Security update for qatengine, qatlib

Announcement ID:	SUSE-SU-2025:4053-1
Release Date:	2025-11-11T13:46:59Z
Rating:	moderate
References:	bsc#1233363 bsc#1233365 bsc#1233366
Cross-References:	CVE-2024-28885 CVE-2024-31074 CVE-2024-33617
CVSS scores:	CVE-2024-28885 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2024-28885 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2024-28885 ( NVD ): 8.2 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2024-28885 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2024-31074 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2024-31074 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2024-31074 ( NVD ): 8.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2024-31074 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2024-33617 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2024-33617 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2024-33617 ( NVD ): 8.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2024-33617 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:	Basesystem Module 15-SP6 openSUSE Leap 15.6 SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise Real Time 15 SP6 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves three vulnerabilities can now be installed.

Description:

This update for qatengine, qatlib fixes the following issues:

Note that the 1.6.1 release included in 1.7.0 fixes the following vulnerabilities:

CVE-2024-28885: Fixed observable discrepancy in some Intel(R) QAT Engine for OpenSSL software before version v1.6.1 may allow information disclosure via network access. (bsc#1233363)
CVE-2024-31074: Fixed observable timing discrepancy may allow information disclosure via network access (bsc#1233365)
CVE-2024-33617: Fixed insufficient control flow management may allow information disclosure via network access (bsc#1233366)

qatengine was updated to 1.7.0:

ipp-crypto name change to cryptography-primitives
QAT_SW GCM memory leak fix in cleanup function
Update limitation section in README for v1.7.0 release
Fix build with OPENSSL_NO_ENGINE
Fix for build issues with qatprovider in qatlib
Bug fixes and README updates to v1.7.0
Remove qat_contig_mem driver support
Add support for building QAT Engine ENGINE and PROVIDER modules with QuicTLS 3.x libraries
Fix for DSA issue with openssl3.2
Fix missing lower bounds check on index i
Enabled SW Fallback support for FBSD
Fix for segfault issue when SHIM config section is unavailable
Fix for Coverity & Resource leak
Fix for RSA failure with SVM enabled in openssl-3.2
SM3 Memory Leak Issue Fix
Fix qatprovider lib name issue with system openssl

Update to 1.6.0:

Fix issue with make depend for QAT_SW
QAT_HW GCM Memleak fix & bug fixes
QAT2.0 FreeBSD14 intree driver support
Fix OpenSSL 3.2 compatibility issues
Optimize hex dump logging
Clear job tlv on error
QAT_HW RSA Encrypt and Decrypt provider support
QAT_HW AES-CCM Provider support
Add ECDH keymgmt support for provider
Fix QAT_HW SM2 memory leak
Enable qaeMemFreeNonZeroNUMA() for qatlib
Fix polling issue for the process that doesn't have QAT_HW instance
Fix SHA3 qctx initialization issue & potential memleak
Fix compilation error in SM2 with qat_contig_mem
Update year in copyright information to 2024
update to 24.09.0:
Improved performance scaling in multi-thread applications
Set core affinity mapping based on NUMA (libnuma now required for building)
bug fixes, see https://github.com/intel/qatlib#resolved-issues
version update to 24.02.0
Support DC NS (NoSession) APIs
Support Symmetric Crypto SM3 & SM4
Support Asymmetric Crypto SM2
Support DC CompressBound APIs
Bug Fixes. See Resolved section in README.md

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

openSUSE Leap 15.6
zypper in -t patch SUSE-2025-4053=1 openSUSE-SLE-15.6-2025-4053=1
Basesystem Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP6-2025-4053=1

Package List:

openSUSE Leap 15.6 (x86_64)
- qatlib-24.09.0-150600.3.3.1
- qatengine-debuginfo-1.7.0-150600.3.3.1
- libusdm0-debuginfo-24.09.0-150600.3.3.1
- qatlib-debuginfo-24.09.0-150600.3.3.1
- libusdm0-24.09.0-150600.3.3.1
- libqat4-24.09.0-150600.3.3.1
- qatlib-devel-24.09.0-150600.3.3.1
- qatengine-1.7.0-150600.3.3.1
- qatengine-debugsource-1.7.0-150600.3.3.1
- libqat4-debuginfo-24.09.0-150600.3.3.1
- qatlib-debugsource-24.09.0-150600.3.3.1
Basesystem Module 15-SP6 (x86_64)
- qatlib-24.09.0-150600.3.3.1
- qatengine-debuginfo-1.7.0-150600.3.3.1
- libusdm0-debuginfo-24.09.0-150600.3.3.1
- qatlib-debuginfo-24.09.0-150600.3.3.1
- libusdm0-24.09.0-150600.3.3.1
- libqat4-24.09.0-150600.3.3.1
- qatlib-devel-24.09.0-150600.3.3.1
- qatengine-1.7.0-150600.3.3.1
- qatengine-debugsource-1.7.0-150600.3.3.1
- libqat4-debuginfo-24.09.0-150600.3.3.1
- qatlib-debugsource-24.09.0-150600.3.3.1

Security update for qatengine, qatlib

Description:

Patch Instructions:

Package List:

References: