<div class="container">
    <h1>Security update for afterburn</h1>

    <table class="table table-striped table-bordered">
        <tbody>
        <tr>
            <th>Announcement ID:</th>
            <td>SUSE-SU-2025:3783-1</td>
        </tr>
        <tr>
            <th>Release Date:</th>
            <td>2025-10-24T13:28:13Z</td>
        </tr>
        
        <tr>
            <th>Rating:</th>
            <td>important</td>
        </tr>
        <tr>
            <th>References:</th>
            <td>
                <ul>
                    
                        <li style="display: inline;">
                            <a href="https://bugzilla.suse.com/show_bug.cgi?id=1196972">bsc#1196972</a>
                        </li>
                    
                        <li style="display: inline;">
                            <a href="https://bugzilla.suse.com/show_bug.cgi?id=1242665">bsc#1242665</a>
                        </li>
                    
                        <li style="display: inline;">
                            <a href="https://bugzilla.suse.com/show_bug.cgi?id=1243850">bsc#1243850</a>
                        </li>
                    
                        <li style="display: inline;">
                            <a href="https://bugzilla.suse.com/show_bug.cgi?id=1244199">bsc#1244199</a>
                        </li>
                    
                        <li style="display: inline;">
                            <a href="https://bugzilla.suse.com/show_bug.cgi?id=1244675">bsc#1244675</a>
                        </li>
                    
                        <li style="display: inline;">
                            <a href="https://bugzilla.suse.com/show_bug.cgi?id=1250471">bsc#1250471</a>
                        </li>
                    
                    
                </ul>
            </td>
        </tr>
        
            <tr>
                <th>
                    Cross-References:
                </th>
                <td>
                    <ul>
                    
                        <li style="display: inline;">
                            <a href="https://www.suse.com/security/cve/CVE-2022-24713.html">CVE-2022-24713</a>
                        </li>
                    
                        <li style="display: inline;">
                            <a href="https://www.suse.com/security/cve/CVE-2024-12224.html">CVE-2024-12224</a>
                        </li>
                    
                        <li style="display: inline;">
                            <a href="https://www.suse.com/security/cve/CVE-2025-3416.html">CVE-2025-3416</a>
                        </li>
                    
                        <li style="display: inline;">
                            <a href="https://www.suse.com/security/cve/CVE-2025-5791.html">CVE-2025-5791</a>
                        </li>
                    
                    </ul>
                </td>
            </tr>
            <tr>
                <th>CVSS scores:</th>
                <td>
                    <ul class="list-group">
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2022-24713</span>
                                <span class="cvss-source">
                                    (
                                    
                                        SUSE
                                    
                                    ):
                                </span>
                                <span class="cvss-score">4.3</span>
                                <span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2022-24713</span>
                                <span class="cvss-source">
                                    (
                                    
                                        NVD
                                    
                                    ):
                                </span>
                                <span class="cvss-score">7.5</span>
                                <span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2024-12224</span>
                                <span class="cvss-source">
                                    (
                                    
                                        SUSE
                                    
                                    ):
                                </span>
                                <span class="cvss-score">2.1</span>
                                <span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2024-12224</span>
                                <span class="cvss-source">
                                    (
                                    
                                        SUSE
                                    
                                    ):
                                </span>
                                <span class="cvss-score">4.2</span>
                                <span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2024-12224</span>
                                <span class="cvss-source">
                                    (
                                    
                                        NVD
                                    
                                    ):
                                </span>
                                <span class="cvss-score">5.1</span>
                                <span class="cvss-vector">CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2025-3416</span>
                                <span class="cvss-source">
                                    (
                                    
                                        SUSE
                                    
                                    ):
                                </span>
                                <span class="cvss-score">6.3</span>
                                <span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2025-3416</span>
                                <span class="cvss-source">
                                    (
                                    
                                        SUSE
                                    
                                    ):
                                </span>
                                <span class="cvss-score">3.7</span>
                                <span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2025-3416</span>
                                <span class="cvss-source">
                                    (
                                    
                                        NVD
                                    
                                    ):
                                </span>
                                <span class="cvss-score">3.7</span>
                                <span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2025-5791</span>
                                <span class="cvss-source">
                                    (
                                    
                                        SUSE
                                    
                                    ):
                                </span>
                                <span class="cvss-score">8.4</span>
                                <span class="cvss-vector">CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2025-5791</span>
                                <span class="cvss-source">
                                    (
                                    
                                        SUSE
                                    
                                    ):
                                </span>
                                <span class="cvss-score">7.1</span>
                                <span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2025-5791</span>
                                <span class="cvss-source">
                                    (
                                    
                                        NVD
                                    
                                    ):
                                </span>
                                <span class="cvss-score">7.1</span>
                                <span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N</span>
                            </li>
                        
                    </ul>
                </td>
            </tr>
        
        <tr>
            <th>Affected Products:</th>
            <td>
                <ul class="list-group">
                    
                        <li class="list-group-item">SUSE Linux Enterprise Micro 5.2</li>
                    
                        <li class="list-group-item">SUSE Linux Enterprise Micro for Rancher 5.2</li>
                    
                </ul>
            </td>
        </tr>
        </tbody>
    </table>

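    <p>An update that solves four vulnerabilities and contains two security fixes can now be installed. The four CVEs are described below together with their Bugzilla references; of the two remaining references, bsc#1250471 is described under "Other issues fixed", while bsc#1244675 appears only in the reference lists.</p>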

    


    
        <h2>Description:</h2>
    
    <p>This update for afterburn fixes the following issues:</p>
<p>Update to version 5.9.0.git21.a73f509.</p>
<p>Security issues fixed:</p>
<ul>
<li>CVE-2022-24713: regex: missing complexity limits when parsing untrusted regular expressions with large
  repetitions on empty sub-expressions can lead to excessive resource consumption and denial of service (bsc#1196972).</li>
<li>CVE-2024-12224: idna: acceptance of Punycode labels that do not produce any non-ASCII output may lead to incorrect
  hostname comparisons and incorrect URL parsing (bsc#1243850).</li>
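<li>CVE-2025-5791: users: the <code>root</code> user is appended to group listings whenever the listing does not have exactly 1024 groups,
  which can lead to privilege escalation when this information is used for access control (bsc#1244199). The changelog below records the move away from the deprecated <code>users</code> to <code>uzers</code>.</li>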
<li>CVE-2025-3416: openssl: passing a <code>Some(...)</code> value as the <code>properties</code> argument to <code>Md::fetch</code> or <code>Cipher::fetch</code> can
  lead to a use-after-free (bsc#1242665).</li>
</ul>
<p>Other issues fixed:</p>
<ul>
<li>Fixed in version 5.9.0.git21.a73f509:</li>
<li>cargo: update dependencies</li>
<li>microsoft/azure: Add XML attribute alias for serde-xml-rs Fedora compat</li>
<li>microsoft/azure: Fix SharedConfig parsing of XML attributes</li>
<li>microsoft/azure: Mock goalstate.SharedConfig output in tests</li>
<li>providers/azure: switch SSH key retrieval from certs endpoint to IMDS as azure stopped providing keys in the old one (bsc#1250471).</li>
<li>upcloud: implement UpCloud provider</li>
<li>
<p>Update several build dependencies</p>
</li>
<li>
<p>Fixed in version 5.9.0:</p>
</li>
<li>cargo: update dependencies</li>
<li>dracut: Return 255 in module-setup</li>
<li>oraclecloud: add release note and move base URL to constant</li>
<li>oraclecloud: implement oraclecloud provider</li>
<li>
<p>Update several build dependencies</p>
</li>
<li>
<p>Fixed in version 5.8.2:</p>
</li>
<li>cargo: update dependencies</li>
<li>
<p>packit: add initial support</p>
</li>
<li>
<p>Fixed in version 5.7.0.git103.bae893c:</p>
</li>
<li>proxmoxve: Add more context to log messages.</li>
<li>proxmoxve: Remove unneeded fields</li>
<li>proxmoxve: Add tests for static network configuration from cloud-init.</li>
<li>proxmoxve: Add support for static network configuration from cloud-init.</li>
<li>providers/openstack: ignore ec2 metadata if not present</li>
<li>proxmox: use noop provider if no configdrive</li>
<li>
<p>Update several build dependencies</p>
</li>
<li>
<p>Fixed in version 5.7.0:</p>
</li>
<li>cargo: update dependencies</li>
<li>dhcp: replace dbus_proxy with proxy, and zbus traits</li>
<li>providers/hetzner: private ipv4 addresses in attributes</li>
<li>openstack: Document the two platforms</li>
<li>microsoft/azure: allow empty certificate chain in PKCS12 file</li>
<li>proxmoxve: implement proxmoxve provider</li>
<li>providers/hetzner: fix duplicate attribute prefix</li>
<li>lint: silence deadcode warnings</li>
<li>lint: address latest lint&#x27;s from msrv update</li>
<li>cargo: update msrv to 1.75</li>
<li>providers: Add "akamai" provider</li>
<li>providers/vmware: add missing public functions for non-amd64</li>
<li>providers/vmware: Process guestinfo.metadata netplan configuration</li>
<li>kubevirt: Run afterburn-hostname service</li>
<li>providers: add support for scaleway</li>
<li>Move away from deprecated <code>users</code> to <code>uzers</code></li>
<li>providers/hetzner: add support for Hetzner Cloud</li>
<li>cargo: update MSRV to 1.71</li>
<li>cargo: specify required features for nix dependency</li>
<li>openstack: Add attribute OPENSTACK_INSTANCE_UUID</li>
<li>cargo: allow openssl 0.10.46</li>
<li>build-sys: Use new tier = 2 for cargo-vendor-filterer</li>
<li>cargo: fix minimum version of openssl crate</li>
<li>microsoft/crypto/mod: replace deprecated function <code>parse</code> with <code>parse2</code></li>
<li>cli: switch to clap derive</li>
<li>cli: add descriptive value names for option arguments in --help</li>
<li>cli: have clap require exactly one of --cmdline/--provider</li>
<li>providers/<code>*</code>: move endpoint mocking into retry::Client</li>
<li>retry/client: move URL parsing into helper function</li>
<li>providers/microsoft: import crate::retry</li>
<li>providers/microsoft: use stored client for all fetches</li>
<li>providers/packet: use stored client for boot checkin</li>
<li>initrd: remember to write trailing newline to network kargs file</li>
<li>util: drop obsolete "OEM" terminology</li>
<li>Inline variables into format strings</li>
<li>
<p>Update several build dependencies</p>
</li>
<li>
<p>Fixed in version 5.4.1:</p>
</li>
<li>cargo: add configuration for cargo-vendor-filterer</li>
<li>util: support DHCP option lookup from NetworkManager</li>
<li>util: factor out retries of DHCP option lookup</li>
<li>util: refactor DHCP option query helper into an enum</li>
<li>util: move dns_lease_key_lookup() to a separate module</li>
<li>cargo: update MSRV to 1.66</li>
<li>cargo: update all packages to fix build error</li>
<li>cargo: continue to support openssh-keys 0.5</li>
<li>cargo: drop serde_derive crate in favor of serde derive feature</li>
<li>cargo: use consistent declaration syntax for slog dependency</li>
<li>cargo: drop unused dependencies</li>
<li>cargo: continue to support base64 0.13</li>
<li>cargo: continue to support mailparse 0.13.8</li>
<li>cargo: continue to support clap 3.1</li>
<li>cargo: stop enabling LTO in release builds</li>
<li>providers/ibmcloud: avoid error if an ssh key not found in metadata</li>
<li>systemd: add explicit ordering, after multi-user.target</li>
<li>network: fix clippy 1.63.0 lints</li>
<li>cargo: allow serde_yaml 0.8</li>
<li>cargo: update version ranges for post-1.x deps</li>
<li>providers: Use inline <code>format!</code> in a few places</li>
<li>*: bump MSRV to 1.58.0</li>
<li>cargo: update clap to 3.2.5</li>
<li>copr: mark git checkout as safe</li>
<li>providers/aws: expose instance availability-zone-id as AWS_AVAILABILITY_ZONE_ID</li>
<li>
<p>Update several build dependencies</p>
</li>
<li>
<p>Fixed in version 5.3.0:</p>
</li>
<li>systemd: enable sshkeys on Power VS platform</li>
<li>network: Encode information for systemd-networkd-wait-online</li>
<li>cargo: update to clap 3.1</li>
<li>cargo: enable clap wrap_help feature</li>
<li>cli: run clap tests</li>
<li>cli: avoid deprecated clap constructs</li>
<li>cargo: update to clap 3.0</li>
<li>cli: use clap mechanism to require exp subcommand</li>
<li>cargo: declare MSRV in Cargo.toml</li>
<li>cargo: update to Rust 2021; bump MSRV to 1.56.0</li>
<li>copr: abort if specfile fetch fails</li>
<li>providers/aws: add AWS_IPV6 attribute</li>
<li>providers/aws: bump metadata version to 2021-01-03</li>
<li>kubevirt: Add KubeVirt platform support</li>
<li>*.service: add/update Documentation field</li>
<li>aws/mock_tests: explicitly drop mocks before resetting</li>
<li>aws/mock_tests: split out IMDS tests</li>
<li>aws/mock_tests: factor out map building</li>
<li>*: use <code>RemainAfterExit</code> on all oneshot services</li>
<li>Update several build dependencies</li>
</ul>



    

    <h2>Patch Instructions:</h2>
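    <p>
        To install this SUSE update, use the SUSE-recommended
        installation methods such as YaST online_update or "zypper patch".<br/>

        Alternatively, you can run the command listed for your product. After patching, confirm that the installed afterburn packages match the versions in the Package List below:
    </p>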
    <ul class="list-group">
        
            <li class="list-group-item">
                SUSE Linux Enterprise Micro 5.2
                
                    
                        <br/>
                        <code>zypper in -t patch SUSE-SUSE-MicroOS-5.2-2025-3783=1</code>
                    
                    
                
            </li>
        
            <li class="list-group-item">
                SUSE Linux Enterprise Micro for Rancher 5.2
                
                    
                        <br/>
                        <code>zypper in -t patch SUSE-SUSE-MicroOS-5.2-2025-3783=1</code>
                    
                    
                
            </li>
        
    </ul>

    <h2>Package List:</h2>
    <ul>
        
            
                <li>
                    SUSE Linux Enterprise Micro 5.2 (aarch64 x86_64)
                    <ul>
                        
                            <li>afterburn-debugsource-5.9.0.git21.a73f509-150300.3.5.1</li>
                        
                            <li>afterburn-debuginfo-5.9.0.git21.a73f509-150300.3.5.1</li>
                        
                            <li>afterburn-5.9.0.git21.a73f509-150300.3.5.1</li>
                        
                    </ul>
                </li>
            
                <li>
                    SUSE Linux Enterprise Micro 5.2 (noarch)
                    <ul>
                        
                            <li>afterburn-dracut-5.9.0.git21.a73f509-150300.3.5.1</li>
                        
                    </ul>
                </li>
            
        
            
                <li>
                    SUSE Linux Enterprise Micro for Rancher 5.2 (aarch64 x86_64)
                    <ul>
                        
                            <li>afterburn-debugsource-5.9.0.git21.a73f509-150300.3.5.1</li>
                        
                            <li>afterburn-debuginfo-5.9.0.git21.a73f509-150300.3.5.1</li>
                        
                            <li>afterburn-5.9.0.git21.a73f509-150300.3.5.1</li>
                        
                    </ul>
                </li>
            
                <li>
                    SUSE Linux Enterprise Micro for Rancher 5.2 (noarch)
                    <ul>
                        
                            <li>afterburn-dracut-5.9.0.git21.a73f509-150300.3.5.1</li>
                        
                    </ul>
                </li>
            
        
    </ul>

    
        <h2>References:</h2>
        <ul>
            
                
                    <li>
                        <a href="https://www.suse.com/security/cve/CVE-2022-24713.html">https://www.suse.com/security/cve/CVE-2022-24713.html</a>
                    </li>
                
            
                
                    <li>
                        <a href="https://www.suse.com/security/cve/CVE-2024-12224.html">https://www.suse.com/security/cve/CVE-2024-12224.html</a>
                    </li>
                
            
                
                    <li>
                        <a href="https://www.suse.com/security/cve/CVE-2025-3416.html">https://www.suse.com/security/cve/CVE-2025-3416.html</a>
                    </li>
                
            
                
                    <li>
                        <a href="https://www.suse.com/security/cve/CVE-2025-5791.html">https://www.suse.com/security/cve/CVE-2025-5791.html</a>
                    </li>
                
            
                
                    <li>
                        <a href="https://bugzilla.suse.com/show_bug.cgi?id=1196972">https://bugzilla.suse.com/show_bug.cgi?id=1196972</a>
                    </li>
                
            
                
                    <li>
                        <a href="https://bugzilla.suse.com/show_bug.cgi?id=1242665">https://bugzilla.suse.com/show_bug.cgi?id=1242665</a>
                    </li>
                
            
                
                    <li>
                        <a href="https://bugzilla.suse.com/show_bug.cgi?id=1243850">https://bugzilla.suse.com/show_bug.cgi?id=1243850</a>
                    </li>
                
            
                
                    <li>
                        <a href="https://bugzilla.suse.com/show_bug.cgi?id=1244199">https://bugzilla.suse.com/show_bug.cgi?id=1244199</a>
                    </li>
                
            
                
                    <li>
                        <a href="https://bugzilla.suse.com/show_bug.cgi?id=1244675">https://bugzilla.suse.com/show_bug.cgi?id=1244675</a>
                    </li>
                
            
                
                    <li>
                        <a href="https://bugzilla.suse.com/show_bug.cgi?id=1250471">https://bugzilla.suse.com/show_bug.cgi?id=1250471</a>
                    </li>
                
            
        </ul>
    
</div>