openSUSE-SU-2025-20123-1: important: Security update for java-21-openjdk
openSUSE-SU-2025-20122-1: moderate: Security update for openssh
openSUSE-SU-2025-20128-1: important: Security update for shadowsocks-v2ray-plugin, v2ray-core
openSUSE-SU-2025-20130-1: moderate: Security update for bash-git-prompt
openSUSE-SU-2025-20125-1: important: Security update for java-17-openjdk
openSUSE-SU-2025:0453-1: moderate: Security update for gitea-tea
openSUSE-SU-2025:0454-1: moderate: Security update for gitea-tea
SUSE-SU-2025:4313-1: low: Security update for python
openSUSE-SU-2025-20123-1: important: Security update for java-21-openjdk
openSUSE security update: security update for java-21-openjdk
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2025-20123-1
Rating: important
References:
* bsc#1246806
* bsc#1252414
* bsc#1252417
* bsc#1252418
Cross-References:
* CVE-2025-53057
* CVE-2025-53066
* CVE-2025-61748
CVSS scores:
* CVE-2025-53057 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2025-53057 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2025-53066 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2025-53066 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2025-61748 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
* CVE-2025-61748 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 3 vulnerabilities and has 4 bug fixes can now be installed.
Description:
This update for java-21-openjdk fixes the following issues:
Update to upstream tag jdk-21.0.9+10 (October 2025 CPU):
- CVE-2025-53066: Fixed enhance path factories (bsc#1252417).
- CVE-2025-61748: Fixed enhance string handling (bsc#1252418).
- CVE-2025-53057: Fixed enhance certificate handling (bsc#1252414).
Other bug fixes:
- Do not embed rebuild counter (bsc#1246806)
Patch instructions:
To install this openSUSE security update use the suse recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-82=1
Package List:
- openSUSE Leap 16.0:
java-21-openjdk-21.0.9.0-160000.1.1
java-21-openjdk-demo-21.0.9.0-160000.1.1
java-21-openjdk-devel-21.0.9.0-160000.1.1
java-21-openjdk-headless-21.0.9.0-160000.1.1
java-21-openjdk-javadoc-21.0.9.0-160000.1.1
java-21-openjdk-jmods-21.0.9.0-160000.1.1
java-21-openjdk-src-21.0.9.0-160000.1.1
References:
* https://www.suse.com/security/cve/CVE-2025-53057.html
* https://www.suse.com/security/cve/CVE-2025-53066.html
* https://www.suse.com/security/cve/CVE-2025-61748.html
openSUSE-SU-2025-20122-1: moderate: Security update for openssh
openSUSE security update: security update for openssh
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2025-20122-1
Rating: moderate
References:
* bsc#1251198
* bsc#1251199
Cross-References:
* CVE-2025-61984
* CVE-2025-61985
CVSS scores:
* CVE-2025-61984 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
* CVE-2025-61984 ( SUSE ): 2 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2025-61985 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
* CVE-2025-61985 ( SUSE ): 2 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 2 vulnerabilities and has 2 bug fixes can now be installed.
Description:
This update for openssh fixes the following issues:
- CVE-2025-61984: code execution via control characters in usernames when a ProxyCommand is used (bsc#1251198).
- CVE-2025-61985: code execution via '\0' character in ssh:// URI when a ProxyCommand is used (bsc#1251199).
Patch instructions:
To install this openSUSE security update use the suse recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-81=1
Package List:
- openSUSE Leap 16.0:
openssh-10.0p2-160000.3.1
openssh-askpass-gnome-10.0p2-160000.3.1
openssh-cavs-10.0p2-160000.3.1
openssh-clients-10.0p2-160000.3.1
openssh-common-10.0p2-160000.3.1
openssh-helpers-10.0p2-160000.3.1
openssh-server-10.0p2-160000.3.1
openssh-server-config-rootlogin-10.0p2-160000.3.1
References:
* https://www.suse.com/security/cve/CVE-2025-61984.html
* https://www.suse.com/security/cve/CVE-2025-61985.html
openSUSE-SU-2025-20128-1: important: Security update for shadowsocks-v2ray-plugin, v2ray-core
openSUSE security update: security update for shadowsocks-v2ray-plugin, v2ray-core
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2025-20128-1
Rating: important
References:
* bsc#1235164
* bsc#1243946
* bsc#1243954
* bsc#1251404
Cross-References:
* CVE-2025-297850
* CVE-2025-47911
CVSS scores:
* CVE-2025-47911 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-47911 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 2 vulnerabilities and has 4 bug fixes can now be installed.
