🟠 High   ⏱ 15–60 min  Last verified: 25 May 2026
Affected versions: openSUSE Tumbleweed

📖 ~4 min read  •  Source: SUSE advisory SUSE-SU-2025:0005-1 (see also SUSE bugzilla)

Related CVEs: CVE-2024-37305

Upstream summary: oqs-provider is a provider for the OpenSSL 3 cryptography library that adds support for post-quantum cryptography in TLS, X.509, and S/MIME using post-quantum algorithms from liboqs. Flaws have been identified in the way oqs-provider handles lengths decoded with DECODE_UINT32 at the start of serialized hybrid (traditional + post-quantum) keys and signatures. Unchecked length values are later used for memory reads and writes; malformed input can lead to crashes or information

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

On openSUSE Tumbleweed hosts that have oqs-provider installed, administrators report behaviour consistent with SUSE advisory SUSE-SU-2025:0005-1: zypper dup --dry-run shows pending rolling updates, services backed by oqs-provider fail or restart unexpectedly, AppArmor profile warnings appear in journalctl -k — and for security-rated advisories the host is exposed to the vulnerability set above. Impact ranges from a single service-restart loop to wider availability incidents whenever oqs-provider sits on the serving path.

Environment & Reproduction

Reproduction targets openSUSE Tumbleweed. Confirm release and installed package:

cat /etc/os-release
rpm -q oqs-provider
zypper info oqs-provider | head -20
zypper lr -E                              # enabled repositories

Trigger the workflow that exposes oqs-provider — vulnerability — patch and remediation guide while collecting:

sudo journalctl -u oqs-provider -b --no-pager | tail -200
sudo journalctl -xe --no-pager | tail -200
sudo tail -200 /var/log/zypp/history
sudo journalctl -k | grep -i apparmor | tail -100
# Bundle evidence for SUSE / community support:
sudo supportconfig -R /var/tmp -B oqs-provider

Root Cause Analysis

Root cause is documented in SUSE advisory SUSE-SU-2025:0005-1. openSUSE security maintainers shipped fixes in the corresponding oqs-provider update for openSUSE Tumbleweed; running an outdated build leaves the host exposed to the failure modes described in the advisory. Correlate zypper history with system logs:

sudo zypper history | grep oqs-provider
sudo zypper history --since='-7 days' | tail -40
sudo journalctl -k | grep -i apparmor | tail -100
cat /proc/sys/kernel/tainted   # non-zero = tainted kernel / out-of-tree modules
snapper list | tail -20         # snapshots taken around each zypper transaction

Quick Triage

Run these on openSUSE Tumbleweed to capture the current state of oqs-provider:

rpm -q oqs-provider                              # installed NVR
rpm -V oqs-provider                              # verify shipped files
sudo zypper ref                            # refresh repos
sudo zypper dup --dry-run                  # pending rolling updates
systemctl --failed --no-pager
sudo firewall-cmd --list-all
sudo aa-status                             # AppArmor profiles
# If oqs-provider ships a systemd unit (unit name may differ from pkg name, e.g.
# bind→named, postgresql-server→postgresql, php-fpm→php-fpm):
systemctl list-unit-files | grep -i oqs | head

Step-by-Step Diagnosis

  1. List failed systemd units.

    systemctl --failed --no-pager

  2. Tail the journal for oqs-provider and the system bus.

    sudo journalctl -u oqs-provider -f --no-pager
sudo journalctl -xe -f --no-pager

  3. Inspect firewall posture (firewalld is the default on openSUSE).

    sudo firewall-cmd --list-all-zones --permanent
sudo nft list ruleset 2>/dev/null | head -50

  4. Surface AppArmor denials and switch the profile to complain mode if needed.

    sudo journalctl -k | grep -i 'apparmor="DENIED"' | tail -30
sudo aa-status
sudo aa-complain /etc/apparmor.d/usr.sbin.oqs-provider 2>/dev/null || true

  5. Verify oqs-provider integrity and reinstall if anything is altered.

    sudo rpm -V oqs-provider
sudo zypper verify
sudo zypper install --force oqs-provider

  6. Inspect Snapper snapshots to know exactly which transaction introduced the regression.

    sudo snapper list | tail -20
sudo snapper status <pre-id>..<post-id>

  7. Correlate findings with /var/log/zypp/history, zypper history, and SUSE advisory SUSE-SU-2025:0005-1 to pin the change that introduced oqs-provider — vulnerability — patch and remediation guide.

Solution – Primary Fix

Apply the corrective zypper transaction referenced by SUSE advisory SUSE-SU-2025:0005-1, then reload affected systemd units:

sudo zypper ref                                      # refresh repos
# Tumbleweed is a rolling release — use 'dup', not 'patch':
sudo zypper dup --no-allow-vendor-change             # rolling distribution upgrade
# To target only the affected package while still on rolling:
sudo zypper dup --no-allow-vendor-change oqs-provider
sudo systemctl daemon-reload
# Unit name may differ from pkg name; check first:
systemctl list-unit-files | grep -i oqs | head
sudo systemctl restart oqs-provider
rpm -q oqs-provider                                          # confirm new NVR
systemctl is-active oqs-provider 2>/dev/null                 # confirm running (if a unit exists)

For kernel / glibc / systemd / openssl rolls a reboot is required. Tumbleweed does not ship Live Patching, so plan a maintenance window or use Snapper to roll back if a regression appears:

sudo zypper ps -s                      # services using deleted libs
sudo snapper list | tail -5            # confirm pre/post snapshots exist
sudo systemctl reboot                  # or: sudo shutdown -r now

Need help rolling this patch across an openSUSE fleet? Our IT Solutions & Services team supports openSUSE Leap and Tumbleweed estates with snapper-backed rollback workflows and salt-driven patching. Get in touch for a free consultation.

