SUSE-SU-2025:03012-1: important: security update for git, git-lfs, obs-scm-bridge, python-PyYAML

SLE-UPDATES null at suse.de
Fri Aug 29 08:30:18 UTC 2025



# security update for git, git-lfs, obs-scm-bridge, python-PyYAML

Announcement ID: SUSE-SU-2025:03012-1  
Release Date: 2025-08-29T00:08:05Z  
Rating: important  
References:

  * bsc#1212476
  * bsc#1216545
  * bsc#1218588
  * bsc#1218664
  * bsc#1243197
  * bsc#1245938
  * bsc#1245939
  * bsc#1245942
  * bsc#1245943
  * bsc#1245946

  
Cross-References:

  * CVE-2025-27613
  * CVE-2025-27614
  * CVE-2025-46835
  * CVE-2025-48384
  * CVE-2025-48385

  
CVSS scores:

  * CVE-2025-27613 ( SUSE ):  5.7
    CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
  * CVE-2025-27613 ( SUSE ):  5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
  * CVE-2025-27613 ( NVD ):  3.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
  * CVE-2025-27614 ( SUSE ):  7.1
    CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  * CVE-2025-27614 ( SUSE ):  7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2025-27614 ( NVD ):  8.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  * CVE-2025-46835 ( SUSE ):  6.7
    CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
  * CVE-2025-46835 ( SUSE ):  5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
  * CVE-2025-46835 ( NVD ):  8.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
  * CVE-2025-48384 ( SUSE ):  7.3
    CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  * CVE-2025-48384 ( SUSE ):  7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2025-48384 ( NVD ):  8.0 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
  * CVE-2025-48385 ( SUSE ):  8.5
    CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  * CVE-2025-48385 ( SUSE ):  7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2025-48385 ( NVD ):  8.6
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

  
Affected Products:

  * Basesystem Module 15-SP6
  * Basesystem Module 15-SP7
  * Development Tools Module 15-SP6
  * Development Tools Module 15-SP7
  * openSUSE Leap 15.6
  * Python 3 Module 15-SP6
  * Python 3 Module 15-SP7
  * SUSE Linux Enterprise Desktop 15 SP6
  * SUSE Linux Enterprise Desktop 15 SP7
  * SUSE Linux Enterprise Real Time 15 SP6
  * SUSE Linux Enterprise Real Time 15 SP7
  * SUSE Linux Enterprise Server 15 SP6
  * SUSE Linux Enterprise Server 15 SP7
  * SUSE Linux Enterprise Server for SAP Applications 15 SP6
  * SUSE Linux Enterprise Server for SAP Applications 15 SP7

  
  
An update that solves five vulnerabilities and has five security fixes can now
be installed.

## Description:

This update for git, git-lfs, obs-scm-bridge, python-PyYAML fixes the following
issues:

git was updated from version 2.43.0 to 2.51.0 (bsc#1243197):

  * Security issues fixed:
    * CVE-2025-27613 Fixed arbitrary writable file creation and truncation in
      Gitk (bsc#1245938)
    * CVE-2025-27614 Fixed arbitrary script execution via repository cloning in
      gitk (bsc#1245939)
    * CVE-2025-46835 Fixed arbitrary writable file creation in Git GUI when
      untrusted repository is cloned (bsc#1245942)
    * CVE-2025-48384 Fixed the unintentional execution of a script after checkout
      due to CRLF transforming (bsc#1245943)
    * CVE-2025-48385 Fixed arbitrary code execution due to protocol injection via
      fetching advertised bundle (bsc#1245946)
  * Other changes and bugs fixed:
    * Added SHA256 support (bsc#1243197)
    * Git moved to /usr/libexec/git/git and updated AppArmor profile accordingly
      (bsc#1218588)
    * gitweb AppArmor profile: allow reading etc/gitweb-common.conf (bsc#1218664)
    * Do not replace apparmor configuration (bsc#1216545)
    * Fixed the Python version required (bsc#1212476)

