SUSE-CU-2025:2397-1: Security update of bci/spack
sle-container-updates at lists.suse.com
Fri Apr 4 08:45:06 UTC 2025
SUSE Container Update Advisory: bci/spack
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:2397-1
Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-7.1
Container Release : 7.1
Severity : important
Type : security
References : 1195391 1207053 1207784 1208751 1214222 1216941 1219480 1221471
1221503 1227637 1233307 1234015 1235144 1236165 1236643 1236886
1237606 1238610 1240414 CVE-2024-11168 CVE-2025-1632 CVE-2025-25724
CVE-2025-31115
-----------------------------------------------------------------
The container bci/spack was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-feature-2023:1706-1
Released: Fri Mar 31 05:31:07 2023
Summary: Feature update for spack
Type: feature
Severity: important
References: 1195391,1207053,1207784,1208751
This update for spack fixes the following issues:
Version update from 0.17.1 to 0.19.1 (jsc#PED-2803, jsc#PED-3000):
- For the full list of features and upstream fixes implemented by this update please consult the release notes at:
* https://github.com/spack/spack/releases/tag/v0.19.1
* https://github.com/spack/spack/releases/tag/v0.19.0
* https://github.com/spack/spack/releases/tag/v0.18.1
* https://github.com/spack/spack/releases/tag/v0.18.0
- Bug fixes and improvements:
* Make sure the spack environment is set up correctly in spack-generated Dockerfiles (bsc#1207784)
* Fix MPI packages not being recognized any more (bsc#1208751)
* Fix syntax in post scripts (bsc#1195391)
* Fix var_path, which is set incorrectly in version 0.19.0 (bsc#1207053)
* Move repositories to `/usr/share/spack`: `/var` is strictly for local data
* Improve error message for requirements
* Fix libtool filter for Fujitsu compilers
* Fix `spack mirror create` to not change paths to urls
- Improve `run-find-external.sh` script:
* Extend to run `spack compiler find`
* Separate triggers for packages and compilers
* Better handle when search patterns match multiple directories
- Removals and Deprecations:
* Support for Python 3.5 is dropped. Only Python 3.6+ are officially supported.
* `LD_LIBRARY_PATH` is no longer set by default by spack load or module loads. Setting `LD_LIBRARY_PATH` in Spack
environments/modules can cause binaries from outside of Spack to crash, and Spack's own builds use `RPATH` and do
not need `LD_LIBRARY_PATH` set in order to run. If you still want the old behavior, you can run these commands to
configure Spack to set LD_LIBRARY_PATH:
`spack config add modules:prefix_inspections:lib64:[LD_LIBRARY_PATH]`
`spack config add modules:prefix_inspections:lib:[LD_LIBRARY_PATH]`
* The `spack:concretization:[together|separately]` has been deprecated. Now use `concretizer:unify:[true|false]`
* `config:module_roots` is no longer supported. Use configuration in module sets instead
* `spack activate` and `spack deactivate` are no longer supported, having been deprecated in v0.18. Use an environment
with a view instead of activating/deactivating (docs)
* The old YAML format for buildcaches is now deprecated. If you are using an old buildcache with YAML metadata you
will need to regenerate it with JSON metadata.
* `spack bootstrap trust` and `spack bootstrap untrust` are deprecated in favor of `spack bootstrap enable` and
`spack bootstrap disable`
* The `graviton2` architecture has been renamed to `neoverse_n1`, and `graviton3`
is now `neoverse_v1`. Buildcaches using the old architecture names will need to be rebuilt
* The terms 'blacklist' and 'whitelist' have been replaced with 'include' and 'exclude' in all configuration files.
You can use `spack config update` to automatically fix your configuration files
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3990-1
Released: Fri Oct 6 06:51:17 2023
Summary: Recommended update for spack
Type: recommended
Severity: moderate
References: 1214222
This update for spack fixes the following issues:
- Update to version 0.20.1 with the following changes:
* Package level fixes:
+ Fix SPACK_ROOT setting in /etc/profile.d/spack.[c]sh (bsc#1214222).
+ Add hwloc-devel and sqlite3 to the packages that trigger a
`spack external find`.
+ Make sure, libhwloc and hwloc are installed together when
spack is installed.
* Bug fixes:
+ Fix specs removed from an environment not actually being
removed if `--force` was not given.
+ Hotfix for a few recipes that treat CMake as a link
dependency.
+ Fix re-running stand-alone test a second time, which was
getting a trailing spurious failure.
+ Fix reading JSON manifest on Cray, reporting non-concrete
specs.
