SUSE-IU-2025:934-1: Security update of sles-15-sp6-chost-byos-v20250408-arm64

sle-container-updates at lists.suse.com
Thu Apr 10 07:02:40 UTC 2025


SUSE Image Update Advisory: sles-15-sp6-chost-byos-v20250408-arm64
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:934-1
Image Tags        : sles-15-sp6-chost-byos-v20250408-arm64:20250408
Image Release     : 
Severity          : important
Type              : security
References        : 1027519 1219354 1223330 1227316 1233307 1233796 1234015 1234452
                        1234563 1234798 1235751 1236643 1236779 1236826 1236886 1236982
                        1237294 1237367 1237692 1237695 1238043 1239185 1239197 1239197
                        1239322 1239465 1239663 1239763 1239866 1240009 1240343 1240414
                        CVE-2024-11168 CVE-2024-23650 CVE-2024-29018 CVE-2024-41110 CVE-2024-45337
                        CVE-2025-1713 CVE-2025-22868 CVE-2025-22868 CVE-2025-22868 CVE-2025-22869
                        CVE-2025-27363 CVE-2025-31115 
-----------------------------------------------------------------

The container sles-15-sp6-chost-byos-v20250408-arm64 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:997-1
Released:    Mon Mar 24 18:52:00 2025
Summary:     Recommended update for openssh
Type:        recommended
Severity:    moderate
References:  1236826
This update for openssh fixes the following issue:

- Fix ssh client segfault with GSSAPIKeyExchange=yes in ssh_kex2
  due to gssapi proposal not being correctly initialized (bsc#1236826).
  The problem was introduced in the rebase of the patch for 9.6p1

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:998-1
Released:    Tue Mar 25 03:07:02 2025
Summary:     Security update for freetype2
Type:        security
Severity:    important
References:  1239465,CVE-2025-27363
This update for freetype2 fixes the following issues:

- CVE-2025-27363: Fixed out-of-bounds write when attempting to parse font 
  subglyph structures related to TrueType GX and variable font files (bsc#1239465).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1005-1
Released:    Tue Mar 25 09:43:18 2025
Summary:     Security update for google-guest-agent
Type:        security
Severity:    important
References:  1239197,CVE-2025-22868
This update for google-guest-agent fixes the following issues:

- CVE-2025-22868: golang.org/x/oauth2/jws: Fixed unexpected memory consumption during token parsing (bsc#1239197)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1006-1
Released:    Tue Mar 25 09:43:55 2025
Summary:     Security update for google-osconfig-agent
Type:        security
Severity:    important
References:  1239197,CVE-2025-22868
This update for google-osconfig-agent fixes the following issues:

- CVE-2025-22868: golang.org/x/oauth2/jws: Fixed unexpected memory consumption during token parsing (bsc#1239197)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1016-1
Released:    Tue Mar 25 15:59:05 2025
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1234015,1236643,1236886
This update for systemd fixes the following issues:

- udev: allow/denylist for reading sysfs attributes when composing a NIC name (bsc#1234015)
- journald: close runtime journals before their parent directory removed
- journald: reset runtime seqnum data when flushing to system journal (bsc#1236886)
- Move systemd-userwork from the experimental sub-package to the main package (bsc#1236643)
  It is likely an oversight from when systemd-userdb was migrated from the
  experimental package to the main one.
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1035-1
Released:    Thu Mar 27 10:34:01 2025
Summary:     Recommended update for suse-build-key
Type:        recommended
Severity:    moderate
References:  1236779,1237294
This update for suse-build-key fixes the following issues:

- Changed and extended the SUSE Linux Enterprise 15 and 16 signing keys to use
  SHA256 GPG UIDs instead of SHA1. (bsc#1237294 bsc#1236779 jsc#PED-12321)
  - gpg-pubkey-3fa1d6ce-67c856ee.asc to gpg-pubkey-09d9ea69-67c857f3.asc
  - gpg-pubkey-09d9ea69-645b99ce.asc to gpg-pubkey-3fa1d6ce-63c9481c.asc
  - suse_ptf_key_2023.asc, suse_ptf_key.asc: adjusted

