
SUSE has released several security updates for SUSE Linux: a critical update for python-Django, important updates for libsoup2, python312 and webkit2gtk3, and moderate updates for nodejs20, curl and socat.

SUSE-SU-2024:4285-1: critical: Security update for python-Django
SUSE-SU-2024:4290-1: important: Security update for libsoup2
SUSE-SU-2024:4286-1: moderate: Security update for nodejs20
SUSE-SU-2024:4291-1: important: Security update for python312
SUSE-SU-2024:4292-1: important: Security update for webkit2gtk3
SUSE-SU-2024:4288-1: moderate: Security update for curl
SUSE-SU-2024:4295-1: moderate: Security update for socat




SUSE-SU-2024:4285-1: critical: Security update for python-Django


# Security update for python-Django

Announcement ID: SUSE-SU-2024:4285-1
Release Date: 2024-12-11T08:30:27Z
Rating: critical
References:

* bsc#1234231
* bsc#1234232

Cross-References:

* CVE-2024-53907
* CVE-2024-53908

CVSS scores:

* CVE-2024-53907 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-53907 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-53908 ( SUSE ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2024-53908 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:

* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Package Hub 15 15-SP6

An update that solves two vulnerabilities can now be installed.

## Description:

This update for python-Django fixes the following issues:

* CVE-2024-53907: Fixed denial-of-service in django.utils.html.strip_tags()
(bsc#1234232)
* CVE-2024-53908: Fixed SQL injection in HasKey(lhs, rhs) on Oracle
(bsc#1234231)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.6
zypper in -t patch SUSE-2024-4285=1 openSUSE-SLE-15.6-2024-4285=1

* SUSE Package Hub 15 15-SP6
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-4285=1

## Package List:

* openSUSE Leap 15.6 (noarch)
* python311-Django-4.2.11-150600.3.12.1
* SUSE Package Hub 15 15-SP6 (noarch)
* python311-Django-4.2.11-150600.3.12.1

## References:

* https://www.suse.com/security/cve/CVE-2024-53907.html
* https://www.suse.com/security/cve/CVE-2024-53908.html
* https://bugzilla.suse.com/show_bug.cgi?id=1234231
* https://bugzilla.suse.com/show_bug.cgi?id=1234232



SUSE-SU-2024:4290-1: important: Security update for libsoup2


# Security update for libsoup2

Announcement ID: SUSE-SU-2024:4290-1
Release Date: 2024-12-11T11:10:48Z
Rating: important
References:

* bsc#1233285
* bsc#1233287
* bsc#1233292

Cross-References:

* CVE-2024-52530
* CVE-2024-52531
* CVE-2024-52532

CVSS scores:

* CVE-2024-52530 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2024-52530 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2024-52530 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2024-52531 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2024-52531 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2024-52531 ( NVD ): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-52532 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2024-52532 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-52532 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:

* Basesystem Module 15-SP6
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves three vulnerabilities can now be installed.

## Description:

This update for libsoup2 fixes the following issues:

* CVE-2024-52530: Fixed HTTP request smuggling via stripping null bytes from
the ends of header names (bsc#1233285)
* CVE-2024-52531: Fixed buffer overflow via UTF-8 conversion in
soup_header_parse_param_list_strict (bsc#1233292)
* CVE-2024-52532: Fixed infinite loop while reading websocket data
(bsc#1233287)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.6
zypper in -t patch SUSE-2024-4290=1 openSUSE-SLE-15.6-2024-4290=1

