{"affected":[{"ecosystem_specific":{"binaries":[{"sbctl":"0.18-bp160.1.1"}]},"package":{"ecosystem":"openSUSE:Leap 16.0","name":"sbctl","purl":"pkg:rpm/opensuse/sbctl&distro=openSUSE%20Leap%2016.0"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"0.18-bp160.1.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for sbctl fixes the following issues:\n\nChanges in sbctl:\n\n- Upgrade the embedded golang.org/x/net to 0.46.0\n  * Fixes: bsc#1251399, CVE-2025-47911: various algorithms with\n    quadratic complexity when parsing HTML documents\n  * Fixes: bsc#1251609, CVE-2025-58190: excessive memory consumption\n    by 'html.ParseFragment' when processing specially crafted input\n\n- Update to version 0.18:\n  * logging: fixup new go vet warning\n  * workflows: add cc for cross compile\n  * workflow: add sudo to apt\n  * workflow: add pcsclite to ci\n  * workflow: try enable cgo\n  * go.mod: update golang.org/x/ dependencies\n  * fix: avoid adding bogus Country attribute to subject DNs\n  * sbctl: only store file if we did actually sign the file\n  * installkernel: add post install hook for Debian's traditional installkernel\n  * CI: missing libpcsclite pkg\n  * workflows: add missing depends and new pattern keyword\n  * Add yubikey example for create keys to the README\n  * Initial yubikey backend keytype support\n  * verify: ensure we pass args in correct order\n\n- bsc#1248949 (CVE-2025-58058):\n  Bump xz to 0.5.14\n\n- Update to version 0.17:\n  * Ensure we don't wrongly compare input/output files when signing\n  * Added --json support to sbctl verify\n  * Ensure sbctl setup with no arguments returns a helpful output\n  * Import latest Microsoft keys for KEK and db databases\n  * Ensure we print the path of the file when encountering an invalid PE file\n  * Misc fixups in tests\n  * Misc typo fixes in prints\n\n- Update to version 0.16:\n  * Ensure sbctl reads --config even if /etc/sbctl/sbctl.conf is\n    present\n  * Fixed a bug where sbctl would abort 
if the TPM eventlog\n    contains the same byte multiple times\n  * Fixed a landlock bug where enroll-keys --export did not work\n  * Fixed a bug where an ESP mounted to multiple paths would not be\n    detected\n  * Exporting keys without efivars present works again\n  * sbctl sign will now use the saved output path if the signed\n    file is enrolled\n  * enroll-keys --append will now work without --force.\n- Updates from version 0.15.4:\n  * Fixed an issue where sign-all did not report a non-zero exit\n    code when something failed\n  * Fixed an issue where we couldn't write to a file with landlock\n  * Fixed an issue where --json would print the human readable\n    output and the json\n  * Fixes landlock for UKI/bundles by disabling the sandbox feature\n  * Some doc fixups that mentioned /usr/share/\n","id":"openSUSE-SU-2026:20105-1","modified":"2026-01-23T10:02:42Z","published":"2026-01-23T10:02:42Z","references":[{"type":"ADVISORY","url":null},{"type":"REPORT","url":"https://bugzilla.suse.com/1248949"},{"type":"REPORT","url":"https://bugzilla.suse.com/1251399"},{"type":"REPORT","url":"https://bugzilla.suse.com/1251609"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-47911"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-58058"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-58190"}],"related":["CVE-2025-47911","CVE-2025-58058","CVE-2025-58190"],"summary":"Security update for sbctl","upstream":["CVE-2025-47911","CVE-2025-58058","CVE-2025-58190"]}