SUSE-SU-2025:3942-1: moderate: Security update for qatengine, qatlib
SLE-UPDATES
null at suse.de
Wed Nov 5 12:31:00 UTC 2025
# Security update for qatengine, qatlib
Announcement ID: SUSE-SU-2025:3942-1
Release Date: 2025-11-05T08:16:03Z
Rating: moderate
References:
* bsc#1233363
* bsc#1233365
* bsc#1233366
Cross-References:
* CVE-2024-28885
* CVE-2024-31074
* CVE-2024-33617
CVSS scores:
* CVE-2024-28885 ( SUSE ): 8.2
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2024-28885 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2024-28885 ( NVD ): 8.2
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2024-28885 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2024-31074 ( SUSE ): 8.2
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2024-31074 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2024-31074 ( NVD ): 8.2
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2024-31074 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2024-33617 ( SUSE ): 8.2
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2024-33617 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2024-33617 ( NVD ): 8.2
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2024-33617 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:
* openSUSE Leap 15.4
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Manager Proxy 4.3
* SUSE Manager Proxy 4.3 LTS
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Retail Branch Server 4.3 LTS
* SUSE Manager Server 4.3
* SUSE Manager Server 4.3 LTS
An update that solves three vulnerabilities can now be installed.
## Description:
This update for qatengine, qatlib fixes the following issues:
Note that the 1.6.1 release included in 1.7.0 fixes the following
vulnerabilities:
* bsc#1233363 (CVE-2024-28885)
* bsc#1233365 (CVE-2024-31074)
* bsc#1233366 (CVE-2024-33617)
Update to 1.7.0:
* ipp-crypto name change to cryptography-primitives
* QAT_SW GCM memory leak fix in cleanup function
* Update limitation section in README for v1.7.0 release
* Fix build with OPENSSL_NO_ENGINE
* Fix for build issues with qatprovider in qatlib
* Bug fixes and README updates to v1.7.0
* Remove qat_contig_mem driver support
* Add support for building QAT Engine ENGINE and PROVIDER modules with QuicTLS
3.x libraries
* Fix for DSA issue with openssl3.2
* Fix missing lower bounds check on index i
* Enabled SW Fallback support for FBSD
* Fix for segfault issue when SHIM config section is unavailable
* Fix for Coverity & Resource leak
* Fix for RSA failure with SVM enabled in openssl-3.2
* SM3 Memory Leak Issue Fix
* Fix qatprovider lib name issue with system openssl
Update to 1.6.0:
* Fix issue with make depend for QAT_SW
* QAT_HW GCM Memleak fix & bug fixes
* QAT2.0 FreeBSD14 intree driver support
* Fix OpenSSL 3.2 compatibility issues
* Optimize hex dump logging
* Clear job tlv on error
* QAT_HW RSA Encrypt and Decrypt provider support
* QAT_HW AES-CCM Provider support
* Add ECDH keymgmt support for provider
* Fix QAT_HW SM2 memory leak
* Enable qaeMemFreeNonZeroNUMA() for qatlib
* Fix polling issue for the process that doesn't have QAT_HW instance
* Fix SHA3 qctx initialization issue & potential memleak
* Fix compilation error in SM2 with qat_contig_mem
* Update year in copyright information to 2024
Update to 1.5.0:
* use new --enable-qat_insecure_algorithms to avoid regressions
* improve support for SM{2,3,4} ciphers
* improve SW fallback support
* many bug fixes, refactorisations and documentation updates
* update to 0.6.18:
* Fix address sanitizer issues
* Fix issues with Babassl & Openssl3.0
* Add QAT_HW SM4 CBC support
* Refactor ECX provider code into single file
* Fix QAT_HW AES-GCM bad mac record & memleak
* Fix SHA3 memory leak
* Fix sm4-cbc build error with system default OpenSSL
* Symmetric performance Optimization & memleak fixes
* Bug fix, README & v0.6.18 Version update
* Please refer README (Software requirements section) for dependent libraries
release version and other information.
