SUSE-CU-2025:2635-1: Security update of suse/manager/5.0/x86_64/server
sle-container-updates at lists.suse.com
sle-container-updates at lists.suse.com
Thu Apr 17 07:14:00 UTC 2025
SUSE Container Update Advisory: suse/manager/5.0/x86_64/server
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:2635-1
Container Tags : suse/manager/5.0/x86_64/server:5.0.4 , suse/manager/5.0/x86_64/server:5.0.4.7.19.1 , suse/manager/5.0/x86_64/server:latest
Container Release : 7.19.1
Severity : important
Type : security
References : 1183663 1189788 1193173 1205042 1211547 1213291 1214290 1214713
1214808 1215212 1215484 1216049 1216091 1216146 1216147 1216150
1216151 1216228 1216229 1216230 1216231 1216232 1216233 1216241
1216388 1216522 1216827 1217287 1218201 1218282 1218324 1218812
1218814 1219241 1219639 1220893 1220895 1220896 1220905 1221505
1222021 1222650 1222834 1222896 1225287 1225936 1225939 1225941
1225942 1226273 1227118 1227127 1227316 1227637 1227859 1228265
1228434 1229163 1229164 1229685 1229822 1230078 1230371 1230642
1230944 1231298 1231396 1231423 1231589 1231605 1231838 1231983
1233307 1233500 1233606 1233608 1233609 1233610 1233612 1233613
1233614 1233615 1233616 1233617 1233726 1233880 1234015 1234022
1234033 1234128 1234202 1234226 1234442 1234452 1234713 1234798
1234881 1234958 1235079 1235481 1235516 1235527 1235695 1235696
1235751 1235825 1235853 1235970 1236011 1236033 1236118 1236136
1236151 1236165 1236166 1236234 1236268 1236282 1236316 1236317
1236323 1236384 1236481 1236601 1236625 1236643 1236664 1236678
1236707 1236771 1236803 1236820 1236826 1236842 1236858 1236886
1236939 1236974 1236983 1237002 1237006 1237008 1237009 1237010
1237011 1237012 1237013 1237014 1237037 1237038 1237040 1237041
1237044 1237060 1237093 1237093 1237137 1237363 1237370 1237374
1237374 1237403 1237418 1237431 1237535 1237606 1237685 1237694
1237844 1237865 1238591 1238610 1238879 1238924 1239302 1239465
1239618 1239625 1239637 1239676 1239826 1239883 1240009 1240343
1240343 1240414 1240416 1240960 37681 CVE-2020-25657 CVE-2023-4016
CVE-2023-40403 CVE-2024-11168 CVE-2024-12243 CVE-2024-13176 CVE-2024-43790
CVE-2024-43802 CVE-2024-45306 CVE-2024-45774 CVE-2024-45775 CVE-2024-45776
CVE-2024-45777 CVE-2024-45778 CVE-2024-45779 CVE-2024-45780 CVE-2024-45781
CVE-2024-45782 CVE-2024-45783 CVE-2024-47554 CVE-2024-49504 CVE-2024-55549
CVE-2024-56171 CVE-2024-56337 CVE-2024-56737 CVE-2024-8176 CVE-2025-0395
CVE-2025-0622 CVE-2025-0624 CVE-2025-0677 CVE-2025-0678 CVE-2025-0684
CVE-2025-0685 CVE-2025-0686 CVE-2025-0689 CVE-2025-0690 CVE-2025-1094
CVE-2025-1094 CVE-2025-1118 CVE-2025-1125 CVE-2025-1215 CVE-2025-1632
CVE-2025-22134 CVE-2025-23392 CVE-2025-24014 CVE-2025-24813 CVE-2025-24855
CVE-2025-24928 CVE-2025-24970 CVE-2025-25193 CVE-2025-25724 CVE-2025-26465
CVE-2025-26466 CVE-2025-26597 CVE-2025-27113 CVE-2025-27363 CVE-2025-27516
CVE-2025-31115 CVE-2025-31344
-----------------------------------------------------------------
The container suse/manager/5.0/x86_64/server was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:582-1
Released: Tue Feb 18 15:55:29 2025
Summary: Security update for glibc
Type: security
Severity: low
References: 1236282,CVE-2025-0395
This update for glibc fixes the following issues:
- CVE-2025-0395: Fix underallocation of abort_msg_s struct (bsc#1236282)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:585-1
Released: Tue Feb 18 17:42:14 2025
Summary: Security update for openssh
Type: security
Severity: moderate
References: 1237040,1237041,CVE-2025-26465,CVE-2025-26466
This update for openssh fixes the following issues:
- CVE-2025-26465: Fixed MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client (bsc#1237040).