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1046-1
Released:    Thu Mar 27 18:51:27 2025
Summary:     Recommended update for gettext-runtime
Type:        recommended
Severity:    moderate
References:  1227316
This update for gettext-runtime fixes the following issue:

- Fix crash while handling po files with malformed header and
  process them properly (bsc#1227316).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1048-1
Released:    Fri Mar 28 14:04:16 2025
Summary:     Recommended update for cpupower
Type:        recommended
Severity:    moderate
References:  
This update for cpupower fixes the following issues:

- For latest changelog entries, please look up the changelog of
  a kernel-FLAVOR or kernel-source with the exact same version and
  release build number.
    * rpm -q --changelog kernel-source |grep 'turbostat\|intel-speed-select\|cpupower'

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1056-1
Released:    Fri Mar 28 18:06:22 2025
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1233307,CVE-2024-11168
This update for python3 fixes the following issues:

- CVE-2024-11168: Fixed improper validation of IPv6 and IPvFuture addresses (bsc#1233307).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1062-1
Released:    Mon Mar 31 10:45:08 2025
Summary:     Security update for docker, docker-stable
Type:        security
Severity:    important
References:  1237367,1239185,1239322,CVE-2024-23650,CVE-2024-29018,CVE-2024-41110,CVE-2025-22868,CVE-2025-22869
This update for docker, docker-stable fixes the following issues:


- CVE-2025-22868: Fixed unexpected memory consumption during token parsing in golang.org/x/oauth2 (bsc#1239185).
- CVE-2025-22869: Fixed Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239322).

Other fixes:
- Make container-selinux requirement conditional on selinux-policy (bsc#1237367)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1071-1
Released:    Mon Mar 31 16:42:30 2025
Summary:     Recommended update for dracut
Type:        recommended
Severity:    moderate
References:  1236982,1237695
This update for dracut fixes the following issue:

- Version update 059+suse.557.gccd6ab94
  * fix(iscsi) make sure services are shut down when switching root (bsc#1237695).
  * fix(iscsi) don't require network setup for qedi.
  * fix(network-legacy) do not require pgrep when using wicked (bsc#1236982).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1130-1
Released:    Thu Apr  3 15:08:55 2025
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    important
References:  1234798,1240009,1240343
This update for ca-certificates-mozilla fixes the following issues:

Update to 2.74 state of Mozilla SSL root CAs:

- Removed:

  * SwissSign Silver CA - G2

- Added:

  * D-TRUST BR Root CA 2 2023
  * D-TRUST EV Root CA 2 2023

Updated to 2.72 state of Mozilla SSL root CAs (bsc#1234798):

- Removed:

  * SecureSign RootCA11
  * Security Communication RootCA3

- Added:

  * TWCA CYBER Root CA
  * TWCA Global Root CA G2
  * SecureSign Root CA12
  * SecureSign Root CA14
  * SecureSign Root CA15

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1134-1
Released:    Thu Apr  3 16:17:44 2025
Summary:     Security update for apparmor
Type:        security
Severity:    moderate
References:  1234452
This update for apparmor fixes the following issue:

- Allow dovecot-auth to execute unix check password from /sbin, not only from /usr/bin (bsc#1234452).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1137-1
Released:    Thu Apr  3 17:11:02 2025
Summary:     Security update for xz
Type:        security
Severity:    important
References:  1240414,CVE-2025-31115
This update for xz fixes the following issues:

- CVE-2025-31115: Fixed heap use after free and writing to an address based on the null pointer plus an offset (bsc#1240414)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1143-1
Released:    Fri Apr  4 15:31:17 2025
Summary:     Security update for google-guest-agent
Type:        security
Severity:    important
References:  1234563,1239763,1239866,CVE-2024-45337
This update for google-guest-agent fixes the following issues:

- CVE-2024-45337: golang.org/x/crypto/ssh: Fixed misuse of ServerConfig.PublicKeyCallback leading to authorization bypass (bsc#1234563).