* update to v0.6.17:
* Add security policy - c1a7a96
* Add dependancy update tool file - 522c41d
* Release v0.6.17 version update - c1a7a96
* Enable QAT_SW RSA & ECDSA support for BoringSSL - 1035e82
* Fix QAT_SW SM2 ECDSA Performance issue - f44a564
* CPP check and Makefile Bug fixes - 98ccbe8
* Fix buffer overflow issue with SHA3 and ECX - cab65f3
* Update version and README for v0.6.16 - 1c95fd7
* Split --with-qat_sw_install_dir into seperate configures - d5f5656
* Add seperate err files for Boringssl - 1a09627
* Fix QAT_HW & QAT_SW AES-GCM issue with s_server in provider - c775f5c
* Fix issue with disable flags in provider - 2e00636
* Fix coredump issue in provider with qat_sw gcm - 6703c13
* Fix err files regeneration failure - 510f3dc
* Add Provider Support for ChachaPoly and SM2 - a98e51d
* Bug Fixes in testapp and with disable flags. - 0945535
* QAT HW&SW Co-existence dynamic mechanism support. - 5baf5aa
* Fix issue with SIGUSR1 during reload. - 00ea833
* Refactor qat_hw instances based on Sym/Asym capabilities. - bb10128
* Replace deprecated pthread_yield with sched_yield. - d514406
* BoringSSL support for RSA and ECDSA. - 41c67c7
* Fix s_server lseek forever issue with qatprovider. - cb3db21
* Fix aes-cbc failure issue in testapp. - a530427
* Fix glibc version test - 2461966
* Fix issue with generator param and ECDSA verify. - c51fc17
* Provider Support for DSA, DH, HKDF, PRF, SHA3 & aes-cbc - 7cc5eb9
* Fix testapp issues and optimization - e7c2ba8
* Optimize setup and clear async event notification - 573fe48
* Fix Nginx worker process core dump in QAT_SW with pkill/killall - 4eb4473
* Add Cofactor to take optimized path in ECDH API - 9a23c7e
* Fix double free issue with QAT_SW - 1a16708
* Add thread mapping to specific QAT_HW instance - 5ee799a
* OpenSSL 3.0 Provider Support - 38086fa
* Update README and version to v0.6.12 - dca2957
* Fixed worker process hung forever after nginx reload - bfe97aa
* Remove OpenSSL 1.1.0 Support - da8682a
* Add QAT_SW SM2 ECDH & SM3 support - 04a6af2
* QAT_SW ECDSA SM2 sign and verify Support - d44ae7e
* Disable SM3, Bug fixes, Readme & version update - d995046
qatlib was updated to:
Update to 24.09.0:
* Improved performance scaling in multi-thread applications
* Set core affinity mapping based on NUMA (libnuma now required for building)
* bug fixes, see https://github.com/intel/qatlib#resolved-issues
Version update to 24.02.0
* Support DC NS (NoSession) APIs
* Support Symmetric Crypto SM3 & SM4
* Support Asymmetric Crypto SM2
* Support DC CompressBound APIs
* Bug Fixes. See Resolved section in README.md
Update to 23.11.0:
* use new --enable-legacy-algorithms to avoid regressions
* add support for data compression chaining (hash then compress)
* add support for additional configuration profiles
* add support DC NS (NoSession) APIs
* add support DC CompressBound APIs
* add Support for Chinese SM{2,3,4} ciphers
* bump shared library major to 4
* refactoring, bug fixes and documentation updates
Update to 22.07.2:
* Changed from yasm to nasm for assembly compilation
* Added configuration option to use C implementation of soft CRC
implementation instead of asm
* Added support for pkg-config
* Added missing lock around accesses to some global data in qatmgr
* Fix for QATE-86605 – improve error checking on size param used by qatmgr
debug function.
