Explore top 10 tips to secure your open-source projects now. Read More
×NNCP could allow unintended access to files.. ========================================================================== Ubuntu Security Notice USN-8359-1 June 01, 2026 nncp vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: NNCP could allow unintended access to files. Software Description: - nncp: package facilitating secure store-and-forward file and mail exchange Details: It was discovered that NNCP did not properly sanitize file paths in packet data during file requesting and file saving operations. A remote attacker could possibly use this issue to read or write arbitrary files outside of the intended directory. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 25.10 nncp 8.11.0-4+deb13u1build0.25.10.1 Ubuntu 24.04 LTS nncp 8.10.0-8ubuntu0.3+esm3 Available with Ubuntu Pro Ubuntu 22.04 LTS nncp 8.5.0-1ubuntu0.1+esm3 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8359-1 CVE-2025-60020 Package Information: https://launchpad.net/ubuntu/+source/nncp/8.11.0-4+deb13u1build0.25.10.1 . NNCP flaw in Ubuntu allows unauthorized file access. Update to protect against potential remote attacks now.. Ubuntu NNCP security Threat Protection File Access Remote Attacks. . Severity: Important. LinuxSecurity.com Team
NNCP could allow unintended access to files.. ========================================================================== Ubuntu Security Notice USN-8359-1 June 01, 2026 nncp vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: NNCP could allow unintended access to files. Software Description: - nncp: package facilitating secure store-and-forward file and mail exchange Details: It was discovered that NNCP did not properly sanitize file paths in packet data during file requesting and file saving operations. A remote attacker could possibly use this issue to read or write arbitrary files outside of the intended directory. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 25.10 nncp 8.11.0-4+deb13u1build0.25.10.1 Ubuntu 24.04 LTS nncp 8.10.0-8ubuntu0.3+esm3 Available with Ubuntu Pro Ubuntu 22.04 LTS nncp 8.5.0-1ubuntu0.1+esm3 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8359-1 CVE-2025-60020 Package Information: https://launchpad.net/ubuntu/+source/nncp/8.11.0-4+deb13u1build0.25.10.1 . NNCP vulnerability on Ubuntu allows unintended file access. Update your system to mitigate risks from CVE-2025-60020.. file access control, remote access security, NNCP update instructions. . Severity: Critical. LinuxSecurity.com Team
Update to release v5.1.4 Resolves: rhbz#2480186 Upstream fixes Update to release v5.1.3 Resolves rhbz#2458697. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-951a6725b8 2026-05-30 01:07:34.273912+00:00 -------------------------------------------------------------------------------- Name : docker-compose Product : Fedora 43 Version : 5.1.4 Release : 1.fc43 URL : https://github.com/docker/compose Summary : Define and run multi-container applications with Docker Description : Define and run multi-container applications with Docker. -------------------------------------------------------------------------------- Update Information: Update to release v5.1.4 Resolves: rhbz#2480186 Upstream fixes Update to release v5.1.3 Resolves rhbz#2458697 Resolves CVE-2026-33747: rhbz#2452188, rhbz#2452199 Resolves CVE-2026-33748: rhbz#2453089 Upstream fixes -------------------------------------------------------------------------------- ChangeLog: * Wed May 20 2026 Bradley G Smith - 5.1.4-1 - Update to release v5.1.4 - Resolves: rhbz#2480186 - Upstream fixes * Wed Apr 15 2026 Bradley G Smith - 5.1.3-1 - Update to release v5.1.3 - Resolves rhbz#2458697 - Resolves CVE-2026-33747: rhbz#2452188, rhbz#2452199 - Resolves CVE-2026-33748: rhbz#2453089 - Upstream fixes -------------------------------------------------------------------------------- References: [ 1 ] Bug #2452188 - CVE-2026-33747 docker-compose: BuildKit: Arbitrary file write and code execution via untrusted frontend [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2452188 [ 2 ] Bug #2452199 - CVE-2026-33747 docker-compose: BuildKit: Arbitrary file write and code execution via untrusted frontend [fedora-43] https://bugzilla.redhat.com/show_bug.cgi?id=2452199 [ 3 ] Bug #2453089 - CVE-2026-33748 docker-compose: BuildKit: Unauthorized file access via Git URL fragment subdir components[fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2453089 [ 4 ] Bug #2458697 - docker-compose-5.1.3 is available https://bugzilla.redhat.com/show_bug.cgi?id=2458697 [ 5 ] Bug #2480186 - docker-compose-5.1.4 is available https://bugzilla.redhat.com/show_bug.cgi?id=2480186 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-951a6725b8' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Several security issues were fixed in Docker.. ========================================================================== Ubuntu Security Notice USN-8230-1 May 06, 2026 docker.io-app vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Docker. Software Description: - docker.io-app: Linux container runtime Details: It was discovered that BuildKit, contained within Docker, incorrectly handled file path validation when processing frontend API messages. An attacker could possibly use this issue to write files outside of the intended state directory. (CVE-2026-33747) It was discovered that BuildKit, contained within Docker, incorrectly validated the subdir component of Git URL fragments. An attacker could possibly use this issue to access files outside of the checked-out repository root. (CVE-2026-33748) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS docker.io 29.1.3-0ubuntu4.1 Ubuntu 24.04 LTS docker.io 29.1.3-0ubuntu3~24.04.2 Ubuntu 22.04 LTS docker.io 29.1.3-0ubuntu3~22.04.2 Ubuntu 20.04 LTS docker.io 26.1.3-0ubuntu1~20.04.1+esm2 Available with Ubuntu Pro After a standard system update you need to restart Docker to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8230-1 CVE-2026-33747, CVE-2026-33748 Package Information: https://launchpad.net/ubuntu/+source/docker.io-app/29.1.3-0ubuntu4.1 https://launchpad.net/ubuntu/+source/docker.io-app/29.1.3-0ubuntu3~24.04.2 https://launchpad.net/ubuntu/+source/docker.io-app/29.1.3-0ubuntu3~22.04.2 . ==========================================================================Ubuntu Security Notice US. security, docker, ======================================================. . Severity: Critical. LinuxSecurity.com Team
An update that solves two vulnerabilities can now be installed.. # Security update for flatpak Announcement ID: SUSE-SU-2026:1541-1 Release Date: 2026-04-22T07:22:36Z Rating: important References: * bsc#1261769 * bsc#1261770 Cross-References: * CVE-2026-34078 * CVE-2026-34079 CVSS scores: * CVE-2026-34078 ( SUSE ): 6.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H * CVE-2026-34078 ( SUSE ): 8.2 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H * CVE-2026-34078 ( NVD ): 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-34079 ( SUSE ): 4.1 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N * CVE-2026-34079 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:L * CVE-2026-34079 ( NVD ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-34079 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N * CVE-2026-34079 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Affected Products: * openSUSE Leap 15.5 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux Enterprise Server 15 SP5 LTSS * SUSE Linux Enterprise Server for SAP Applications 15 SP5 An update that solves two vulnerabilities can now be installed. ## Description: This update for flatpak fixes the following issues: * CVE-2026-34078: improper processing of app-controlled symlinks by sandbox- expose can lead to sandbox escape, host file access and code execution in the host context (bsc#1261769). * CVE-2026-34079: improper removal of outdated cache filesallows for arbitrary file deletion on the host filesystem (bsc#1261770). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.5 zypper in -t patch SUSE-2026-1541=1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-1541=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-1541=1 * SUSE Linux Enterprise Server 15 SP5 LTSS zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-1541=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2026-1541=1 ## Package List: * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64 i586) * libflatpak0-1.16.0-150500.3.18.1 * flatpak-debuginfo-1.16.0-150500.3.18.1 * flatpak-debugsource-1.16.0-150500.3.18.1 * flatpak-devel-1.16.0-150500.3.18.1 * flatpak-1.16.0-150500.3.18.1 * libflatpak0-debuginfo-1.16.0-150500.3.18.1 * typelib-1_0-Flatpak-1_0-1.16.0-150500.3.18.1 * openSUSE Leap 15.5 (noarch) * flatpak-zsh-completion-1.16.0-150500.3.18.1 * flatpak-remote-flathub-1.16.0-150500.3.18.1 * system-user-flatpak-1.16.0-150500.3.18.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64 x86_64) * libflatpak0-1.16.0-150500.3.18.1 * flatpak-debuginfo-1.16.0-150500.3.18.1 * flatpak-debugsource-1.16.0-150500.3.18.1 * flatpak-devel-1.16.0-150500.3.18.1 * flatpak-1.16.0-150500.3.18.1 * libflatpak0-debuginfo-1.16.0-150500.3.18.1 * typelib-1_0-Flatpak-1_0-1.16.0-150500.3.18.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (noarch) * flatpak-zsh-completion-1.16.0-150500.3.18.1 * flatpak-remote-flathub-1.16.0-150500.3.18.1 *system-user-flatpak-1.16.0-150500.3.18.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (aarch64 x86_64) * libflatpak0-1.16.0-150500.3.18.1 * flatpak-debuginfo-1.16.0-150500.3.18.1 * flatpak-debugsource-1.16.0-150500.3.18.1 * flatpak-devel-1.16.0-150500.3.18.1 * flatpak-1.16.0-150500.3.18.1 * libflatpak0-debuginfo-1.16.0-150500.3.18.1 * typelib-1_0-Flatpak-1_0-1.16.0-150500.3.18.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (noarch) * flatpak-zsh-completion-1.16.0-150500.3.18.1 * flatpak-remote-flathub-1.16.0-150500.3.18.1 * system-user-flatpak-1.16.0-150500.3.18.1 * SUSE Linux Enterprise Server 15 SP5 LTSS (aarch64 ppc64le s390x x86_64) * libflatpak0-1.16.0-150500.3.18.1 * flatpak-debuginfo-1.16.0-150500.3.18.1 * flatpak-debugsource-1.16.0-150500.3.18.1 * flatpak-devel-1.16.0-150500.3.18.1 * flatpak-1.16.0-150500.3.18.1 * libflatpak0-debuginfo-1.16.0-150500.3.18.1 * typelib-1_0-Flatpak-1_0-1.16.0-150500.3.18.1 * SUSE Linux Enterprise Server 15 SP5 LTSS (noarch) * flatpak-zsh-completion-1.16.0-150500.3.18.1 * flatpak-remote-flathub-1.16.0-150500.3.18.1 * system-user-flatpak-1.16.0-150500.3.18.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 (ppc64le x86_64) * libflatpak0-1.16.0-150500.3.18.1 * flatpak-debuginfo-1.16.0-150500.3.18.1 * flatpak-debugsource-1.16.0-150500.3.18.1 * flatpak-devel-1.16.0-150500.3.18.1 * flatpak-1.16.0-150500.3.18.1 * libflatpak0-debuginfo-1.16.0-150500.3.18.1 * typelib-1_0-Flatpak-1_0-1.16.0-150500.3.18.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 (noarch) * flatpak-zsh-completion-1.16.0-150500.3.18.1 * flatpak-remote-flathub-1.16.0-150500.3.18.1 * system-user-flatpak-1.16.0-150500.3.18.1 ## References: * https://www.suse.com/security/cve/CVE-2026-34078.html * https://www.suse.com/security/cve/CVE-2026-34079.html * https://bugzilla.suse.com/show_bug.cgi?id=1261769 *https://bugzilla.suse.com/show_bug.cgi?id=1261770 . Critical update for flatpak addresses important security issues in SUSE, enhancing host system protection against exploits.. flatpak security update,suse vulnerabilities,suse flatpak patch. . Severity: Important. LinuxSecurity.com Team
An update that solves two vulnerabilities can now be installed.. # Security update for strongswan Announcement ID: SUSE-SU-2026:21203-1 Release Date: 2026-04-16T09:06:50Z Rating: important References: * bsc#1257359 * bsc#1259472 Cross-References: * CVE-2025-9615 * CVE-2026-25075 CVSS scores: * CVE-2025-9615 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N * CVE-2025-9615 ( NVD ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N * CVE-2026-25075 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-25075 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-25075 ( NVD ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-25075 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: * SUSE Linux Enterprise Server 16.0 * SUSE Linux Enterprise Server for SAP applications 16.0 An update that solves two vulnerabilities can now be installed. ## Description: This update for strongswan fixes the following issues: Update to strongswan 6.0.4: * CVE-2025-9615: NetworkManager File Access (bsc#1257359). * CVE-2026-25075: Integer Underflow When Handling EAP-TTLS AVP (bsc#1259472). Changes for strongswan: * Fixed a vulnerability in the NetworkManager plugin that potentially allows using credentials of other local users. This vulnerability has been registered as CVE-2025-9615. * The maximum supported length for section names in swanctl.conf has been increased to the upper limit of 256 characters that's enforced by VICI. * Prevent a crash if a confused peer rekeys a Child SA twice before sending a delete. * Fixed a memory leak if a peer's self-signed certificate is untrusted. ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypperpatch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise Server 16.0 zypper in -t patch SUSE-SLES-16.0-570=1 * SUSE Linux Enterprise Server for SAP applications 16.0 zypper in -t patch SUSE-SLES-16.0-570=1 ## Package List: * SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64) * strongswan-sqlite-6.0.4-160000.1.1 * strongswan-fips-6.0.4-160000.1.1 * strongswan-6.0.4-160000.1.1 * strongswan-ipsec-debuginfo-6.0.4-160000.1.1 * strongswan-mysql-6.0.4-160000.1.1 * strongswan-nm-6.0.4-160000.1.1 * strongswan-ipsec-6.0.4-160000.1.1 * strongswan-nm-debuginfo-6.0.4-160000.1.1 * strongswan-sqlite-debuginfo-6.0.4-160000.1.1 * strongswan-mysql-debuginfo-6.0.4-160000.1.1 * strongswan-debugsource-6.0.4-160000.1.1 * strongswan-debuginfo-6.0.4-160000.1.1 * SUSE Linux Enterprise Server 16.0 (noarch) * strongswan-doc-6.0.4-160000.1.1 * SUSE Linux Enterprise Server for SAP applications 16.0 (ppc64le x86_64) * strongswan-sqlite-6.0.4-160000.1.1 * strongswan-fips-6.0.4-160000.1.1 * strongswan-6.0.4-160000.1.1 * strongswan-ipsec-debuginfo-6.0.4-160000.1.1 * strongswan-mysql-6.0.4-160000.1.1 * strongswan-nm-6.0.4-160000.1.1 * strongswan-ipsec-6.0.4-160000.1.1 * strongswan-nm-debuginfo-6.0.4-160000.1.1 * strongswan-sqlite-debuginfo-6.0.4-160000.1.1 * strongswan-mysql-debuginfo-6.0.4-160000.1.1 * strongswan-debugsource-6.0.4-160000.1.1 * strongswan-debuginfo-6.0.4-160000.1.1 * SUSE Linux Enterprise Server for SAP applications 16.0 (noarch) * strongswan-doc-6.0.4-160000.1.1 ## References: * https://www.suse.com/security/cve/CVE-2025-9615.html * https://www.suse.com/security/cve/CVE-2026-25075.html * https://bugzilla.suse.com/show_bug.cgi?id=1257359 * https://bugzilla.suse.com/show_bug.cgi?id=1259472 . Update for strongswan resolves important vulnerabilities related to file access and integer underflow in SUSE.. SUSE Update, strongswan,vulnerability fix, security update, important patch. . Severity: Important. LinuxSecurity.com Team
The Internet Archive Python Library would allow unintended access to files.. ========================================================================== Ubuntu Security Notice USN-7989-1 February 02, 2026 python-internetarchive vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: The Internet Archive Python Library would allow unintended access to files. Software Description: - python-internetarchive: A Python and Command-Line Interface to Archive.org Details: Pengo Wray discovered that The Internet Archive Python Library incorrectly handled certain file paths when downloading files. An attacker could possibly use this issue to write files to arbitrary locations on the file system. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 25.10 internetarchive 5.4.0-1ubuntu0.1 python3-internetarchive 5.4.0-1ubuntu0.1 Ubuntu 24.04 LTS internetarchive 3.5.0-1ubuntu0.1~esm1 Available with Ubuntu Pro python3-internetarchive 3.5.0-1ubuntu0.1~esm1 Available with Ubuntu Pro Ubuntu 22.04 LTS internetarchive 1.9.9-1ubuntu0.1 python3-internetarchive 1.9.9-1ubuntu0.1 Ubuntu 20.04 LTS internetarchive 1.9.0-3ubuntu0.1~esm1 Available with Ubuntu Pro python3-internetarchive 1.9.0-3ubuntu0.1~esm1 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7989-1 CVE-2025-58438 Package Information: https://launchpad.net/ubuntu/+source/python-internetarchive/5.4.0-1ubuntu0.1 https://launchpad.net/ubuntu/+source/python-internetarchive/1.9.9-1ubuntu0.1 . The Internet Archive Python Library has a security issue allowing unintended file access in multiple Ubuntu releases. Update necessary.. Python Library, Internet Archive, Ubuntu Security, File Access Issue, Ubuntu Update. . Severity: Important. LinuxSecurity.com Team