- CVE-2025-26466: Fixed DoS attack against OpenSSH's client and server (bsc#1237041).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:586-1
Released: Wed Feb 19 08:28:47 2025
Summary: Security update for grub2
Type: security
Severity: important
References: 1229163,1229164,1233606,1233608,1233609,1233610,1233612,1233613,1233614,1233615,1233616,1233617,1234958,1236316,1236317,1237002,1237006,1237008,1237009,1237010,1237011,1237012,1237013,1237014,CVE-2024-45774,CVE-2024-45775,CVE-2024-45776,CVE-2024-45777,CVE-2024-45778,CVE-2024-45779,CVE-2024-45780,CVE-2024-45781,CVE-2024-45782,CVE-2024-45783,CVE-2024-49504,CVE-2024-56737,CVE-2025-0622,CVE-2025-0624,CVE-2025-0677,CVE-2025-0678,CVE-2025-0684,CVE-2025-0685,CVE-2025-0686,CVE-2025-0689,CVE-2025-0690,CVE-2025-1118,CVE-2025-1125
This update for grub2 fixes the following issues:
- CVE-2024-45781: Fixed strcpy overflow in ufs. (bsc#1233617)
- CVE-2024-56737: Fixed a heap-based buffer overflow in hfs. (bsc#1234958)
- CVE-2024-45782: Fixed strcpy overflow in hfs. (bsc#1233615)
- CVE-2024-45780: Fixed an overflow in tar/cpio. (bsc#1233614)
- CVE-2024-45783: Fixed a refcount overflow in hfsplus. (bsc#1233616)
- CVE-2024-45774: Fixed a heap overflow in JPEG parser. (bsc#1233609)
- CVE-2024-45775: Fixed a missing NULL check in extcmd parser. (bsc#1233610)
- CVE-2024-45776: Fixed an overflow in .MO file handling. (bsc#1233612)
- CVE-2024-45777: Fixed an integer overflow in gettext. (bsc#1233613)
- CVE-2024-45778: Fixed bfs filesystem by removing it from lockdown capable modules. (bsc#1233606)
- CVE-2024-45779: Fixed a heap overflow in bfs. (bsc#1233608)
- CVE-2024-49504: Fixed an issue that can bypass TPM-bound disk encryption on SL(E)M encrypted Images. (bsc#1229164)
- CVE-2025-0624: Fixed an out-of-bounds write during the network boot process. (bsc#1236316)
- CVE-2025-0622: Fixed a use-after-free when handling hooks during module unload in command/gpg . (bsc#1236317)
- CVE-2025-0690: Fixed an integer overflow that may lead to an out-of-bounds write through the read command.
(bsc#1237012)
- CVE-2025-1118: Fixed an issue where the dump command was not being blocked when grub was in lockdown mode.
(bsc#1237013)
- CVE-2025-0677: Fixed an integer overflow that may lead to an out-of-bounds write when handling symlinks in ufs.
(bsc#1237002)
- CVE-2025-0684: Fixed an integer overflow that may lead to an out-of-bounds write when handling symlinks in reiserfs.
(bsc#1237008)
- CVE-2025-0685: Fixed an integer overflow that may lead to an out-of-bounds write when handling symlinks in jfs.
(bsc#1237009)
- CVE-2025-0686: Fixed an integer overflow that may lead to an out-of-bounds write when handling symlinks in romfs.
(bsc#1237010)
- CVE-2025-0689: Fixed a heap-based buffer overflow in udf that may lead to arbitrary code execution. (bsc#1237011)
- CVE-2025-1125: Fixed an integer overflow that may lead to an out-of-bounds write in hfs. (bsc#1237014)
- CVE-2025-0678: Fixed an integer overflow that may lead to an out-of-bounds write in squash4. (bsc#1237006)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:590-1
Released: Wed Feb 19 11:33:58 2025
Summary: Security update for netty, netty-tcnative
Type: security
Severity: important
References: 1237037,1237038,CVE-2025-24970,CVE-2025-25193
This update for netty, netty-tcnative fixes the following issues:
- CVE-2025-24970: incorrect validation of packets by SslHandler can lead to a native crash. (bsc#1237037)
- CVE-2025-25193: unsafe reading of environment files can lead to an application crash. (bsc#1237038)
Update to netty version 4.1.118 and netty-tcnative version 2.0.70 Final.