Solution – Alternative Approaches

If the primary fix is not viable, choose from these:

  • Roll back via Snapper (Btrfs snapshots are taken automatically before zypper transactions on openSUSE Tumbleweed). This is the primary safety net for openSUSE administrators:

    sudo snapper list
sudo snapper status <pre-id>..<post-id>   # diff between two snapshot numbers
sudo snapper undochange <pre-id>..<post-id>
sudo snapper rollback <pre-id>            # boot the host into the chosen snapshot
sudo systemctl reboot

  • Lock the package so zypper cannot upgrade it:

    sudo zypper al oqs-provider                   # add lock
zypper ll | grep oqs-provider                 # list locks
sudo zypper rl oqs-provider                   # remove lock

  • Install an older NVR if a regression is suspected:

    zypper se -s oqs-provider                     # show all available versions
sudo zypper install --oldpackage oqs-provider-<older-NVR>

  • Disable the AppArmor profile briefly to confirm policy is the cause, then re-enable:

    sudo aa-disable /etc/apparmor.d/usr.sbin.oqs-provider
# reproduce, capture denials in the journal:
sudo journalctl -k | grep apparmor | tail
sudo aa-enforce /etc/apparmor.d/usr.sbin.oqs-provider

  • Pin Tumbleweed to a known-good snapshot from the openSUSE history server while you investigate. This keeps the rolling release reproducible across a fleet:

    # Edit /etc/zypp/repos.d/repo-oss.repo and point baseurl at
#   http://download.opensuse.org/history/<YYYYMMDD>/tumbleweed/repo/oss/
sudo zypper ref
sudo zypper dup --no-allow-vendor-change

Verification & Acceptance Criteria

All of these should pass after the fix:

rpm -q oqs-provider                                            # expected fixed NVR
sudo zypper dup --dry-run                                # no pending rolls expected
systemctl is-active oqs-provider 2>/dev/null
sudo journalctl -u oqs-provider --since "5 minutes ago" --no-pager | grep -iE "error|fail" || echo OK
sudo firewall-cmd --list-services
sudo aa-status | head -5
sudo zypper ps -s                                        # any services still using deleted libs

The original reproduction for oqs-provider — vulnerability — patch and remediation guide must not trigger across two consecutive runs.

Rollback Plan

Capture state before any change. On openSUSE, Snapper is the canonical rollback path:

rpm -qa > /root/rpm-pre.txt
sudo zypper history list > /root/zypper-history-pre.txt
# Snapper takes pre/post snapshots automatically on Btrfs root.
sudo snapper create -d 'pre-patch-oqs-provider'   # explicit named snapshot
sudo snapper list | head

To revert if the patch / roll is bad:

# Preferred on Btrfs root — boot the prior snapshot:
sudo snapper list
sudo snapper rollback <pre-id>
sudo systemctl reboot
# Or downgrade just the package:
sudo zypper install --oldpackage oqs-provider-<older-NVR>
sudo systemctl daemon-reload
sudo systemctl restart oqs-provider
# Custom AppArmor profile cleanup:
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.oqs-provider

Prevention & Hardening

Reduce the chance of this recurring on openSUSE Tumbleweed:

  • Run rolling upgrades on a schedule — Tumbleweed receives a snapshot most weekdays. Stagger across the fleet so any regression is caught early:

    sudo zypper ref
sudo zypper dup --no-allow-vendor-change
# Optional: drive from salt/ansible with a maintenance window per host group.

  • Subscribe to opensuse-security-announce and watch suse.com/support/update.

  • Lock sensitive packages so they cannot be auto-upgraded:

    sudo zypper al oqs-provider

  • Ensure Snapper is enabled on the root subvolume and pre/post hooks run for every zypper transaction. This is the cornerstone of safe openSUSE patching:

    sudo snapper -c root get-config | head
# Default zypper plugin: /usr/lib/zypp/plugins/commit/snapper.zypp-commit-plugin
sudo snapper list | tail -10

  • Monitor file integrity with AIDE:

    sudo zypper install -y aide
sudo aide --init && sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
sudo aide --check

  • Keep AppArmor profiles in enforce; review /etc/apparmor.d/ after every package upgrade.

  • Apply CIS / openSUSE hardening guidance and use salt or ansible to enforce baseline state across the fleet.

Issues that commonly surface alongside oqs-provider — vulnerability — patch and remediation guide: zypper lock contention, systemd unit ordering cycles, AppArmor denials, firewalld zone drift, and kernel taint flags. Useful triage:

sudo zypper ps -s
systemd-analyze critical-chain
sudo journalctl -k | grep apparmor | tail
sudo firewall-cmd --get-active-zones
cat /proc/sys/kernel/tainted
sudo snapper list | tail

View all opensuse-tumbleweed tutorials on the Tutorials Hub →

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Primary reference: SUSE advisory SUSE-SU-2025:0005-1 (see also SUSE bugzilla). Manual pages useful on openSUSE Tumbleweed:

man zypper
man zypper.conf
man systemctl
man journalctl
man firewall-cmd
man snapper
man apparmor
man aa-status

Other resources: openSUSE documentation, suse.com/security, openSUSE security portal, and per-package notes in /usr/share/doc/packages/oqs-provider/ for components implicated in oqs-provider — vulnerability — patch and remediation guide.


View all openSUSE Tumbleweed tutorials on the Tutorials Hub →