openSUSE-SU-2025-20133-1: important: Security update for python-cbor2
openSUSE-SU-2025:0457-1: important: Security update for icinga2
SUSE-SU-2025:4319-1: important: Security update for cups
openSUSE-SU-2025:15793-1: moderate: gegl-0.4.64-3.1 on GA media
openSUSE-SU-2025-20133-1: important: Security update for python-cbor2
openSUSE security update: security update for python-cbor2
-------------------------------------------------------------
Announcement ID: openSUSE-SU-2025-20133-1
Rating: important
References:
* bsc#1220096
* bsc#1253746
Cross-References:
* CVE-2024-26134
* CVE-2025-64076
CVSS scores:
* CVE-2025-64076 ( SUSE ): 7.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:H
* CVE-2025-64076 ( SUSE ): 5.2 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:H/SC:L/SI:N/SA:N
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
An update that solves 2 vulnerabilities and has 2 bug fixes can now be installed.
Description:
This update for python-cbor2 fixes the following issues:
- CVE-2025-64076: Fixed bug in decode_definite_long_string() that causes incorrect chunk length calculation (bsc#1253746).
Already fixed in release 5.6.3:
- CVE-2024-26134: Fixed potential crash when hashing a CBORTag (bsc#1220096).
Patch instructions:
To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-91=1
Package List:
- openSUSE Leap 16.0:
python313-cbor2-5.6.5-160000.3.1
References:
* https://www.suse.com/security/cve/CVE-2024-26134.html
* https://www.suse.com/security/cve/CVE-2025-64076.html
openSUSE-SU-2025:0457-1: important: Security update for icinga2
openSUSE Security Update: Security update for icinga2
_______________________________
Announcement ID: openSUSE-SU-2025:0457-1
Rating: important
References: #1084909 #1233310
Cross-References: CVE-2024-49369
CVSS scores:
CVE-2024-49369 (SUSE): 10 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Affected Products:
openSUSE Backports SLE-15-SP7
_______________________________
An update that solves one vulnerability and has one errata
is now available.
Description:
This update for icinga2 fixes the following issues:
- Update to 2.14.5
* Bug Fixes
- Don't close anonymous connections before sending the response for a
certificate request #10337
- Performance data: Don't discard min/max values even if crit/warn
thresholds aren't given #10339
- Fix a failing test case on systems where time_t is only 32 bits #10343
* Documentation
- Document the -X option for the mail-host-notification and
mail-service-notification commands #10335
- Include Nagios in the migration docs #10324
- Remove RHEL 7 from installation instructions #10334
- Add instructions for installing build dependencies on Windows Server
#10336
- Update to 2.14.4
* Crash Fixes
- Invalid DateTime#format() arguments in config and console on Windows
Server 2016 and older. #10112
- Downtime scheduling at runtime with non-existent trigger. #10049
- Object creation at runtime during Icinga DB initialization. #10151
- Comment on a service of a non-existent host. #9861
* Miscellaneous Bugfixes
- Lost notifications after recovery outside the notification time
period. #10187
- TimePeriod/ScheduledDowntime exceeding specified date range. #9983
#10107
- Clean up failure for obsolete Downtimes. #10062
- ifw-api check command: use correct process-finished handler. #10140
- Email notification scripts: strip 0x0D (CR) for a proper
Content-Type. #10061
- Several fixes and improvements of the code quality. #10066 #10214
#10254 #10263 #10264
* Cluster and API
- Sync runtime objects in topological order to honor their
dependencies. #10000
- Make parallel config syncs more robust. #10013
- After object creation via API fails, clean up properly for the next
try. #10111
- Close HTTPS connections properly to prevent leaks. #10005 #10006
- Reduce the number of cluster messages in memory at the same time.
#9991 #9999 #10210
- Once a cluster connection shall be closed, stop communicating.
#10213 #10221
- Remove unnecessary blocking of semaphores. #9992 #9994
- Reduce unnecessary cluster messages setting the next check time.
#10011
* Icinga DB and IDO
- IDO: fix object relations after aborted synchronization. #10065
- Icinga DB, IDO: limit all timestamps to four year digits. #10058
#10059
- Icinga DB: limit execution_time and latency (milliseconds) to
database schema. #10060
* Troubleshooting
- Add /v1/debug/malloc_info which calls malloc_info(3) if available.