+ Fix a few bugs when generating Dockerfiles from Spack.
+ Fix a few long-standing bugs when generating module files.
+ Fix issues with building Python extensions when using an
external Python.
+ Fix `spack compiler remove`: remove from command line even
if they appear in different scopes.
* Features:
+ Speed-up module file generation.
+ Show external status as `[e]`.
+ Backport `archspec` fixes.
+ Improve a few error messages.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4569-1
Released: Mon Nov 27 06:40:01 2023
Summary: Recommended update for spack
Type: recommended
Severity: moderate
References: 1216941
This update for spack fixes the following issues:
- Updated to version 0.20.3 with the following changes (bsc#1216941):
* Bug fixes:
+ Fix a bug where `spack mirror set-url` would drop configured
connection info.
+ Fix a minor issue with package hash computation for Python 3.12.
+ Improve escaping in Tcl module files.
+ Make repo cache work on repositories with zero mtime.
+ Ignore errors for newer, incompatible buildcache version.
+ Print an error when git is required, but missing.
+ Ensure missing build dependencies get installed when using
`spack install --overwrite`.
+ Fix an issue where Spack freezes when the build process
unexpectedly exits.
+ Fix a bug where installation failures cause an unrelated
`NameError` to be thrown.
+ Fix an issue where Spack package versions would be incorrectly
derived from git tags.
+ Fix a bug triggered when file locking fails internally.
+ Prevent `spack external find` from erroring out when a directory
cannot be accessed.
+ Fix multiple performance regressions in environments.
+ Add more ignored modules to `pyproject.toml` for `mypy`.
* Features:
+ Spack now supports Python 3.12.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:453-1
Released: Tue Feb 13 02:39:42 2024
Summary: Recommended update for spack
Type: recommended
Severity: moderate
References: 1219480
This update for spack fixes the following issues:
spack was updated to version 0.21.1 (bsc#1219480):
- Version 0.21.1:
* Add support for reading buildcaches created by Spack v0.22
* Bugfixes:
+ `spack graph`: fix coloring with environments
+ `spack info`: sort variants in --variants-by-name
+ `Spec.format`: error on old style format strings
+ ASP-based solver:
- fix infinite recursion when computing concretization
errors
- don't error for type mismatch on preferences
- don't emit spurious debug output.
+ Improve the error message for deprecated preferences
+ Fix multi-word aliases
+ Add a warning for unconfigured compiler
+ environment: fix an issue with deconcretization/reconcretization of specs
+ buildcache: don't error if a patch is missing, when installing from binaries
- Version 0.21.0:
* New features:
+ Better error messages with condition chaining:
In v0.18, we added better error messages that could tell you
what problem happened, but they couldn't tell you why it
happened. 0.21 adds condition chaining to the solver, and
Spack can now trace back through the conditions that led to
an error and build a tree of potential causes and
where they came from.
+ OCI build caches:
You can now use an arbitrary OCI registry as a build cache:
- For Dockerhub:
`$ spack mirror add my_registry oci://user/image`
- For another registry (GHCR):
`$ spack mirror add my_registry oci://ghcr.io/haampie/spack-test`
Then set the login credentials:
`$ spack mirror set --push --oci-username ... --oci-password ... my_registry`
and push to it:
`$ spack buildcache push my_registry [specs...]`
You can optionally add a base image to get runnable images:
```
$ spack buildcache push --base-image leap:15.5 my_registry python
Pushed ... as [image]:python-3.11.2-65txfcpqbmpawclvtasuog4yzmxwaoia.spack
$ docker run --rm -it [image]:python-3.11.2-65txfcpqbmpawclvtasuog4yzmxwaoia.spack
```
This creates a container image from the Spack installations
on the host system, without the need to run `spack install`
from a `Dockerfile` or `sif` file. It also addresses the
inconvenience of losing binaries of dependencies when
`RUN spack install` fails inside `docker build`. Further, the
container image layers and build cache tarballs are the same
files. This means that `spack install` and `docker pull` use the
exact same underlying binaries. If you previously used `spack
install` inside of docker build, this feature helps you save
storage by a factor of two.
+ Multiple versions of build dependencies:
Increasingly, complex package builds require multiple
versions of some build dependencies. For example, Python
packages frequently require very specific versions of
`setuptools`, `cython`, while different physics packages
require different versions of Python to build. The concretizer
enforced that every solve was unified, i.e., so that there was
only one version of every package. The concretizer now supports
'duplicate' nodes for build dependencies, but enforces unification
through transitive link and run dependencies. This will allow it
to better resolve complex dependency graphs in ecosystems like
Python.
