block
(#8808)
* ci(helm): bump Trivy version to 0.62.0 for Trivy Helm Chart 0.14.0
(#8802)
- Update to version 0.62.1:
* release: v0.62.1 [release/v0.62] (#8825)
* chore(deps): bump the common group across 1 directory with 10 updates
[backport: release/v0.62] (#8831)
* fix(misconf): check if for-each is known when expanding dyn block
[backport: release/v0.62] (#8826)
* fix(redhat): trim invalid suffix from content_sets in manifest parsing
[backport: release/v0.62] (#8824)
* release: v0.62.0 [main] (#8669)
* feat(nodejs): add root and workspace for `yarn` packages (#8535)
* fix: unused-parameter rule from revive (#8794)
* chore(deps): Update trivy-checks (#8798)
* fix: early-return, indent-error-flow and superfluous-else rules from
revive (#8796)
* fix(k8s): remove using `last-applied-configuration` (#8791)
* refactor(misconf): remove unused methods from providers (#8781)
* refactor(misconf): remove unused methods from iac types (#8782)
* fix(misconf): filter null nodes when parsing json manifest (#8785)
* fix: testifylint last issues (#8768)
* fix(misconf): perform operations on attribute safely (#8774)
* refactor(ubuntu): update time handling for fixing time (#8780)
* chore(deps): bump golangci-lint to v2.1.2 (#8766)
* feat(image): save layers metadata into report (#8394)
* feat(misconf): convert AWS managed policy to document (#8757)
* chore(deps): bump the docker group across 1 directory with 3 updates
(#8762)
* ci(helm): bump Trivy version to 0.61.1 for Trivy Helm Chart 0.13.1
(#8753)
* ci(helm): create a helm branch for patches from main (#8673)
* fix(terraform): hcl object expressions to return references (#8271)
* chore(terraform): option to pass in instanced logger (#8738)
* ci: use `Skitionek/notify-microsoft-teams` instead of `aquasecurity`
fork (#8740)
* chore(terraform): remove os.OpenPath call from terraform file
functions (#8737)
* chore(deps): bump the common group across 1 directory with 23 updates
(#8733)
* feat(rust): add root and workspace relationships/package for `cargo`
lock files (#8676)
* refactor(misconf): remove module outputs from parser.EvaluateAll
(#8587)
* fix(misconf): populate context correctly for module instances (#8656)
* fix(misconf): check if metadata is not nil (#8647)
* refactor(misconf): switch to x/json (#8719)
* fix(report): clean buffer after flushing (#8725)
* ci: improve PR title validation workflow (#8720)
* refactor(flag): improve flag system architecture and extensibility
(#8718)
* fix(terraform): `evaluateStep` to correctly set `EvalContext` for
multiple instances of blocks (#8555)
* refactor: migrate from `github.com/aquasecurity/jfather` to
`github.com/go-json-experiment/json` (#8591)
* feat(misconf): support auto_provisioning_defaults in
google_container_cluster (#8705)
* ci: use `github.event.pull_request.user.login` for release PR check
workflow (#8702)
* refactor: add hook interface for extended functionality (#8585)
* fix(misconf): add missing variable as unknown (#8683)
* docs: Update maintainer docs (#8674)
* ci(vuln): reduce github action script injection attack risk (#8610)
* fix(secret): ignore .dist-info directories during secret scanning
(#8646)
* fix(server): fix redis key when trying to delete blob (#8649)
* chore(deps): bump the testcontainers group with 2 updates (#8650)
* test: use `aquasecurity` repository for test images (#8677)
* chore(deps): bump the aws group across 1 directory with 5 updates
(#8652)
* fix(k8s): skip passed misconfigs for the summary report (#8684)
* fix(k8s): correct compare artifact versions (#8682)
* chore: update Docker lib (#8681)
* refactor(misconf): remove unused terraform attribute methods (#8657)
* feat(misconf): add option to pass Rego scanner to IaC scanner (#8369)
* chore: typo fix to replace `rego` with `repo` on the RepoFlagGroup
options error output (#8643)
* docs: Add info about helm charts release (#8640)
* ci(helm): bump Trivy version to 0.61.0 for Trivy Helm Chart 0.13.0
(#8638)
- Update to version 0.61.1:
* release: v0.61.1 [release/v0.61] (#8704)
* fix(k8s): skip passed misconfigs for the summary report [backport:
release/v0.61] (#8748)
* fix(k8s): correct compare artifact versions [backport: release/v0.61]
(#8699)
* test: use `aquasecurity` repository for test images [backport:
release/v0.61] (#8698)
* release: v0.61.0 [main] (#8507)
* fix(misconf): Improve logging for unsupported checks (#8634)
* feat(k8s): add support for controllers (#8614)
* fix(debian): don't include empty licenses for `dpkgs` (#8623)
* fix(misconf): Check values wholly prior to evalution (#8604)
* chore(deps): Bump trivy-checks (#8619)
* fix(k8s): show report for `--report all` (#8613)
* chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2
(#8597)
* refactor: rename scanner to service (#8584)
* fix(misconf): do not skip loading documents from subdirectories (#8526)
* refactor(misconf): get a block or attribute without calling HasChild
(#8586)
* fix(misconf): identify the chart file exactly by name (#8590)
* test: use table-driven tests in Helm scanner tests (#8592)
* refactor(misconf): Simplify misconfig checks bundle parsing (#8533)
* chore(deps): bump the common group across 1 directory with 10 updates
(#8566)
* fix(misconf): do not use cty.NilVal for non-nil values (#8567)
* docs(cli): improve flag value display format (#8560)
* fix(misconf): set default values for
AWS::EKS::Cluster.ResourcesVpcConfig (#8548)
* docs: remove slack (#8565)
* fix: use `--file-patterns` flag for all post analyzers (#7365)
* docs(python): Mention pip-compile (#8484)
* feat(misconf): adapt aws_opensearch_domain (#8550)
* feat(misconf): adapt AWS::EC2::VPC (#8534)
* docs: fix a broken link (#8546)
* fix(fs): check postAnalyzers for StaticPaths (#8543)
* refactor(misconf): remove unused methods for ec2.Instance (#8536)
* feat(misconf): adapt aws_default_security_group (#8538)
* feat(fs): optimize scanning performance by direct file access for
known paths (#8525)
* feat(misconf): adapt AWS::DynamoDB::Table (#8529)
* style: Fix MD syntax in self-hosting.md (#8523)
* perf(misconf): retrieve check metadata from annotations once (#8478)
* feat(misconf): Add support for aws_ami (#8499)
* fix(misconf): skip Azure CreateUiDefinition (#8503)
* refactor(misconf): use OPA v1 (#8518)
* fix(misconf): add ephemeral block type to config schema (#8513)
* perf(misconf): parse input for Rego once (#8483)
* feat: replace TinyGo with standard Go for WebAssembly modules (#8496)
* chore: replace deprecated tenv linter with usetesting (#8504)
* fix(spdx): save text licenses into `otherLicenses` without normalize
(#8502)
* chore(deps): bump the common group across 1 directory with 13 updates
(#8491)
* chore: use go.mod for managing Go tools (#8493)
* ci(helm): bump Trivy version to 0.60.0 for Trivy Helm Chart 0.12.0
(#8494)
* release: v0.60.0 [main] (#8327)
* fix(sbom): improve logic for binding direct dependency to parent
component (#8489)
* chore(deps): remove missed replace of `trivy-db` (#8492)
* chore(deps): bump alpine from 3.21.0 to 3.21.3 in the docker group
across 1 directory (#8490)
* chore(deps): update Go to 1.24 and switch to go-version-file (#8388)
* docs: add abbreviation list (#8453)
* chore(terraform): assign *terraform.Module 'parent' field (#8444)
* feat: add report summary table (#8177)
* chore(deps): bump the github-actions group with 3 updates (#8473)
* refactor(vex): improve SBOM reference handling with project standards
(#8457)
* ci: update GitHub Actions cache to v4 (#8475)
* feat: add `--vuln-severity-source` flag (#8269)
* fix(os): add mapping OS aliases (#8466)
* chore(deps): bump the aws group across 1 directory with 7 updates
(#8468)
* chore(deps): Bump trivy-checks to v1.7.1 (#8467)
* refactor(report): write tables after rendering all results (#8357)
* docs: update VEX documentation index page (#8458)
* fix(db): fix case when 2 trivy-db were copied at the same time (#8452)
* feat(misconf): render causes for Terraform (#8360)
* fix(misconf): fix incorrect k8s locations due to JSON to YAML
conversion (#8073)
* feat(cyclonedx): Add initial support for loading external VEX files
from SBOM references (#8254)
* chore(deps): update go-rustaudit location (#8450)
* fix: update all documentation links (#8045)
* chore(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5
(#8443)
* chore(deps): bump the common group with 6 updates (#8411)
* fix(k8s): add missed option `PkgRelationships` (#8442)
* fix(sbom): add SBOM file's filePath as Application FilePath if we
can't detect its path (#8346)
* feat(go): fix parsing main module version for go >= 1.24 (#8433)
* refactor(misconf): make Rego scanner independent of config type (#7517)
* fix(image): disable AVD-DS-0007 for history scanning (#8366)
* fix(server): secrets inspectation for the config analyzer in client
server mode (#8418)
* chore: remove mockery (#8417)
* test(server): replace mock driver with memory cache in server tests
(#8416)
* test: replace mock with memory cache and fix non-deterministic tests
(#8410)
* test: replace mock with memory cache in scanner tests (#8413)
* test: use memory cache (#8403)
* fix(spdx): init `pkgFilePaths` map for all formats (#8380)
* chore(deps): bump the common group across 1 directory with 11 updates
(#8381)
* docs: correct Ruby documentation (#8402)
* chore: bump `mockery` to update v2.52.2 version and rebuild mock files
(#8390)
* fix: don't use `scope` for `trivy registry login` command (#8393)
* fix(go): merge nested flags into string for ldflags for Go binaries
(#8368)
* chore(terraform): export module path on terraform modules (#8374)
* fix(terraform): apply parser options to submodule parsing (#8377)
* docs: Fix typos in documentation (#8361)
* docs: fix navigate links (#8336)
* ci(helm): bump Trivy version to 0.59.1 for Trivy Helm Chart 0.11.1
(#8354)
* ci(spdx): add `aqua-installer` step to fix `mage` error (#8353)
* chore: remove debug prints (#8347)
* fix(misconf): do not log scanners when misconfig scanning is disabled
(#8345)
* fix(report): remove html escaping for `shortDescription` and
`fullDescription` fields for sarif reports (#8344)
* chore(deps): bump Go to `v1.23.5` (#8341)
* fix(python): add `poetry` v2 support (#8323)
* chore(deps): bump the github-actions group across 1 directory with 4
updates (#8331)
* fix(misconf): ecs include enhanced for container insights (#8326)
* fix(sbom): preserve OS packages from multiple SBOMs (#8325)
* ci(helm): bump Trivy version to 0.59.0 for Trivy Helm Chart 0.11.0
(#8311)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP6:
zypper in -t patch openSUSE-2025-303=1
Package List:
- openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64):
trivy-0.64.1-bp156.2.12.1
References:
https://www.suse.com/security/cve/CVE-2024-45338.html
https://www.suse.com/security/cve/CVE-2024-51744.html
https://www.suse.com/security/cve/CVE-2025-53547.html
https://bugzilla.suse.com/1232948
https://bugzilla.suse.com/1235265
https://bugzilla.suse.com/1246151
openSUSE-SU-2025:0302-1: important: Security update for trivy
openSUSE Security Update: Security update for trivy
_______________________________
Announcement ID: openSUSE-SU-2025:0302-1
Rating: important
References: #1232948 #1235265 #1246151
Cross-References: CVE-2024-45338 CVE-2024-51744 CVE-2025-53547
CVSS scores:
CVE-2024-45338 (SUSE): 8.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVE-2024-51744 (SUSE): 2.1 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVE-2025-53547 (SUSE): 8.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H
Affected Products:
openSUSE Backports SLE-15-SP7
_______________________________
An update that fixes three vulnerabilities is now available.