#10015
- Add log messages about own network I/O. #9993 #10141 #10207
- Several fixes and improvements of log messages. #9997 #10021 #10209
* Windows
- Update OpenSSL shipped on Windows to v3.0.15. #10170
- Update Boost shipped on Windows to v1.86. #10114
- Support CMake v3.29. #10037
- Don't require to build .msi as admin. #10137
- Build configuration scripts: allow custom $CMAKE_ARGS. #10312
* Documentation
- Distributed Monitoring: add section "External CA/PKI". #9825
- Explain how to enable/disable debug logging on the fly. #9981
- Update supported OS versions and repository configuration. #10064
#10090 #10120 #10135 #10136 #10205
- Several fixes and improvements. #9960 #10050 #10071 #10156 #10194
- Replace broken links. #10115 #10118 #10282
- Fix typographical and similarly trivial errors. #9953 #9967 #10056
#10116 #10152 #10153 #10204
- Update to 2.14.3
- Security: fix TLS certificate validation bypass. CVE-2024-49369
(boo#1233310)
- Security: update OpenSSL shipped on Windows to v3.0.15.
- Windows: sign MSI packages with a certificate the OS trusts by
default.
- Update to 2.14.2
- InfluxDB: truncate timestamps to whole seconds to save disk space.
#9969
- HttpServerConnection: log request processing time as well. #9970
- Update Boost shipped on Windows to v1.84. #9970
- Update to 2.14.1
* Security
- Automatically renew own root CA and distribute it to all nodes. #9933
- Update OpenSSL shipped on Windows to v3.0.12. #9946
- Disable TLS renegotiation (handshake on existing connection). #9946
* Bugfixes
- Icinga DB feature: fix crash due to missing NULL pointer check. #9946
- Icinga DB feature: fix data written into Redis crashing the Go
daemon. #9946
- GelfWriter: fix deadlock on stop/reload caused by busy queue. #9947
- Don't lose notifications due to too long output, truncate it. #9947
* Enhancements
- Discard duplicate problem notifications due to state filtering. #9932
- Speed up API filters targeting specific hosts/services to O(1). #9944
- POST /v1/console/*: return HTTP 503 while Icinga is reloading. #9947
- Update Boost shipped on Windows to v1.83. #9946
- Documentation: several fixes and improvements. #9921
- Update to 2.14.0
* Breaking Changes
- Remove CheckResultReader (which has been deprecated since v2.9).
#9714
- Remove StatusDataWriter (which has been deprecated since v2.9). #9715
- ElasticsearchWriter: drop support for Elasticsearch < v7. #9812
- Consider a checkable unreachable once one Dependency fails.
Previously all of them had to fail. (Consult the upgrading docs.)
#8218
- API: reject config modifications during reload with HTTP status 503.
#9445
- icinga2 daemon: to reduce config load time, write file needed by
icinga2 object list only if --dump-objects is given. #9586 #9591
- Default email notification scripts: link to Icinga DB Web, not the
monitoring module. (Consult the upgrading docs.) #9742 #9757
- API: for security reasons hide TicketSalt in /v1/variables. #7863
* Icinga 2 Config DSL
- Disallow global variable modification after config commit start
(i.e. inside object/apply T "x" { ... }) to reduce config load time.
#9740
- Forbid Dependency cycles at config load time. #8389
- Allow only strings in the arrays Host#groups, Service#groups and
User#groups. Needed for consistency, especially by the IDO. #9057
- Disallow empty object names. (They worked only partially anyway.)
#9409
* Enhancements
- Significantly reduce config load time of large setups. #8118 #9555
#9557 #9572 #9577 #9603 #9608 #9627 #9648 #9657 #9662
- Allow to connect dependencies via redundancy groups. Only parents within
one group are assumed to provide redundancy for each other. #8218
- Built-in check command ifw-api, communicates directly with the
Icinga for Windows REST API. (Doesn't spawn a PowerShell process for
that.) #9062
- JournaldLogger which logs to systemd journal. #9000
- API: POST /v1/objects: allow to discard some previously modified
attributes, i.e. to restore the config files' values. #9783
- ElasticsearchWriter: support Elasticsearch v8. #9812
- Support $env.ENV_VAR_NAME$ macros. #8302
- Speed up Icinga DB config dump. #9524
- Default mail notification scripts: also print $host.notes$ and
$service.notes$. #9713
- Enable built-in OpenSSL DH parameters to allow DHE TLS ciphers. #9811
- Clean up global default TLS cipher list to improve security. #9809
- Influxdb(2)Writer: write more precise timestamps (nanoseconds). #9599
* Bugfixes
- Icinga DB feature: normalize several Redis data not to crash the Go
daemon. #9772 #9775 #9792 #9793 #9794 #9805
- Fix parsing of perfdata across multiple lines in plugin output. #8969
- icinga check: fix last reload failure time. #8429 #9827
- Resolve macros inside custom vars of IcingaApplication. #9779
- SELinux: allow Icinga and its plugins to write to syslog. #9688
- ElasticsearchWriter: fix data buffer flush race condition during
stop. #9810
- Trigger flexible downtimes not in the past if checkable is already
down. #9726
- Send downtime expiration notifications immediately, not after up to
a minute. #9726
* Cluster
- Don't hang in timed out connection attempt. #9711 #9725
- Fix lost acknowledgements after re-connect. #9718
- cluster-zone check: don't complain about not connected
other local zone members if there aren't any. #8595
- Allow agent to update executions delegated to it via
/v1/actions/execute-command. #8627
* API
- Disallow breaking inter-object relationships by changing
relationship attributes at runtime, e.g. Service#host_name. #9407
- Correct several HTTP response status codes. #7958 #9354
- Correct Boolean field types previously reported by /v1/types as
Number. #9514
* CLI
- icinga2 daemon: fix -DConfiguration.Concurrency= flag which now
allows to override the number of threads. #9643
- icinga2 node wizard: avoid unnecessary chown(2) which may fail and
abort the wizard. #8744
- Correct several log messages. #8895 #8965 #9663
* ITL
- Add linux_netdev check command. #9045
+ Command Argument Changes
- disk: don't pass -m (disk_megabytes) by default. #9642
- disk: pass -X fuse.portal (disk_exclude_type) by default. #9459
- http: support multiple -k (http_header) as array. #8574
- icmp: double defaults for -w (icmp_wpl) and -c (icmp_cpl). #9041
- logfiles: pass --winwarncrit (logfiles_winwarncrit) without
argument. #9056
- nwc_health: pass SNMPv3-only args only when using SNMPv3. #9095
- vmware-esx-dc-runtime-tools and vmware-esx-soap-vm-runtime-tools:
- rename --open-vm-tools to --open_vm_tools_ok (vmware_openvmtools).
#9611
- Update to 2.13.8
* Bugfixes
- Icinga DB feature: normalize several Redis data not to crash the Go
daemon. #9814
- Don't hang in timed out connection attempt. #9815
- Trigger flexible downtimes not in the past if checkable is already
down. #9817
- ElasticsearchWriter: fix data buffer flush race condition during
stop. #9818
- SELinux: allow Icinga and its plugins to write to syslog. #9819
- Fix lost acknowledgements after re-connect. #9820
- Fix parsing of perfdata across multiple lines in plugin output. #9821
- cluster-zone check: don't complain about not connected
other local zone members if there aren't any. #9822
* Updates
- Update Boost shipped on Windows to v1.82. #9816
- Update OpenSSL shipped on Windows to v3.0.9. #9816
- Update vendored https://github.com/nlohmann/json to v3.9.1. #9816
- Update vendored https://github.com/nemtrif/utfcpp to v3.2.3. #9816
- Update to 2.13.7
* Security
- Windows: update bundled OpenSSL to v1.1.1t. #9672
* Bugfixes
- SELinux: fix user and domain creation by explicitly setting the
role. #9690
- Signal handlers: don't interrupt and break plugins spawning. #9682
- Icinga DB: take check_period into account during overdue
calculation. #9679
- Avoid corrupted files: use fsync(2)/FlushFileBuffers() everywhere.