* Basesystem Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP6-2024-4290=1

## Package List:

* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
* libsoup-2_4-1-debuginfo-2.74.3-150600.4.3.1
* libsoup-2_4-1-2.74.3-150600.4.3.1
* typelib-1_0-Soup-2_4-2.74.3-150600.4.3.1
* libsoup2-debugsource-2.74.3-150600.4.3.1
* libsoup2-devel-2.74.3-150600.4.3.1
* openSUSE Leap 15.6 (x86_64)
* libsoup2-devel-32bit-2.74.3-150600.4.3.1
* libsoup-2_4-1-32bit-debuginfo-2.74.3-150600.4.3.1
* libsoup-2_4-1-32bit-2.74.3-150600.4.3.1
* openSUSE Leap 15.6 (noarch)
* libsoup2-lang-2.74.3-150600.4.3.1
* openSUSE Leap 15.6 (aarch64_ilp32)
* libsoup-2_4-1-64bit-2.74.3-150600.4.3.1
* libsoup-2_4-1-64bit-debuginfo-2.74.3-150600.4.3.1
* libsoup2-devel-64bit-2.74.3-150600.4.3.1
* Basesystem Module 15-SP6 (aarch64 ppc64le s390x x86_64)
* libsoup-2_4-1-debuginfo-2.74.3-150600.4.3.1
* libsoup-2_4-1-2.74.3-150600.4.3.1
* typelib-1_0-Soup-2_4-2.74.3-150600.4.3.1
* libsoup2-debugsource-2.74.3-150600.4.3.1
* libsoup2-devel-2.74.3-150600.4.3.1
* Basesystem Module 15-SP6 (noarch)
* libsoup2-lang-2.74.3-150600.4.3.1

## References:

* https://www.suse.com/security/cve/CVE-2024-52530.html
* https://www.suse.com/security/cve/CVE-2024-52531.html
* https://www.suse.com/security/cve/CVE-2024-52532.html
* https://bugzilla.suse.com/show_bug.cgi?id=1233285
* https://bugzilla.suse.com/show_bug.cgi?id=1233287
* https://bugzilla.suse.com/show_bug.cgi?id=1233292



SUSE-SU-2024:4286-1: moderate: Security update for nodejs20


# Security update for nodejs20

Announcement ID: SUSE-SU-2024:4286-1
Release Date: 2024-12-11T08:30:46Z
Rating: moderate
References:

* bsc#1233856

Cross-References:

* CVE-2024-21538

CVSS scores:

* CVE-2024-21538 ( SUSE ): 5.6
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2024-21538 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2024-21538 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:

* openSUSE Leap 15.6
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* Web and Scripting Module 15-SP6

An update that solves one vulnerability can now be installed.

## Description:

This update for nodejs20 fixes the following issues:

* CVE-2024-21538: Fixed regular expression denial of service in cross-spawn
dependency (bsc#1233856)

Other fixes:

* Updated to 20.18.1:
  * Experimental Network Inspection Support in Node.js
  * Exposes X509_V_FLAG_PARTIAL_CHAIN to tls.createSecureContext
  * New option for vm.createContext() to create a context with a freezable globalThis
  * buffer: optimize createFromString
* Changes in 20.17.0:
  * module: support require()ing synchronous ESM graphs
  * path: add matchesGlob method
  * stream: expose DuplexPair API
* Changes in 20.16.0:
  * process: add process.getBuiltinModule(id)
  * inspector: fix disable async hooks on Debugger.setAsyncCallStackDepth
  * buffer: add .bytes() method to Blob

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.6
zypper in -t patch SUSE-2024-4286=1 openSUSE-SLE-15.6-2024-4286=1

* Web and Scripting Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP6-2024-4286=1

## Package List:

* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
* nodejs20-debugsource-20.18.1-150600.3.6.1
* nodejs20-devel-20.18.1-150600.3.6.1
* nodejs20-20.18.1-150600.3.6.1
* nodejs20-debuginfo-20.18.1-150600.3.6.1
* corepack20-20.18.1-150600.3.6.1
* npm20-20.18.1-150600.3.6.1
* openSUSE Leap 15.6 (noarch)
* nodejs20-docs-20.18.1-150600.3.6.1
* Web and Scripting Module 15-SP6 (aarch64 ppc64le s390x x86_64)
* nodejs20-debugsource-20.18.1-150600.3.6.1
* nodejs20-devel-20.18.1-150600.3.6.1
* nodejs20-20.18.1-150600.3.6.1
* nodejs20-debuginfo-20.18.1-150600.3.6.1
* npm20-20.18.1-150600.3.6.1
* Web and Scripting Module 15-SP6 (noarch)
* nodejs20-docs-20.18.1-150600.3.6.1