Description:
This update for trivy fixes the following issues:
- CVE-2025-53547: Fixed code execution in Helm Chart (boo#1246151)
- Update to version 0.64.1:
* release: v0.64.1 [release/v0.64] (#9122)
* fix(misconf): skip rewriting expr if attr is nil [backport:
release/v0.64] (#9127)
* fix(cli): Add more non-sensitive flags to telemetry [backport:
release/v0.64] (#9124)
* fix(rootio): check full version to detect `root.io` packages
[backport: release/v0.64] (#9120)
* fix(alma): parse epochs from rpmqa file [backport: release/v0.64]
(#9119)
* release: v0.64.0 [main] (#8955)
* docs(python): fix type with METADATA file name (#9090)
* feat: reject unsupported artifact types in remote image retrieval
(#9052)
* chore(deps): bump github.com/go-viper/mapstructure/v2 from 2.2.1 to
2.3.0 (#9088)
* refactor(misconf): rewrite Rego module filtering using functional
filters (#9061)
* feat(terraform): add partial evaluation for policy templates (#8967)
* feat(vuln): add Root.io support for container image scanning (#9073)
* feat(sbom): add manufacturer field to CycloneDX tools metadata (#9019)
* fix(cli): add some values to the telemetry call (#9056)
* feat(ubuntu): add end of life date for Ubuntu 25.04 (#9077)
* refactor: centralize HTTP transport configuration (#9058)
* test: include integration tests in linting and fix all issues (#9060)
* chore(deps): bump the common group across 1 directory with 26 updates
(#9063)
* feat(java): dereference all maven settings.xml env placeholders (#9024)
* fix(misconf): reduce log noise on incompatible check (#9029)
* fix(misconf): .Config.User always takes precedence over USER in
.History (#9050)
* chore(deps): update Docker to v28.2.2 and fix compatibility issues
(#9037)
* docs(misconf): simplify misconfiguration docs (#9030)
* fix(misconf): move disabled checks filtering after analyzer scan
(#9002)
* docs: add PR review policy for maintainers (#9032)
* fix(sbom): remove unnecessary OS detection check in SBOM decoding
(#9034)
* test: improve and extend tests for iac/adapters/arm (#9028)
* chore: bump up Go version to 1.24.4 (#9031)
* feat(cli): add version constraints to annoucements (#9023)
* fix(misconf): correct Azure value-to-time conversion in AsTimeValue
(#9015)
* feat(ubuntu): add eol date for 20.04-ESM (#8981)
* fix(report): don't panic when report contains vulns, but doesn't
contain packages for `table` format (#8549)
* fix(nodejs): correctly parse `packages` array of `bun.lock` file
(#8998)
* refactor: use strings.SplitSeq instead of strings.Split in for-loop
(#8983)
* docs: change --disable-metrics to --disable-telemetry in example
(#8999) (#9003)
* feat(misconf): add OpenTofu file extension support (#8747)
* refactor(misconf): set Trivy version by default in Rego scanner (#9001)
* docs: fix assets with versioning (#8996)
* docs: add partners page (#8988)
* chore(alpine): add EOL date for Alpine 3.22 (#8992)
* fix: don't show corrupted trivy-db warning for first run (#8991)
* Update installation.md (#8979)
* feat(misconf): normalize CreatedBy for buildah and legacy docker
builder (#8953)
* chore(k8s): update comments with deprecated command format (#8964)
* chore: fix errors and typos in docs (#8963)
* fix: Add missing version check flags (#8951)
* feat(redhat): Add EOL date for RHEL 10. (#8910)
* fix: Correctly check for semver versions for trivy version check
(#8948)
* refactor(server): change custom advisory and vulnerability data types
fr??? (#8923)
* ci(helm): bump Trivy version to 0.63.0 for Trivy Helm Chart 0.15.0
(#8946)
* release: v0.63.0 [main] (#8809)
* fix(misconf): use argument value in WithIncludeDeprecatedChecks (#8942)
* chore(deps): Bump trivy-checks (#8934)
* fix(julia): add `Relationship` field support (#8939)
* feat(minimos): Add support for MinimOS (#8792)
* feat(alpine): add maintainer field extraction for APK packages (#8930)
* feat(echo): Add Echo Support (#8833)
* fix(redhat): Also try to find buildinfo in root layer (layer 0) (#8924)
* fix(wolfi): support new APK database location (#8937)
* feat(k8s): get components from namespaced resources (#8918)
* refactor(cloudformation): remove unused ScanFile method from Scanner
(#8927)
* refactor(terraform): remove result sorting from scanner (#8928)
* feat(misconf): Add support for `Minimum Trivy Version` (#8880)
* docs: improve skipping files documentation (#8749)
* feat(cli): Add available version checking (#8553)
* feat(nodejs): add a bun.lock analyzer (#8897)
* feat: terraform parser option to set current working directory (#8909)
* perf(secret): only match secrets of meaningful length, allow example
strings to not be matched (#8602)
* feat(misconf): export raw Terraform data to Rego (#8741)
* refactor(terraform): simplify AllReferences method signature in
Attribute (#8906)
* fix: check post-analyzers for StaticPaths (#8904)
* feat: add Bottlerocket OS package analyzer (#8653)
* feat(license): improve work text licenses with custom classification
(#8888)
* chore(deps): bump github.com/containerd/containerd/v2 from 2.1.0 to
2.1.1 (#8901)
* chore(deps): bump the common group across 1 directory with 9 updates
(#8887)
* refactor(license): simplify compound license scanning (#8896)
* feat(license): Support compound licenses (licenses using SPDX
operators) (#8816)
* fix(k8s): use in-memory cache backend during misconfig scanning (#8873)
* feat(nodejs): add bun.lock parser (#8851)
* feat(license): improve work with custom classification of licenses
from config file (#8861)
* fix(cli): disable `--skip-dir` and `--skip-files` flags for `sbom`
command (#8886)
* fix: julia parser panicing (#8883)
* refactor(db): change logic to detect wrong DB (#8864)
* fix(cli): don't use allow values for `--compliance` flag (#8881)
* docs(misconf): Reorganize misconfiguration scan pages (#8206)
* fix(server): add missed Relationship field for `rpc` (#8872)
* feat: add JSONC support for comments and trailing commas (#8862)
* fix(vex): use `lo.IsNil` to check `VEX` from OCI artifact (#8858)
* feat(go): support license scanning in both GOPATH and vendor (#8843)
* fix(redhat): save contentSets for OS packages in fs/vm modes (#8820)
* fix: filter all files when processing files installed from package
managers (#8842)
* feat(misconf): add misconfiguration location to junit template (#8793)
* docs(vuln): remove OSV for Python from data sources (#8841)
* chore: add an issue template for maintainers (#8838)
* chore: enable staticcheck (#8815)
* ci(helm): bump Trivy version to 0.62.1 for Trivy Helm Chart 0.14.1
(#8836)
* feat(license): scan vendor directory for license for go.mod files
(#8689)
* docs(java): Update info about dev deps in gradle lock (#8830)
* chore(deps): bump golang.org/x/sync from 0.13.0 to 0.14.0 in the
common group (#8822)
* fix(java): exclude dev dependencies in gradle lockfile (#8803)
* fix: octalLiteral from go-critic (#8811)
* fix(redhat): trim invalid suffix from content_sets in manifest parsing
(#8818)
* chore(deps): bump the common group across 1 directory with 10 updates
(#8817)
* fix: use-any from revive (#8810)
* fix: more revive rules (#8814)
* docs: change in java.md: fix the Trity -to-> Trivy typo (#8813)
* fix(misconf): check if for-each is known when expanding dyn block
(#8808)
* ci(helm): bump Trivy version to 0.62.0 for Trivy Helm Chart 0.14.0
(#8802)
- Update to version 0.62.1:
* release: v0.62.1 [release/v0.62] (#8825)
* chore(deps): bump the common group across 1 directory with 10 updates
[backport: release/v0.62] (#8831)
* fix(misconf): check if for-each is known when expanding dyn block
[backport: release/v0.62] (#8826)
* fix(redhat): trim invalid suffix from content_sets in manifest parsing
[backport: release/v0.62] (#8824)
* release: v0.62.0 [main] (#8669)
* feat(nodejs): add root and workspace for `yarn` packages (#8535)
* fix: unused-parameter rule from revive (#8794)
* chore(deps): Update trivy-checks (#8798)
* fix: early-return, indent-error-flow and superfluous-else rules from
revive (#8796)
* fix(k8s): remove using `last-applied-configuration` (#8791)
* refactor(misconf): remove unused methods from providers (#8781)
* refactor(misconf): remove unused methods from iac types (#8782)
* fix(misconf): filter null nodes when parsing json manifest (#8785)
* fix: testifylint last issues (#8768)
