SUSE-SU-2025:0006-1: important: Security update for python-Jinja2
# Security update for python-Jinja2
Announcement ID: SUSE-SU-2025:0006-1
Release Date: 2025-01-02T08:45:38Z
Rating: important
References:
* bsc#1234808
* bsc#1234809
Cross-References:
* CVE-2024-56201
* CVE-2024-56326
CVSS scores:
* CVE-2024-56201 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-56201 (NVD): 5.4 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2024-56201 (NVD): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-56326 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-56326 (NVD): 5.4 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2024-56326 (NVD): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
* openSUSE Leap 15.4
* openSUSE Leap 15.5
* openSUSE Leap 15.6
* Public Cloud Module 15-SP4
* Python 3 Module 15-SP6
* SUSE Linux Enterprise Desktop 15 SP4 LTSS
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP5 LTSS
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Manager Proxy 4.3
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.3
An update that solves two vulnerabilities can now be installed.
## Description:
This update for python-Jinja2 fixes the following issues:
* CVE-2024-56201: Fixed sandbox breakout through malicious content and filename of a template (bsc#1234808)
* CVE-2024-56326: Fixed sandbox breakout through indirect reference to format method (bsc#1234809)
## Patch Instructions:
To install this SUSE update, use the SUSE recommended installation methods such as YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.4
zypper in -t patch SUSE-2025-6=1
* openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2025-6=1
* openSUSE Leap 15.6
zypper in -t patch openSUSE-SLE-15.6-2025-6=1
* Public Cloud Module 15-SP4
zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP4-2025-6=1
* Python 3 Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Python3-15-SP6-2025-6=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-6=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-6=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-6=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-6=1
* SUSE Linux Enterprise Desktop 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLED-15-SP4-LTSS-2025-6=1
* SUSE Linux Enterprise Server 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-6=1
* SUSE Linux Enterprise Server 15 SP5 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-6=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2025-6=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2025-6=1
## Package List:
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
* python311-Jinja2-3.1.2-150400.12.11.1
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
* python311-Jinja2-3.1.2-150400.12.11.1
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
* python311-Jinja2-3.1.2-150400.12.11.1
* Public Cloud Module 15-SP4 (aarch64 ppc64le s390x x86_64)
* python311-Jinja2-3.1.2-150400.12.11.1
* Python 3 Module 15-SP6 (aarch64 ppc64le s390x x86_64)
* python311-Jinja2-3.1.2-150400.12.11.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64)
* python311-Jinja2-3.1.2-150400.12.11.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64)
* python311-Jinja2-3.1.2-150400.12.11.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64 x86_64)
* python311-Jinja2-3.1.2-150400.12.11.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (aarch64 x86_64)
* python311-Jinja2-3.1.2-150400.12.11.1
* SUSE Linux Enterprise Desktop 15 SP4 LTSS (x86_64)
* python311-Jinja2-3.1.2-150400.12.11.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64)
* python311-Jinja2-3.1.2-150400.12.11.1
* SUSE Linux Enterprise Server 15 SP5 LTSS (aarch64 ppc64le s390x x86_64)
* python311-Jinja2-3.1.2-150400.12.11.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
* python311-Jinja2-3.1.2-150400.12.11.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5 (ppc64le x86_64)
* python311-Jinja2-3.1.2-150400.12.11.1
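A fleet check against the fixed NVR listed above, added here as an example and not part of the SUSE advisory: it compares installed `python311-Jinja2` name-version-release strings with the fixed one using RPM's segment comparison rules, so a release such as 150400.12.8.1 is correctly ordered below 150400.12.11.1 rather than compared as text. The installed NVRs in `SAMPLE_INSTALLED` are constructed; epoch and tilde/caret ordering are deliberately left out.

```python
import re
from typing import List, Tuple
# Fixed NVR taken from the Package List of SUSE-SU-2025:0006-1.
FIXED_NVR = "python311-Jinja2-3.1.2-150400.12.11.1"

# Constructed sample of `rpm -qa` output for the audit; not taken from any real host.
SAMPLE_INSTALLED = [
    "python311-Jinja2-3.1.2-150400.12.8.1",   # older release: still vulnerable
    "python311-MarkupSafe-2.1.2-150400.1.2",  # unrelated package, ignored
    "python3-Jinja2-2.10.1-150000.3.18.1",    # different package name, ignored
]
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """RPM-style segment compare: -1 if a < b, 0 if equal, 1 if a > b. Numeric beats
    alpha; epoch and tilde/caret ordering are left out (a simplification of rpm)."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    # All shared segments equal: whichever string has segments left over wins.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_nvr(nvr: str) -> Tuple[str, str, str]:
    # 'name-version-release'; the name itself may contain '-', so split from the right.
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def is_patched(installed_nvr: str, fixed_nvr: str) -> bool:
    """True if the installed package is at or above the fixed version-release."""
    name, ver, rel = split_nvr(installed_nvr)
    fixed_name, fixed_ver, fixed_rel = split_nvr(fixed_nvr)
    if name != fixed_name:
        raise ValueError(f"package name mismatch: {name} vs {fixed_name}")
    # Release is compared only when the versions are equal, as rpm does.
    cmp = rpmvercmp(ver, fixed_ver) or rpmvercmp(rel, fixed_rel)
    return cmp >= 0

def audit(installed: List[str], fixed_nvr: str) -> List[str]:
    """Installed NVRs of the fixed package that are still below the fix."""
    fixed_name = split_nvr(fixed_nvr)[0]
    return [nvr for nvr in installed
            if split_nvr(nvr)[0] == fixed_name and not is_patched(nvr, fixed_nvr)]
```

Feed it the real `rpm -qa` output of a host and a non-empty result from `audit()` means the patch has not been applied there.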
## References:
* https://www.suse.com/security/cve/CVE-2024-56201.html
* https://www.suse.com/security/cve/CVE-2024-56326.html
* https://bugzilla.suse.com/show_bug.cgi?id=1234808
* https://bugzilla.suse.com/show_bug.cgi?id=1234809
SUSE-SU-2025:0005-1: important: Security update for liboqs, oqs-provider
# Security update for liboqs, oqs-provider
Announcement ID: SUSE-SU-2025:0005-1
Release Date: 2025-01-02T08:01:46Z
Rating: important
References:
* bsc#1226162
* bsc#1226468
* bsc#1234292
Cross-References:
* CVE-2024-36405
* CVE-2024-37305
* CVE-2024-54137
CVSS scores:
* CVE-2024-36405 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
* CVE-2024-37305 (SUSE): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
* CVE-2024-54137 (SUSE): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2024-54137 (NVD): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Products:
* Basesystem Module 15-SP6
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
An update that solves three vulnerabilities can now be installed.
## Description:
This update for liboqs, oqs-provider fixes the following issues:
This update supplies the new FIPS standardized ML-KEM, ML-DSA and SLH-DSA algorithms.
This updates liboqs to 0.12.0:
* This release updates the ML-DSA implementation to the final FIPS 204 version. This release still includes the NIST Round 3 version of Dilithium for interoperability purposes, but we plan to remove Dilithium Round 3 in a future release.
* This will be the last release of liboqs to include Kyber (that is, the NIST Round 3 version of Kyber, prior to its standardization by NIST as ML-KEM in FIPS 203). Applications should switch to ML-KEM (FIPS 203).
* The addition of the ML-DSA FIPS 204 final version to liboqs has introduced a new signature API which includes a context string parameter. We are planning to remove the old version of the API without a context string in the next release to streamline the API and bring it in line with NIST specifications. Users who have an opinion on this removal are invited to provide input at https://github.com/open-quantum-safe/liboqs/issues/2001.
Security issues:
* CVE-2024-54137: Fixed bug in HQC decapsulation that leads to an incorrect shared secret value during decapsulation when called with an invalid ciphertext. (bsc#1234292)
* new library major version 7
Updated to 0.11.0:
* This release updates ML-KEM implementations to their final FIPS 203 versions (https://csrc.nist.gov/pubs/fips/203/final).
* This release still includes the NIST Round 3 version of Kyber for interoperability purposes, but we plan to remove Kyber Round 3 in a future release.
* Additionally, this release adds support for the MAYO and CROSS digital signature schemes from NIST Additional Signatures Round 1 (https://csrc.nist.gov/Projects/pqc-dig-sig/round-1-additional-signatures), along with the stateful hash-based signature schemes XMSS (https://datatracker.ietf.org/doc/html/rfc8391) and LMS (https://datatracker.ietf.org/doc/html/rfc8554).
* Finally, this release provides formally verified implementations of Kyber-512 and Kyber-768 from libjade (https://github.com/formosa-crypto/libjade/releases/tag/release%2F2023.05-2).
* LMS and XMSS are disabled by default due to the security risks associated with their use in software. See the note on stateful hash-based signatures in CONFIGURE.md.
* Key encapsulation mechanisms:
  * Kyber: Added formally-verified portable C and AVX2 implementations of Kyber-512 and Kyber-768 from libjade.
  * ML-KEM: Updated portable C and AVX2 implementations of ML-KEM-512, ML-KEM-768, and ML-KEM-1024 to the FIPS 203 version.
  * Kyber: Patched ARM64 implementations of Kyber-512, Kyber-768, and Kyber-1024 to work with AddressSanitizer.
* Digital signature schemes:
  * LMS/XMSS: Added implementations of the stateful hash-based signature schemes XMSS and LMS.
  * MAYO: Added portable C and AVX2 implementations of the MAYO signature scheme from NIST Additional Signatures Round 1.
  * CROSS: Added portable C and AVX2 implementations of the CROSS signature scheme from NIST Additional Signatures Round 1.
* Other changes:
  * Added a callback API to use custom implementations of AES, SHA2, and SHA3.
  * Refactored the SHA3 implementation to use OpenSSL's EVP_DigestSqueeze() API.
* new library major version 6
Updated to 0.10.1:
* This release is a security release which fixes potential non-constant-time behaviour in ML-KEM and Kyber. (bsc#1226162 CVE-2024-36405) It also includes a fix for incorrectly named macros in the ML-DSA implementation.
Updated to 0.10.0:
Key encapsulation mechanisms:
* BIKE: Updated portable C implementation to include constant-time fixes from upstream.
* HQC: Updated to NIST Round 4 version.
* ML-KEM: Added portable C and AVX2 implementations of Initial Public Draft (IPD) versions of ML-KEM-512, ML-KEM-768, and ML-KEM-1024.
Digital signature schemes:
* Falcon: Updated portable C, AVX2, and AArch64 implementations to support fixed-length (PADDED-format) signatures. Fixed the maximum length of variable-length signatures to comply with the NIST Round 3 specification.
* ML-DSA: Added portable C and AVX2 implementations of Initial Public Draft (IPD) versions of ML-DSA-44, ML-DSA-65, and ML-DSA-87.
Other changes:
* Improved thread safety.
* Removed support for the "NIST-KAT" DRBG.
* Added extended KAT test programs.
* library major version changed from 4 to 5
This update also updates oqs-provider to 0.7.0:
* Adds support for MAYO from Round 1 of NIST's Post-Quantum Signature On-Ramp process.
* Adds support for CROSS from Round 1 of NIST's Post-Quantum Signature On-Ramp process.
* Updates ML-KEM's code points in line with internet draft draft-kwiatkowski-tls-ecdhe-mlkem-02.
* Reverses keyshares for X25519MLKEM768 and X448-ML-KEM-768 TLS hybrids in line with draft-kwiatkowski-tls-ecdhe-mlkem-02.
Updated to 0.6.1:
* CVE-2024-37305: Fixed buffer overflow in deserialization of hybrid keys and signatures (bsc#1226468)
Updated to 0.6.0:
* First availability of standardized PQ algorithms, e.g., ML-KEM, ML-DSA
* Support for Composite PQ operations
* Alignment with PQ algorithm implementations as provided by liboqs 0.10.0, most notably updating HQC and Falcon.
* Implementation of security code review recommendations
* Support for more hybrid operations as fully documented here.
* Support for extraction of classical and hybrid key material
Updated to 0.5.3:
* only tracking parallel liboqs security update
Updated to 0.5.2:
* Algorithm updates as documented in the liboqs 0.9.0 release notes
* Standard coding style
* Enhanced memory leak protection
* Added community cooperation documentation
* (optional) KEM algorithm en-/decoder feature
Updated to 0.5.1:
* Documentation update
* document specs
* General documentation overhaul
* change TLS demo to use QSC alg
* Build a module instead of a shared library.
* explain groups in USAGE
## Patch Instructions:
To install this SUSE update, use the SUSE recommended installation methods such as YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.6
zypper in -t patch SUSE-2025-5=1 openSUSE-SLE-15.6-2025-5=1
* Basesystem Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP6-2025-5=1
## Package List:
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
* oqs-provider-debuginfo-0.7.0-150600.3.3.1
* liboqs7-debuginfo-0.12.0-150600.3.3.1
* oqs-provider-0.7.0-150600.3.3.1
* liboqs7-0.12.0-150600.3.3.1
* liboqs-devel-0.12.0-150600.3.3.1
* openSUSE Leap 15.6 (x86_64)
* liboqs7-32bit-0.12.0-150600.3.3.1
* liboqs7-32bit-debuginfo-0.12.0-150600.3.3.1
* liboqs-devel-32bit-0.12.0-150600.3.3.1
* openSUSE Leap 15.6 (aarch64_ilp32)
* liboqs7-64bit-0.12.0-150600.3.3.1
* liboqs-devel-64bit-0.12.0-150600.3.3.1
* liboqs7-64bit-debuginfo-0.12.0-150600.3.3.1
* Basesystem Module 15-SP6 (aarch64 ppc64le s390x x86_64)
* oqs-provider-debuginfo-0.7.0-150600.3.3.1
* liboqs7-debuginfo-0.12.0-150600.3.3.1
* oqs-provider-0.7.0-150600.3.3.1
* liboqs7-0.12.0-150600.3.3.1
* liboqs-devel-0.12.0-150600.3.3.1
## References:
* https://www.suse.com/security/cve/CVE-2024-36405.html
* https://www.suse.com/security/cve/CVE-2024-37305.html
* https://www.suse.com/security/cve/CVE-2024-54137.html
* https://bugzilla.suse.com/show_bug.cgi?id=1226162
* https://bugzilla.suse.com/show_bug.cgi?id=1226468
* https://bugzilla.suse.com/show_bug.cgi?id=1234292
openSUSE-SU-2025:14613-1: moderate: velero-1.15.1-1.1 on GA media
# velero-1.15.1-1.1 on GA media
Announcement ID: openSUSE-SU-2025:14613-1
Rating: moderate
Cross-References:
* CVE-2024-45337
* CVE-2024-45338
CVSS scores:
* CVE-2024-45337 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
* openSUSE Tumbleweed
An update that solves two vulnerabilities can now be installed.
## Description:
These are all security issues fixed in the velero-1.15.1-1.1 package on the GA media of openSUSE Tumbleweed.
## Package List:
* openSUSE Tumbleweed:
* velero 1.15.1-1.1
* velero-bash-completion 1.15.1-1.1
* velero-fish-completion 1.15.1-1.1
* velero-zsh-completion 1.15.1-1.1
## References:
* https://www.suse.com/security/cve/CVE-2024-45337.html
* https://www.suse.com/security/cve/CVE-2024-45338.html