## References:

* https://www.suse.com/security/cve/CVE-2024-21538.html
* https://bugzilla.suse.com/show_bug.cgi?id=1233856



SUSE-SU-2024:4291-1: important: Security update for python312


# Security update for python312

Announcement ID: SUSE-SU-2024:4291-1
Release Date: 2024-12-11T11:24:51Z
Rating: important
References:

* bsc#1231795
* bsc#1234290

Cross-References:

* CVE-2024-12254

CVSS scores:

* CVE-2024-12254 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2024-12254 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-12254 ( NVD ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Affected Products:

* openSUSE Leap 15.6
* Python 3 Module 15-SP6
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves one vulnerability and has one security fix can now be
installed.

## Description:

This update for python312 fixes the following issues:

* CVE-2024-12254: Fixed unbounded memory buffering in
SelectorSocketTransport.writelines() (bsc#1234290)

Other fixes:

* Updated to version 3.12.8
* Remove -IVendor/ from python-config (bsc#1231795)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.6
zypper in -t patch SUSE-2024-4291=1 openSUSE-SLE-15.6-2024-4291=1

* Python 3 Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Python3-15-SP6-2024-4291=1

## Package List:

* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
* python312-doc-devhelp-3.12.8-150600.3.12.1
* python312-tools-3.12.8-150600.3.12.1
* libpython3_12-1_0-debuginfo-3.12.8-150600.3.12.1
* python312-dbm-debuginfo-3.12.8-150600.3.12.1
* python312-tk-3.12.8-150600.3.12.1
* python312-idle-3.12.8-150600.3.12.1
* python312-base-3.12.8-150600.3.12.1
* python312-curses-3.12.8-150600.3.12.1
* python312-testsuite-debuginfo-3.12.8-150600.3.12.1
* python312-debugsource-3.12.8-150600.3.12.1
* libpython3_12-1_0-3.12.8-150600.3.12.1
* python312-tk-debuginfo-3.12.8-150600.3.12.1
* python312-testsuite-3.12.8-150600.3.12.1
* python312-3.12.8-150600.3.12.1
* python312-curses-debuginfo-3.12.8-150600.3.12.1
* python312-doc-3.12.8-150600.3.12.1
* python312-base-debuginfo-3.12.8-150600.3.12.1
* python312-dbm-3.12.8-150600.3.12.1
* python312-debuginfo-3.12.8-150600.3.12.1
* python312-devel-3.12.8-150600.3.12.1
* python312-core-debugsource-3.12.8-150600.3.12.1
* openSUSE Leap 15.6 (x86_64)
* python312-32bit-3.12.8-150600.3.12.1
* libpython3_12-1_0-32bit-debuginfo-3.12.8-150600.3.12.1
* libpython3_12-1_0-32bit-3.12.8-150600.3.12.1
* python312-base-32bit-debuginfo-3.12.8-150600.3.12.1
* python312-32bit-debuginfo-3.12.8-150600.3.12.1
* python312-base-32bit-3.12.8-150600.3.12.1
* openSUSE Leap 15.6 (aarch64_ilp32)
* python312-64bit-debuginfo-3.12.8-150600.3.12.1
* libpython3_12-1_0-64bit-debuginfo-3.12.8-150600.3.12.1
* python312-64bit-3.12.8-150600.3.12.1
* python312-base-64bit-3.12.8-150600.3.12.1
* python312-base-64bit-debuginfo-3.12.8-150600.3.12.1
* libpython3_12-1_0-64bit-3.12.8-150600.3.12.1
* Python 3 Module 15-SP6 (aarch64 ppc64le s390x x86_64)
* python312-dbm-debuginfo-3.12.8-150600.3.12.1
* python312-tk-debuginfo-3.12.8-150600.3.12.1
* python312-3.12.8-150600.3.12.1
* python312-curses-debuginfo-3.12.8-150600.3.12.1
* python312-debugsource-3.12.8-150600.3.12.1
* python312-tools-3.12.8-150600.3.12.1
* python312-tk-3.12.8-150600.3.12.1
* python312-devel-3.12.8-150600.3.12.1
* python312-curses-3.12.8-150600.3.12.1
* python312-base-debuginfo-3.12.8-150600.3.12.1
* libpython3_12-1_0-3.12.8-150600.3.12.1
* python312-idle-3.12.8-150600.3.12.1
* python312-dbm-3.12.8-150600.3.12.1
* python312-debuginfo-3.12.8-150600.3.12.1
* python312-core-debugsource-3.12.8-150600.3.12.1
* python312-base-3.12.8-150600.3.12.1
* libpython3_12-1_0-debuginfo-3.12.8-150600.3.12.1