* fix(misconf): perform operations on attribute safely (#8774)
* refactor(ubuntu): update time handling for fixing time (#8780)
* chore(deps): bump golangci-lint to v2.1.2 (#8766)
* feat(image): save layers metadata into report (#8394)
* feat(misconf): convert AWS managed policy to document (#8757)
* chore(deps): bump the docker group across 1 directory with 3 updates
(#8762)
* ci(helm): bump Trivy version to 0.61.1 for Trivy Helm Chart 0.13.1
(#8753)
* ci(helm): create a helm branch for patches from main (#8673)
* fix(terraform): hcl object expressions to return references (#8271)
* chore(terraform): option to pass in instanced logger (#8738)
* ci: use `Skitionek/notify-microsoft-teams` instead of `aquasecurity`
fork (#8740)
* chore(terraform): remove os.OpenPath call from terraform file
functions (#8737)
* chore(deps): bump the common group across 1 directory with 23 updates
(#8733)
* feat(rust): add root and workspace relationships/package for `cargo`
lock files (#8676)
* refactor(misconf): remove module outputs from parser.EvaluateAll
(#8587)
* fix(misconf): populate context correctly for module instances (#8656)
* fix(misconf): check if metadata is not nil (#8647)
* refactor(misconf): switch to x/json (#8719)
* fix(report): clean buffer after flushing (#8725)
* ci: improve PR title validation workflow (#8720)
* refactor(flag): improve flag system architecture and extensibility
(#8718)
* fix(terraform): `evaluateStep` to correctly set `EvalContext` for
multiple instances of blocks (#8555)
* refactor: migrate from `github.com/aquasecurity/jfather` to
`github.com/go-json-experiment/json` (#8591)
* feat(misconf): support auto_provisioning_defaults in
google_container_cluster (#8705)
* ci: use `github.event.pull_request.user.login` for release PR check
workflow (#8702)
* refactor: add hook interface for extended functionality (#8585)
* fix(misconf): add missing variable as unknown (#8683)
* docs: Update maintainer docs (#8674)
* ci(vuln): reduce github action script injection attack risk (#8610)
* fix(secret): ignore .dist-info directories during secret scanning
(#8646)
* fix(server): fix redis key when trying to delete blob (#8649)
* chore(deps): bump the testcontainers group with 2 updates (#8650)
* test: use `aquasecurity` repository for test images (#8677)
* chore(deps): bump the aws group across 1 directory with 5 updates
(#8652)
* fix(k8s): skip passed misconfigs for the summary report (#8684)
* fix(k8s): correct compare artifact versions (#8682)
* chore: update Docker lib (#8681)
* refactor(misconf): remove unused terraform attribute methods (#8657)
* feat(misconf): add option to pass Rego scanner to IaC scanner (#8369)
* chore: typo fix to replace `rego` with `repo` on the RepoFlagGroup
options error output (#8643)
* docs: Add info about helm charts release (#8640)
* ci(helm): bump Trivy version to 0.61.0 for Trivy Helm Chart 0.13.0
(#8638)
- Update to version 0.61.1:
* release: v0.61.1 [release/v0.61] (#8704)
* fix(k8s): skip passed misconfigs for the summary report [backport:
release/v0.61] (#8748)
* fix(k8s): correct compare artifact versions [backport: release/v0.61]
(#8699)
* test: use `aquasecurity` repository for test images [backport:
release/v0.61] (#8698)
* release: v0.61.0 [main] (#8507)
* fix(misconf): Improve logging for unsupported checks (#8634)
* feat(k8s): add support for controllers (#8614)
* fix(debian): don't include empty licenses for `dpkgs` (#8623)
* fix(misconf): Check values wholly prior to evalution (#8604)
* chore(deps): Bump trivy-checks (#8619)
* fix(k8s): show report for `--report all` (#8613)
* chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2
(#8597)
* refactor: rename scanner to service (#8584)
* fix(misconf): do not skip loading documents from subdirectories (#8526)
* refactor(misconf): get a block or attribute without calling HasChild
(#8586)
* fix(misconf): identify the chart file exactly by name (#8590)
* test: use table-driven tests in Helm scanner tests (#8592)
* refactor(misconf): Simplify misconfig checks bundle parsing (#8533)
* chore(deps): bump the common group across 1 directory with 10 updates
(#8566)
* fix(misconf): do not use cty.NilVal for non-nil values (#8567)
* docs(cli): improve flag value display format (#8560)
* fix(misconf): set default values for
AWS::EKS::Cluster.ResourcesVpcConfig (#8548)
* docs: remove slack (#8565)
* fix: use `--file-patterns` flag for all post analyzers (#7365)
* docs(python): Mention pip-compile (#8484)
* feat(misconf): adapt aws_opensearch_domain (#8550)
* feat(misconf): adapt AWS::EC2::VPC (#8534)
* docs: fix a broken link (#8546)
* fix(fs): check postAnalyzers for StaticPaths (#8543)
* refactor(misconf): remove unused methods for ec2.Instance (#8536)
* feat(misconf): adapt aws_default_security_group (#8538)
* feat(fs): optimize scanning performance by direct file access for
known paths (#8525)
* feat(misconf): adapt AWS::DynamoDB::Table (#8529)
* style: Fix MD syntax in self-hosting.md (#8523)
* perf(misconf): retrieve check metadata from annotations once (#8478)
* feat(misconf): Add support for aws_ami (#8499)
* fix(misconf): skip Azure CreateUiDefinition (#8503)
* refactor(misconf): use OPA v1 (#8518)
* fix(misconf): add ephemeral block type to config schema (#8513)
* perf(misconf): parse input for Rego once (#8483)
* feat: replace TinyGo with standard Go for WebAssembly modules (#8496)
* chore: replace deprecated tenv linter with usetesting (#8504)
* fix(spdx): save text licenses into `otherLicenses` without normalize
(#8502)
* chore(deps): bump the common group across 1 directory with 13 updates
(#8491)
* chore: use go.mod for managing Go tools (#8493)
* ci(helm): bump Trivy version to 0.60.0 for Trivy Helm Chart 0.12.0
(#8494)
* release: v0.60.0 [main] (#8327)
* fix(sbom): improve logic for binding direct dependency to parent
component (#8489)
* chore(deps): remove missed replace of `trivy-db` (#8492)
* chore(deps): bump alpine from 3.21.0 to 3.21.3 in the docker group
across 1 directory (#8490)
* chore(deps): update Go to 1.24 and switch to go-version-file (#8388)
* docs: add abbreviation list (#8453)
* chore(terraform): assign *terraform.Module 'parent' field (#8444)
* feat: add report summary table (#8177)
* chore(deps): bump the github-actions group with 3 updates (#8473)
* refactor(vex): improve SBOM reference handling with project standards
(#8457)
* ci: update GitHub Actions cache to v4 (#8475)
* feat: add `--vuln-severity-source` flag (#8269)
* fix(os): add mapping OS aliases (#8466)
* chore(deps): bump the aws group across 1 directory with 7 updates
(#8468)
* chore(deps): Bump trivy-checks to v1.7.1 (#8467)
* refactor(report): write tables after rendering all results (#8357)
* docs: update VEX documentation index page (#8458)
* fix(db): fix case when 2 trivy-db were copied at the same time (#8452)
* feat(misconf): render causes for Terraform (#8360)
* fix(misconf): fix incorrect k8s locations due to JSON to YAML
conversion (#8073)
* feat(cyclonedx): Add initial support for loading external VEX files
from SBOM references (#8254)
* chore(deps): update go-rustaudit location (#8450)
* fix: update all documentation links (#8045)
* chore(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5
(#8443)
* chore(deps): bump the common group with 6 updates (#8411)
* fix(k8s): add missed option `PkgRelationships` (#8442)
* fix(sbom): add SBOM file's filePath as Application FilePath if we
can't detect its path (#8346)
* feat(go): fix parsing main module version for go >= 1.24 (#8433)
* refactor(misconf): make Rego scanner independent of config type (#7517)
* fix(image): disable AVD-DS-0007 for history scanning (#8366)
* fix(server): secrets inspectation for the config analyzer in client
server mode (#8418)
* chore: remove mockery (#8417)
* test(server): replace mock driver with memory cache in server tests
(#8416)
* test: replace mock with memory cache and fix non-deterministic tests
(#8410)
* test: replace mock with memory cache in scanner tests (#8413)
* test: use memory cache (#8403)
* fix(spdx): init `pkgFilePaths` map for all formats (#8380)
* chore(deps): bump the common group across 1 directory with 11 updates
(#8381)
* docs: correct Ruby documentation (#8402)
* chore: bump `mockery` to update v2.52.2 version and rebuild mock files
(#8390)