+ Cherry-picking virtual dependencies:
You can now select only a subset of virtual dependencies
from a spec that may provide more. For example, to make mpich
your mpi provider, you can be explicit by writing:
`hdf5 ^[virtuals=mpi] mpich`
Or, to use, e.g., `intel-parallel-studio` for blas along with
an external `lapack` like `openblas`, you could write:
```
strumpack ^[virtuals=mpi] intel-parallel-studio+mkl ^[virtuals=lapack] openblas
```
The `virtuals=mpi` is an edge attribute, and dependency edges
in Spack graphs now track which virtuals they satisfied.
+ The `spack deconcretize` command gives you control over what
you want to update in an already concrete environment.
As an example, if you have an environment built with meson and
you want to update your meson version, you can run:
`$ spack deconcretize meson`
and have everything that depends on meson rebuilt the next
time you run spack concretize. In the future, we'll handle
this in a single command, but for now you can use this to
drop bits of your lockfile and resolve your dependencies
again.
+ UI Improvements:
The `spack info` received a rework to make the output more
appealing. It is now on par with the rest of Spack's UI.
`spack info` now makes much better use of terminal space and
shows variants, their values, and their descriptions more
clearly. Conditional variants are grouped separately so you
can more easily understand how packages are structured.
`spack checksum` now allows you to filter versions from your
editor, or by version range. It also notifies you about
potential download URL changes.
+ Environments can include definitions:
Spack did not previously support using `include:` with the
definitions section of an environment, but now it does. You
can use this to curate lists of specs and more easily reuse
them across environments.
+ Aliases:
You can now add aliases to Spack commands in `config.yaml`,
e.g. this might enshrine your favorite args to `spack find`
as `spack f`:
```
config:
  aliases:
    f: find -lv
```
+ Improved autoloading of modules:
In this release, you can start using `hide_implicits: true`
instead, which exposes only explicitly installed packages to
the user, while still autoloading dependencies. On top of
that, you can safely use `hash_length: 0`, as this config now
only applies to the modules exposed to the user -- you don't
have to worry about file name clashes for hidden
dependencies.
Note: for Tcl this feature requires Modules 4.7 or higher
* Other new commands and directives:
+ `spack env activate` without arguments now loads a default
environment that you do not have to create.
+ `spack find -H` / `--hashes`: a new shortcut for piping spack
find output to other commands.
+ Add `spack checksum --verify`, fix `--add`.
+ New `default_args` context manager factors out common args for
directives.
+ `spack compiler find --[no]-mixed-toolchain` lets you easily
mix clang and gfortran on Linux
* Performance improvements:
+ `spack external find` execution is now much faster.
+ `spack location -i` is now much faster on success.
+ Drop redundant rpaths post install.
+ ASP-based solver: avoid cycles in clingo using hidden
directive.
+ Fix multiple quadratic complexity issues in environments
* Other new features of note:
+ archspec: update to v0.2.2, support for Sapphire Rapids,
Power10, Neoverse V2.
+ Propagate variants across nodes that don't have that variant
+ Implement fish shell completion.
+ Can now distinguish between source/binary mirror; don't ping
mirror.spack.io as much.
+ Improve status reporting on `spack install`
(add [n/total] display...).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:950-1
Released: Thu Mar 21 08:54:02 2024
Summary: Recommended update for spack
Type: recommended
Severity: important
References: 1221471,1221503
This update for spack fixes the following issues:
- Spack was updated to version 0.21.2:
* Bugs fixed:
+ Containerize: accommodate nested or pre-existing `spack-env`
paths.
+ Fix `setup-env` script, when going back and forth between
instances.
+ Fix using fully-qualified namespaces from root specs.
+ Fix a bug when a required provider is requested for multiple
virtuals.
+ OCI buildcaches:
* only push in parallel when forking.
* use pickleable errors (#42160)
+ Fix using sticky variants in externals.
+ Fix a rare issue with conditional requirements and
multi-valued variants.
* Recipe updates:
+ `rust`: add v1.75, rework a few variants.
+ `py-transformers`: add v4.35.2.
- Fix path to setup-env.sh in the Apptainer template (bsc#1221471).
- Add libgfortran, libfl2 and libzip5 to the Spack runtime
container as the Spack build container has the corresponding
devel packages but these libraries are not installed in a
BCI-style base container by default (bsc#1221503).
- Make python version used configurable.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3969-1
Released: Mon Nov 11 10:06:18 2024
Summary: Recommended update for spack
Type: recommended
Severity: moderate
References:
This update for spack fixes the following issues:
- spack was updated from version 0.21.2 to 0.21.3:
* Bugs fixed:
- Forward compatibility with Spack 0.23 packages with language
dependencies.