Other fixes:
- Fix recycling in CodecOutputList.
- StreamBufferingEncoder: do not send header frame with priority by default.
- Notify event loop termination future of unexpected exceptions.
- Fix AccessControlException in GlobalEventExecutor.
- AdaptivePoolingAllocator: round chunk sizes up and reduce chunk release frequency.
- Support BouncyCastle FIPS for reading PEM files.
- Dns: correctly encode DnsPtrRecord.
- Provide Brotli settings without com.aayushatharva.brotli4j dependency.
- Make DefaultResourceLeak more resilient against OOM.
- OpenSslSession: add support to defensively check for peer certs.
- SslHandler: ensure buffers are never leaked when wrap(...) produces SSLException.
- Correcly handle comments appended to nameserver declarations.
- PcapWriteHandler: apply fixes so that the handler can append to an existing PCAP file when writing the global header.
- PcapWriteHandler: allow output of PCAP files larger than 2GB.
- Fix bugs in BoundedInputStream.
- Fix HTTP header validation bug.
- AdaptivePoolingAllocator: fix possible race condition in method offerToQueue(...).
- AdaptivePoolingAllocator: make sure the sentinel object Magazine.MAGAZINE_FREED not be replaced.
- Only try to use Zstd and Brotli if the native libs can be loaded.
- Bump BlockHound version to 1.0.10.RELEASE.
- Add details to TooLongFrameException message.
- AdaptivePoolingAllocator: correctly reuse chunks.
- AdaptivePoolingAllocator: don't fail when we run on a host with 1 core.
- AdaptivePoolingAllocator: correctly re-use central queue chunks and avoid OOM issue.
- Fix several memory management (leaks and missing checks) issues.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:613-1
Released: Fri Feb 21 11:37:54 2025
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1236136,1236771,CVE-2024-13176
This update for openssl-1_1 fixes the following issues:
- CVE-2024-13176: Fixed timing side-channel in the ECDSA signature computation (bsc#1236136).
Other bugfixes:
- Non approved PBKDF parameters wrongly resulting as approved (bsc#1236771).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:616-1
Released: Fri Feb 21 11:42:35 2025
Summary: Security update for postgresql17
Type: security
Severity: important
References: 1237093,CVE-2025-1094
This update for postgresql17 fixes the following issues:
Upgrade to 17.4:
- CVE-2025-1094: Harden PQescapeString and allied functions against invalidly-encoded input strings (bsc#1237093).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:626-1
Released: Fri Feb 21 12:18:09 2025
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1236858
This update for crypto-policies fixes the following issue:
- Remove dangling symlink for the libreswan config (bsc#1236858).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:635-1
Released: Fri Feb 21 15:13:08 2025
Summary: Security update for postgresql16
Type: security
Severity: important
References: 1237093,CVE-2025-1094
This update for postgresql16 fixes the following issues:
Upgrade to 16.8:
- CVE-2025-1094: Harden PQescapeString and allied functions against invalidly-encoded input strings (bsc#1237093).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:680-1
Released: Mon Feb 24 12:01:16 2025
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: important
References: 1228434,1236384,1236820,1236939,1236983
This update for libzypp, zypper fixes the following issues:
- Don't issue deprecated warnings if -DNDEBUG is set (bsc#1236983)
- Drop zypp-CheckAccessDeleted in favor of 'zypper ps'
- Fix Repoverification plugin not being executed
- Refresh: Fetch the master index file before key and signature (bsc#1236820)
- Deprecate RepoReports we do not trigger
- Let zypper dup fail in case of (temporarily) unaccessible repos (bsc#1228434, bsc#1236939)
- New system-architecture command (bsc#1236384)
- Change versioncmp command to return exit code according to the comparison result
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:723-1
Released: Wed Feb 26 14:29:39 2025
Summary: Security update for vim
Type: security
Severity: moderate
References: 1229685,1229822,1230078,1235695,1236151,1237137,CVE-2024-43790,CVE-2024-43802,CVE-2024-45306,CVE-2025-1215,CVE-2025-22134,CVE-2025-24014
This update for vim fixes the following issues:
Update to version 9.1.1101:
- CVE-2024-43790: possible out-of-bounds read when performing a search command (bsc#1229685).