* fix: don't use `scope` for `trivy registry login` command (#8393)
* fix(go): merge nested flags into string for ldflags for Go binaries
(#8368)
* chore(terraform): export module path on terraform modules (#8374)
* fix(terraform): apply parser options to submodule parsing (#8377)
* docs: Fix typos in documentation (#8361)
* docs: fix navigate links (#8336)
* ci(helm): bump Trivy version to 0.59.1 for Trivy Helm Chart 0.11.1
(#8354)
* ci(spdx): add `aqua-installer` step to fix `mage` error (#8353)
* chore: remove debug prints (#8347)
* fix(misconf): do not log scanners when misconfig scanning is disabled
(#8345)
* fix(report): remove html escaping for `shortDescription` and
`fullDescription` fields for sarif reports (#8344)
* chore(deps): bump Go to `v1.23.5` (#8341)
* fix(python): add `poetry` v2 support (#8323)
* chore(deps): bump the github-actions group across 1 directory with 4
updates (#8331)
* fix(misconf): ecs include enhanced for container insights (#8326)
* fix(sbom): preserve OS packages from multiple SBOMs (#8325)
* ci(helm): bump Trivy version to 0.59.0 for Trivy Helm Chart 0.11.0
(#8311)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP7:
zypper in -t patch openSUSE-2025-302=1
Package List:
- openSUSE Backports SLE-15-SP7 (aarch64 i586 ppc64le s390x x86_64):
trivy-0.64.1-bp157.2.3.1
References:
https://www.suse.com/security/cve/CVE-2024-45338.html
https://www.suse.com/security/cve/CVE-2024-51744.html
https://www.suse.com/security/cve/CVE-2025-53547.html
https://bugzilla.suse.com/1232948
https://bugzilla.suse.com/1235265
https://bugzilla.suse.com/1246151
SUSE-SU-2025:02849-1: important: Security update for the Linux Kernel
# Security update for the Linux Kernel
Announcement ID: SUSE-SU-2025:02849-1
Release Date: 2025-08-18T15:57:08Z
Rating: important
References:
* bsc#1206051
* bsc#1221829
* bsc#1229334
* bsc#1234863
* bsc#1236104
* bsc#1236333
* bsc#1238160
* bsc#1239644
* bsc#1240185
* bsc#1240799
* bsc#1242414
* bsc#1242780
* bsc#1244309
* bsc#1245217
* bsc#1245431
* bsc#1245506
* bsc#1245711
* bsc#1245986
* bsc#1246000
* bsc#1246029
* bsc#1246037
* bsc#1246045
* bsc#1246073
* bsc#1246186
* bsc#1246781
* bsc#1247314
* bsc#1247347
* bsc#1247348
* bsc#1247349
* bsc#1247437
Cross-References:
* CVE-2022-49138
* CVE-2022-49770
* CVE-2023-52923
* CVE-2023-52927
* CVE-2023-53117
* CVE-2024-26643
* CVE-2024-42265
* CVE-2024-53164
* CVE-2024-57947
* CVE-2025-21881
* CVE-2025-21971
* CVE-2025-37798
* CVE-2025-38079
* CVE-2025-38088
* CVE-2025-38120
* CVE-2025-38177
* CVE-2025-38181
* CVE-2025-38200
* CVE-2025-38206
* CVE-2025-38212
* CVE-2025-38213
* CVE-2025-38257
* CVE-2025-38350
* CVE-2025-38468
* CVE-2025-38477
* CVE-2025-38494
* CVE-2025-38495
* CVE-2025-38497
CVSS scores:
* CVE-2022-49138 ( SUSE ): 2.0
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2022-49138 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
* CVE-2022-49770 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-52923 ( SUSE ): 5.7
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2023-52923 ( SUSE ): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-52927 ( SUSE ): 8.5
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2023-52927 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-52927 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-53117 ( SUSE ): 6.8
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2023-53117 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-26643 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-26643 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-42265 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
* CVE-2024-53164 ( SUSE ): 5.7
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2024-53164 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-57947 ( SUSE ): 7.3
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2024-57947 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-21881 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-21971 ( SUSE ): 8.5
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-21971 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-37798 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38079 ( SUSE ): 7.3
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38079 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38088 ( SUSE ): 8.5
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38088 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38120 ( SUSE ): 6.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2025-38120 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2025-38177 ( SUSE ): 7.3
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38177 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38181 ( SUSE ): 8.2
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38181 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-38200 ( SUSE ): 6.8
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38200 ( SUSE ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
* CVE-2025-38206 ( SUSE ): 7.3
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38206 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38212 ( SUSE ): 8.5
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38212 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38213 ( SUSE ): 8.4
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38213 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38257 ( SUSE ): 8.5
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38257 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38350 ( SUSE ): 7.0
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38350 ( SUSE ): 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
* CVE-2025-38468 ( SUSE ): 6.8
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38468 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-38477 ( SUSE ): 7.3
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38477 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38494 ( SUSE ): 8.5
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38494 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38495 ( SUSE ): 8.5
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38495 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38497 ( SUSE ): 5.8
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38497 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H
Affected Products:
* openSUSE Leap 15.4
* SUSE Linux Enterprise High Availability Extension 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise Live Patching 15-SP4
* SUSE Linux Enterprise Micro 5.3
* SUSE Linux Enterprise Micro 5.4
* SUSE Linux Enterprise Micro for Rancher 5.3
* SUSE Linux Enterprise Micro for Rancher 5.4
* SUSE Linux Enterprise Real Time 15 SP4
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Manager Proxy 4.3
* SUSE Manager Proxy 4.3 LTS
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Retail Branch Server 4.3 LTS
* SUSE Manager Server 4.3
* SUSE Manager Server 4.3 LTS
An update that solves 28 vulnerabilities and has two security fixes can now be
installed.
## Description:
This update provides the initial livepatch for this kernel update. This update
does not contain any fixes and will be updated with livepatches later.
## Special Instructions and Notes:
* Please reboot the system after installing this update.
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise High Availability Extension 15 SP4
zypper in -t patch SUSE-SLE-Product-HA-15-SP4-2025-2849=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-2849=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-2849=1
* SUSE Linux Enterprise Server 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-2849=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2025-2849=1
* SUSE Manager Proxy 4.3 LTS
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.3-LTS-2025-2849=1
* SUSE Manager Retail Branch Server 4.3 LTS
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.3-LTS-2025-2849=1
* SUSE Manager Server 4.3 LTS
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.3-LTS-2025-2849=1
* SUSE Linux Enterprise Live Patching 15-SP4
zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP4-2025-2849=1
Please note that this is the initial kernel livepatch, which itself contains no
fixes; the package is later updated by separate standalone kernel livepatch updates.