Description:
This update for shadowsocks-v2ray-plugin, v2ray-core fixes the following issues:
Changes in shadowsocks-v2ray-plugin:
- Update version to 5.25.0
* Update v2ray-core to v5.25.0
- Add update-vendor.patch, update v2ray-core to v5.33.0 (boo#1243954 and CVE-2025-297850)
Changes in v2ray-core:
- Fix CVE-2025-47911 and boo#1251404
* Add fix-CVE-2025-47911.patch
* Update golang.org/x/net to 0.45.0 in vendor
- Update version to 5.38.0
* TLSMirror Connection Enrollment System
* Add TLSMirror Sequence Watermarking
* LSMirror developer preview protocol is now a part of mainline V2Ray
* proxy dns with NOTIMP error
* Add TLSMirror looks like TLS censorship resistant transport protocol
as a developer preview transport
* proxy dns with NOTIMP error
* fix false success from SOCKS server when Dispatch() fails
* HTTP inbound: Directly forward plain HTTP 1xx response header
* add a option to override domain used to query https record
* Fix bugs
* Update vendor
- Update version to 5.33.0
* bump github.com/quic-go/quic-go from 0.51.0 to 0.52.0(boo#1243946 and CVE-2025-297850)
* Update other vendor source
- Update version to 5.31.0
* Add Dns Proxy Response TTL Control
* Fix call newError Base with a nil value error
* Update vendor (boo#1235164)
- Update version to 5.29.3
* Enable restricted mode load for http protocol client
* Correctly implement QUIC sniffer when handling multiple initial packets
* Fix unreleased cache buffer in QUIC sniffing
* A temporary testing fix for the buffer corruption issue
* QUIC Sniffer Restructure
- Update version to 5.22.0
* Add packetEncoding for Hysteria
* Add ECH Client Support
* Add support for parsing some shadowsocks links
* Add Mekya Transport
* Fix bugs
Patch instructions:
To install this openSUSE security update use the suse recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-packagehub-38=1
Package List:
- openSUSE Leap 16.0:
golang-github-teddysun-v2ray-plugin-5.15.1-bp160.1.11
golang-github-v2fly-v2ray-core-5.18.0-bp160.1.13
shadowsocks-v2ray-plugin-5.15.1-bp160.1.11
v2ray-core-5.18.0-bp160.1.13
References:
* https://www.suse.com/security/cve/CVE-2025-297850.html
* https://www.suse.com/security/cve/CVE-2025-47911.html
openSUSE-SU-2025-20130-1: moderate: Security update for bash-git-prompt
openSUSE security update: security update for bash-git-prompt
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2025-20130-1
Rating: moderate
References:
* bsc#1247489
Cross-References:
* CVE-2025-61659
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves one vulnerability and has one bug fix can now be installed.
Description:
This update for bash-git-prompt fixes the following issues:
- CVE-2025-61659: Fixed an issue where predictable files in /tmp were used for a copy of the git index (bsc#1247489)
Patch instructions:
To install this openSUSE security update use the suse recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-packagehub-40=1
Package List:
- openSUSE Leap 16.0:
bash-git-prompt-2.7.1-bp160.1.2
References:
* https://www.suse.com/security/cve/CVE-2025-61659.html
openSUSE-SU-2025-20125-1: important: Security update for java-17-openjdk
openSUSE security update: security update for java-17-openjdk
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2025-20125-1
Rating: important
References:
* bsc#1246806
* bsc#1252414
* bsc#1252417
Cross-References:
* CVE-2025-53057
* CVE-2025-53066
CVSS scores:
* CVE-2025-53057 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2025-53057 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2025-53066 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2025-53066 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 2 vulnerabilities and has 3 bug fixes can now be installed.
Description:
This update for java-17-openjdk fixes the following issues:
Upgrade to upstream tag jdk-17.0.17+10 (October 2025 CPU):
- CVE-2025-53066: Fixed enhance path factories (bsc#1252417).
- CVE-2025-53057: Fixed enhance certificate handling (bsc#1252414).
Other bug fixes:
- Do not embed rebuild counter (bsc#1246806).
Patch instructions:
To install this openSUSE security update use the suse recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-84=1
Package List:
- openSUSE Leap 16.0:
java-17-openjdk-17.0.17.0-160000.1.1
java-17-openjdk-demo-17.0.17.0-160000.1.1
java-17-openjdk-devel-17.0.17.0-160000.1.1
java-17-openjdk-headless-17.0.17.0-160000.1.1
java-17-openjdk-javadoc-17.0.17.0-160000.1.1
java-17-openjdk-jmods-17.0.17.0-160000.1.1
java-17-openjdk-src-17.0.17.0-160000.1.1
References:
* https://www.suse.com/security/cve/CVE-2025-53057.html
* https://www.suse.com/security/cve/CVE-2025-53066.html
openSUSE-SU-2025:0453-1: moderate: Security update for gitea-tea
openSUSE Security Update: Security update for gitea-tea
_______________________________
Announcement ID: openSUSE-SU-2025:0453-1
Rating: moderate
References:
Affected Products:
openSUSE Backports SLE-15-SP6
_______________________________
An update that contains security fixes can now be installed.
