Security update for the Linux Kernel RT (Live Patch 2 for SLE 15 SP6)
This update for the Linux Kernel 6.4.0-150600108 fixes several issues. The following security issues were fixed: CVE-2025-38477: net/sched: sch_qfq: Fix race condition on qfq_aggregate (bsc#1247315). CVE-2024-53168: sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket (bsc#1243650). CVE-2024-5015...
CVE-2025-59152 X-Forwarded-For Header Spoofing Bypasses Litestar Rate Limiting
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. In version 2.17.0, rate limits can be completely bypassed by manipulating the X-Forwarded-For header. This renders IP-based rate limiting ineffective against determined attackers. Litestar's RateLimitMiddleware uses...
AZL-67919 CVE-2025-11083 affecting package binutils for versions less than 2.41-9
A vulnerability has been found in GNU Binutils 2.45. The affected element is the function elf_swap_shdr in the library bfd/elfcode.h of the component Linker. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed to the public an...
AZL-67925 CVE-2025-11082 affecting package crash for versions less than 8.0.4-5
A flaw has been found in GNU Binutils 2.45. Impacted is the function _bfd_elf_parse_eh_frame of the file bfd/elf-eh-frame.c of the component Linker. Executing manipulation can lead to heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be use...
SUSE-SU-2025:03315-1 Security update for the Linux Kernel RT (Live Patch 2 for SLE 15 SP6)
This update for the Linux Kernel 6.4.0-150600108 fixes several issues. The following security issues were fixed: - CVE-2024-49860: ACPI: sysfs: validate return type of _STR method (bsc#1231862). - CVE-2025-38177: sch_hfsc: make hfsc_qlen_notify() idempotent (bsc#1246356). - CVE-2025-38109: net/mlx5: fix ECVF...
PT-2025-39750
Name of the Vulnerable Software and Affected Versions: GNU Binutils versions prior to 2.46. Description: A flaw exists in the Linker component of GNU Binutils. Specifically, the issue resides within the elf_swap_shdr function located in the bfd/elfcode.h library. This can lead to a heap-based buffer...
CVE-2023-53364
In the Linux kernel, the following vulnerability has been resolved: regulator: da9063: better fix null deref with partial DT Two versions of the original patch were sent but V1 was merged instead of V2 due to a mistake. So update to V2. The advantage of V2 is that it completely avoids dereferenci...
CVE-2025-59142 color-string@2.1.1 contains malware after npm account takeover
color-string is a parser and generator for CSS color strings. On 8 September 2025, the npm publishing account for color-string was taken over after a phishing attack. Version 2.1.1 was published, functionally identical to the previous patch version, but with a malware payload added attempting to...
Security update for the Linux Kernel (Live Patch 2 for SLE 15 SP6)
This update for the Linux Kernel 6.4.0-1506002314 fixes several issues. The following security issues were fixed: CVE-2024-56664: bpf, sockmap: Fix race between element replace and close (bsc#1235250). CVE-2025-37797: net_sched: hfsc: Fix a UAF vulnerability in class handling (bsc#1245793)...
AZL-62426 CVE-2025-47947 affecting package mod_security 2.9.7-8
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case in stable released versions: when the payload's content type is application/json, and there is at...
SUSE CVE-2024-53861
pyjwt is a JSON Web Token implementation in Python. An incorrect string comparison is run for iss checking, resulting in "acb" being accepted for "abc". This is a bug introduced in version 2.10.0: checking the "iss" claim changed from isinstance(issuer, list) to isinstance(issuer, Sequence). Since st...
CVE-2023-48365
Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP requests on the backe...
Zyxel ATP Operating System Command Injection Vulnerability
Zyxel ATP is a firewall from Zyxel China. Zyxel ATP ZLD V5.00 to V5.36 Patch 2, USG FLEX ZLD V5.00 to V5.36 Patch 2, USG FLEX 50W / USG20W-VPN ZLD V5.00 to V5.36 Patch 2, VPN ZLD V5.00 to V5.36. An operating system command injection vulnerability exists in Patch 2 release, which stems from a...
CVE-2022-40980
A potential unauthenticated file deletion vulnerability on Trend Micro Mobile Security for Enterprise 9.8 SP5 could allow an attacker with access to the Management Server to delete files. This issue was resolved in 9.8 SP5 Critical Patch 2...
CVE-2022-36002
TensorFlow is an open source platform for machine learning. When Unbatch receives a nonscalar input id, it gives a CHECK fail that can trigger a denial of service attack. We have patched the issue in GitHub commit 4419d10d576adefa36b0e0a9425d2569f7c0189f. The fix will be included in TensorFlow...
GHSA-WC69-RHJR-HC9G Moment.js vulnerable to Inefficient Regular Expression Complexity
Impact: using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment...
PYSEC-2022-92
Tensorflow is an Open Source Machine Learning Framework. A malicious user can cause a denial of service by altering a SavedModel such that any binary op would trigger CHECK failures. This occurs when the protobuf part corresponding to the tensor arguments is modified such that the dtype no longer...
PYSEC-2021-277
TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can trigger a read from outside of bounds of heap allocated data by sending invalid arguments to tf.raw_ops.ResourceScatterUpdate. The implementation has an incomplete validation of the...
PYSEC-2021-712
TensorFlow is an end-to-end open source platform for machine learning. Optimized pooling implementations in TFLite fail to check that the stride arguments are not 0 before calling...
CVE-2020-29536
Archer before 6.8 P2 (6.8.0.2) is affected by a path exposure vulnerability. A remote authenticated malicious attacker with access to service files may obtain sensitive information to use it in further attacks...