#9681
- Solaris: fix compile error. #9680
* Enhancements
- Windows: update bundled Boost to v1.81. #9678
- Documentation: several fixes and improvements. #9671
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP7:
zypper in -t patch openSUSE-2025-457=1
Package List:
- openSUSE Backports SLE-15-SP7 (aarch64 i586 x86_64):
icinga2-2.14.5-bp157.3.3.1
icinga2-bin-2.14.5-bp157.3.3.1
icinga2-common-2.14.5-bp157.3.3.1
icinga2-doc-2.14.5-bp157.3.3.1
icinga2-ido-mysql-2.14.5-bp157.3.3.1
icinga2-ido-pgsql-2.14.5-bp157.3.3.1
nano-icinga2-2.14.5-bp157.3.3.1
vim-icinga2-2.14.5-bp157.3.3.1
References:
https://www.suse.com/security/cve/CVE-2024-49369.html
https://bugzilla.suse.com/1084909
https://bugzilla.suse.com/1233310
SUSE-SU-2025:4319-1: important: Security update for cups
# Security update for cups
Announcement ID: SUSE-SU-2025:4319-1
Release Date: 2025-12-03T12:34:37Z
Rating: important
References:
* bsc#1254353
Cross-References:
* CVE-2025-58436
CVSS scores:
* CVE-2025-58436 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-58436 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-58436 ( NVD ): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
* Basesystem Module 15-SP6
* Basesystem Module 15-SP7
* Desktop Applications Module 15-SP6
* Desktop Applications Module 15-SP7
* Development Tools Module 15-SP6
* Development Tools Module 15-SP7
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise Micro 5.2
* SUSE Linux Enterprise Micro 5.3
* SUSE Linux Enterprise Micro 5.4
* SUSE Linux Enterprise Micro 5.5
* SUSE Linux Enterprise Micro for Rancher 5.2
* SUSE Linux Enterprise Micro for Rancher 5.3
* SUSE Linux Enterprise Micro for Rancher 5.4
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP7
An update that solves one vulnerability can now be installed.
## Description:
This update for cups fixes the following issues:
* The fix for CVE-2025-58436 causes a regression where GTK applications will
hang. (bsc#1254353)
See also https://github.com/OpenPrinting/cups/issues/1429
The fix has been temporarily disabled.
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.6
zypper in -t patch openSUSE-SLE-15.6-2025-4319=1
* SUSE Linux Enterprise Micro for Rancher 5.3
zypper in -t patch SUSE-SLE-Micro-5.3-2025-4319=1
* SUSE Linux Enterprise Micro 5.3
zypper in -t patch SUSE-SLE-Micro-5.3-2025-4319=1
* SUSE Linux Enterprise Micro for Rancher 5.4
zypper in -t patch SUSE-SLE-Micro-5.4-2025-4319=1
* SUSE Linux Enterprise Micro 5.4
zypper in -t patch SUSE-SLE-Micro-5.4-2025-4319=1
* SUSE Linux Enterprise Micro 5.5
zypper in -t patch SUSE-SLE-Micro-5.5-2025-4319=1
* Basesystem Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP6-2025-4319=1
* Basesystem Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2025-4319=1
* Desktop Applications Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP6-2025-4319=1
* Desktop Applications Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-4319=1
* Development Tools Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP6-2025-4319=1
* Development Tools Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP7-2025-4319=1
* SUSE Linux Enterprise Micro 5.2
