Security update for snpguest

Announcement ID:	SUSE-SU-2026:0620-1
Release Date:	2026-02-24T16:36:36Z
Rating:	important
References:	bsc#1242601 bsc#1243869 bsc#1257877 bsc#1257927
Cross-References:	CVE-2024-12224 CVE-2025-3416 CVE-2026-25727
CVSS scores:	CVE-2024-12224 ( SUSE ): 2.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVE-2024-12224 ( SUSE ): 4.2 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N CVE-2024-12224 ( NVD ): 5.1 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2025-3416 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-3416 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2025-3416 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2026-25727 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2026-25727 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-25727 ( NVD ): 6.8 CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2026-25727 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products:	Server Applications Module 15-SP7 SUSE Linux Enterprise Real Time 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7

An update that solves three vulnerabilities and has one security fix can now be installed.

Description:

This update for snpguest fixes the following issues:

Update to version 0.10.0.

Security issues fixed:

• CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion (bsc#1257927).
• CVE-2025-3416: openssl: Use-After-Free in Md::fetch and Cipher::fetch in rust-openssl crate (bsc#1242601).
• CVE-2024-12224: idna: idna accepts Punycode labels that do not produce any non-ASCII when decoded (bcs#1243869).

Other updates and bugfixes:

• Update to version 0.10.0

• fails to generate attestation reports on SEV-SNP guests with firmware API (bsc#1257877).

• chore: updating tool version to 0.10.0
• refactor(certs): remove redundant branch in file-write logic
• Docs: Adding verify measure, host-data, report-data to docs
• verify: verify measurent, host data, and report data attributes from the attestation report.
• library: Updating sev library to 7.1.0
• ci: replace deprecated gh actions
• feat: multi-format integer parsing for key subcommand arguments
• chore(main): remove unused import clap::arg
• feat(fetch): add fetch crl subcommand
• .github/lint: Bump toolchain version to 1.86
• Bump rust version to 1.86
• feat: bumping tool to version 0.9.2
• fix(verify): silence mismatched_lifetime_syntaxes in SnpOid::oid
• feat: support SEV-SNP ABI Spec 1.58 (bump sev to v6.3.0)
• docs: restore and clarify Global Options section
• doc: fix CL argument orders + address recent changes
• fix(hyperv): downgrade VMPL check from error to warning
• fix(report.rs): remove conflict check between --random flag and Hyper-V
• fix(report.rs): Decouple runtime behavior from hyperv build feature
• refactor: clarify --platform error message
• docs: add Azure/Hyper-V build note for --platform
• report: Writing Req Data as Binary (#101)
• deps: bump virtee/sev to 6.2.1 (fix TCB-serialization bug) (#99)
• Updating SEV library to 6.1.0 and updating version to 0.9.1
• Update version (0.9.0)
• HyperV: Fixing report command failure on Azure confidential VM
• Removing intird and append requirement for kernel measurements (#93)
• Updating to version 6 of library and fixing attestation (#89)
• CI: Fixing create_release workflow (#91)
• Minor update (0.8.3)
• Adding build script
• Update preattestation.rs
• Fix certificate fetch bug for Turin
• Minor update
• Update bitfield to 0.15.0
• Update to 0.8.1
• Update asn1-rs and x509-parser
• Update to 0.8.0
• key: Fix guest_field_select typo
• Adding Turin support and updating ASK cn

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Server Applications Module 15-SP7
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP7-2026-620=1

Package List:

• Server Applications Module 15-SP7 (x86_64)
  • snpguest-debugsource-0.10.0-150700.3.3.1
  • snpguest-debuginfo-0.10.0-150700.3.3.1
  • snpguest-0.10.0-150700.3.3.1

References:

• https://www.suse.com/security/cve/CVE-2024-12224.html
• https://www.suse.com/security/cve/CVE-2025-3416.html
• https://www.suse.com/security/cve/CVE-2026-25727.html
• https://bugzilla.suse.com/show_bug.cgi?id=1242601
• https://bugzilla.suse.com/show_bug.cgi?id=1243869
• https://bugzilla.suse.com/show_bug.cgi?id=1257877
• https://bugzilla.suse.com/show_bug.cgi?id=1257927