SUSE-IU-2025:834-1: Security update of suse/sl-micro/6.0/baremetal-os-container
sle-container-updates at lists.suse.com
Thu Apr 3 07:03:54 UTC 2025
SUSE Image Update Advisory: suse/sl-micro/6.0/baremetal-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:834-1
Image Tags : suse/sl-micro/6.0/baremetal-os-container:2.1.3 , suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.6 , suse/sl-micro/6.0/baremetal-os-container:latest
Image Release : 6.6
Severity : important
Type : security
References : 1186673 1213004 1213008 1221063 1221928 1222834 1222840 1224113
1224167 1225904 1227456 1229010 1229072 1229449 1231472 1233289
1233322 1234660 1236567 1236619 1236826 1237040 1237041 1237498
CVE-2025-24528 CVE-2025-26465 CVE-2025-26466
-----------------------------------------------------------------
The container suse/sl-micro/6.0/baremetal-os-container was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 243
Released: Fri Mar 14 09:40:18 2025
Summary: Recommended update for aardvark-dns, netavark
Type: recommended
Severity: moderate
References: 1224167,1234660,1236567
This update for aardvark-dns, netavark fixes the following issues:
- Update to version 1.12.2
-----------------------------------------------------------------
Advisory ID: 244
Released: Fri Mar 14 12:51:07 2025
Summary: Recommended update for findutils
Type: recommended
Severity: moderate
References: 1231472
This update for findutils fixes the following issues:
- do not crash when file system loop was encountered (bsc#1231472)
- added patches
- modified patches
-----------------------------------------------------------------
Advisory ID: 245
Released: Fri Mar 14 12:55:02 2025
Summary: Recommended update for elemental-toolkit
Type: recommended
Severity: moderate
References: 1233289,1233322
This update for elemental-toolkit fixes the following issues:
- Bump yip to v1.9.6 (bsc#1233322)
- Make lint happy
- Fixes squashfs images creation (bsc#1233289)
-----------------------------------------------------------------
Advisory ID: 251
Released: Wed Mar 19 11:42:10 2025
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1236619,CVE-2025-24528
This update for krb5 fixes the following issues:
- CVE-2025-24528: Prevent overflow when calculating ulog block size.
An authenticated attacker can cause kadmind to write beyond the end
of the mapped region for the iprop log file, likely causing a process
crash (bsc#1236619).
-----------------------------------------------------------------
Advisory ID: 259
Released: Tue Mar 25 10:02:20 2025
Summary: Security update for openssh
Type: security
Severity: important
References: 1186673,1213004,1213008,1221063,1221928,1222840,1225904,1227456,1229010,1229072,1229449,1236826,1237040,1237041,CVE-2025-26465,CVE-2025-26466
This update for openssh fixes the following issues:
- CVE-2025-26465: Fixed MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client (bsc#1237040).
- CVE-2025-26466: Fixed DoS attack against OpenSSH's client and server (bsc#1237041).
Other bugfixes:
- Fix ssh client segfault with GSSAPIKeyExchange=yes in ssh_kex2 due to gssapi proposal not being correctly initialized (bsc#1236826).
- Add #include <stdlib.h> in some files added by the ldap patch to fix build with gcc14 (bsc#1225904).
- Added missing struct initializer, added missing parameter (bsc#1222840).
- Remove OPENSSL_HAVE_EVPGCM-ifdef, which is no longer supported by upstream (bsc#1221928).
- Use %config(noreplace) for sshd_config. In any case, it's recommended to drop a file in sshd_config.d instead of editing sshd_config (bsc#1221063).
- Add a patch to fix a regression introduced in 9.6 that makes X11 forwarding very slow (bsc#1229449).
- Drop keycat binary that is not supported, except for the code that is used by other SELinux patches (bsc#1229072).
- Fix RFC4256 implementation so that the keyboard-interactive authentication method can send instructions and sshd shows them to users (bsc#1229010).
- Add attempts to mitigate instances of secrets lingering in memory after a session exits (bsc#1186673, bsc#1213004, bsc#1213008).
- Remove empty line at the end of sshd-sle.pamd (bsc#1227456)
-----------------------------------------------------------------
Advisory ID: 262
Released: Mon Mar 31 08:37:17 2025
Summary: Recommended update for elemental-operator
Type: recommended
Severity: moderate
References: 1237498
This update for elemental-operator fixes the following issues:
- Update to version 1.6.7:
* Bump default operator channel to Micro 6.1 images
* [v1.6.x][BACKPORT] seedimage: clean-up service on image download deadline (bsc#1237498)
* No need to install yq neither to create a GH release
-----------------------------------------------------------------
Advisory ID: 269
Released: Wed Apr 2 16:29:28 2025
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1222834,1224113
This update for mozilla-nss fixes the following issues:
- FIPS: Do not pass in bad targetKeyLength parameters when checking for
FIPS approval after keygen. This was causing false rejections.
- FIPS: Approve RSA signature verification mechanisms with PKCS padding and
legacy moduli (bsc#1222834).
- FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).
The following package changes have been done:
- findutils-4.9.0-4.1 updated
- SL-Micro-release-6.0-25.12 updated
- libfreebl3-3.101.2-2.1 updated
- krb5-1.20.1-6.1 updated
- mozilla-nss-certs-3.101.2-2.1 updated
- mozilla-nss-3.101.2-2.1 updated
- libsoftokn3-3.101.2-2.1 updated
- elemental-register-1.6.7-1.1 updated
- elemental-support-1.6.7-1.1 updated
- elemental-toolkit-2.1.2-1.1 updated
- aardvark-dns-1.12.2-1.1 updated
- openssh-common-9.6p1-3.1 updated
- netavark-1.12.2-1.1 updated
- openssh-server-9.6p1-3.1 updated
- openssh-clients-9.6p1-3.1 updated
- openssh-9.6p1-3.1 updated
- container:SL-Micro-base-container-2.1.3-6.5 updated