# Security update for amber-cli

Announcement ID: SUSE-SU-2025:02769-1  
Release Date: 2025-08-12T13:49:39Z  
Rating: important  
References:

  * bsc#1047218
  * bsc#1240511

  
Cross-References:

  * CVE-2025-30204

  
CVSS scores:

  * CVE-2025-30204 ( SUSE ):  8.7
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2025-30204 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2025-30204 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

  
Affected Products:

  * openSUSE Leap 15.6
  * Server Applications Module 15-SP6
  * Server Applications Module 15-SP7
  * SUSE Linux Enterprise Real Time 15 SP6
  * SUSE Linux Enterprise Real Time 15 SP7
  * SUSE Linux Enterprise Server 15 SP6
  * SUSE Linux Enterprise Server 15 SP7
  * SUSE Linux Enterprise Server for SAP Applications 15 SP6
  * SUSE Linux Enterprise Server for SAP Applications 15 SP7

  
  
An update that solves one vulnerability and has one security fix can now be
installed.

## Description:

This update for amber-cli fixes the following issues:

  * Update to version 1.13.1+git20250329.c2e3bb8:
  * CVE-2025-30204: Fixed jwt-go excessive memory allocation during header
    parsing (bsc#1240511)
  * jwt version upgrade (#174)
  * Update policy size limit to 20k (#173)
  * Update tenant user model with latest changes (#172)
  * Fix/workflow (#171)
  * Upgrade GO version to 1.23.6 (#170)
  * Update golang jwt dependency (#169)
  * Update TMS roles struct (#167)
  * Update jwt dependency version (#165)
  * Add changes to support JWT (#163)
  * Update roles struct to be in sync with TMS (#164)
  * go upgrade to 1.22.7 (#162)
  * CASSINI-22266: Added permissions in ci workflow files (#153)
  * Add check for missing Security.md file (#150)
  * Go version upgrade to 1.22.5 (#148)
  * CLI changes (#140)
  * Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7 (#147)
  * Update product model to include multiple plan IDs (#146)
  * Updated the help section (#145)
  * Mark policy type field as not required (#144)
  * Upgrade/goversion 1.22.3 (#143)
  * Remove policy type and attestation type check for policy creation (#142)
  * Go version upgrade 1.22.2 (#141)
  * Fix error message to include the correct set of characters (#138)
  * UT coverage 80.9% (#137)
  * Fix push installer workflow (#136)
  * 3rd party versions upgrade (#133)
  * GO version upgrade to 1.22.0 (#132)
  * Fix/go version 1.21.6 (#127)
  * Update API key validation regex as per latest changes (#125)
  * Update API key validation regex as per latest changes (#124)
  * dependency version upgrade (#123)
  * Update tag create model (#121)
  * CASSINI-10113: Add scans in CI (#99)
  * corrected minor check condition (#120)
  * Add check to validate env variable before setting (#119)
  * Add version-check script (#118)
  * Add file path check for invalid characters (#116)
  * Update compoenent version (#117)
  * Update README as per suggestions (#113) (#115)
  * Added HTTP scheme validation to avoid API Key leakage (#108)
  * CASSINI-10987 Golang version upgrade to 1.21.4 (#114)
  * Update policy model as per the latest changes (#109)
  * Remove branch info from on schedule (#106)
  * Add BDBA scan to CI (#104)
  * Update CLI URL (#105)
  * updated licenses (#102)
  * Updated version of all components to v1.0.0 for GA (#100)
  * Validate the email id input before requesting list of users (#98)
  * Remove redundant print statements (#97)
  * Request ID and trace ID should be visible on the console for errors as well
    (#96)
  * Update sample policy as per token profile update changes (#95)
  * Update CLI name from tenantclt to inteltrustauthority (#93)
  * Update the headers for request and trace id (#94)
  * cassini-9466-Go version update to 1.20.6 (#91)
  * Add retry logic to client in tenant CLI (#92)
  * Add request-id optional parameter for each command (#90)

  * Override build date with SOURCE_DATE_EPOCH (bsc#1047218)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * openSUSE Leap 15.6  
    zypper in -t patch SUSE-2025-2769=1 openSUSE-SLE-15.6-2025-2769=1

  * Server Applications Module 15-SP6  
    zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP6-2025-2769=1

  * Server Applications Module 15-SP7  
    zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP7-2025-2769=1

## Package List:

  * openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
    * amber-cli-1.13.1+git20250329.c2e3bb8-150600.3.3.1
  * Server Applications Module 15-SP6 (aarch64 ppc64le s390x x86_64)
    * amber-cli-1.13.1+git20250329.c2e3bb8-150600.3.3.1
  * Server Applications Module 15-SP7 (aarch64 ppc64le s390x x86_64)
    * amber-cli-1.13.1+git20250329.c2e3bb8-150600.3.3.1

## References:

  * https://www.suse.com/security/cve/CVE-2025-30204.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1047218
  * https://bugzilla.suse.com/show_bug.cgi?id=1240511