  * Version Updates Release Notes:
    * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.51.0.adoc
    * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.1.adoc
    * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.0.adoc
    * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.49.0.adoc
    * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.1.adoc
    * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.0.adoc
    * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.1.adoc
    * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.0.adoc
    * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.2.adoc
    * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.1.adoc
    * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.0.adoc
    * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.3.adoc
    * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.2.adoc
    * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.1.adoc
    * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.0.adoc
    * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.44.0.adoc
    * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.3.adoc
    * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.2.adoc
    * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.1.adoc

git-lfs is included in version 3.7.0.

python-PyYAML was updated from version 6.0.1 to 6.0.2:

  * Added support for Cython 3.x and Python 3.13

obs-scm-bridge was updated from version 0.5.4 to 0.7.4:

  * New Features and Improvements:
    * Manifest File Support: Support has been added for a `_manifest` file, which
      serves as a successor to the `_subdirs` file.
    * Control Over Git Information: A new noobsinfo query parameter was added to
      hide git information in source and binary files.
    * Enhanced Submodule Handling: The system now records the configured branch of
      submodules and stays on that branch during checkout.
    * Git SHA Tracking: In project mode, the tool now uses git SHA sums instead of
      md5sum to track package sources.
    * SSH URL Support: ssh:// SCM URLs can now be used.
    * Improved Error Messages: Error reporting for invalid files within package
      subdirectories has been improved.
    * Standardized Config Location: In project mode, the _config file is now
      always located in the top-level directory, even when using subdirs.
    * Reduced Unnecessary Changes: In project mode, unnecessary modifications to
      the package meta URL are now avoided.
    * Limit Asset Handling: A new mechanism has been introduced to limit how
      assets are handled.
    * Branch Information Export: The trackingbranch is now exported to
      scmsync.obsinfo.
  * Bugs fixed:
    * Syntax Fix: A syntax issue was corrected.
    * Git Submodule Parsing: The .gitsubmodule parser was fixed to correctly
      handle files that contain a mix of spaces and tabs.

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * openSUSE Leap 15.6  
    zypper in -t patch SUSE-2025-3012=1 openSUSE-SLE-15.6-2025-3012=1

  * Basesystem Module 15-SP6  
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP6-2025-3012=1

  * Basesystem Module 15-SP7  
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2025-3012=1

  * Development Tools Module 15-SP6  
    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP6-2025-3012=1

  * Development Tools Module 15-SP7  
    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP7-2025-3012=1

  * Python 3 Module 15-SP6  
    zypper in -t patch SUSE-SLE-Module-Python3-15-SP6-2025-3012=1

  * Python 3 Module 15-SP7  
    zypper in -t patch SUSE-SLE-Module-Python3-15-SP7-2025-3012=1

