
Security updates have been released for SUSE Linux to address various vulnerabilities. The updates include patches for the xorg-x11-server, rav1e, chromium, and flake-pilot packages. Among these updates, the patch for Chromium is classified as critical, indicating a higher severity level. Additionally, recommended and moderate-level updates have also been released for Redis 8.2.3.

SUSE-SU-2025:3909-1: important: Security update for xorg-x11-server
SUSE-SU-2025:3911-1: moderate: Security update for rav1e
openSUSE-SU-2025-20003-1: critical: Security update for chromium
openSUSE-SU-2025-20000-1: moderate: Recommended update of flake-pilot
openSUSE-SU-2025:15698-1: moderate: redis-8.2.3-1.1 on GA media
SUSE-SU-2025:3909-1: important: Security update for xorg-x11-server


# Security update for xorg-x11-server

Announcement ID: SUSE-SU-2025:3909-1
Release Date: 2025-11-02T12:16:51Z
Rating: important
References:

* bsc#1251958
* bsc#1251959
* bsc#1251960

Cross-References:

* CVE-2025-62229
* CVE-2025-62230
* CVE-2025-62231

CVSS scores:

* CVE-2025-62229 ( SUSE ): 7.7 CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-62229 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-62229 ( NVD ): 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
* CVE-2025-62230 ( SUSE ): 7.7 CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-62230 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-62230 ( NVD ): 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H
* CVE-2025-62231 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-62231 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-62231 ( NVD ): 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H

Affected Products:

* openSUSE Leap 15.4
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Manager Proxy 4.3
* SUSE Manager Proxy 4.3 LTS
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Retail Branch Server 4.3 LTS
* SUSE Manager Server 4.3
* SUSE Manager Server 4.3 LTS

An update that solves three vulnerabilities can now be installed.

## Description:

This update for xorg-x11-server fixes the following issues:

* Fixed use-after-free in XPresentNotify structures creation (CVE-2025-62229, bsc#1251958)
* Fixed use-after-free in Xkb client resource removal (CVE-2025-62230, bsc#1251959)
* Fixed value overflow in Xkb extension XkbSetCompatMap() (CVE-2025-62231, bsc#1251960)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.4
zypper in -t patch SUSE-2025-3909=1

* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-3909=1

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-3909=1

* SUSE Linux Enterprise Server 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-3909=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP4
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2025-3909=1

* SUSE Manager Proxy 4.3 LTS
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.3-LTS-2025-3909=1

* SUSE Manager Retail Branch Server 4.3 LTS
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.3-LTS-2025-3909=1

* SUSE Manager Server 4.3 LTS
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.3-LTS-2025-3909=1

## Package List:

* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
* xorg-x11-server-1.20.3-150400.38.63.1
* xorg-x11-server-debuginfo-1.20.3-150400.38.63.1
* xorg-x11-server-source-1.20.3-150400.38.63.1
* xorg-x11-server-extra-debuginfo-1.20.3-150400.38.63.1
* xorg-x11-server-sdk-1.20.3-150400.38.63.1
* xorg-x11-server-extra-1.20.3-150400.38.63.1
* xorg-x11-server-debugsource-1.20.3-150400.38.63.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64)
* xorg-x11-server-1.20.3-150400.38.63.1
* xorg-x11-server-debuginfo-1.20.3-150400.38.63.1
* xorg-x11-server-extra-debuginfo-1.20.3-150400.38.63.1
* xorg-x11-server-sdk-1.20.3-150400.38.63.1
* xorg-x11-server-extra-1.20.3-150400.38.63.1
* xorg-x11-server-debugsource-1.20.3-150400.38.63.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64)
* xorg-x11-server-1.20.3-150400.38.63.1
* xorg-x11-server-debuginfo-1.20.3-150400.38.63.1
* xorg-x11-server-extra-debuginfo-1.20.3-150400.38.63.1
* xorg-x11-server-sdk-1.20.3-150400.38.63.1
* xorg-x11-server-extra-1.20.3-150400.38.63.1
* xorg-x11-server-debugsource-1.20.3-150400.38.63.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64)
* xorg-x11-server-1.20.3-150400.38.63.1
* xorg-x11-server-debuginfo-1.20.3-150400.38.63.1
* xorg-x11-server-extra-debuginfo-1.20.3-150400.38.63.1
* xorg-x11-server-sdk-1.20.3-150400.38.63.1
* xorg-x11-server-extra-1.20.3-150400.38.63.1
* xorg-x11-server-debugsource-1.20.3-150400.38.63.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
* xorg-x11-server-1.20.3-150400.38.63.1
* xorg-x11-server-debuginfo-1.20.3-150400.38.63.1
* xorg-x11-server-extra-debuginfo-1.20.3-150400.38.63.1
* xorg-x11-server-sdk-1.20.3-150400.38.63.1
* xorg-x11-server-extra-1.20.3-150400.38.63.1
* xorg-x11-server-debugsource-1.20.3-150400.38.63.1
* SUSE Manager Proxy 4.3 LTS (x86_64)
* xorg-x11-server-1.20.3-150400.38.63.1
* xorg-x11-server-debuginfo-1.20.3-150400.38.63.1
* xorg-x11-server-extra-debuginfo-1.20.3-150400.38.63.1
* xorg-x11-server-extra-1.20.3-150400.38.63.1
* xorg-x11-server-debugsource-1.20.3-150400.38.63.1
* SUSE Manager Retail Branch Server 4.3 LTS (x86_64)
* xorg-x11-server-1.20.3-150400.38.63.1
* xorg-x11-server-debuginfo-1.20.3-150400.38.63.1
* xorg-x11-server-extra-debuginfo-1.20.3-150400.38.63.1
* xorg-x11-server-extra-1.20.3-150400.38.63.1
* xorg-x11-server-debugsource-1.20.3-150400.38.63.1
* SUSE Manager Server 4.3 LTS (ppc64le s390x x86_64)
* xorg-x11-server-1.20.3-150400.38.63.1
* xorg-x11-server-debuginfo-1.20.3-150400.38.63.1
* xorg-x11-server-extra-debuginfo-1.20.3-150400.38.63.1
* xorg-x11-server-extra-1.20.3-150400.38.63.1
* xorg-x11-server-debugsource-1.20.3-150400.38.63.1
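To check whether a host already carries the fixed xorg-x11-server builds listed above, here is an added Python example (not part of the advisory or of SUSE's tooling) that compares `rpm -q` output against the fixed version-release strings using rpm's own version-ordering rules rather than a plain string comparison; the `rpm` output it parses is a constructed sample, and the comparison omits rpm's tilde/caret pre-release handling.

```python
import re

# Fixed version-release strings from the Package List of SUSE-SU-2025:3909-1.
FIXED = {"xorg-x11-server": "1.20.3-150400.38.63.1",
         "xorg-x11-server-extra": "1.20.3-150400.38.63.1"}

# Constructed sample of `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' ...` output
# (not captured from a real host): the first package lags one release behind the fix.
SAMPLE_RPM_OUTPUT = """xorg-x11-server-1.20.3-150400.38.62.1
xorg-x11-server-extra-1.20.3-150400.38.63.1
package xorg-x11-server-sdk is not installed
"""

def rpmvercmp(a, b):
    """Compare two rpm version (or release) strings like rpm's rpmvercmp():
    returns -1, 0 or 1. Simplified: tilde/caret pre-release rules are omitted."""
    if a == b:
        return 0
    # rpm splits on non-alphanumerics into all-digit or all-alpha runs.
    sa, sb = (re.findall(r"[0-9]+|[a-zA-Z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1          # numeric beats alphabetic
        if x.isdigit():
            if int(x) != int(y):                     # compare as numbers: 10 > 3
                return 1 if int(x) > int(y) else -1
        elif x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with more segments is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def needs_patch(installed_nvr, fixed_vr):
    """True when the installed name-version-release is older than the fixed
    version-release; the package name itself may contain dashes."""
    _, version, release = installed_nvr.rsplit("-", 2)
    fixed_version, fixed_release = fixed_vr.split("-", 1)
    c = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return c < 0

def audit(rpm_output, fixed=FIXED):
    """Return the installed NVRs still below this advisory's fixed versions."""
    stale = []
    for line in rpm_output.splitlines():
        line = line.strip()
        if not line or line.startswith("package "):  # "package X is not installed"
            continue
        name = line.rsplit("-", 2)[0]
        if name in fixed and needs_patch(line, fixed[name]):
            stale.append(line)
    return stale
```

Feed `audit()` the real `rpm -q` output for the package names in the list above; any NVR it returns is still on a pre-fix build and should receive the `zypper in -t patch` command for its product.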

## References:

* https://www.suse.com/security/cve/CVE-2025-62229.html
* https://www.suse.com/security/cve/CVE-2025-62230.html
* https://www.suse.com/security/cve/CVE-2025-62231.html
* https://bugzilla.suse.com/show_bug.cgi?id=1251958
* https://bugzilla.suse.com/show_bug.cgi?id=1251959
* https://bugzilla.suse.com/show_bug.cgi?id=1251960



SUSE-SU-2025:3911-1: moderate: Security update for rav1e


# Security update for rav1e

Announcement ID: SUSE-SU-2025:3911-1
Release Date: 2025-11-02T12:18:39Z
Rating: moderate
References:

* bsc#1196972

Cross-References:

* CVE-2022-24713

CVSS scores:

* CVE-2022-24713 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
* CVE-2022-24713 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:

* openSUSE Leap 15.4

An update that solves one vulnerability can now be installed.

## Description:

This update for rav1e fixes the following issues:

* CVE-2022-24713: Updated crate regex to 1.5.5 that resolves a ReDoS issue (bsc#1196972)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.4
zypper in -t patch SUSE-2025-3911=1

## Package List:

* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
* rav1e-0.5.1+0-150400.3.6.1
* rav1e-debugsource-0.5.1+0-150400.3.6.1
* librav1e0-0.5.1+0-150400.3.6.1
* rav1e-devel-0.5.1+0-150400.3.6.1
* librav1e0-debuginfo-0.5.1+0-150400.3.6.1
* rav1e-debuginfo-0.5.1+0-150400.3.6.1
* openSUSE Leap 15.4 (x86_64)
* librav1e0-32bit-debuginfo-0.5.1+0-150400.3.6.1
* librav1e0-32bit-0.5.1+0-150400.3.6.1
* openSUSE Leap 15.4 (aarch64_ilp32)
* librav1e0-64bit-0.5.1+0-150400.3.6.1
* librav1e0-64bit-debuginfo-0.5.1+0-150400.3.6.1

## References:

* https://www.suse.com/security/cve/CVE-2022-24713.html
* https://bugzilla.suse.com/show_bug.cgi?id=1196972



openSUSE-SU-2025-20003-1: critical: Security update for chromium


openSUSE security update: security update for chromium
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2025-20003-1
Rating: critical
References:

* bsc#1250472
* bsc#1250780
* bsc#1251334

Cross-References:

* CVE-2025-10890
* CVE-2025-10891
* CVE-2025-10892
* CVE-2025-11205
* CVE-2025-11206
* CVE-2025-11207
* CVE-2025-11208
* CVE-2025-11209
* CVE-2025-11210
* CVE-2025-11211
* CVE-2025-11212
* CVE-2025-11213
* CVE-2025-11215
* CVE-2025-11216
* CVE-2025-11219
* CVE-2025-11458
* CVE-2025-11460

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 17 vulnerabilities and has 3 bug fixes can now be installed.

Description:

This update for chromium fixes the following issues:

Chromium 141.0.7390.76:

* Do not send URLs as AIM input. This resolves a privacy concern around passing URLs to AI Mode.

Chromium 141.0.7390.65 (boo#1251334):

* CVE-2025-11458: Heap buffer overflow in Sync
* CVE-2025-11460: Use after free in Storage
* CVE-2025-11211: Out of bounds read in WebCodecs

Chromium 141.0.7390.54 (stable released 2025-09-30) (boo#1250780)

* CVE-2025-11205: Heap buffer overflow in WebGPU
* CVE-2025-11206: Heap buffer overflow in Video
* CVE-2025-11207: Side-channel information leakage in Storage
* CVE-2025-11208: Inappropriate implementation in Media
* CVE-2025-11209: Inappropriate implementation in Omnibox
* CVE-2025-11210: Side-channel information leakage in Tab
* CVE-2025-11211: Out of bounds read in Media
* CVE-2025-11212: Inappropriate implementation in Media
* CVE-2025-11213: Inappropriate implementation in Omnibox
* CVE-2025-11215: Off by one error in V8
* CVE-2025-11216: Inappropriate implementation in Storage
* CVE-2025-11219: Use after free in V8
* Various fixes from internal audits, fuzzing and other initiatives

Chromium 141.0.7390.37 (beta released 2025-09-24)

Chromium 140.0.7339.207 (boo#1250472)

* CVE-2025-10890: Side-channel information leakage in V8
* CVE-2025-10891: Integer overflow in V8
* CVE-2025-10892: Integer overflow in V8

Patch instructions:

To install this openSUSE security update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-packagehub-1=1

Package List:

- openSUSE Leap 16.0:

chromedriver-141.0.7390.76-bp160.1.1
chromium-141.0.7390.76-bp160.1.1

References:

* https://www.suse.com/security/cve/CVE-2025-10890.html
* https://www.suse.com/security/cve/CVE-2025-10891.html
* https://www.suse.com/security/cve/CVE-2025-10892.html
* https://www.suse.com/security/cve/CVE-2025-11205.html
* https://www.suse.com/security/cve/CVE-2025-11206.html
* https://www.suse.com/security/cve/CVE-2025-11207.html
* https://www.suse.com/security/cve/CVE-2025-11208.html
* https://www.suse.com/security/cve/CVE-2025-11209.html
* https://www.suse.com/security/cve/CVE-2025-11210.html
* https://www.suse.com/security/cve/CVE-2025-11211.html
* https://www.suse.com/security/cve/CVE-2025-11212.html
* https://www.suse.com/security/cve/CVE-2025-11213.html
* https://www.suse.com/security/cve/CVE-2025-11215.html
* https://www.suse.com/security/cve/CVE-2025-11216.html
* https://www.suse.com/security/cve/CVE-2025-11219.html
* https://www.suse.com/security/cve/CVE-2025-11458.html
* https://www.suse.com/security/cve/CVE-2025-11460.html



openSUSE-SU-2025-20000-1: moderate: Recommended update of flake-pilot


openSUSE security update: recommended update of flake-pilot
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2025-20000-1
Rating: moderate
References:

* bsc#1248004

Cross-References:

* CVE-2025-55159

CVSS scores:

* CVE-2025-55159 ( SUSE ): 5.8 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H
* CVE-2025-55159 ( SUSE ): 5.8 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves one vulnerability and has one bug fix can now be installed.

Description:

This update for flake-pilot fixes the following issues:

Update version to 3.1.22.

- Fixes to use flakes as normal user

Running a flake is a container based instance provisioning
and startup. Some part of this process requires root permissions
for example mounting the container instance store for the
provisioning step. This commit fixes the required calls to
be properly managed by sudo.

- seed from entropy

- Fix assignment of random sequence number

We should use a seed for the sequence as described in
https://rust-random.github.io/book/guide-seeding.html#a-simple-number
In addition the logic when a random sequence number should
be used was wrong and needed a fix regarding resume and
attach type flakes which must not use a random sequence

- Pass --init option for resume type flakes

In resume mode a sleep command is used to keep the container
open. However, without the --init option there is no signal
handling available. This commit fixes it

- Revert "kill prior remove when using %remove flag"

This reverts commit 06c7d4aa71f74865dfecba399fd08cc2fde2e1f2.
No hard killing needed with the event loop entrypoint.

- Fixed CVE-2025-55159 slab: incorrect bounds check

Update to slab 0.4.11 to fix the mentioned CVE.
This fixes bsc#1248004.

- Apply clippy fixes

- Create sequence number for the same invocation

If a flake which is not a resume or attach flake is called twice
with the same invocation arguments an error message is displayed
to give this invocation a new name via the @NAME runtime option.
This commit makes this more comfortable and automatically assigns
a random sequence number for the call if no @NAME is given.

- kill prior remove when using %remove flag

In case the container instance should be removed via the %remove
flag, send a kill first, followed by a force remove. The reason
for this is because we use a never ending sleep command as entry
point for resume type containers. If they should be removed the
standard signal send on podman rm will not stop the sleep and
after a period of 10 seconds podman sends a kill signal itself.
We can speed up this process as we know the entry point command
and send the kill signal first followed by the remove which
saves us some wait time spent in podman otherwise.

- Fix clippy hints

Variables can be used directly in the format! string.

- Prune old images after load

Make sure no image references stay in the registry

Patch instructions:

To install this openSUSE security update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-2=1

Package List:

- openSUSE Leap 16.0:

flake-pilot-3.1.22-160000.1.1
flake-pilot-firecracker-3.1.22-160000.1.1
flake-pilot-firecracker-dracut-netstart-3.1.22-160000.1.1
flake-pilot-firecracker-guestvm-tools-3.1.22-160000.1.1
flake-pilot-podman-3.1.22-160000.1.1

References:

* https://www.suse.com/security/cve/CVE-2025-55159.html



openSUSE-SU-2025:15698-1: moderate: redis-8.2.3-1.1 on GA media


# redis-8.2.3-1.1 on GA media

Announcement ID: openSUSE-SU-2025:15698-1
Rating: moderate

Cross-References:

* CVE-2025-62507

CVSS scores:

* CVE-2025-62507 ( SUSE ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-62507 ( SUSE ): 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the redis-8.2.3-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
* redis 8.2.3-1.1

## References:

* https://www.suse.com/security/cve/CVE-2025-62507.html