zypper in -t patch SUSE-SUSE-MicroOS-5.2-2025-4319=1
* SUSE Linux Enterprise Micro for Rancher 5.2
zypper in -t patch SUSE-SUSE-MicroOS-5.2-2025-4319=1
## Package List:
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
* cups-2.2.7-150000.3.80.1
* cups-config-2.2.7-150000.3.80.1
* cups-ddk-debuginfo-2.2.7-150000.3.80.1
* libcupscgi1-debuginfo-2.2.7-150000.3.80.1
* cups-client-debuginfo-2.2.7-150000.3.80.1
* cups-client-2.2.7-150000.3.80.1
* cups-debuginfo-2.2.7-150000.3.80.1
* libcupsimage2-2.2.7-150000.3.80.1
* libcups2-2.2.7-150000.3.80.1
* libcupscgi1-2.2.7-150000.3.80.1
* libcups2-debuginfo-2.2.7-150000.3.80.1
* libcupsmime1-debuginfo-2.2.7-150000.3.80.1
* libcupsmime1-2.2.7-150000.3.80.1
* libcupsppdc1-2.2.7-150000.3.80.1
* libcupsimage2-debuginfo-2.2.7-150000.3.80.1
* cups-devel-2.2.7-150000.3.80.1
* libcupsppdc1-debuginfo-2.2.7-150000.3.80.1
* cups-debugsource-2.2.7-150000.3.80.1
* cups-ddk-2.2.7-150000.3.80.1
* openSUSE Leap 15.6 (x86_64)
* libcupsmime1-32bit-debuginfo-2.2.7-150000.3.80.1
* libcupsimage2-32bit-2.2.7-150000.3.80.1
* cups-devel-32bit-2.2.7-150000.3.80.1
* libcupscgi1-32bit-2.2.7-150000.3.80.1
* libcupsmime1-32bit-2.2.7-150000.3.80.1
* libcupsimage2-32bit-debuginfo-2.2.7-150000.3.80.1
* libcups2-32bit-debuginfo-2.2.7-150000.3.80.1
* libcupsppdc1-32bit-2.2.7-150000.3.80.1
* libcupsppdc1-32bit-debuginfo-2.2.7-150000.3.80.1
* libcups2-32bit-2.2.7-150000.3.80.1
* libcupscgi1-32bit-debuginfo-2.2.7-150000.3.80.1
* SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 s390x x86_64)
* cups-config-2.2.7-150000.3.80.1
* cups-debuginfo-2.2.7-150000.3.80.1
* libcups2-2.2.7-150000.3.80.1
* libcups2-debuginfo-2.2.7-150000.3.80.1
* cups-debugsource-2.2.7-150000.3.80.1
* SUSE Linux Enterprise Micro 5.3 (aarch64 s390x x86_64)
* cups-config-2.2.7-150000.3.80.1
* cups-debuginfo-2.2.7-150000.3.80.1
* libcups2-2.2.7-150000.3.80.1
* libcups2-debuginfo-2.2.7-150000.3.80.1
* cups-debugsource-2.2.7-150000.3.80.1
* SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 s390x x86_64)
* cups-config-2.2.7-150000.3.80.1
* cups-debuginfo-2.2.7-150000.3.80.1
* libcups2-2.2.7-150000.3.80.1
* libcups2-debuginfo-2.2.7-150000.3.80.1
* cups-debugsource-2.2.7-150000.3.80.1
* SUSE Linux Enterprise Micro 5.4 (aarch64 s390x x86_64)
* cups-config-2.2.7-150000.3.80.1
* cups-debuginfo-2.2.7-150000.3.80.1
* libcups2-2.2.7-150000.3.80.1
* libcups2-debuginfo-2.2.7-150000.3.80.1
* cups-debugsource-2.2.7-150000.3.80.1
* SUSE Linux Enterprise Micro 5.5 (aarch64 ppc64le s390x x86_64)
* cups-config-2.2.7-150000.3.80.1
* cups-debuginfo-2.2.7-150000.3.80.1
* libcups2-2.2.7-150000.3.80.1
* libcups2-debuginfo-2.2.7-150000.3.80.1
* cups-debugsource-2.2.7-150000.3.80.1
* Basesystem Module 15-SP6 (aarch64 ppc64le s390x x86_64)
* cups-2.2.7-150000.3.80.1
* cups-config-2.2.7-150000.3.80.1
* libcupscgi1-debuginfo-2.2.7-150000.3.80.1
* cups-client-debuginfo-2.2.7-150000.3.80.1
* cups-client-2.2.7-150000.3.80.1
* cups-debuginfo-2.2.7-150000.3.80.1
* libcupsimage2-2.2.7-150000.3.80.1
* libcups2-2.2.7-150000.3.80.1
* libcupscgi1-2.2.7-150000.3.80.1
* libcups2-debuginfo-2.2.7-150000.3.80.1
