security update for git, git-lfs, obs-scm-bridge, python-PyYAML

Announcement ID:	SUSE-SU-2025:03012-1
Release Date:	2025-08-29T00:08:05Z
Rating:	important
References:	bsc#1212476 bsc#1216545 bsc#1218588 bsc#1218664 bsc#1243197 bsc#1245938 bsc#1245939 bsc#1245942 bsc#1245943 bsc#1245946
Cross-References:	CVE-2025-27613 CVE-2025-27614 CVE-2025-46835 CVE-2025-48384 CVE-2025-48385
CVSS scores:	CVE-2025-27613 ( SUSE ): 5.7 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVE-2025-27613 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2025-27613 ( NVD ): 3.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N CVE-2025-27614 ( SUSE ): 7.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-27614 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-27614 ( NVD ): 8.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVE-2025-46835 ( SUSE ): 6.7 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVE-2025-46835 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2025-46835 ( NVD ): 8.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L CVE-2025-48384 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-48384 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-48384 ( NVD ): 8.0 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H CVE-2025-48385 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-48385 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-48385 ( NVD ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Affected Products:	Basesystem Module 15-SP6 Basesystem Module 15-SP7 Development Tools Module 15-SP6 Development Tools Module 15-SP7 openSUSE Leap 15.6 Python 3 Module 15-SP6 Python 3 Module 15-SP7 SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Real Time 15 SP6 SUSE Linux Enterprise Real Time 15 SP7 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP7

An update that solves five vulnerabilities and has five security fixes can now be installed.

Description:

This update for git, git-lfs, obs-scm-bridge, python-PyYAML fixes the following issues:

git was updated from version 2.43.0 to 2.51.0 (bsc#1243197):

• Security issues fixed:

• CVE-2025-27613 Fixed arbitrary writable file creation and truncation in Gitk(bsc#1245938)

• CVE-2025-27614 Fixed arbitrary script execution via repository clonation in gitk(bsc#1245939)
• CVE-2025-46835 Fixed arbitrary writable file creation in Git GUI when untrusted repository is cloned (bsc#1245942)
• CVE-2025-48384 Fixed the unintentional execution of a script after checkout due to CRLF transforming (bsc#1245943)

• CVE-2025-48385 Fixed arbitrary code execution due to protocol injection via fetching advertised bundle(bsc#1245946)

• Other changes and bugs fixed:

• Other changes and bugs fixed:

• Added SHA256 support (bsc#1243197)

• Git moved to /usr/libexec/git/git and updated AppArmor profile accordingly (bsc#1218588)
• gitweb AppArmor profile: allow reading etc/gitweb-common.conf (bsc#1218664)
• Do not replace apparmor configuration (bsc#1216545)

• Fixed the Python version required (bsc#1212476)

• Version Updates Release Notes:

• https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.51.0.adoc

• https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.1.adoc
• https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.0.adoc
• https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.49.0.adoc
• https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.1.adoc
• https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.0.adoc
• https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.1.adoc
• https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.0.adoc
• https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.2.adoc
• https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.1.adoc
• https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.0.adoc
• https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.3.adoc
• https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.2.adoc
• https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.1.adoc
• https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.0.adoc
• https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.44.0.adoc
• https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.3.adoc
• https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.2.adoc
• https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.1.adoc

git-lfs is included in version 3.7.0.

python-PyYAML was updated from version 6.0.1 to 6.0.2:

• Added support for Cython 3.x and Python 3.13

obs-scm-bridge was updated from version 0.5.4 to 0.7.4:

• New Features and Improvements:

• Manifest File Support: Support has been added for a _manifest file, which serves as a successor to the _subdirs file.

• Control Over Git Information: A new noobsinfo query parameter was added to hide git information in source and binary files.
• Enhanced Submodule Handling: The system now records the configured branch of submodules and stays on that branch during checkout.
• Git SHA Tracking: In project mode, the tool now uses git SHA sums instead of md5sum to track package sources.
• SSH URL Support: ssh:// SCM URLs can now be used.
• Improved Error Messages: Error reporting for invalid files within package subdirectories has been improved.
• Standardized Config Location: In project mode, the _config file is now always located in the top-level directory, even when using subdirs.
• Reduced Unnecessary Changes: In project mode, unnecessary modifications to the package meta URL are now avoided.
• Limit Asset Handling: A new mechanism has been introduced to limit how assets are handled.

• Branch Information Export: The trackingbranch is now exported to scmsync.obsinfo.

• Bugs fixed:

• Syntax Fix: A syntax issue was corrected.

• Git Submodule Parsing: The .gitsubmodule parser was fixed to correctly handle files that contain a mix of spaces and tabs.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.6
  zypper in -t patch SUSE-2025-3012=1 openSUSE-SLE-15.6-2025-3012=1
• Basesystem Module 15-SP6
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP6-2025-3012=1
• Basesystem Module 15-SP7
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2025-3012=1
• Development Tools Module 15-SP6
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP6-2025-3012=1
• Development Tools Module 15-SP7
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP7-2025-3012=1
• Python 3 Module 15-SP6
  zypper in -t patch SUSE-SLE-Module-Python3-15-SP6-2025-3012=1
• Python 3 Module 15-SP7
  zypper in -t patch SUSE-SLE-Module-Python3-15-SP7-2025-3012=1

Package List:

• openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
  • python311-PyYAML-debuginfo-6.0.2-150600.10.3.1
  • perl-Git-2.51.0-150600.3.12.1
  • python-PyYAML-debugsource-6.0.2-150600.10.3.1
  • python311-PyYAML-6.0.2-150600.10.3.1
  • git-email-2.51.0-150600.3.12.1
  • git-core-debuginfo-2.51.0-150600.3.12.1
  • git-lfs-3.7.0-150600.13.3.1
  • git-core-2.51.0-150600.3.12.1
  • git-gui-2.51.0-150600.3.12.1
  • git-p4-2.51.0-150600.3.12.1
  • git-cvs-2.51.0-150600.3.12.1
  • git-credential-libsecret-debuginfo-2.51.0-150600.3.12.1
  • git-2.51.0-150600.3.12.1
  • git-daemon-2.51.0-150600.3.12.1
  • git-arch-2.51.0-150600.3.12.1
  • gitk-2.51.0-150600.3.12.1
  • git-web-2.51.0-150600.3.12.1
  • git-debuginfo-2.51.0-150600.3.12.1
  • git-svn-2.51.0-150600.3.12.1
  • git-debugsource-2.51.0-150600.3.12.1
  • git-credential-libsecret-2.51.0-150600.3.12.1
  • git-daemon-debuginfo-2.51.0-150600.3.12.1
• openSUSE Leap 15.6 (noarch)
  • git-doc-2.51.0-150600.3.12.1
  • obs-scm-bridge-0.7.4-150600.14.4.1
• Basesystem Module 15-SP6 (aarch64 ppc64le s390x x86_64)
  • git-debugsource-2.51.0-150600.3.12.1
  • git-core-2.51.0-150600.3.12.1
  • git-core-debuginfo-2.51.0-150600.3.12.1
  • git-debuginfo-2.51.0-150600.3.12.1
• Basesystem Module 15-SP7 (aarch64 ppc64le s390x x86_64)
  • git-debugsource-2.51.0-150600.3.12.1
  • git-core-2.51.0-150600.3.12.1
  • git-core-debuginfo-2.51.0-150600.3.12.1
  • git-debuginfo-2.51.0-150600.3.12.1
• Development Tools Module 15-SP6 (aarch64 ppc64le s390x x86_64)
  • git-arch-2.51.0-150600.3.12.1
  • git-gui-2.51.0-150600.3.12.1
  • gitk-2.51.0-150600.3.12.1
  • perl-Git-2.51.0-150600.3.12.1
  • git-web-2.51.0-150600.3.12.1
  • git-debugsource-2.51.0-150600.3.12.1
  • git-cvs-2.51.0-150600.3.12.1
  • git-debuginfo-2.51.0-150600.3.12.1
  • git-daemon-debuginfo-2.51.0-150600.3.12.1
  • git-2.51.0-150600.3.12.1
  • git-email-2.51.0-150600.3.12.1
  • git-daemon-2.51.0-150600.3.12.1
  • git-svn-2.51.0-150600.3.12.1
  • git-lfs-3.7.0-150600.13.3.1
• Development Tools Module 15-SP6 (noarch)
  • git-doc-2.51.0-150600.3.12.1
  • obs-scm-bridge-0.7.4-150600.14.4.1
• Development Tools Module 15-SP7 (aarch64 ppc64le s390x x86_64)
  • git-arch-2.51.0-150600.3.12.1
  • git-gui-2.51.0-150600.3.12.1
  • gitk-2.51.0-150600.3.12.1
  • perl-Git-2.51.0-150600.3.12.1
  • git-web-2.51.0-150600.3.12.1
  • git-debugsource-2.51.0-150600.3.12.1
  • git-cvs-2.51.0-150600.3.12.1
  • git-debuginfo-2.51.0-150600.3.12.1
  • git-daemon-debuginfo-2.51.0-150600.3.12.1
  • git-2.51.0-150600.3.12.1
  • git-email-2.51.0-150600.3.12.1
  • git-daemon-2.51.0-150600.3.12.1
  • git-svn-2.51.0-150600.3.12.1
  • git-lfs-3.7.0-150600.13.3.1
• Development Tools Module 15-SP7 (noarch)
  • git-doc-2.51.0-150600.3.12.1
  • obs-scm-bridge-0.7.4-150600.14.4.1
• Python 3 Module 15-SP6 (aarch64 ppc64le s390x x86_64)
  • python311-PyYAML-6.0.2-150600.10.3.1
  • python-PyYAML-debugsource-6.0.2-150600.10.3.1
  • python311-PyYAML-debuginfo-6.0.2-150600.10.3.1
• Python 3 Module 15-SP7 (aarch64 ppc64le s390x x86_64)
  • python311-PyYAML-6.0.2-150600.10.3.1
  • python-PyYAML-debugsource-6.0.2-150600.10.3.1
  • python311-PyYAML-debuginfo-6.0.2-150600.10.3.1

References:

• https://www.suse.com/security/cve/CVE-2025-27613.html
• https://www.suse.com/security/cve/CVE-2025-27614.html
• https://www.suse.com/security/cve/CVE-2025-46835.html
• https://www.suse.com/security/cve/CVE-2025-48384.html
• https://www.suse.com/security/cve/CVE-2025-48385.html
• https://bugzilla.suse.com/show_bug.cgi?id=1212476
• https://bugzilla.suse.com/show_bug.cgi?id=1216545
• https://bugzilla.suse.com/show_bug.cgi?id=1218588
• https://bugzilla.suse.com/show_bug.cgi?id=1218664
• https://bugzilla.suse.com/show_bug.cgi?id=1243197
• https://bugzilla.suse.com/show_bug.cgi?id=1245938
• https://bugzilla.suse.com/show_bug.cgi?id=1245939
• https://bugzilla.suse.com/show_bug.cgi?id=1245942
• https://bugzilla.suse.com/show_bug.cgi?id=1245943
• https://bugzilla.suse.com/show_bug.cgi?id=1245946