## References:

* https://www.suse.com/security/cve/CVE-2024-12254.html
* https://bugzilla.suse.com/show_bug.cgi?id=1231795
* https://bugzilla.suse.com/show_bug.cgi?id=1234290



SUSE-SU-2024:4292-1: important: Security update for webkit2gtk3


# Security update for webkit2gtk3

Announcement ID: SUSE-SU-2024:4292-1
Release Date: 2024-12-11T11:41:37Z
Rating: important
References:

* bsc#1233631
* bsc#1233632

Cross-References:

* CVE-2024-44308
* CVE-2024-44309

CVSS scores:

* CVE-2024-44308 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2024-44308 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2024-44309 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2024-44309 ( NVD ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
* CVE-2024-44309 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Products:

* Basesystem Module 15-SP6
* Desktop Applications Module 15-SP6
* Development Tools Module 15-SP6
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves two vulnerabilities can now be installed.

## Description:

This update for webkit2gtk3 fixes the following issues:

* CVE-2024-44308: Fixed processing maliciously crafted web content that may
lead to arbitrary code execution (bsc#1233631)
* CVE-2024-44309: Fixed data isolation bypass vulnerability (bsc#1233632)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.6
zypper in -t patch SUSE-2024-4292=1 openSUSE-SLE-15.6-2024-4292=1

* Basesystem Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP6-2024-4292=1

* Desktop Applications Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP6-2024-4292=1

* Development Tools Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP6-2024-4292=1