* openSUSE Leap 15.4
zypper in -t patch SUSE-2025-2849=1
* SUSE Linux Enterprise Micro for Rancher 5.3
zypper in -t patch SUSE-SLE-Micro-5.3-2025-2849=1
* SUSE Linux Enterprise Micro 5.3
zypper in -t patch SUSE-SLE-Micro-5.3-2025-2849=1
* SUSE Linux Enterprise Micro for Rancher 5.4
zypper in -t patch SUSE-SLE-Micro-5.4-2025-2849=1
* SUSE Linux Enterprise Micro 5.4
zypper in -t patch SUSE-SLE-Micro-5.4-2025-2849=1
## Package List:
* SUSE Linux Enterprise High Availability Extension 15 SP4 (aarch64 ppc64le
s390x x86_64)
* dlm-kmp-default-5.14.21-150400.24.173.1
* gfs2-kmp-default-debuginfo-5.14.21-150400.24.173.1
* ocfs2-kmp-default-5.14.21-150400.24.173.1
* ocfs2-kmp-default-debuginfo-5.14.21-150400.24.173.1
* dlm-kmp-default-debuginfo-5.14.21-150400.24.173.1
* cluster-md-kmp-default-debuginfo-5.14.21-150400.24.173.1
* kernel-default-debugsource-5.14.21-150400.24.173.1
* gfs2-kmp-default-5.14.21-150400.24.173.1
* cluster-md-kmp-default-5.14.21-150400.24.173.1
* kernel-default-debuginfo-5.14.21-150400.24.173.1
* SUSE Linux Enterprise High Availability Extension 15 SP4 (nosrc)
* kernel-default-5.14.21-150400.24.173.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64
nosrc)
* kernel-64kb-5.14.21-150400.24.173.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64)
* kernel-64kb-debuginfo-5.14.21-150400.24.173.1
* kernel-64kb-devel-debuginfo-5.14.21-150400.24.173.1
* kernel-64kb-debugsource-5.14.21-150400.24.173.1
* kernel-64kb-devel-5.14.21-150400.24.173.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 nosrc
x86_64)
* kernel-default-5.14.21-150400.24.173.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64
x86_64)
* kernel-default-base-5.14.21-150400.24.173.1.150400.24.88.1
* kernel-obs-build-debugsource-5.14.21-150400.24.173.1
* kernel-syms-5.14.21-150400.24.173.1
* reiserfs-kmp-default-5.14.21-150400.24.173.1
* reiserfs-kmp-default-debuginfo-5.14.21-150400.24.173.1
* kernel-default-devel-debuginfo-5.14.21-150400.24.173.1
* kernel-default-devel-5.14.21-150400.24.173.1
* kernel-default-debugsource-5.14.21-150400.24.173.1
* kernel-obs-build-5.14.21-150400.24.173.1
* kernel-default-debuginfo-5.14.21-150400.24.173.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
* kernel-devel-5.14.21-150400.24.173.1
* kernel-macros-5.14.21-150400.24.173.1
* kernel-source-5.14.21-150400.24.173.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch nosrc)
* kernel-docs-5.14.21-150400.24.173.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 nosrc)
* kernel-64kb-5.14.21-150400.24.173.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64)
* kernel-64kb-debuginfo-5.14.21-150400.24.173.1
* kernel-64kb-devel-debuginfo-5.14.21-150400.24.173.1
* kernel-64kb-debugsource-5.14.21-150400.24.173.1
* kernel-64kb-devel-5.14.21-150400.24.173.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 nosrc
x86_64)
* kernel-default-5.14.21-150400.24.173.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64
x86_64)
* kernel-default-base-5.14.21-150400.24.173.1.150400.24.88.1
* kernel-obs-build-debugsource-5.14.21-150400.24.173.1
* kernel-syms-5.14.21-150400.24.173.1
* reiserfs-kmp-default-5.14.21-150400.24.173.1
* reiserfs-kmp-default-debuginfo-5.14.21-150400.24.173.1
* kernel-default-devel-debuginfo-5.14.21-150400.24.173.1
* kernel-default-devel-5.14.21-150400.24.173.1
* kernel-default-debugsource-5.14.21-150400.24.173.1
* kernel-obs-build-5.14.21-150400.24.173.1
* kernel-default-debuginfo-5.14.21-150400.24.173.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
* kernel-devel-5.14.21-150400.24.173.1
* kernel-macros-5.14.21-150400.24.173.1
* kernel-source-5.14.21-150400.24.173.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch nosrc)
* kernel-docs-5.14.21-150400.24.173.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 nosrc)
* kernel-64kb-5.14.21-150400.24.173.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64)
* kernel-64kb-debuginfo-5.14.21-150400.24.173.1
* kernel-64kb-devel-debuginfo-5.14.21-150400.24.173.1
* kernel-64kb-debugsource-5.14.21-150400.24.173.1
* kernel-64kb-devel-5.14.21-150400.24.173.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64
nosrc)
* kernel-default-5.14.21-150400.24.173.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le x86_64)
* kernel-default-base-5.14.21-150400.24.173.1.150400.24.88.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64)
* kernel-obs-build-debugsource-5.14.21-150400.24.173.1
* kernel-syms-5.14.21-150400.24.173.1
* reiserfs-kmp-default-5.14.21-150400.24.173.1
* reiserfs-kmp-default-debuginfo-5.14.21-150400.24.173.1
* kernel-default-devel-debuginfo-5.14.21-150400.24.173.1
* kernel-default-devel-5.14.21-150400.24.173.1
* kernel-default-debugsource-5.14.21-150400.24.173.1
* kernel-obs-build-5.14.21-150400.24.173.1
* kernel-default-debuginfo-5.14.21-150400.24.173.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (noarch)
* kernel-devel-5.14.21-150400.24.173.1
* kernel-macros-5.14.21-150400.24.173.1
* kernel-source-5.14.21-150400.24.173.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (noarch nosrc)
* kernel-docs-5.14.21-150400.24.173.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (nosrc s390x)
* kernel-zfcpdump-5.14.21-150400.24.173.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (s390x)
* kernel-zfcpdump-debugsource-5.14.21-150400.24.173.1
* kernel-zfcpdump-debuginfo-5.14.21-150400.24.173.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (nosrc ppc64le
x86_64)
* kernel-default-5.14.21-150400.24.173.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
* kernel-default-base-5.14.21-150400.24.173.1.150400.24.88.1
* kernel-obs-build-debugsource-5.14.21-150400.24.173.1
* kernel-syms-5.14.21-150400.24.173.1
* reiserfs-kmp-default-5.14.21-150400.24.173.1
* reiserfs-kmp-default-debuginfo-5.14.21-150400.24.173.1
* kernel-default-devel-debuginfo-5.14.21-150400.24.173.1
* kernel-default-devel-5.14.21-150400.24.173.1
* kernel-default-debugsource-5.14.21-150400.24.173.1
* kernel-obs-build-5.14.21-150400.24.173.1
* kernel-default-debuginfo-5.14.21-150400.24.173.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
* kernel-devel-5.14.21-150400.24.173.1
* kernel-macros-5.14.21-150400.24.173.1
* kernel-source-5.14.21-150400.24.173.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch nosrc)
* kernel-docs-5.14.21-150400.24.173.1
* SUSE Manager Proxy 4.3 LTS (nosrc x86_64)
* kernel-default-5.14.21-150400.24.173.1
* SUSE Manager Proxy 4.3 LTS (x86_64)
* kernel-default-base-5.14.21-150400.24.173.1.150400.24.88.1
* kernel-syms-5.14.21-150400.24.173.1
* kernel-default-devel-debuginfo-5.14.21-150400.24.173.1
* kernel-default-devel-5.14.21-150400.24.173.1
* kernel-default-debugsource-5.14.21-150400.24.173.1
* kernel-default-debuginfo-5.14.21-150400.24.173.1
* SUSE Manager Proxy 4.3 LTS (noarch)
* kernel-devel-5.14.21-150400.24.173.1
* kernel-macros-5.14.21-150400.24.173.1
* kernel-source-5.14.21-150400.24.173.1
* SUSE Manager Retail Branch Server 4.3 LTS (nosrc x86_64)
* kernel-default-5.14.21-150400.24.173.1
* SUSE Manager Retail Branch Server 4.3 LTS (x86_64)
* kernel-default-base-5.14.21-150400.24.173.1.150400.24.88.1
* kernel-default-devel-debuginfo-5.14.21-150400.24.173.1
* kernel-default-devel-5.14.21-150400.24.173.1
* kernel-default-debugsource-5.14.21-150400.24.173.1
* kernel-default-debuginfo-5.14.21-150400.24.173.1
* SUSE Manager Retail Branch Server 4.3 LTS (noarch)
* kernel-devel-5.14.21-150400.24.173.1
* kernel-macros-5.14.21-150400.24.173.1
* SUSE Manager Server 4.3 LTS (nosrc ppc64le s390x x86_64)
* kernel-default-5.14.21-150400.24.173.1
* SUSE Manager Server 4.3 LTS (ppc64le x86_64)
* kernel-default-base-5.14.21-150400.24.173.1.150400.24.88.1
* SUSE Manager Server 4.3 LTS (ppc64le s390x x86_64)
* kernel-syms-5.14.21-150400.24.173.1
* kernel-default-devel-debuginfo-5.14.21-150400.24.173.1
* kernel-default-devel-5.14.21-150400.24.173.1
* kernel-default-debugsource-5.14.21-150400.24.173.1
* kernel-default-debuginfo-5.14.21-150400.24.173.1
* SUSE Manager Server 4.3 LTS (noarch)
* kernel-devel-5.14.21-150400.24.173.1
* kernel-macros-5.14.21-150400.24.173.1
* kernel-source-5.14.21-150400.24.173.1
* SUSE Manager Server 4.3 LTS (nosrc s390x)
* kernel-zfcpdump-5.14.21-150400.24.173.1
* SUSE Manager Server 4.3 LTS (s390x)
* kernel-zfcpdump-debugsource-5.14.21-150400.24.173.1
* kernel-zfcpdump-debuginfo-5.14.21-150400.24.173.1
* SUSE Linux Enterprise Live Patching 15-SP4 (nosrc)
* kernel-default-5.14.21-150400.24.173.1
* SUSE Linux Enterprise Live Patching 15-SP4 (ppc64le s390x x86_64)
* kernel-livepatch-SLE15-SP4_Update_43-debugsource-1-150400.9.3.1
* kernel-default-livepatch-5.14.21-150400.24.173.1
* kernel-livepatch-5_14_21-150400_24_173-default-1-150400.9.3.1
* kernel-default-debugsource-5.14.21-150400.24.173.1
