SUSE-CU-2025:2631-1: Security update of suse/manager/5.0/x86_64/proxy-ssh

sle-container-updates at lists.suse.com sle-container-updates at lists.suse.com
Thu Apr 17 07:13:40 UTC 2025 

SUSE Container Update Advisory: suse/manager/5.0/x86_64/proxy-ssh
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:2631-1
Container Tags        : suse/manager/5.0/x86_64/proxy-ssh:5.0.4 , suse/manager/5.0/x86_64/proxy-ssh:5.0.4.7.14.1 , suse/manager/5.0/x86_64/proxy-ssh:latest
Container Release     : 7.14.1
Severity              : important
Type                  : security
References            : 1233307 1234015 1236136 1236643 1236771 1236826 1236886 1237040
                        1237041 1239618 CVE-2024-11168 CVE-2024-13176 CVE-2024-8176 CVE-2025-26465
                        CVE-2025-26466 
-----------------------------------------------------------------

The container suse/manager/5.0/x86_64/proxy-ssh was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:585-1
Released:    Tue Feb 18 17:42:14 2025
Summary:     Security update for openssh
Type:        security
Severity:    moderate
References:  1237040,1237041,CVE-2025-26465,CVE-2025-26466
This update for openssh fixes the following issues:

- CVE-2025-26465: Fixed MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client (bsc#1237040).
- CVE-2025-26466: Fixed DoS attack against OpenSSH's client and server (bsc#1237041).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:613-1
Released:    Fri Feb 21 11:37:54 2025
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1236136,1236771,CVE-2024-13176
This update for openssl-1_1 fixes the following issues:

- CVE-2024-13176: Fixed timing side-channel in the ECDSA signature computation (bsc#1236136).

Other bugfixes:

- Non approved PBKDF parameters wrongly resulting as approved (bsc#1236771).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:997-1
Released:    Mon Mar 24 18:52:00 2025
Summary:     Recommended update for openssh
Type:        recommended
Severity:    moderate
References:  1236826
This update for openssh fixes the following issue:

- Fix ssh client segfault with GSSAPIKeyExchange=yes in ssh_kex2
  due to gssapi proposal not being correctly initialized (bsc#1236826).
  The problem was introduced in the rebase of the patch for 9.6p1

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1016-1
Released:    Tue Mar 25 15:59:05 2025
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1234015,1236643,1236886
This update for systemd fixes the following issues:

- udev: allow/denylist for reading sysfs attributes when composing a NIC name (bsc#1234015)
- journald: close runtime journals before their parent directory removed
- journald: reset runtime seqnum data when flushing to system journal (bsc#1236886)
- Move systemd-userwork from the experimental sub-package to the main package (bsc#1236643)
  It is likely an oversight from when systemd-userdb was migrated from the
  experimental package to the main one.
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1056-1
Released:    Fri Mar 28 18:06:22 2025
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1233307,CVE-2024-11168
This update for python3 fixes the following issues:

- CVE-2024-11168: Fixed improper validation of IPv6 and IPvFuture addresses (bsc#1233307).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1201-1
Released:    Fri Apr 11 12:15:58 2025
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1239618,CVE-2024-8176
This update for expat fixes the following issues:

- CVE-2024-8176: Fixed denial of service from chaining a large number of entities caused 
  by stack overflow by resolving use of recursion (bsc#1239618)

Other fixes:
- version update to 2.7.1 (jsc#PED-12500)
     Bug fixes:
       #980 #989  Restore event pointer behavior from Expat 2.6.4
                    (that the fix to CVE-2024-8176 changed in 2.7.0);
                    affected API functions are:
                    - XML_GetCurrentByteCount
                    - XML_GetCurrentByteIndex
                    - XML_GetCurrentColumnNumber
                    - XML_GetCurrentLineNumber
                    - XML_GetInputContext
     Other changes:
       #976 #977  Autotools: Integrate files 'fuzz/xml_lpm_fuzzer.{cpp,proto}'
                    with Automake that were missing from 2.7.0 release tarballs
       #983 #984  Fix printf format specifiers for 32bit Emscripten
            #992  docs: Promote OpenSSF Best Practices self-certification
            #978  tests/benchmark: Resolve mistaken double close
            #986  Address compiler warnings
       #990 #993  Version info bumped from 11:1:10 (libexpat*.so.1.10.1)
                    to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/
                    for what these numbers do
        Infrastructure:
            #982  CI: Start running Perl XML::Parser integration tests
            #987  CI: Enforce Clang Static Analyzer clean code
            #991  CI: Re-enable warning clang-analyzer-valist.Uninitialized
                    for clang-tidy
            #981  CI: Cover compilation with musl
       #983 #984  CI: Cover compilation with 32bit Emscripten
       #976 #977  CI: Protect against fuzzer files missing from future
                    release archives

- version update to 2.7.0
       #935 #937  Autotools: Make generated CMake files look for
                    libexpat. at SO_MAJOR@.dylib on macOS
            #925  Autotools: Sync CMake templates with CMake 3.29
  #945 #962 #966  CMake: Drop support for CMake <3.13
            #942  CMake: Small fuzzing related improvements
            #921  docs: Add missing documentation of error code
                    XML_ERROR_NOT_STARTED that was introduced with 2.6.4
            #941  docs: Document need for C++11 compiler for use from C++
            #959  tests/benchmark: Fix a (harmless) TOCTTOU
            #944  Windows: Fix installer target location of file xmlwf.xml
                    for CMake
            #953  Windows: Address warning -Wunknown-warning-option
                    about -Wno-pedantic-ms-format from LLVM MinGW
            #971  Address Cppcheck warnings
       #969 #970  Mass-migrate links from http:// to https://
    #947 #958 ..
       #974 #975  Document changes since the previous release
       #974 #975  Version info bumped from 11:0:10 (libexpat*.so.1.10.0)
                    to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/
                    for what these numbers do


The following package changes have been done:

- libexpat1-2.7.1-150400.3.28.1 updated
- libopenssl1_1-1.1.1w-150600.5.12.2 updated
- openssh-common-9.6p1-150600.6.18.4 updated
- libsystemd0-254.24-150600.4.28.1 updated
- libpython3_6m1_0-3.6.15-150300.10.84.1 updated
- python3-base-3.6.15-150300.10.84.1 updated
- python3-3.6.15-150300.10.84.1 updated
- openssh-fips-9.6p1-150600.6.18.4 updated
- openssh-clients-9.6p1-150600.6.18.4 updated
- openssh-server-9.6p1-150600.6.18.4 updated
- openssh-9.6p1-150600.6.18.4 updated

More information about the sle-container-updates mailing list