## Package List:

* openSUSE Leap 15.6 (noarch)
* WebKitGTK-6.0-lang-2.46.3-150600.12.21.1
* WebKitGTK-4.0-lang-2.46.3-150600.12.21.1
* WebKitGTK-4.1-lang-2.46.3-150600.12.21.1
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
* webkit2gtk3-soup2-devel-2.46.3-150600.12.21.1
* libwebkitgtk-6_0-4-debuginfo-2.46.3-150600.12.21.1
* typelib-1_0-WebKit2WebExtension-4_1-2.46.3-150600.12.21.1
* webkit2gtk4-minibrowser-2.46.3-150600.12.21.1
* typelib-1_0-WebKitWebProcessExtension-6_0-2.46.3-150600.12.21.1
* libjavascriptcoregtk-6_0-1-debuginfo-2.46.3-150600.12.21.1
* libjavascriptcoregtk-4_1-0-debuginfo-2.46.3-150600.12.21.1
* webkit2gtk-4_0-injected-bundles-2.46.3-150600.12.21.1
* webkitgtk-6_0-injected-bundles-debuginfo-2.46.3-150600.12.21.1
* typelib-1_0-WebKit2-4_0-2.46.3-150600.12.21.1
* webkit-jsc-4.1-2.46.3-150600.12.21.1
* webkit2gtk4-devel-2.46.3-150600.12.21.1
* webkit-jsc-4-debuginfo-2.46.3-150600.12.21.1
* webkit2gtk3-soup2-minibrowser-2.46.3-150600.12.21.1
* webkit2gtk-4_1-injected-bundles-debuginfo-2.46.3-150600.12.21.1
* libwebkit2gtk-4_1-0-debuginfo-2.46.3-150600.12.21.1
* webkit-jsc-4.1-debuginfo-2.46.3-150600.12.21.1
* webkit-jsc-6.0-2.46.3-150600.12.21.1
* webkit-jsc-4-2.46.3-150600.12.21.1
* webkit2gtk3-soup2-debugsource-2.46.3-150600.12.21.1
* typelib-1_0-JavaScriptCore-6_0-2.46.3-150600.12.21.1
* typelib-1_0-WebKit2WebExtension-4_0-2.46.3-150600.12.21.1
* libwebkit2gtk-4_0-37-2.46.3-150600.12.21.1
* webkit2gtk3-minibrowser-debuginfo-2.46.3-150600.12.21.1
* libjavascriptcoregtk-4_0-18-debuginfo-2.46.3-150600.12.21.1
* webkit-jsc-6.0-debuginfo-2.46.3-150600.12.21.1
* typelib-1_0-JavaScriptCore-4_1-2.46.3-150600.12.21.1
* webkit2gtk-4_1-injected-bundles-2.46.3-150600.12.21.1
* libjavascriptcoregtk-6_0-1-2.46.3-150600.12.21.1
* webkit2gtk-4_0-injected-bundles-debuginfo-2.46.3-150600.12.21.1
* webkit2gtk3-devel-2.46.3-150600.12.21.1
* webkit2gtk4-debugsource-2.46.3-150600.12.21.1
* webkit2gtk4-minibrowser-debuginfo-2.46.3-150600.12.21.1
* typelib-1_0-WebKit-6_0-2.46.3-150600.12.21.1
* libwebkitgtk-6_0-4-2.46.3-150600.12.21.1
* webkit2gtk3-minibrowser-2.46.3-150600.12.21.1
* typelib-1_0-JavaScriptCore-4_0-2.46.3-150600.12.21.1
* libjavascriptcoregtk-4_1-0-2.46.3-150600.12.21.1
* webkitgtk-6_0-injected-bundles-2.46.3-150600.12.21.1
* libjavascriptcoregtk-4_0-18-2.46.3-150600.12.21.1
* libwebkit2gtk-4_0-37-debuginfo-2.46.3-150600.12.21.1
* typelib-1_0-WebKit2-4_1-2.46.3-150600.12.21.1
* webkit2gtk3-soup2-minibrowser-debuginfo-2.46.3-150600.12.21.1
* libwebkit2gtk-4_1-0-2.46.3-150600.12.21.1
* webkit2gtk3-debugsource-2.46.3-150600.12.21.1
* openSUSE Leap 15.6 (x86_64)
* libwebkit2gtk-4_0-37-32bit-2.46.3-150600.12.21.1
* libwebkit2gtk-4_1-0-32bit-debuginfo-2.46.3-150600.12.21.1
* libjavascriptcoregtk-4_1-0-32bit-debuginfo-2.46.3-150600.12.21.1
* libwebkit2gtk-4_0-37-32bit-debuginfo-2.46.3-150600.12.21.1
* libjavascriptcoregtk-4_0-18-32bit-2.46.3-150600.12.21.1