- CVE-2024-43802: heap buffer overflow due to incorrect flushing of the typeahead buffer (bsc#1229822).
- CVE-2024-45306: heap buffer overflow when cursor position is invalid (bsc#1230078).
- CVE-2025-22134: heap buffer overflow when switching to other buffers using the :all command with active visual mode
(bsc#1235695).
- CVE-2025-24014: NULL pointer dereference may lead to segmentation fault when in silent Ex mode (bsc#1236151).
- CVE-2025-1215: memory corruption when manipulating the --log argument (bsc#1237137).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:739-1
Released: Fri Feb 28 11:09:44 2025
Summary: Security update for libX11
Type: security
Severity: moderate
References: 1237431,CVE-2025-26597
This update for libX11 fixes the following issues:
- CVE-2025-26597: improper resizing of key actions when nGroups is 0 can lead to buffer overflows in
XkbChangeTypesOfKey() (bsc#1237431).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:741-1
Released: Fri Feb 28 11:15:50 2025
Summary: Security update for procps
Type: security
Severity: important
References: 1214290,1236842,CVE-2023-4016
This update for procps fixes the following issues:
- Integer overflow due to incomplete fix for CVE-2023-4016 can lead to segmentation fault in ps command when pid
argument has a leading space (bsc#1236842, bsc#1214290).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:745-1
Released: Fri Feb 28 15:54:49 2025
Summary: Recommended update for apache-commons-cli
Type: recommended
Severity: moderate
References:
This update for apache-commons-cli fixes the following issues:
- Update to 1.9.0:
* New features:
+ Add OptionGroup.isSelected().
+ You can now extend HelpFormatter.Builder.
+ Add 'since' attribute to Option to track when an Option was
introduced
* Fixed bugs:
+ Fix Javadoc pathing
+ Updated properties documentation #285.
+ Deprecation not always reported #284.
+ Replace internal StringBuffer with StringBuilder.
* Updates:
+ Bump org.apache.commons:commons-parent from 70 to 72
- Update to 1.8.0:
* Fix Javadoc pathing
- Updated apache-commons-cli-build.xml to new version.
- Update to 1.7:
* New features:
- Add and use a Converter interface and implementations without
using BeanUtils
- Add Maven property project.build.outputTimestamp for build
reproducibility.
- Add '-' as an option char and implemented extensive tests
- Make adding OptionGroups and Options to existing Options
easier
- Added Supplier; defaults for getParsedOptionValue
- Make Option.getKey() public
- Add builder factory CommandLine#builder().
* Fixes:
- Inconsistent behavior in key/value pairs (Java property
style). Util.stripLeadingAndTrailingQuotes(String).
- Awkward behavior of Option.builder() for multiple optional args.
- Properties from multiple arguments with value separator.
- Fix for expected textual date values.
- Option.Builder.option('') should throw IllegalArgumentException instead of
ArrayIndexOutOfBoundsException.
- Avoid NullPointerException in CommandLine.getOptionValues(Option|String).
* Updates:
- Bump commons-parent from 64 to 69
- Update the tests to JUnit 5
- Bump tests commons-io:commons-io from 2.16.0 to 2.16.1
- Includes changes from version 1.6:
* Fixes:
- [StepSecurity] ci: Harden GitHub Actions
- Inconsistent date format in changes report.
- Fix NPE in CommandLine.resolveOption(String).
- CommandLine.addOption(Option) should not allow a null Option.
- CommandLine.addArgs(String) should not allow a null String.
- Site docs: 'Usage Scenarios' refers to deprecated methods.
- NullPointerException thrown by CommandLineParser.parse().
- StringIndexOutOfBoundsException thrown by CommandLineParser.parse().
* Updates:
- Fix SpotBugs Error: Medium: Method intentionally throws
RuntimeException. [org.apache.commons.cli.Option] At
Option.java:[lines 417-423]
THROWS_METHOD_THROWS_RUNTIMEEXCEPTION
- Fix SpotBugs Error: Medium: Method intentionally throws
RuntimeException. [org.apache.commons.cli.Option] At
Option.java:[lines 446-450] THROWS_METHOD_THROWS_RUNTIMEEXCEPTION
- Fix SpotBugs Error: Medium: Method intentionally throws
RuntimeException. [org.apache.commons.cli.Option] At
Option.java:[lines 474-478] THROWS_METHOD_THROWS_RUNTIMEEXCEPTION
- Use EMPTY_STRING_ARRAY constant.