Description:
This update for gitea-tea fixes the following issues:
- Do not make config file group-readable.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP6:
zypper in -t patch openSUSE-2025-453=1
Package List:
- openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64):
gitea-tea-0.11.1-bp156.17.1
- openSUSE Backports SLE-15-SP6 (noarch):
gitea-tea-bash-completion-0.11.1-bp156.17.1
gitea-tea-zsh-completion-0.11.1-bp156.17.1
References:
openSUSE-SU-2025:0454-1: moderate: Security update for gitea-tea
openSUSE Security Update: Security update for gitea-tea
_______________________________
Announcement ID: openSUSE-SU-2025:0454-1
Rating: moderate
References: #1251471 #1251663
Cross-References: CVE-2025-47911 CVE-2025-58190
CVSS scores:
CVE-2025-47911 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVE-2025-58190 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Affected Products:
openSUSE Backports SLE-15-SP7
_______________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for gitea-tea fixes the following issues:
- Do not make config file group-readable.
- update to 0.11.1:
* 61d4e57 Fix Pr Create crash (#823)
* 4f33146 add test for matching logins (#820)
* 08b8398 Update README.md (#819)
- CVE-2025-58190: golang.org/x/net/html: excessive memory consumption by
`html.ParseFragment` when processing specially crafted input
(boo#1251663)
- CVE-2025-47911: golang.org/x/net/html: various algorithms with quadratic
complexity when parsing HTML documents (boo#1251471)
- update to 0.11.0:
* Fix yaml output single quote (#814)
* generate man page (#811)
* feat: add validation for object-format flag in repo create command
(#741)
* Fix release version (#815)
* update gitea sdk to v0.22 (#813)
* don't fallback login directly (#806)
* Check duplicated login name in interact mode when creating new login
(#803)
* Fix bug when output json with special chars (#801)
* add debug mode and update readme (#805)
* update go.mod to retract the wrong tag v1.3.3 (#802)
* revert completion scripts removal (#808)
* Remove pagination from context (#807)
* Continue auth when failed to open browser (#794)
* Fix bug (#793)
* Fix tea login add with ssh public key bug (#789)
* Add temporary authentication via environment variables (#639)
* Fix attachment size (#787)
* deploy image when tagging (#792)
* Add Zip URL for release list (#788)
* Use bubbletea instead of survey for interacting with TUI (#786)
* capitalize a few items
* rm out of date comparison file
* README: Document logging in to gitea (#790)
* remove autocomplete command (#782)
* chore(deps): update ghcr.io/devcontainers/features/git-lfs docker tag
to v1.2.5 (#773)
* replace arch package url (#783)
* fix: Reenable -p and --limit switches (#778)
- Update to 0.10.1+git.1757695903.cc20b52:
- feat: add validation for object-format flag in repo create command
(see gh#openSUSE/openSUSE-git#60)
- Fix release version
- update gitea sdk to v0.22
- don't fallback login directly
- Check duplicated login name in interact mode when creating new login
- Fix bug when output json with special chars
- add debug mode and update readme
- update go.mod to retract the wrong tag v1.3.3
- revert completion scripts removal
- Remove pagination from context
- Continue auth when failed to open browser
- Fix bug
- Fix tea login add with ssh public key bug
- Add temporary authentication via environment variables
- Fix attachment size
- deploy image when tagging
- Add Zip URL for release list
- Use bubbletea instead of survey for interacting with TUI
- capitalize a few items
- rm out of date comparison file
- README: Document logging in to gitea
- remove autocomplete command
- chore(deps): update ghcr.io/devcontainers/features/git-lfs docker tag
to v1.2.5
- replace arch package url
- fix: Reenable `-p` and `--limit` switches
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP7:
zypper in -t patch openSUSE-2025-454=1
Package List:
- openSUSE Backports SLE-15-SP7 (aarch64 i586 ppc64le s390x x86_64):
gitea-tea-0.11.1-bp157.2.9.1
- openSUSE Backports SLE-15-SP7 (noarch):
gitea-tea-bash-completion-0.11.1-bp157.2.9.1
gitea-tea-zsh-completion-0.11.1-bp157.2.9.1
References:
https://www.suse.com/security/cve/CVE-2025-47911.html
https://www.suse.com/security/cve/CVE-2025-58190.html
https://bugzilla.suse.com/1251471
https://bugzilla.suse.com/1251663
SUSE-SU-2025:4313-1: low: Security update for python
# Security update for python
Announcement ID: SUSE-SU-2025:4313-1
Release Date: 2025-12-01T09:31:56Z
Rating: low
References:
* bsc#1251305
Cross-References:
* CVE-2025-8291
CVSS scores:
* CVE-2025-8291 ( SUSE ): 4.8
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2025-8291 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2025-8291 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Affected Products:
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP7
* SUSE Package Hub 15 15-SP6
* SUSE Package Hub 15 15-SP7
An update that solves one vulnerability can now be installed.