* libjavascriptcoregtk-4_1-0-32bit-2.46.3-150600.12.21.1
* libjavascriptcoregtk-4_0-18-32bit-debuginfo-2.46.3-150600.12.21.1
* libwebkit2gtk-4_1-0-32bit-2.46.3-150600.12.21.1
* openSUSE Leap 15.6 (aarch64_ilp32)
* libjavascriptcoregtk-4_0-18-64bit-debuginfo-2.46.3-150600.12.21.1
* libwebkit2gtk-4_1-0-64bit-2.46.3-150600.12.21.1
* libjavascriptcoregtk-4_0-18-64bit-2.46.3-150600.12.21.1
* libwebkit2gtk-4_0-37-64bit-2.46.3-150600.12.21.1
* libwebkit2gtk-4_1-0-64bit-debuginfo-2.46.3-150600.12.21.1
* libwebkit2gtk-4_0-37-64bit-debuginfo-2.46.3-150600.12.21.1
* libjavascriptcoregtk-4_1-0-64bit-debuginfo-2.46.3-150600.12.21.1
* libjavascriptcoregtk-4_1-0-64bit-2.46.3-150600.12.21.1
* Basesystem Module 15-SP6 (noarch)
* WebKitGTK-4.0-lang-2.46.3-150600.12.21.1
* WebKitGTK-6.0-lang-2.46.3-150600.12.21.1
* Basesystem Module 15-SP6 (aarch64 ppc64le s390x x86_64)
* webkit2gtk-4_0-injected-bundles-2.46.3-150600.12.21.1
* webkit2gtk3-soup2-devel-2.46.3-150600.12.21.1
* webkitgtk-6_0-injected-bundles-debuginfo-2.46.3-150600.12.21.1
* typelib-1_0-WebKit2-4_0-2.46.3-150600.12.21.1
* libwebkitgtk-6_0-4-2.46.3-150600.12.21.1
* libwebkitgtk-6_0-4-debuginfo-2.46.3-150600.12.21.1
* typelib-1_0-JavaScriptCore-4_0-2.46.3-150600.12.21.1
* webkit2gtk3-soup2-debugsource-2.46.3-150600.12.21.1
* webkitgtk-6_0-injected-bundles-2.46.3-150600.12.21.1
* libjavascriptcoregtk-4_0-18-2.46.3-150600.12.21.1
* typelib-1_0-WebKit2WebExtension-4_0-2.46.3-150600.12.21.1
* libwebkit2gtk-4_0-37-2.46.3-150600.12.21.1
* libwebkit2gtk-4_0-37-debuginfo-2.46.3-150600.12.21.1
* libjavascriptcoregtk-6_0-1-debuginfo-2.46.3-150600.12.21.1
* libjavascriptcoregtk-4_0-18-debuginfo-2.46.3-150600.12.21.1
* libjavascriptcoregtk-6_0-1-2.46.3-150600.12.21.1
* webkit2gtk4-debugsource-2.46.3-150600.12.21.1
* webkit2gtk-4_0-injected-bundles-debuginfo-2.46.3-150600.12.21.1
* Desktop Applications Module 15-SP6 (noarch)
* WebKitGTK-4.1-lang-2.46.3-150600.12.21.1
* Desktop Applications Module 15-SP6 (aarch64 ppc64le s390x x86_64)
* webkit2gtk3-devel-2.46.3-150600.12.21.1
* libjavascriptcoregtk-4_1-0-2.46.3-150600.12.21.1
* typelib-1_0-WebKit2WebExtension-4_1-2.46.3-150600.12.21.1
* typelib-1_0-WebKit2-4_1-2.46.3-150600.12.21.1
* webkit2gtk3-debugsource-2.46.3-150600.12.21.1
* webkit2gtk-4_1-injected-bundles-debuginfo-2.46.3-150600.12.21.1
* libwebkit2gtk-4_1-0-debuginfo-2.46.3-150600.12.21.1
* webkit2gtk-4_1-injected-bundles-2.46.3-150600.12.21.1
* libwebkit2gtk-4_1-0-2.46.3-150600.12.21.1
* typelib-1_0-JavaScriptCore-4_1-2.46.3-150600.12.21.1
* libjavascriptcoregtk-4_1-0-debuginfo-2.46.3-150600.12.21.1
* Development Tools Module 15-SP6 (aarch64 ppc64le s390x x86_64)
* typelib-1_0-WebKit-6_0-2.46.3-150600.12.21.1
* typelib-1_0-JavaScriptCore-6_0-2.46.3-150600.12.21.1
* webkit2gtk4-devel-2.46.3-150600.12.21.1
* typelib-1_0-WebKitWebProcessExtension-6_0-2.46.3-150600.12.21.1
* webkit2gtk4-debugsource-2.46.3-150600.12.21.1