- Fix site links that are broken
- Add github/codeql-action.
- Use %patch -P N instead of deprecated %patchN.
- Build with java source/target levels 8
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:746-1
Released: Fri Feb 28 17:10:22 2025
Summary: Security update for libxml2
Type: security
Severity: important
References: 1237363,1237370,1237418,CVE-2024-56171,CVE-2025-24928,CVE-2025-27113
This update for libxml2 fixes the following issues:
- CVE-2024-56171: use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c
(bsc#1237363).
- CVE-2025-24928: stack-based buffer overflow in xmlSnprintfElements in valid.c (bsc#1237370).
- CVE-2025-27113: NULL pointer dereference in xmlPatMatch in pattern.c (bsc#1237418).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:749-1
Released: Fri Feb 28 17:23:17 2025
Summary: Recommended update for samba
Type: recommended
Severity: moderate
References: 1215212,1233880,1236803
This update for samba fixes the following issues:
- Fix crossing automounter mount points (bsc#1215212, bsc#1236803).
- Update shipped /etc/samba/smb.conf to point to smb.conf man page
(bsc#1233880).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:764-1
Released: Mon Mar 3 09:43:37 2025
Summary: Security update for gnutls
Type: security
Severity: moderate
References: 1236974,CVE-2024-12243
This update for gnutls fixes the following issues:
- CVE-2024-12243: quadratic complexity of DER input decoding in libtasn1 can lead to a DoS (bsc#1236974).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:777-1
Released: Tue Mar 4 15:58:09 2025
Summary: Recommended update for apache-commons-daemon
Type: recommended
Severity: moderate
References:
This update for apache-commons-daemon fixes the following issues:
- Upgrade to 1.4.0
* Fixes:
+ [StepSecurity] ci: Harden GitHub Actions
+ Procrun: Enable Control Flow Guard for Windows binaries.
+ Procrun: Better label for command used to start service shown
in Prunmgr.exe.
+ jsvc: Fix warnings when running support/buildconf.sh
+ jsvc: Fix compilation issue with newer compilers. Fixes
+ Procrun: Refactor UAC support so that elevation is only
requested for actions that require administrator privileges.
* New Features:
+ Procrun: Add support for hybrid CRT builds.
+ jsvc: Add support for LoongArch64 support.
* Update dependencies:
+ The minimum support Java version has been upgraded from Java
7 to Java 8.
- Use %patch -P N instead of deprecated %patchN.
- Disable LTO to avoid undefined symbols on some platforms
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:778-1
Released: Wed Mar 5 07:14:12 2025
Summary: Recommended update for net-snmp
Type: recommended
Severity: important
References:
This update for net-snmp fixes the following issues:
- Implementation of net-snmp on SUSE Linux Enterprise Micro 5.5 (no source changes) (jsc#SMO-541,jsc#SMO-542)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:782-1
Released: Wed Mar 5 11:11:58 2025
Summary: Recommended update for zypp-plugin
Type: recommended
Severity: moderate
References:
This update for zypp-plugin fixes the following issues:
- Build package for multiple Python flavors on the SLE15 family
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:794-1
Released: Thu Mar 6 07:59:29 2025
Summary: Recommended update for pkg-config
Type: recommended
Severity: important
References: 1237374
This update for pkg-config fixes the following issues:
- Build with system GLib instead of bundled GLib (bsc#1237374).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:796-1
Released: Thu Mar 6 13:28:09 2025
Summary: Recommended update for python3-M2Crypto
Type: recommended
Severity: moderate
References: 1205042,1231589,1236664,CVE-2020-25657
This update for python3-M2Crypto fixes the following issues:
- Fix spelling of BSD-2-Clause license.
- Update to 0.44.0:
- The real license is BSD 2-Clause, not MIT.
- Remove python-M2Crypto.keyring, because PyPI broke GPG support
- Build for modern python stack on SLE/Leap
- require setuptools
- Make tests running again.