* Fix for issue #10
* Fixed link to Programmer's Guide
* Added support for Compression LZ4 and LZ4s algorithms
* Added support for Compression end-to-end integrity checks
* Added support for PKE Generic Point Multiply APIs
* Added support for CPM2.0b
* Updated library to support new version of QAT APIs
* Updated qat service to allow compression only and crypto only configurations
* Created qatlib-tests rpm package
* Added option to configure script to skip building sample code
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2025-3942=1
* SUSE Manager Proxy 4.3 LTS
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.3-LTS-2025-3942=1
* SUSE Manager Retail Branch Server 4.3 LTS
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-
Server-4.3-LTS-2025-3942=1
* SUSE Manager Server 4.3 LTS
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.3-LTS-2025-3942=1
* openSUSE Leap 15.4
zypper in -t patch SUSE-2025-3942=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-3942=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-3942=1
* SUSE Linux Enterprise Server 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-3942=1
## Package List:
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (x86_64)
* libqat4-24.09.0-150400.3.6.1
* qatzip-debugsource-1.1.0-150400.3.3.1
* libqatzip3-1.1.0-150400.3.3.1
* qatlib-debugsource-24.09.0-150400.3.6.1
* libqat4-debuginfo-24.09.0-150400.3.6.1
* qatzip-1.1.0-150400.3.3.1
* qatengine-debugsource-1.7.0-150400.3.6.1
* qatlib-24.09.0-150400.3.6.1
* libqatzip3-debuginfo-1.1.0-150400.3.3.1
* libusdm0-debuginfo-24.09.0-150400.3.6.1
* qatlib-debuginfo-24.09.0-150400.3.6.1
* qatzip-devel-1.1.0-150400.3.3.1
* qatengine-debuginfo-1.7.0-150400.3.6.1
* qatengine-1.7.0-150400.3.6.1
* qatlib-devel-24.09.0-150400.3.6.1
* libusdm0-24.09.0-150400.3.6.1
* qatzip-debuginfo-1.1.0-150400.3.3.1
* SUSE Manager Proxy 4.3 LTS (x86_64)
* libqat4-24.09.0-150400.3.6.1
* qatzip-debugsource-1.1.0-150400.3.3.1
* libqatzip3-1.1.0-150400.3.3.1
* qatlib-debugsource-24.09.0-150400.3.6.1
* libqat4-debuginfo-24.09.0-150400.3.6.1
* qatzip-1.1.0-150400.3.3.1
* qatengine-debugsource-1.7.0-150400.3.6.1
* qatlib-24.09.0-150400.3.6.1
* libqatzip3-debuginfo-1.1.0-150400.3.3.1
* libusdm0-debuginfo-24.09.0-150400.3.6.1
* qatlib-debuginfo-24.09.0-150400.3.6.1
* qatzip-devel-1.1.0-150400.3.3.1
* qatengine-debuginfo-1.7.0-150400.3.6.1
* qatengine-1.7.0-150400.3.6.1
* qatlib-devel-24.09.0-150400.3.6.1
* libusdm0-24.09.0-150400.3.6.1
* qatzip-debuginfo-1.1.0-150400.3.3.1
* SUSE Manager Retail Branch Server 4.3 LTS (x86_64)
* libqat4-24.09.0-150400.3.6.1
* qatzip-debugsource-1.1.0-150400.3.3.1
* libqatzip3-1.1.0-150400.3.3.1
* qatlib-debugsource-24.09.0-150400.3.6.1
* libqat4-debuginfo-24.09.0-150400.3.6.1
* qatzip-1.1.0-150400.3.3.1
* qatengine-debugsource-1.7.0-150400.3.6.1
* qatlib-24.09.0-150400.3.6.1
* libqatzip3-debuginfo-1.1.0-150400.3.3.1
* libusdm0-debuginfo-24.09.0-150400.3.6.1
* qatlib-debuginfo-24.09.0-150400.3.6.1
* qatzip-devel-1.1.0-150400.3.3.1
* qatengine-debuginfo-1.7.0-150400.3.6.1
* qatengine-1.7.0-150400.3.6.1
* qatlib-devel-24.09.0-150400.3.6.1
* libusdm0-24.09.0-150400.3.6.1
* qatzip-debuginfo-1.1.0-150400.3.3.1
* SUSE Manager Server 4.3 LTS (x86_64)
* libqat4-24.09.0-150400.3.6.1
* qatzip-debugsource-1.1.0-150400.3.3.1
* libqatzip3-1.1.0-150400.3.3.1
* qatlib-debugsource-24.09.0-150400.3.6.1
* libqat4-debuginfo-24.09.0-150400.3.6.1
* qatzip-1.1.0-150400.3.3.1
* qatengine-debugsource-1.7.0-150400.3.6.1
* qatlib-24.09.0-150400.3.6.1