* kernel-livepatch-5_14_21-150400_24_173-default-debuginfo-1-150400.9.3.1
* kernel-default-livepatch-devel-5.14.21-150400.24.173.1
* kernel-default-debuginfo-5.14.21-150400.24.173.1
* openSUSE Leap 15.4 (noarch nosrc)
* kernel-docs-5.14.21-150400.24.173.1
* openSUSE Leap 15.4 (noarch)
* kernel-devel-5.14.21-150400.24.173.1
* kernel-macros-5.14.21-150400.24.173.1
* kernel-source-vanilla-5.14.21-150400.24.173.1
* kernel-docs-html-5.14.21-150400.24.173.1
* kernel-source-5.14.21-150400.24.173.1
* openSUSE Leap 15.4 (aarch64 ppc64le x86_64)
* kernel-kvmsmall-debugsource-5.14.21-150400.24.173.1
* kernel-default-base-5.14.21-150400.24.173.1.150400.24.88.1
* kernel-kvmsmall-debuginfo-5.14.21-150400.24.173.1
* kernel-kvmsmall-devel-debuginfo-5.14.21-150400.24.173.1
* kernel-default-base-rebuild-5.14.21-150400.24.173.1.150400.24.88.1
* kernel-kvmsmall-devel-5.14.21-150400.24.173.1
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
* dlm-kmp-default-5.14.21-150400.24.173.1
* gfs2-kmp-default-debuginfo-5.14.21-150400.24.173.1
* kernel-obs-build-debugsource-5.14.21-150400.24.173.1
* cluster-md-kmp-default-5.14.21-150400.24.173.1
* kernel-default-debuginfo-5.14.21-150400.24.173.1
* kernel-default-extra-5.14.21-150400.24.173.1
* kernel-syms-5.14.21-150400.24.173.1
* kselftests-kmp-default-5.14.21-150400.24.173.1
* cluster-md-kmp-default-debuginfo-5.14.21-150400.24.173.1
* kernel-default-debugsource-5.14.21-150400.24.173.1
* gfs2-kmp-default-5.14.21-150400.24.173.1
* reiserfs-kmp-default-5.14.21-150400.24.173.1
* kernel-default-extra-debuginfo-5.14.21-150400.24.173.1
* reiserfs-kmp-default-debuginfo-5.14.21-150400.24.173.1
* kselftests-kmp-default-debuginfo-5.14.21-150400.24.173.1
* dlm-kmp-default-debuginfo-5.14.21-150400.24.173.1
* kernel-default-devel-5.14.21-150400.24.173.1
* kernel-obs-build-5.14.21-150400.24.173.1
* kernel-default-optional-debuginfo-5.14.21-150400.24.173.1
* kernel-obs-qa-5.14.21-150400.24.173.1
* kernel-default-livepatch-5.14.21-150400.24.173.1
* ocfs2-kmp-default-5.14.21-150400.24.173.1
* kernel-default-devel-debuginfo-5.14.21-150400.24.173.1
* ocfs2-kmp-default-debuginfo-5.14.21-150400.24.173.1
* kernel-default-optional-5.14.21-150400.24.173.1
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 nosrc)
* kernel-default-5.14.21-150400.24.173.1
* openSUSE Leap 15.4 (ppc64le s390x x86_64)
* kernel-livepatch-5_14_21-150400_24_173-default-1-150400.9.3.1
* kernel-livepatch-SLE15-SP4_Update_43-debugsource-1-150400.9.3.1
* kernel-livepatch-5_14_21-150400_24_173-default-debuginfo-1-150400.9.3.1
* kernel-default-livepatch-devel-5.14.21-150400.24.173.1
* openSUSE Leap 15.4 (aarch64 nosrc ppc64le x86_64)
* kernel-kvmsmall-5.14.21-150400.24.173.1
* openSUSE Leap 15.4 (nosrc s390x)
* kernel-zfcpdump-5.14.21-150400.24.173.1
* openSUSE Leap 15.4 (s390x)
* kernel-zfcpdump-debugsource-5.14.21-150400.24.173.1
* kernel-zfcpdump-debuginfo-5.14.21-150400.24.173.1
* openSUSE Leap 15.4 (nosrc)
* dtb-aarch64-5.14.21-150400.24.173.1
* openSUSE Leap 15.4 (aarch64)
* kselftests-kmp-64kb-5.14.21-150400.24.173.1
* dtb-sprd-5.14.21-150400.24.173.1
* gfs2-kmp-64kb-5.14.21-150400.24.173.1
* gfs2-kmp-64kb-debuginfo-5.14.21-150400.24.173.1
* dtb-lg-5.14.21-150400.24.173.1
* dtb-socionext-5.14.21-150400.24.173.1
* dtb-qcom-5.14.21-150400.24.173.1
* dtb-rockchip-5.14.21-150400.24.173.1
* dtb-freescale-5.14.21-150400.24.173.1
* cluster-md-kmp-64kb-debuginfo-5.14.21-150400.24.173.1
* dlm-kmp-64kb-debuginfo-5.14.21-150400.24.173.1
* kernel-64kb-debuginfo-5.14.21-150400.24.173.1
* dtb-hisilicon-5.14.21-150400.24.173.1
* dtb-apple-5.14.21-150400.24.173.1
* dtb-amazon-5.14.21-150400.24.173.1
* kernel-64kb-devel-5.14.21-150400.24.173.1
* kernel-64kb-debugsource-5.14.21-150400.24.173.1
* dlm-kmp-64kb-5.14.21-150400.24.173.1
* dtb-amlogic-5.14.21-150400.24.173.1
* reiserfs-kmp-64kb-debuginfo-5.14.21-150400.24.173.1
* dtb-exynos-5.14.21-150400.24.173.1
* dtb-marvell-5.14.21-150400.24.173.1
* ocfs2-kmp-64kb-debuginfo-5.14.21-150400.24.173.1
* kernel-64kb-devel-debuginfo-5.14.21-150400.24.173.1
* dtb-allwinner-5.14.21-150400.24.173.1
* dtb-mediatek-5.14.21-150400.24.173.1
* dtb-broadcom-5.14.21-150400.24.173.1
* cluster-md-kmp-64kb-5.14.21-150400.24.173.1
* dtb-arm-5.14.21-150400.24.173.1
* dtb-apm-5.14.21-150400.24.173.1
* dtb-amd-5.14.21-150400.24.173.1
* kernel-64kb-optional-debuginfo-5.14.21-150400.24.173.1
* ocfs2-kmp-64kb-5.14.21-150400.24.173.1
* dtb-altera-5.14.21-150400.24.173.1
* kernel-64kb-extra-debuginfo-5.14.21-150400.24.173.1
* kernel-64kb-optional-5.14.21-150400.24.173.1
* dtb-renesas-5.14.21-150400.24.173.1
* reiserfs-kmp-64kb-5.14.21-150400.24.173.1
* dtb-nvidia-5.14.21-150400.24.173.1
* kselftests-kmp-64kb-debuginfo-5.14.21-150400.24.173.1
* kernel-64kb-extra-5.14.21-150400.24.173.1
* dtb-xilinx-5.14.21-150400.24.173.1
* dtb-cavium-5.14.21-150400.24.173.1
* openSUSE Leap 15.4 (aarch64 nosrc)
* kernel-64kb-5.14.21-150400.24.173.1
* SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 nosrc s390x x86_64)
* kernel-default-5.14.21-150400.24.173.1
* SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 x86_64)
* kernel-default-base-5.14.21-150400.24.173.1.150400.24.88.1
* SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 s390x x86_64)
* kernel-default-debugsource-5.14.21-150400.24.173.1
* kernel-default-debuginfo-5.14.21-150400.24.173.1
* SUSE Linux Enterprise Micro 5.3 (aarch64 nosrc s390x x86_64)
* kernel-default-5.14.21-150400.24.173.1
* SUSE Linux Enterprise Micro 5.3 (aarch64 x86_64)
* kernel-default-base-5.14.21-150400.24.173.1.150400.24.88.1
* SUSE Linux Enterprise Micro 5.3 (aarch64 s390x x86_64)
* kernel-default-debugsource-5.14.21-150400.24.173.1
* kernel-default-debuginfo-5.14.21-150400.24.173.1
* SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 nosrc s390x x86_64)
* kernel-default-5.14.21-150400.24.173.1
* SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 x86_64)
* kernel-default-base-5.14.21-150400.24.173.1.150400.24.88.1
* SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 s390x x86_64)
* kernel-default-debugsource-5.14.21-150400.24.173.1
* kernel-default-debuginfo-5.14.21-150400.24.173.1
* SUSE Linux Enterprise Micro 5.4 (aarch64 nosrc s390x x86_64)
* kernel-default-5.14.21-150400.24.173.1
* SUSE Linux Enterprise Micro 5.4 (aarch64 x86_64)
* kernel-default-base-5.14.21-150400.24.173.1.150400.24.88.1
* SUSE Linux Enterprise Micro 5.4 (aarch64 s390x x86_64)
* kernel-default-debugsource-5.14.21-150400.24.173.1
* kernel-default-debuginfo-5.14.21-150400.24.173.1
## References:
* https://www.suse.com/security/cve/CVE-2022-49138.html
* https://www.suse.com/security/cve/CVE-2022-49770.html
* https://www.suse.com/security/cve/CVE-2023-52923.html
* https://www.suse.com/security/cve/CVE-2023-52927.html
* https://www.suse.com/security/cve/CVE-2023-53117.html
* https://www.suse.com/security/cve/CVE-2024-26643.html
* https://www.suse.com/security/cve/CVE-2024-42265.html
* https://www.suse.com/security/cve/CVE-2024-53164.html
* https://www.suse.com/security/cve/CVE-2024-57947.html
* https://www.suse.com/security/cve/CVE-2025-21881.html
* https://www.suse.com/security/cve/CVE-2025-21971.html
* https://www.suse.com/security/cve/CVE-2025-37798.html
* https://www.suse.com/security/cve/CVE-2025-38079.html
* https://www.suse.com/security/cve/CVE-2025-38088.html
* https://www.suse.com/security/cve/CVE-2025-38120.html
* https://www.suse.com/security/cve/CVE-2025-38177.html
* https://www.suse.com/security/cve/CVE-2025-38181.html
* https://www.suse.com/security/cve/CVE-2025-38200.html
* https://www.suse.com/security/cve/CVE-2025-38206.html
* https://www.suse.com/security/cve/CVE-2025-38212.html
* https://www.suse.com/security/cve/CVE-2025-38213.html
* https://www.suse.com/security/cve/CVE-2025-38257.html
* https://www.suse.com/security/cve/CVE-2025-38350.html
* https://www.suse.com/security/cve/CVE-2025-38468.html
* https://www.suse.com/security/cve/CVE-2025-38477.html
* https://www.suse.com/security/cve/CVE-2025-38494.html
* https://www.suse.com/security/cve/CVE-2025-38495.html
* https://www.suse.com/security/cve/CVE-2025-38497.html
* https://bugzilla.suse.com/show_bug.cgi?id=1206051
* https://bugzilla.suse.com/show_bug.cgi?id=1221829
* https://bugzilla.suse.com/show_bug.cgi?id=1229334
* https://bugzilla.suse.com/show_bug.cgi?id=1234863
* https://bugzilla.suse.com/show_bug.cgi?id=1236104
* https://bugzilla.suse.com/show_bug.cgi?id=1236333
* https://bugzilla.suse.com/show_bug.cgi?id=1238160
* https://bugzilla.suse.com/show_bug.cgi?id=1239644
* https://bugzilla.suse.com/show_bug.cgi?id=1240185
* https://bugzilla.suse.com/show_bug.cgi?id=1240799
* https://bugzilla.suse.com/show_bug.cgi?id=1242414
* https://bugzilla.suse.com/show_bug.cgi?id=1242780
* https://bugzilla.suse.com/show_bug.cgi?id=1244309