## References:

* https://www.suse.com/security/cve/CVE-2024-44308.html
* https://www.suse.com/security/cve/CVE-2024-44309.html
* https://bugzilla.suse.com/show_bug.cgi?id=1233631
* https://bugzilla.suse.com/show_bug.cgi?id=1233632



SUSE-SU-2024:4288-1: moderate: Security update for curl


# Security update for curl

Announcement ID: SUSE-SU-2024:4288-1
Release Date: 2024-12-11T08:31:36Z
Rating: moderate
References:

* bsc#1234068

Cross-References:

* CVE-2024-11053

CVSS scores:

* CVE-2024-11053 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected Products:

* Basesystem Module 15-SP6
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves one vulnerability can now be installed.

## Description:

This update for curl fixes the following issues:

* CVE-2024-11053: Fixed leak of the password used for the first host to the
followed-to host under certain circumstances (bsc#1234068)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.6
zypper in -t patch SUSE-2024-4288=1 openSUSE-SLE-15.6-2024-4288=1

* Basesystem Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP6-2024-4288=1

## Package List:

* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
* curl-8.6.0-150600.4.15.1
* libcurl-devel-8.6.0-150600.4.15.1
* libcurl4-debuginfo-8.6.0-150600.4.15.1
* libcurl4-8.6.0-150600.4.15.1
* curl-debuginfo-8.6.0-150600.4.15.1
* curl-debugsource-8.6.0-150600.4.15.1
* openSUSE Leap 15.6 (x86_64)
* libcurl4-32bit-8.6.0-150600.4.15.1
* libcurl-devel-32bit-8.6.0-150600.4.15.1
* libcurl4-32bit-debuginfo-8.6.0-150600.4.15.1
* openSUSE Leap 15.6 (aarch64_ilp32)
* libcurl4-64bit-debuginfo-8.6.0-150600.4.15.1
* libcurl4-64bit-8.6.0-150600.4.15.1
* libcurl-devel-64bit-8.6.0-150600.4.15.1
* Basesystem Module 15-SP6 (aarch64 ppc64le s390x x86_64)
* curl-8.6.0-150600.4.15.1
* libcurl-devel-8.6.0-150600.4.15.1
* libcurl4-debuginfo-8.6.0-150600.4.15.1
* libcurl4-8.6.0-150600.4.15.1
* curl-debuginfo-8.6.0-150600.4.15.1
* curl-debugsource-8.6.0-150600.4.15.1
* Basesystem Module 15-SP6 (x86_64)
* libcurl4-32bit-8.6.0-150600.4.15.1
* libcurl4-32bit-debuginfo-8.6.0-150600.4.15.1

## References:

* https://www.suse.com/security/cve/CVE-2024-11053.html
* https://bugzilla.suse.com/show_bug.cgi?id=1234068



SUSE-SU-2024:4295-1: moderate: Security update for socat


# Security update for socat

Announcement ID: SUSE-SU-2024:4295-1
Release Date: 2024-12-11T14:41:01Z
Rating: moderate
References:

* bsc#1225462

Cross-References:

* CVE-2024-54661

CVSS scores:

* CVE-2024-54661 ( SUSE ): 5.0 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
* CVE-2024-54661 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:

* Basesystem Module 15-SP6
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves one vulnerability can now be installed.

## Description:

This update for socat fixes the following issues:

* CVE-2024-54661: Fixed arbitrary file overwrite via predictable /tmp
directory in socat readline.sh (bsc#1225462)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.6
zypper in -t patch SUSE-2024-4295=1 openSUSE-SLE-15.6-2024-4295=1

* Basesystem Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP6-2024-4295=1

## Package List:

* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
* socat-extra-1.8.0.0-150600.20.6.1
* socat-1.8.0.0-150600.20.6.1
* socat-debugsource-1.8.0.0-150600.20.6.1
* socat-debuginfo-1.8.0.0-150600.20.6.1
* Basesystem Module 15-SP6 (aarch64 ppc64le s390x x86_64)
* socat-1.8.0.0-150600.20.6.1
* socat-debugsource-1.8.0.0-150600.20.6.1
* socat-debuginfo-1.8.0.0-150600.20.6.1

## References:

* https://www.suse.com/security/cve/CVE-2024-54661.html
* https://bugzilla.suse.com/show_bug.cgi?id=1225462