* bsc#1241772 * bsc#1250683 * bsc#1253181 * bsc#1253185 * bsc#1253186 . # Security update for kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t Announcement ID: SUSE-SU-2025:4330-1 Release Date: 2025-12-09T11:34:00Z Rating: important References: * bsc#1241772 * bsc#1250683 * bsc#1253181 * bsc#1253185 * bsc#1253186 * bsc#1253194 * bsc#1253384 * bsc#1253748 Cross-References: * CVE-2025-22872 * CVE-2025-64324 * CVE-2025-64432 * CVE-2025-64433 * CVE-2025-64434 * CVE-2025-64437 CVSS scores: * CVE-2025-22872 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L * CVE-2025-22872 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L * CVE-2025-22872 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L * CVE-2025-64324 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2025-64324 ( SUSE ): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N * CVE-2025-64324 ( NVD ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2025-64324 ( NVD ): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N * CVE-2025-64432 ( SUSE ): 5.8 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N * CVE-2025-64432 ( SUSE ): 5.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H * CVE-2025-64432 ( NVD ): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2025-64432 ( NVD ): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2025-64433 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2025-64433 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N *CVE-2025-64433 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N * CVE-2025-64434 ( SUSE ): 5.8 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N * CVE-2025-64434 ( SUSE ): 6.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H * CVE-2025-64434 ( NVD ): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2025-64434 ( NVD ): 6.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H * CVE-2025-64437 ( SUSE ): 1.8 CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N * CVE-2025-64437 ( SUSE ): 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L * CVE-2025-64437 ( NVD ): 5.0 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L Affected Products: * Containers Module 15-SP7 * SUSE Linux Enterprise Real Time 15 SP7 * SUSE Linux Enterprise Server 15 SP7 * SUSE Linux Enterprise Server for SAP Applications 15 SP7 An update that solves six vulnerabilities and has two security fixes can now be installed. ## Description: This update for kubevirt, virt-api-container, virt-controller-container, virt- exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator- container, virt-pr-helper-container fixes the following issues: Updated kubevirt to version 1.6.3: * CVE-2025-22872: Fixed incorrect interpretation of tags leading content to be placed wrong scope during DOM construction in golang.org/x/net/html (bsc#1241772) * CVE-2025-64432: Fixed bypass of RBAC controls due to incorrect validation of certain fields in the client TLS certificate (bsc#1253181) * CVE-2025-64433: Fixed arbitrary files read via improper symlink handling (bsc#1253185) * CVE-2025-64434: Fixed privilege escalation via virt-api impersonification due to compromise virt-handler instance (bsc#1253186) * CVE-2025-64437: Fixed mishandling of symlinks (bsc#1253194) * CVE-2025-64324: Fixed a logic bug that allows an attacker to read and write arbitrary files owned by more privilegedusers (bsc#1253748) ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * Containers Module 15-SP7 zypper in -t patch SUSE-SLE-Module-Containers-15-SP7-2025-4330=1 ## Package List: * Containers Module 15-SP7 (aarch64 x86_64) * kubevirt-virtctl-debuginfo-1.6.3-150700.3.13.1 * kubevirt-virtctl-1.6.3-150700.3.13.1 * kubevirt-manifests-1.6.3-150700.3.13.1 ## References: * https://www.suse.com/security/cve/CVE-2025-22872.html * https://www.suse.com/security/cve/CVE-2025-64324.html * https://www.suse.com/security/cve/CVE-2025-64432.html * https://www.suse.com/security/cve/CVE-2025-64433.html * https://www.suse.com/security/cve/CVE-2025-64434.html * https://www.suse.com/security/cve/CVE-2025-64437.html * https://bugzilla.suse.com/show_bug.cgi?id=1241772 * https://bugzilla.suse.com/show_bug.cgi?id=1250683 * https://bugzilla.suse.com/show_bug.cgi?id=1253181 * https://bugzilla.suse.com/show_bug.cgi?id=1253185 * https://bugzilla.suse.com/show_bug.cgi?id=1253186 * https://bugzilla.suse.com/show_bug.cgi?id=1253194 * https://bugzilla.suse.com/show_bug.cgi?id=1253384 * https://bugzilla.suse.com/show_bug.cgi?id=1253748 . SUSE updates for kubevirt and related containers address multiple security flaws affecting container operations.. Kubevirt Security SUSE Update CVE Container. . Severity: Important. LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.