- Forward compatibility with `urllib` from Python 3.12.6+.
- Bump archspec to 0.2.5-dev for better aarch64 support.
-----------------------------------------------------------------
Advisory ID: SUSE-feature-2025:323-1
Released: Mon Feb 3 09:12:14 2025
Summary: Feature update for spack
Type: feature
Severity: moderate
References: 1235144
This update for spack fixes the following issues:
spack was updated from version 0.21.3 to 0.23.0:
- Improved documentation generation (bsc#1235144)
- Version v0.23.0:
* New features:
+ Spec splicing
+ Broader variant propagation
+ Ability to query specs by namespace
+ `spack spec` now respects environment settings and `unify:true`
+ Improved and polished `spack spec` and `spack find -c` output
+ The command `spack -C <env>` allows using an environment's configuration without activation
* New commands, options, and directives:
+ The new `spack env track` command takes a non-managed Spack environment and adds a symlink to Spack's
`$environments_root` directory.
+ Added `-t` short option for `spack --backtrace` to output backtrace errors
+ `gc` now allows garbage-collecting specific packages through the command line
+ `oci buildcaches` now supports the option `--only=package`
* Highlighted bugfixes:
+ Externals no longer override the preferred provider
+ Composable `cflags`
+ Fixed concretizer Unification for included environments
* Deprecations, removals, and syntax changes:
+ The old concretizer has been removed from Spack, along with the `config:concretizer` config option
+ Best-effort expansion of spec matrices has been removed
+ The old Cray `platform` (based on Cray PE modules) has been removed, and `platform=cray` is no longer supported
+ The `config:install_missing_compilers` config option has been deprecated
+ Config options that were deprecated in `v0.21` have been removed
+ Spack's old test interface has been removed
+ The `spack versions --safe-only` option, deprecated since `v0.21.0`, has been removed
+ The `--dependencies` and `--optimize` arguments to `spack ci` have been deprecated
- Version 0.22.2:
* Bugs fixed:
+ Bumped vendored `archspec` for better aarch64 support
+ Fixed regression in `{variants.X}` and `{variants.X.value}` format strings
+ Ensure shell escaping of environment variable values in load and activate commands
+ Fixed an issue where `spec[pkg]` considers specs outside the current DAG
+ Do not halt concretization on unknown variants in externals
+ Improved validation of `develop` config section
+ Explicitly disable `ccache` if turned off in config, to avoid cache pollution
+ Improved backwards compatibility in `include_concrete`
+ Fixed issue where package tags were sometimes repeated
+ Make `setup-env.sh` 'sourced only' by dropping execution bits
+ Make certain source/binary fetch errors recoverable instead of a hard error
+ Do not initialize previous store state in `use_store`
- Update to 0.22.1.
* Bugs fixed:
+ Fix reuse of externals on Linux
+ Ensure parent gcc-runtime version >= child
+ Ensure the latest gcc-runtime is rpath'ed when multiple exist
among link deps
+ Improve version detection of glibc
+ Improve heuristics for solver
+ Make strong preferences override reuse
+ Reduce verbosity when C compiler is missing
+ Make missing ccache executable an error when required
+ Make every environment view containing `python` a `venv`
+ Fix external detection for compilers with os but no target.
+ Fix version optimization for roots.
+ Handle common implementations of pagination of tags in OCI
build caches.
+ Apply fetched patches to develop specs
+ Avoid Windows wrappers for filesystem utilities on non-Windows
+ Fix formatting issue in `spack audit`
* Other changes:
+ Give 'site' scope a lower precedence than 'system' scope
- Version 0.22.0:
* New features:
+ Compiler dependencies are moving from `compilers.yaml` to `packages.yaml`
+ Improved spack find UI for Environments
+ Improved command-line string quoting
+ Revert default spack install behavior to `--reuse`
+ The `install` command now offers three options
+ More control over reused specs
+ New `conflict:` and `prefer:` syntax for package preferences
+ `include_concrete` in environments
+ `python-venv` isolation
+ Packages can now specify whether they may be distributed in source or binary form
* Removals, deprecations, and syntax changes:
+ Removed `dpcpp` compiler and package
+ `spack load`: removed `--only` argument
* Bugs fixed:
+ repo.py: drop deleted packages from provider cache
+ Allow `+` in module file names
+ `cmd/python`: use runpy to allow multiprocessing in scripts
+ Show extension commands with `spack -h`
+ Support environment variable expansion inside module projections
+ Alert user to failed concretizations
+ `shell`: fix `zsh` color formatting for PS1 in environments
+ `spack mirror create --all`: include patches
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:717-1
Released: Wed Feb 26 06:38:58 2025
Summary: Recommended update for spack
Type: recommended
Severity: moderate
References:
This update for spack fixes the following issues:
- spack was updated from version 0.23.0 to version 0.23.1:
* Fixed a correctness issue of `ArchSpec.intersects`.