* https://bugzilla.suse.com/show_bug.cgi?id=1245217
* https://bugzilla.suse.com/show_bug.cgi?id=1245431
* https://bugzilla.suse.com/show_bug.cgi?id=1245506
* https://bugzilla.suse.com/show_bug.cgi?id=1245711
* https://bugzilla.suse.com/show_bug.cgi?id=1245986
* https://bugzilla.suse.com/show_bug.cgi?id=1246000
* https://bugzilla.suse.com/show_bug.cgi?id=1246029
* https://bugzilla.suse.com/show_bug.cgi?id=1246037
* https://bugzilla.suse.com/show_bug.cgi?id=1246045
* https://bugzilla.suse.com/show_bug.cgi?id=1246073
* https://bugzilla.suse.com/show_bug.cgi?id=1246186
* https://bugzilla.suse.com/show_bug.cgi?id=1246781
* https://bugzilla.suse.com/show_bug.cgi?id=1247314
* https://bugzilla.suse.com/show_bug.cgi?id=1247347
* https://bugzilla.suse.com/show_bug.cgi?id=1247348
* https://bugzilla.suse.com/show_bug.cgi?id=1247349
* https://bugzilla.suse.com/show_bug.cgi?id=1247437
SUSE-SU-2025:02852-1: important: Security update for the Linux Kernel
# Security update for the Linux Kernel
Announcement ID: SUSE-SU-2025:02852-1
Release Date: 2025-08-18T15:58:14Z
Rating: important
References:
* bsc#1206051
* bsc#1221829
* bsc#1233551
* bsc#1234480
* bsc#1234863
* bsc#1236104
* bsc#1236333
* bsc#1237164
* bsc#1238160
* bsc#1239644
* bsc#1240799
* bsc#1242414
* bsc#1242417
* bsc#1244309
* bsc#1244523
* bsc#1245217
* bsc#1245431
* bsc#1245506
* bsc#1245711
* bsc#1245986
* bsc#1246000
* bsc#1246029
* bsc#1246037
* bsc#1246045
* bsc#1246073
* bsc#1246186
* bsc#1246287
* bsc#1246555
* bsc#1246781
* bsc#1247314
* bsc#1247347
* bsc#1247348
* bsc#1247349
* bsc#1247437
Cross-References:
* CVE-2022-49138
* CVE-2022-49770
* CVE-2023-52923
* CVE-2023-52927
* CVE-2024-26643
* CVE-2024-53057
* CVE-2024-53164
* CVE-2024-57947
* CVE-2025-21701
* CVE-2025-21971
* CVE-2025-37797
* CVE-2025-37798
* CVE-2025-38079
* CVE-2025-38088
* CVE-2025-38120
* CVE-2025-38177
* CVE-2025-38181
* CVE-2025-38200
* CVE-2025-38206
* CVE-2025-38212
* CVE-2025-38213
* CVE-2025-38257
* CVE-2025-38289
* CVE-2025-38350
* CVE-2025-38468
* CVE-2025-38477
* CVE-2025-38494
* CVE-2025-38495
* CVE-2025-38497
CVSS scores:
* CVE-2022-49138 ( SUSE ): 2.0
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2022-49138 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
* CVE-2022-49770 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-52923 ( SUSE ): 5.7
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2023-52923 ( SUSE ): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-52927 ( SUSE ): 8.5
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2023-52927 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-52927 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-26643 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-26643 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-53057 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-53057 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-53164 ( SUSE ): 5.7
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2024-53164 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-57947 ( SUSE ): 7.3
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2024-57947 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-21701 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-21971 ( SUSE ): 8.5
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-21971 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-37797 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-37798 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38079 ( SUSE ): 7.3
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38079 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38088 ( SUSE ): 8.5
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38088 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38120 ( SUSE ): 6.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2025-38120 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2025-38177 ( SUSE ): 7.3
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38177 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38181 ( SUSE ): 8.2
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38181 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-38200 ( SUSE ): 6.8
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38200 ( SUSE ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
* CVE-2025-38206 ( SUSE ): 7.3
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38206 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38212 ( SUSE ): 8.5
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38212 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38213 ( SUSE ): 8.4
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38213 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38257 ( SUSE ): 8.5
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38257 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38289 ( SUSE ): 8.4
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38289 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38350 ( SUSE ): 7.0
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38350 ( SUSE ): 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
* CVE-2025-38468 ( SUSE ): 6.8
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38468 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-38477 ( SUSE ): 7.3
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38477 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38494 ( SUSE ): 8.5
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38494 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38495 ( SUSE ): 8.5
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38495 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38497 ( SUSE ): 5.8
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38497 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H
Affected Products:
* openSUSE Leap 15.5
* SUSE Linux Enterprise Micro 5.5
An update that solves 29 vulnerabilities and has five security fixes can now be
installed.
## Description:
The SUSE Linux Enterprise 15 SP5 RT kernel was updated to receive various
security bugfixes.
The following security bugs were fixed:
* CVE-2022-49138: Bluetooth: hci_event: Fix checking conn for
le_conn_complete_evt (bsc#1238160).
* CVE-2023-52923: netfilter: nf_tables: split async and sync catchall in two
functions (bsc#1236104).
* CVE-2023-52927: netfilter: allow exp not to be removed in
nf_ct_find_expectation (bsc#1239644).
* CVE-2024-26643: Fixed mark set as dead when unbinding anonymous set with
timeout (bsc#1221829).
* CVE-2024-53057: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT
(bsc#1233551).
* CVE-2024-53164: net: sched: fix ordering of qlen adjustment (bsc#1234863).
* CVE-2025-21701: net: avoid race between device unregistration and ethnl ops
(bsc#1237164).
* CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT
(bsc#1240799).
* CVE-2025-37797: net_sched: hfsc: Fix a UAF vulnerability in class handling
(bsc#1242417).
* CVE-2025-38079: crypto: algif_hash - fix double free in hash_accept
(bsc#1245217).
* CVE-2025-38181: calipso: Fix null-ptr-deref in calipso_req_{set,del}attr()
(bsc#1246000).
* CVE-2025-38200: i40e: fix MMIO write access to an invalid page in
i40e_clear_hw (bsc#1246045).
* CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246073).
* CVE-2025-38212: ipc: fix to protect IPCS lookups using RCU (bsc#1246029).
* CVE-2025-38213: vgacon: Add check for vc_origin address range in
vgacon_scroll() (bsc#1246037).
* CVE-2025-38257: s390/pkey: Prevent overflow in size calculation for
memdup_user() (bsc#1246186).
* CVE-2025-38289: scsi: lpfc: Avoid potential ndlp use-after-free in
dev_loss_tmo_callbk (bsc#1246287).
* CVE-2025-38350: net/sched: Always pass notifications when child class
becomes empty (bsc#1246781).
* CVE-2025-38468: net/sched: Return NULL when htb_lookup_leaf encounters an
empty rbtree (bsc#1247437).
* CVE-2025-38477: net/sched: sch_qfq: Avoid triggering might_sleep in atomic
context in qfq_delete_class (bsc#1247314).
* CVE-2025-38494: HID: core: do not bypass hid_hw_raw_request (bsc#1247349).
* CVE-2025-38495: HID: core: ensure the allocated report buffer can contain
the reserved report ID (bsc#1247348).
* CVE-2025-38497: usb: gadget: configfs: Fix OOB read on empty string write
(bsc#1247347).
The following non-security bugs were fixed:
* Revert "hugetlb: unshare some PMDs when splitting VMAs" (bsc#1245431).
* Revert "mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race"
* Revert "mm/hugetlb: unshare page tables during VMA split, not before"
* bnxt_en: Fix GSO type for HW GRO packets on 5750X chips (bsc#1244523).
* net: usb: usbnet: restore usb%d name exception for local mac addresses
(bsc#1234480 bsc#1246555).
## Special Instructions and Notes:
* Please reboot the system after installing this update.