Other fixes:
- Updated to version 20250327.01 (bsc#1239763, bsc#1239866)
  * Remove error messages from gce_workload_cert_refresh and
    metadata script runner (#527)
- from version 20250327.00
  * Update guest-logging-go dependency (#526)
  * Add 'created-by' metadata, and pass it as option to logging library (#508)
  * Revert 'oslogin: Correctly handle newlines at the end of
    modified files (#520)' (#523)
  * Re-enable disabled services if the core plugin was enabled (#522)
  * Enable guest services on package upgrade (#519)
  * oslogin: Correctly handle newlines at the end of modified files (#520)
  * Fix core plugin path (#518)
  * Fix package build issues (#517)
  * Fix dependencies ran go mod tidy -v (#515)
  * Fix debian build path (#514)
  * Bundle compat metadata script runner binary in package (#513)
  * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)
  * Update startup/shutdown services to launch compat manager (#503)
  * Bundle new gce metadata script runner binary in agent package (#502)
  * Revert 'Revert bundling new binaries in the package (#509)' (#511)
- from version 20250326.00
  * Re-enable disabled services if the core plugin was enabled (#521)
- from version 20250324.00
  * Enable guest services on package upgrade (#519)
  * oslogin: Correctly handle newlines at the end of modified files (#520)
  * Fix core plugin path (#518)
  * Fix package build issues (#517)
  * Fix dependencies ran go mod tidy -v (#515)
  * Fix debian build path (#514)
  * Bundle compat metadata script runner binary in package (#513)
  * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)
  * Update startup/shutdown services to launch compat manager (#503)
  * Bundle new gce metadata script runner binary in agent package (#502)
  * Revert 'Revert bundling new binaries in the package (#509)' (#511)
  * Revert bundling new binaries in the package (#509)
  * Fix typo in windows build script (#501)
  * Include core plugin binary for all packages (#500)
  * Start packaging compat manager (#498)
  * Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)
  * scripts: introduce a wrapper to locally build deb package (#490)
  * Introduce compat-manager systemd unit (#497)
- from version 20250317.00
  * Revert 'Revert bundling new binaries in the package (#509)' (#511)
  * Revert bundling new binaries in the package (#509)
  * Fix typo in windows build script (#501)
  * Include core plugin binary for all packages (#500)
  * Start packaging compat manager (#498)
  * Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)
  * scripts: introduce a wrapper to locally build deb package (#490)
  * Introduce compat-manager systemd unit (#497)
- from version 20250312.00
  * Revert bundling new binaries in the package (#509)
  * Fix typo in windows build script (#501)
  * Include core plugin binary for all packages (#500)
  * Update crypto library to fix  CVE-2024-45337 (#499)
  * Start packaging compat manager (#498)
  * Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)
  * scripts: introduce a wrapper to locally build deb package (#490)
  * Introduce compat-manager systemd unit (#497)
- from version 20250305.00
  * Revert bundling new binaries in the package (#509)
  * Fix typo in windows build script (#501)
  * Include core plugin binary for all packages (#500)
  * Start packaging compat manager (#498)
  * Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)
  * scripts: introduce a wrapper to locally build deb package (#490)
  * Introduce compat-manager systemd unit (#497)
- from version 20250304.01
  * Fix typo in windows build script (#501)
- from version 20250214.01
  * Include core plugin binary for all packages (#500)
- from version 20250214.00
  * Update crypto library to fix  CVE-2024-45337 (#499)
- from version 20250212.00
  * Start packaging compat manager (#498)
  * Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)
- from version 20250211.00
  * scripts: introduce a wrapper to locally build deb package (#490)
  * Introduce compat-manager systemd unit (#497)
- from version 20250207.00
  * vlan: toggle vlan configuration in debian packaging (#495)
  * vlan: move config out of unstable section (#494)
  * Add clarification to comments regarding invalid NICs and the
    `invalid` tag. (#493)
  * Include interfaces in lists even if it has an invalid MAC. (#489)
  * Fix windows package build failures (#491)
  * vlan: don't index based on the vlan ID (#486)
  * Revert PR #482 (#488)
  * Remove Amy and Zach from OWNERS (#487)
  * Skip interfaces in interfaceNames() instead of erroring if there is an (#482)
  * Fix Debian packaging if guest agent manager is not checked out (#485)
- from version 20250204.02
  * force concourse to move version forward.
- from version 20250204.01
  * vlan: toggle vlan configuration in debian packaging (#495)
- from version 20250204.00
  * vlan: move config out of unstable section (#494)
  * Add clarification to comments regarding invalid NICs and the
    `invalid` tag. (#493)
- from version 20250203.01
  * Include interfaces in lists even if it has an invalid MAC. (#489)
- from version 20250203.00
  * Fix windows package build failures (#491)
  * vlan: don't index based on the vlan ID (#486)
  * Revert PR #482 (#488)
  * Remove Amy and Zach from OWNERS (#487)
  * Skip interfaces in interfaceNames() instead of erroring if there is an (#482)
  * Fix Debian packaging if guest agent manager is not checked out (#485)
- from version 20250122.00
  * networkd(vlan): remove the interface in addition to config (#468)
  * Implement support for vlan dynamic removal, update dhclient to
    remove only if configured (#465)
  * Update logging library (#479)
  * Remove Pat from owners file. (#478)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1145-1
Released:    Mon Apr  7 06:41:42 2025
Summary:     Recommended update for hwinfo
Type:        recommended
Severity:    moderate
References:  1223330,1239663
This update for hwinfo fixes the following issues:

- Avoid reporting of spurious usb storage devices (bsc#1223330)
- Do not overdo usb device de-duplication (bsc#1239663)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1161-1
Released:    Mon Apr  7 17:29:45 2025
Summary:     Recommended update for vim
Type:        recommended
Severity:    moderate
References:  1235751
This update for vim fixes the following issues:

- Regression patch to fix (bsc#1235751).
- Version update 9.1.1176

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1162-1
Released:    Mon Apr  7 18:08:47 2025
Summary:     Security update for xen
Type:        security
Severity:    moderate
References:  1027519,1219354,1233796,1237692,1238043,CVE-2025-1713
This update for xen fixes the following issues:

- CVE-2025-1713: Fixed potential deadlock with VT-d and legacy PCI device pass-through (bsc#1238043)
    
Other fixes:

- Xen channels and domU console (bsc#1219354)
- Fixed attempting to start guest vm's libxl fills disk with errors (bsc#1237692)
- Xen call trace and APIC Error found after reboot operation on AMD machines
  (bsc#1233796).
- Upstream bug fixes (bsc#1027519).


The following package changes have been done:

- apparmor-abstractions-3.1.7-150600.5.3.2 updated
- apparmor-parser-3.1.7-150600.5.3.2 updated
- ca-certificates-mozilla-2.74-150200.38.1 updated
- cpupower-6.4.0-150600.4.3.1 updated
- docker-27.5.1_ce-150000.218.1 updated
- dracut-059+suse.557.gccd6ab94-150600.3.20.2 updated
- gettext-runtime-0.21.1-150600.3.3.2 updated
- google-guest-agent-20250327.01-150000.1.60.1 updated
- google-osconfig-agent-20250115.01-150000.1.47.1 updated
- hwinfo-21.87-150500.3.6.1 updated
- libapparmor1-3.1.7-150600.5.3.2 updated
- libcpupower1-6.4.0-150600.4.3.1 updated
- libfreetype6-2.10.4-150000.4.18.1 updated
- liblzma5-5.4.1-150600.3.3.1 updated
- libpython3_6m1_0-3.6.15-150300.10.84.1 updated
- libsystemd0-254.24-150600.4.28.1 updated
- libtextstyle0-0.21.1-150600.3.3.2 updated
- libudev1-254.24-150600.4.28.1 updated
- openssh-clients-9.6p1-150600.6.18.4 updated
- openssh-common-9.6p1-150600.6.18.4 updated
- openssh-server-9.6p1-150600.6.18.4 updated
- openssh-9.6p1-150600.6.18.4 updated
- python3-base-3.6.15-150300.10.84.1 updated
- suse-build-key-12.0-150000.8.58.1 updated
- systemd-254.24-150600.4.28.1 updated
- udev-254.24-150600.4.28.1 updated
- vim-data-common-9.1.1176-150500.20.24.2 updated
- vim-9.1.1176-150500.20.24.2 updated
- xen-libs-4.18.4_06-150600.3.20.1 updated
- xz-5.4.1-150600.3.3.1 updated