* libcupsmime1-debuginfo-2.2.7-150000.3.80.1
* libcupsmime1-2.2.7-150000.3.80.1
* libcupsppdc1-2.2.7-150000.3.80.1
* libcupsimage2-debuginfo-2.2.7-150000.3.80.1
* cups-devel-2.2.7-150000.3.80.1
* cups-debugsource-2.2.7-150000.3.80.1
* libcupsppdc1-debuginfo-2.2.7-150000.3.80.1
* Basesystem Module 15-SP7 (aarch64 ppc64le s390x x86_64)
* cups-2.2.7-150000.3.80.1
* cups-config-2.2.7-150000.3.80.1
* libcupscgi1-debuginfo-2.2.7-150000.3.80.1
* cups-client-debuginfo-2.2.7-150000.3.80.1
* cups-client-2.2.7-150000.3.80.1
* cups-debuginfo-2.2.7-150000.3.80.1
* libcupsimage2-2.2.7-150000.3.80.1
* libcups2-2.2.7-150000.3.80.1
* libcupscgi1-2.2.7-150000.3.80.1
* libcups2-debuginfo-2.2.7-150000.3.80.1
* libcupsmime1-debuginfo-2.2.7-150000.3.80.1
* libcupsmime1-2.2.7-150000.3.80.1
* libcupsppdc1-2.2.7-150000.3.80.1
* libcupsimage2-debuginfo-2.2.7-150000.3.80.1
* cups-devel-2.2.7-150000.3.80.1
* cups-debugsource-2.2.7-150000.3.80.1
* libcupsppdc1-debuginfo-2.2.7-150000.3.80.1
* Desktop Applications Module 15-SP6 (x86_64)
* libcups2-32bit-debuginfo-2.2.7-150000.3.80.1
* libcups2-32bit-2.2.7-150000.3.80.1
* Desktop Applications Module 15-SP7 (x86_64)
* libcups2-32bit-debuginfo-2.2.7-150000.3.80.1
* libcups2-32bit-2.2.7-150000.3.80.1
* Development Tools Module 15-SP6 (aarch64 ppc64le s390x x86_64)
* cups-ddk-debuginfo-2.2.7-150000.3.80.1
* cups-debuginfo-2.2.7-150000.3.80.1
* cups-debugsource-2.2.7-150000.3.80.1
* cups-ddk-2.2.7-150000.3.80.1
* Development Tools Module 15-SP7 (aarch64 ppc64le s390x x86_64)
* cups-ddk-debuginfo-2.2.7-150000.3.80.1
* cups-debuginfo-2.2.7-150000.3.80.1
* cups-debugsource-2.2.7-150000.3.80.1
* cups-ddk-2.2.7-150000.3.80.1
* SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64)
* cups-config-2.2.7-150000.3.80.1
* cups-debuginfo-2.2.7-150000.3.80.1
* libcups2-2.2.7-150000.3.80.1
* libcups2-debuginfo-2.2.7-150000.3.80.1
* cups-debugsource-2.2.7-150000.3.80.1
* SUSE Linux Enterprise Micro for Rancher 5.2 (aarch64 s390x x86_64)
* cups-config-2.2.7-150000.3.80.1
* cups-debuginfo-2.2.7-150000.3.80.1
* libcups2-2.2.7-150000.3.80.1
* libcups2-debuginfo-2.2.7-150000.3.80.1
* cups-debugsource-2.2.7-150000.3.80.1
## References:
* https://www.suse.com/security/cve/CVE-2025-58436.html
* https://bugzilla.suse.com/show_bug.cgi?id=1254353
openSUSE-SU-2025:15793-1: moderate: gegl-0.4.64-3.1 on GA media
# gegl-0.4.64-3.1 on GA media
Announcement ID: openSUSE-SU-2025:15793-1
Rating: moderate
Cross-References:
* CVE-2025-10921
CVSS scores:
* CVE-2025-10921 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2025-10921 ( SUSE ): 8.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected Products:
* openSUSE Tumbleweed
An update that solves one vulnerability can now be installed.
## Description:
These are all security issues fixed in the gegl-0.4.64-3.1 package on the GA media of openSUSE Tumbleweed.
## Package List:
* openSUSE Tumbleweed:
* gegl 0.4.64-3.1
* gegl-0_4 0.4.64-3.1
* gegl-0_4-lang 0.4.64-3.1
* gegl-devel 0.4.64-3.1
* gegl-doc 0.4.64-3.1
* libgegl-0_4-0 0.4.64-3.1
* typelib-1_0-Gegl-0_4 0.4.64-3.1
## References:
* https://www.suse.com/security/cve/CVE-2025-10921.html