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.5
zypper in -t patch SUSE-2025-2852=1
* SUSE Linux Enterprise Micro 5.5
zypper in -t patch SUSE-SLE-Micro-5.5-2025-2852=1
## Package List:
* openSUSE Leap 15.5 (noarch)
* kernel-source-rt-5.14.21-150500.13.103.2
* kernel-devel-rt-5.14.21-150500.13.103.2
* openSUSE Leap 15.5 (x86_64)
* kernel-rt-livepatch-5.14.21-150500.13.103.2
* kselftests-kmp-rt-debuginfo-5.14.21-150500.13.103.2
* reiserfs-kmp-rt-debuginfo-5.14.21-150500.13.103.2
* kernel-rt_debug-vdso-debuginfo-5.14.21-150500.13.103.2
* ocfs2-kmp-rt-5.14.21-150500.13.103.2
* reiserfs-kmp-rt-5.14.21-150500.13.103.2
* kselftests-kmp-rt-5.14.21-150500.13.103.2
* kernel-rt-devel-5.14.21-150500.13.103.2
* kernel-rt-vdso-debuginfo-5.14.21-150500.13.103.2
* kernel-rt-optional-debuginfo-5.14.21-150500.13.103.2
* kernel-rt_debug-debugsource-5.14.21-150500.13.103.2
* gfs2-kmp-rt-debuginfo-5.14.21-150500.13.103.2
* kernel-rt-optional-5.14.21-150500.13.103.2
* ocfs2-kmp-rt-debuginfo-5.14.21-150500.13.103.2
* kernel-rt-devel-debuginfo-5.14.21-150500.13.103.2
* kernel-rt-extra-debuginfo-5.14.21-150500.13.103.2
* kernel-rt-vdso-5.14.21-150500.13.103.2
* cluster-md-kmp-rt-debuginfo-5.14.21-150500.13.103.2
* cluster-md-kmp-rt-5.14.21-150500.13.103.2
* kernel-rt_debug-vdso-5.14.21-150500.13.103.2
* kernel-rt_debug-devel-debuginfo-5.14.21-150500.13.103.2
* dlm-kmp-rt-5.14.21-150500.13.103.2
* kernel-rt-debuginfo-5.14.21-150500.13.103.2
* kernel-rt-extra-5.14.21-150500.13.103.2
* gfs2-kmp-rt-5.14.21-150500.13.103.2
* kernel-rt-livepatch-devel-5.14.21-150500.13.103.2
* kernel-rt_debug-debuginfo-5.14.21-150500.13.103.2
* dlm-kmp-rt-debuginfo-5.14.21-150500.13.103.2
* kernel-rt_debug-devel-5.14.21-150500.13.103.2
* kernel-rt-debugsource-5.14.21-150500.13.103.2
* openSUSE Leap 15.5 (nosrc x86_64)
* kernel-rt-5.14.21-150500.13.103.2
* kernel-rt_debug-5.14.21-150500.13.103.2
* SUSE Linux Enterprise Micro 5.5 (noarch)
* kernel-source-rt-5.14.21-150500.13.103.2
* kernel-devel-rt-5.14.21-150500.13.103.2
* SUSE Linux Enterprise Micro 5.5 (nosrc x86_64)
* kernel-rt-5.14.21-150500.13.103.2
* SUSE Linux Enterprise Micro 5.5 (x86_64)
* kernel-rt-debuginfo-5.14.21-150500.13.103.2
* kernel-rt-debugsource-5.14.21-150500.13.103.2
## References:
* https://www.suse.com/security/cve/CVE-2022-49138.html
* https://www.suse.com/security/cve/CVE-2022-49770.html
* https://www.suse.com/security/cve/CVE-2023-52923.html
* https://www.suse.com/security/cve/CVE-2023-52927.html
* https://www.suse.com/security/cve/CVE-2024-26643.html
* https://www.suse.com/security/cve/CVE-2024-53057.html
* https://www.suse.com/security/cve/CVE-2024-53164.html
* https://www.suse.com/security/cve/CVE-2024-57947.html
* https://www.suse.com/security/cve/CVE-2025-21701.html
* https://www.suse.com/security/cve/CVE-2025-21971.html
* https://www.suse.com/security/cve/CVE-2025-37797.html
* https://www.suse.com/security/cve/CVE-2025-37798.html
* https://www.suse.com/security/cve/CVE-2025-38079.html
* https://www.suse.com/security/cve/CVE-2025-38088.html
* https://www.suse.com/security/cve/CVE-2025-38120.html
* https://www.suse.com/security/cve/CVE-2025-38177.html
* https://www.suse.com/security/cve/CVE-2025-38181.html
* https://www.suse.com/security/cve/CVE-2025-38200.html
* https://www.suse.com/security/cve/CVE-2025-38206.html
* https://www.suse.com/security/cve/CVE-2025-38212.html
* https://www.suse.com/security/cve/CVE-2025-38213.html
* https://www.suse.com/security/cve/CVE-2025-38257.html
* https://www.suse.com/security/cve/CVE-2025-38289.html
* https://www.suse.com/security/cve/CVE-2025-38350.html
* https://www.suse.com/security/cve/CVE-2025-38468.html
* https://www.suse.com/security/cve/CVE-2025-38477.html
* https://www.suse.com/security/cve/CVE-2025-38494.html
* https://www.suse.com/security/cve/CVE-2025-38495.html
* https://www.suse.com/security/cve/CVE-2025-38497.html
* https://bugzilla.suse.com/show_bug.cgi?id=1206051
* https://bugzilla.suse.com/show_bug.cgi?id=1221829
* https://bugzilla.suse.com/show_bug.cgi?id=1233551
* https://bugzilla.suse.com/show_bug.cgi?id=1234480
* https://bugzilla.suse.com/show_bug.cgi?id=1234863
* https://bugzilla.suse.com/show_bug.cgi?id=1236104
* https://bugzilla.suse.com/show_bug.cgi?id=1236333
* https://bugzilla.suse.com/show_bug.cgi?id=1237164
* https://bugzilla.suse.com/show_bug.cgi?id=1238160
* https://bugzilla.suse.com/show_bug.cgi?id=1239644
* https://bugzilla.suse.com/show_bug.cgi?id=1240799
* https://bugzilla.suse.com/show_bug.cgi?id=1242414
* https://bugzilla.suse.com/show_bug.cgi?id=1242417
* https://bugzilla.suse.com/show_bug.cgi?id=1244309
* https://bugzilla.suse.com/show_bug.cgi?id=1244523
* https://bugzilla.suse.com/show_bug.cgi?id=1245217
* https://bugzilla.suse.com/show_bug.cgi?id=1245431
* https://bugzilla.suse.com/show_bug.cgi?id=1245506
* https://bugzilla.suse.com/show_bug.cgi?id=1245711
* https://bugzilla.suse.com/show_bug.cgi?id=1245986
* https://bugzilla.suse.com/show_bug.cgi?id=1246000
* https://bugzilla.suse.com/show_bug.cgi?id=1246029
* https://bugzilla.suse.com/show_bug.cgi?id=1246037
* https://bugzilla.suse.com/show_bug.cgi?id=1246045
* https://bugzilla.suse.com/show_bug.cgi?id=1246073
* https://bugzilla.suse.com/show_bug.cgi?id=1246186
* https://bugzilla.suse.com/show_bug.cgi?id=1246287
* https://bugzilla.suse.com/show_bug.cgi?id=1246555
* https://bugzilla.suse.com/show_bug.cgi?id=1246781
* https://bugzilla.suse.com/show_bug.cgi?id=1247314
* https://bugzilla.suse.com/show_bug.cgi?id=1247347
* https://bugzilla.suse.com/show_bug.cgi?id=1247348
* https://bugzilla.suse.com/show_bug.cgi?id=1247349
* https://bugzilla.suse.com/show_bug.cgi?id=1247437
SUSE-SU-2025:02857-1: important: Security update for the Linux Kernel (Live Patch 57 for SLE 15 SP3)
# Security update for the Linux Kernel (Live Patch 57 for SLE 15 SP3)
Announcement ID: SUSE-SU-2025:02857-1
Release Date: 2025-08-18T17:33:52Z
Rating: important
References:
* bsc#1244631
* bsc#1245218
* bsc#1245350
* bsc#1247350
* bsc#1247351
Cross-References:
* CVE-2024-36978
* CVE-2025-38079
* CVE-2025-38083
* CVE-2025-38494
* CVE-2025-38495
CVSS scores:
* CVE-2024-36978 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-36978 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38079 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38079 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38083 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38494 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38494 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38495 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38495 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
* openSUSE Leap 15.3
* SUSE Linux Enterprise High Performance Computing 15 SP3
* SUSE Linux Enterprise Live Patching 15-SP3
* SUSE Linux Enterprise Micro 5.1
* SUSE Linux Enterprise Micro 5.2
* SUSE Linux Enterprise Server 15 SP3
* SUSE Linux Enterprise Server for SAP Applications 15 SP3
An update that solves five vulnerabilities can now be installed.
## Description:
This update for the Linux Kernel 5.3.18-150300_59_204 fixes several issues.
The following security issues were fixed:
* CVE-2025-38494: HID: core: do not bypass hid_hw_raw_request (bsc#1247350).
* CVE-2025-38495: HID: core: ensure the allocated report buffer can contain the reserved report ID (bsc#1247351).
* CVE-2025-38079: crypto: algif_hash - fix double free in hash_accept (bsc#1245218).
* CVE-2025-38083: net_sched: prio: fix a race in prio_tune() (bsc#1245350).
* CVE-2024-36978: net: sched: sch_multiq: fix possible OOB write in multiq_tune() (bsc#1244631).
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.3
    zypper in -t patch SUSE-2025-2857=1
* SUSE Linux Enterprise Live Patching 15-SP3
    zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP3-2025-2857=1
## Package List:
* openSUSE Leap 15.3 (ppc64le s390x x86_64)
  * kernel-livepatch-SLE15-SP3_Update_57-debugsource-4-150300.2.1
  * kernel-livepatch-5_3_18-150300_59_204-default-debuginfo-4-150300.2.1
  * kernel-livepatch-5_3_18-150300_59_204-default-4-150300.2.1
* openSUSE Leap 15.3 (x86_64)
  * kernel-livepatch-5_3_18-150300_59_204-preempt-debuginfo-4-150300.2.1
  * kernel-livepatch-5_3_18-150300_59_204-preempt-4-150300.2.1
* SUSE Linux Enterprise Live Patching 15-SP3 (ppc64le s390x x86_64)
  * kernel-livepatch-SLE15-SP3_Update_57-debugsource-4-150300.2.1
  * kernel-livepatch-5_3_18-150300_59_204-default-debuginfo-4-150300.2.1
  * kernel-livepatch-5_3_18-150300_59_204-default-4-150300.2.1
## References:
* https://www.suse.com/security/cve/CVE-2024-36978.html
* https://www.suse.com/security/cve/CVE-2025-38079.html
* https://www.suse.com/security/cve/CVE-2025-38083.html
* https://www.suse.com/security/cve/CVE-2025-38494.html
* https://www.suse.com/security/cve/CVE-2025-38495.html
* https://bugzilla.suse.com/show_bug.cgi?id=1244631
* https://bugzilla.suse.com/show_bug.cgi?id=1245218
* https://bugzilla.suse.com/show_bug.cgi?id=1245350
* https://bugzilla.suse.com/show_bug.cgi?id=1247350
* https://bugzilla.suse.com/show_bug.cgi?id=1247351