* libqatzip3-debuginfo-1.1.0-150400.3.3.1
* libusdm0-debuginfo-24.09.0-150400.3.6.1
* qatlib-debuginfo-24.09.0-150400.3.6.1
* qatzip-devel-1.1.0-150400.3.3.1
* qatengine-debuginfo-1.7.0-150400.3.6.1
* qatengine-1.7.0-150400.3.6.1
* qatlib-devel-24.09.0-150400.3.6.1
* libusdm0-24.09.0-150400.3.6.1
* qatzip-debuginfo-1.1.0-150400.3.3.1
* openSUSE Leap 15.4 (x86_64)
* libqat4-24.09.0-150400.3.6.1
* qatzip-debugsource-1.1.0-150400.3.3.1
* libqatzip3-1.1.0-150400.3.3.1
* qatlib-debugsource-24.09.0-150400.3.6.1
* libqat4-debuginfo-24.09.0-150400.3.6.1
* qatzip-1.1.0-150400.3.3.1
* qatengine-debugsource-1.7.0-150400.3.6.1
* qatlib-24.09.0-150400.3.6.1
* libusdm0-debuginfo-24.09.0-150400.3.6.1
* qatlib-debuginfo-24.09.0-150400.3.6.1
* libqatzip3-debuginfo-1.1.0-150400.3.3.1
* qatzip-devel-1.1.0-150400.3.3.1
* qatengine-debuginfo-1.7.0-150400.3.6.1
* qatengine-1.7.0-150400.3.6.1
* qatlib-devel-24.09.0-150400.3.6.1
* libusdm0-24.09.0-150400.3.6.1
* qatzip-debuginfo-1.1.0-150400.3.3.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (x86_64)
* libqat4-24.09.0-150400.3.6.1
* qatzip-debugsource-1.1.0-150400.3.3.1
* libqatzip3-1.1.0-150400.3.3.1
* qatlib-debugsource-24.09.0-150400.3.6.1
* libqat4-debuginfo-24.09.0-150400.3.6.1
* qatzip-1.1.0-150400.3.3.1
* qatengine-debugsource-1.7.0-150400.3.6.1
* qatlib-24.09.0-150400.3.6.1
* libqatzip3-debuginfo-1.1.0-150400.3.3.1
* libusdm0-debuginfo-24.09.0-150400.3.6.1
* qatlib-debuginfo-24.09.0-150400.3.6.1
* qatzip-devel-1.1.0-150400.3.3.1
* qatengine-debuginfo-1.7.0-150400.3.6.1
* qatengine-1.7.0-150400.3.6.1
* qatlib-devel-24.09.0-150400.3.6.1
* libusdm0-24.09.0-150400.3.6.1
* qatzip-debuginfo-1.1.0-150400.3.3.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (x86_64)
* libqat4-24.09.0-150400.3.6.1
* qatzip-debugsource-1.1.0-150400.3.3.1
* libqatzip3-1.1.0-150400.3.3.1
* qatlib-debugsource-24.09.0-150400.3.6.1
* libqat4-debuginfo-24.09.0-150400.3.6.1
* qatzip-1.1.0-150400.3.3.1
* qatengine-debugsource-1.7.0-150400.3.6.1
* qatlib-24.09.0-150400.3.6.1
* libqatzip3-debuginfo-1.1.0-150400.3.3.1
* libusdm0-debuginfo-24.09.0-150400.3.6.1
* qatlib-debuginfo-24.09.0-150400.3.6.1
* qatzip-devel-1.1.0-150400.3.3.1
* qatengine-debuginfo-1.7.0-150400.3.6.1
* qatengine-1.7.0-150400.3.6.1
* qatlib-devel-24.09.0-150400.3.6.1
* libusdm0-24.09.0-150400.3.6.1
* qatzip-debuginfo-1.1.0-150400.3.3.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (x86_64)
* libqat4-24.09.0-150400.3.6.1
* qatzip-debugsource-1.1.0-150400.3.3.1
* libqatzip3-1.1.0-150400.3.3.1
* qatlib-debugsource-24.09.0-150400.3.6.1
* libqat4-debuginfo-24.09.0-150400.3.6.1
* qatzip-1.1.0-150400.3.3.1
* qatengine-debugsource-1.7.0-150400.3.6.1
* qatlib-24.09.0-150400.3.6.1
* libqatzip3-debuginfo-1.1.0-150400.3.3.1
* libusdm0-debuginfo-24.09.0-150400.3.6.1
* qatlib-debuginfo-24.09.0-150400.3.6.1
* qatzip-devel-1.1.0-150400.3.3.1
* qatengine-debuginfo-1.7.0-150400.3.6.1
* qatengine-1.7.0-150400.3.6.1
* qatlib-devel-24.09.0-150400.3.6.1
* libusdm0-24.09.0-150400.3.6.1
* qatzip-debuginfo-1.1.0-150400.3.3.1
## References:
* https://www.suse.com/security/cve/CVE-2024-28885.html
* https://www.suse.com/security/cve/CVE-2024-31074.html
* https://www.suse.com/security/cve/CVE-2024-33617.html
* https://bugzilla.suse.com/show_bug.cgi?id=1233363
* https://bugzilla.suse.com/show_bug.cgi?id=1233365
* https://bugzilla.suse.com/show_bug.cgi?id=1233366
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20251105/729ff814/attachment.htm>
More information about the sle-updates
mailing list