## Description:
This update for python fixes the following issues:
* CVE-2025-8291: Check the validity the ZIP64 End of Central Directory (EOCD).
(bsc#1251305)
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Package Hub 15 15-SP6
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-4313=1
* SUSE Package Hub 15 15-SP7
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2025-4313=1
* openSUSE Leap 15.6
zypper in -t patch openSUSE-SLE-15.6-2025-4313=1
## Package List:
* SUSE Package Hub 15 15-SP6 (aarch64 ppc64le s390x x86_64)
* python-base-debugsource-2.7.18-150000.86.1
* python-curses-2.7.18-150000.86.1
* python-gdbm-2.7.18-150000.86.1
* python-xml-2.7.18-150000.86.1
* python-gdbm-debuginfo-2.7.18-150000.86.1
* python-xml-debuginfo-2.7.18-150000.86.1
* python-2.7.18-150000.86.1
* python-debuginfo-2.7.18-150000.86.1
* libpython2_7-1_0-2.7.18-150000.86.1
* python-curses-debuginfo-2.7.18-150000.86.1
* libpython2_7-1_0-debuginfo-2.7.18-150000.86.1
* python-debugsource-2.7.18-150000.86.1
* python-base-2.7.18-150000.86.1
* python-base-debuginfo-2.7.18-150000.86.1
* SUSE Package Hub 15 15-SP7 (aarch64 ppc64le s390x x86_64)
* python-base-debugsource-2.7.18-150000.86.1
* python-curses-2.7.18-150000.86.1
* python-gdbm-2.7.18-150000.86.1
* python-xml-2.7.18-150000.86.1
* python-gdbm-debuginfo-2.7.18-150000.86.1
* python-xml-debuginfo-2.7.18-150000.86.1
* python-2.7.18-150000.86.1
* python-debuginfo-2.7.18-150000.86.1
* libpython2_7-1_0-2.7.18-150000.86.1
* python-curses-debuginfo-2.7.18-150000.86.1
* libpython2_7-1_0-debuginfo-2.7.18-150000.86.1
* python-debugsource-2.7.18-150000.86.1
* python-base-2.7.18-150000.86.1
* python-base-debuginfo-2.7.18-150000.86.1
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
* python-base-debugsource-2.7.18-150000.86.1
* python-curses-2.7.18-150000.86.1
* python-devel-2.7.18-150000.86.1
* python-gdbm-2.7.18-150000.86.1
* python-gdbm-debuginfo-2.7.18-150000.86.1
* python-xml-2.7.18-150000.86.1
* python-xml-debuginfo-2.7.18-150000.86.1
* python-tk-2.7.18-150000.86.1
* python-idle-2.7.18-150000.86.1
* python-2.7.18-150000.86.1
* python-debuginfo-2.7.18-150000.86.1
* libpython2_7-1_0-2.7.18-150000.86.1
* python-curses-debuginfo-2.7.18-150000.86.1
* python-demo-2.7.18-150000.86.1
* libpython2_7-1_0-debuginfo-2.7.18-150000.86.1
* python-debugsource-2.7.18-150000.86.1
* python-tk-debuginfo-2.7.18-150000.86.1
* python-base-2.7.18-150000.86.1
* python-base-debuginfo-2.7.18-150000.86.1
* openSUSE Leap 15.6 (x86_64)
* libpython2_7-1_0-32bit-debuginfo-2.7.18-150000.86.1
* python-base-32bit-debuginfo-2.7.18-150000.86.1
* python-base-32bit-2.7.18-150000.86.1
* python-32bit-debuginfo-2.7.18-150000.86.1
* python-32bit-2.7.18-150000.86.1
* libpython2_7-1_0-32bit-2.7.18-150000.86.1
* openSUSE Leap 15.6 (noarch)
* python-doc-pdf-2.7.18-150000.86.1
* python-doc-2.7.18-150000.86.1
## References:
* https://www.suse.com/security/cve/CVE-2025-8291.html
* https://bugzilla.suse.com/show_bug.cgi?id=1251305