## Package List:

  * openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
    * python311-PyYAML-debuginfo-6.0.2-150600.10.3.1
    * perl-Git-2.51.0-150600.3.12.1
    * python-PyYAML-debugsource-6.0.2-150600.10.3.1
    * python311-PyYAML-6.0.2-150600.10.3.1
    * git-email-2.51.0-150600.3.12.1
    * git-core-debuginfo-2.51.0-150600.3.12.1
    * git-lfs-3.7.0-150600.13.3.1
    * git-core-2.51.0-150600.3.12.1
    * git-gui-2.51.0-150600.3.12.1
    * git-p4-2.51.0-150600.3.12.1
    * git-cvs-2.51.0-150600.3.12.1
    * git-credential-libsecret-debuginfo-2.51.0-150600.3.12.1
    * git-2.51.0-150600.3.12.1
    * git-daemon-2.51.0-150600.3.12.1
    * git-arch-2.51.0-150600.3.12.1
    * gitk-2.51.0-150600.3.12.1
    * git-web-2.51.0-150600.3.12.1
    * git-debuginfo-2.51.0-150600.3.12.1
    * git-svn-2.51.0-150600.3.12.1
    * git-debugsource-2.51.0-150600.3.12.1
    * git-credential-libsecret-2.51.0-150600.3.12.1
    * git-daemon-debuginfo-2.51.0-150600.3.12.1
  * openSUSE Leap 15.6 (noarch)
    * git-doc-2.51.0-150600.3.12.1
    * obs-scm-bridge-0.7.4-150600.14.4.1
  * Basesystem Module 15-SP6 (aarch64 ppc64le s390x x86_64)
    * git-debugsource-2.51.0-150600.3.12.1
    * git-core-2.51.0-150600.3.12.1
    * git-core-debuginfo-2.51.0-150600.3.12.1
    * git-debuginfo-2.51.0-150600.3.12.1
  * Basesystem Module 15-SP7 (aarch64 ppc64le s390x x86_64)
    * git-debugsource-2.51.0-150600.3.12.1
    * git-core-2.51.0-150600.3.12.1
    * git-core-debuginfo-2.51.0-150600.3.12.1
    * git-debuginfo-2.51.0-150600.3.12.1
  * Development Tools Module 15-SP6 (aarch64 ppc64le s390x x86_64)
    * git-arch-2.51.0-150600.3.12.1
    * git-gui-2.51.0-150600.3.12.1
    * gitk-2.51.0-150600.3.12.1
    * perl-Git-2.51.0-150600.3.12.1
    * git-web-2.51.0-150600.3.12.1
    * git-debugsource-2.51.0-150600.3.12.1
    * git-cvs-2.51.0-150600.3.12.1
    * git-debuginfo-2.51.0-150600.3.12.1
    * git-daemon-debuginfo-2.51.0-150600.3.12.1
    * git-2.51.0-150600.3.12.1
    * git-email-2.51.0-150600.3.12.1
    * git-daemon-2.51.0-150600.3.12.1
    * git-svn-2.51.0-150600.3.12.1
    * git-lfs-3.7.0-150600.13.3.1
  * Development Tools Module 15-SP6 (noarch)
    * git-doc-2.51.0-150600.3.12.1
    * obs-scm-bridge-0.7.4-150600.14.4.1
  * Development Tools Module 15-SP7 (aarch64 ppc64le s390x x86_64)
    * git-arch-2.51.0-150600.3.12.1
    * git-gui-2.51.0-150600.3.12.1
    * gitk-2.51.0-150600.3.12.1
    * perl-Git-2.51.0-150600.3.12.1
    * git-web-2.51.0-150600.3.12.1
    * git-debugsource-2.51.0-150600.3.12.1
    * git-cvs-2.51.0-150600.3.12.1
    * git-debuginfo-2.51.0-150600.3.12.1
    * git-daemon-debuginfo-2.51.0-150600.3.12.1
    * git-2.51.0-150600.3.12.1
    * git-email-2.51.0-150600.3.12.1
    * git-daemon-2.51.0-150600.3.12.1
    * git-svn-2.51.0-150600.3.12.1
    * git-lfs-3.7.0-150600.13.3.1
  * Development Tools Module 15-SP7 (noarch)
    * git-doc-2.51.0-150600.3.12.1
    * obs-scm-bridge-0.7.4-150600.14.4.1
  * Python 3 Module 15-SP6 (aarch64 ppc64le s390x x86_64)
    * python311-PyYAML-6.0.2-150600.10.3.1
    * python-PyYAML-debugsource-6.0.2-150600.10.3.1
    * python311-PyYAML-debuginfo-6.0.2-150600.10.3.1
  * Python 3 Module 15-SP7 (aarch64 ppc64le s390x x86_64)
    * python311-PyYAML-6.0.2-150600.10.3.1
    * python-PyYAML-debugsource-6.0.2-150600.10.3.1
    * python311-PyYAML-debuginfo-6.0.2-150600.10.3.1

## References:

  * https://www.suse.com/security/cve/CVE-2025-27613.html
  * https://www.suse.com/security/cve/CVE-2025-27614.html
  * https://www.suse.com/security/cve/CVE-2025-46835.html
  * https://www.suse.com/security/cve/CVE-2025-48384.html
  * https://www.suse.com/security/cve/CVE-2025-48385.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1212476
  * https://bugzilla.suse.com/show_bug.cgi?id=1216545
  * https://bugzilla.suse.com/show_bug.cgi?id=1218588
  * https://bugzilla.suse.com/show_bug.cgi?id=1218664
  * https://bugzilla.suse.com/show_bug.cgi?id=1243197
  * https://bugzilla.suse.com/show_bug.cgi?id=1245938
  * https://bugzilla.suse.com/show_bug.cgi?id=1245939
  * https://bugzilla.suse.com/show_bug.cgi?id=1245942
  * https://bugzilla.suse.com/show_bug.cgi?id=1245943
  * https://bugzilla.suse.com/show_bug.cgi?id=1245946