* Make extra_attributes order independent in Spec hashing.
* Fixed issue where system proxy settings were not respected in OCI
build caches.
* Fixed an issue where the `--test` concretizer flag was not
forwarded correctly.
* Ensure proper UTF-8 encoding/decoding in logging.
* Fixed issues related to `filter_file`.
* Fixed an issue related to creating bootstrap source mirrors.
* Fixed an issue where command line config arguments were not
always top level.
* Fixed an incorrect typehint of `concretized()`.
* Improved mention of next Spack version in warning.
* Tests: fixed forward compatibility with Python 3.13.
* Docs: encourage use of `--oci-username-variable` and
`--oci-password-variable`.
* Docs: ensure Getting Started has bootstrap list output in
correct place.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:969-1
Released: Thu Mar 20 14:28:47 2025
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1227637,1236165
This update for crypto-policies fixes the following issues:
- Fix fips-mode-setup in EFI or Secure Boot mode (bsc#1227637).
- tolerate fips dracut module presence w/o FIPS
* Fixes the 'Inconsistent state detected' warning when disabling the FIPS mode
(bsc#1236165).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:985-1
Released: Fri Mar 21 18:45:14 2025
Summary: Security update for libarchive
Type: security
Severity: moderate
References: 1237606,1238610,CVE-2025-1632,CVE-2025-25724
This update for libarchive fixes the following issues:
- CVE-2025-1632: Fixed null pointer dereference in bsdunzip.c (bsc#1237606)
- CVE-2025-25724: Fixed buffer overflow vulnerability in function list_item_verbose() in tar/util.c (bsc#1238610)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1016-1
Released: Tue Mar 25 15:59:05 2025
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1234015,1236643,1236886
This update for systemd fixes the following issues:
- udev: allow/denylist for reading sysfs attributes when composing a NIC name (bsc#1234015)
- journald: close runtime journals before their parent directory is removed
- journald: reset runtime seqnum data when flushing to system journal (bsc#1236886)
- Move systemd-userwork from the experimental sub-package to the main package (bsc#1236643)
It is likely an oversight from when systemd-userdb was migrated from the
experimental package to the main one.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1056-1
Released: Fri Mar 28 18:06:22 2025
Summary: Security update for python3
Type: security
Severity: moderate
References: 1233307,CVE-2024-11168
This update for python3 fixes the following issues:
- CVE-2024-11168: Fixed improper validation of IPv6 and IPvFuture addresses (bsc#1233307).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1137-1
Released: Thu Apr 3 17:11:02 2025
Summary: Security update for xz
Type: security
Severity: important
References: 1240414,CVE-2025-31115
This update for xz fixes the following issues:
- CVE-2025-31115: Fixed heap use after free and writing to an address based on the null pointer plus an offset (bsc#1240414)
The following package changes have been done:
- crypto-policies-20230920.570ea89-150600.3.9.2 updated
- liblzma5-5.4.1-150600.3.3.1 updated
- libopenssl3-3.2.3-150700.3.12 updated
- libgcrypt20-1.11.0-150700.2.17 updated
- libopenssl-3-fips-provider-3.2.3-150700.3.12 updated
- libudev1-254.24-150600.4.28.1 updated
- openssl-3-3.2.3-150700.3.12 updated
- libnettle8-3.10.1-150700.2.11 updated
- libopenssl1_1-1.1.1w-150700.9.25 updated
- xz-5.4.1-150600.3.3.1 updated
- libsystemd0-254.24-150600.4.28.1 updated
- libarchive13-3.7.2-150600.3.12.1 updated
- libhogweed6-3.10.1-150700.2.11 updated
- libpython3_6m1_0-3.6.15-150300.10.84.1 updated
- python3-base-3.6.15-150300.10.84.1 updated
- xz-devel-5.4.1-150600.3.3.1 updated
- libopenssl-3-devel-3.2.3-150700.3.12 updated
- spack-recipes-0.23.1-150400.24.1 updated
- spack-0.23.1-150400.24.1 updated
- container:sles15-image-15.7.0-4.2.50 updated