- Remove unnecessary fdupes call
- Add python-typing as a dependency
- SLE12 requires swig3 for a successful build, too
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2025:815-1
Released: Mon Mar 10 11:12:25 2025
Summary: Optional update for python-cheroot, python-tempora
Type: optional
Severity: low
References: 37681
This update for python-cheroot, python-tempora fixes the following issue:
- Use update-alternatives for cheroot and tempora binaries (bsc#1223694)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:820-1
Released: Mon Mar 10 15:17:28 2025
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1222834
This update for mozilla-nss fixes the following issues:
- FIPS: Do not pass in bad targetKeyLength parameters when checking for
FIPS approval after keygen. This was causing false rejections.
- FIPS: Approve RSA signature verification mechanisms with PKCS padding and
legacy moduli (bsc#1222834).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:832-1
Released: Tue Mar 11 09:56:30 2025
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References:
This update for timezone fixes the following issues:
- Update to 2025a:
* Paraguay adopts permanent -03 starting spring 2024
* Improve pre-1991 data for the Philippines
* Etc/Unknown is now reserved
* Improve historical data for Mexico, Mongolia, and Portugal
* System V names are now obsolescent
* The main data form now uses %z
* The code now conforms to RFC 8536 for early timestamps
* Support POSIX.1-2024, which removes asctime_r and ctime_r
* Assume POSIX.2-1992 or later for shell scripts
* SUPPORT_C89 now defaults to 1
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:837-1
Released: Tue Mar 11 13:10:41 2025
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: important
References: 1189788,1216091,1236481,1237044
This update for libzypp, zypper fixes the following issues:
- Disable zypp.conf:download.use_deltarpm by default
Measurements show that you don't benefit from using deltarpms
unless your network connection is very slow. That's why most
distributions even stop offering deltarpms. The default remains
unchanged on SUSE-15.6 and older.
- Make sure repo variables are evaluated in the right context
(bsc#1237044)
- Introducing MediaCurl2 a alternative HTTP backend.
This patch adds MediaCurl2 as a testbed for experimenting with a
more simple way to download files. Set ZYPP_CURL2=1 in the
environment to use it.
- Filesystem usrmerge must not be done in singletrans mode
(bsc#1236481, bsc#1189788)
- Commit will amend the backend in case the transaction would
perform a filesystem usrmerge.
- Workaround bsc#1216091 on Code16.
- Annonunce --root in commands not launching a Target
(bsc#1237044)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:848-1
Released: Wed Mar 12 14:23:16 2025
Summary: Recommended update for apache-commons-logging
Type: recommended
Severity: moderate
References:
This update for apache-commons-logging fixes the following issues:
- Upgrade to 1.3.4
* Bug fix:
+ Fix factory loading from context class loader
- Upgrade to 1.3.3
* Bug Fixes:
+ Update Log4j 2 OSGi imports
+ Fix PMD UnnecessaryFullyQualifiedName in SimpleLog.
+ Fix NullPointerException in SimpleLog#write(Object) on null
input.
+ Fix NullPointerException in SimpleLog#write(StringBuffer) on
null input.
- Includes changes from 1.3.2
* Fixed Bugs:
+ Add OSGi metadata to enable Service Loader Mediator
+ Apache commons logging shows 1.4 as latest
release instead of 1.3.1.
+ Deprecate org.apache.commons.logging.LogSource.jdk14IsAvailable.
- Includes changes from 1.3.1
* New features:
+ Add Maven property project.build.outputTimestamp for build
reproducibility.
* Fixed Bugs:
+ Remove references to very old JDK and Commons Logging
versions
+ Update from Logj 1 to the Log4j 2 API compatibility layer
+ Allow Servlet 4 in OSGi environment
+ Fix generics warnings
+ Fix Import-Package entry for org.slf4j
- Includes changes from 1.3.0
* New Features:
+ Add support for Log4j API and SLF4J
+ Deprecate org.apache.commons.logging.impl.WeakHashtable
without replacement.
+ Deprecate and disable `Jdk13LumberjackLogger` and `Log4JLogger`
+ Deprecate and disable `AvalonLogger` and `LogKitLogger`
+ Add Automatic-Module-Name Manifest Header for
Java 9 compatibility
* Fixed Bugs:
+ BufferedReader is not closed properly
+ Remove redundant initializer
+ Use a weak reference for the cached class loader
+ Add more entries to .gitignore file
+ Minor Improvements
+ [StepSecurity] ci: Harden GitHub Actions
+ Replace custom code with `ServiceLoader` call
+ Fix possible NPEs in LogFactoryImpl
+ Fix failing tests
+ Deprecate LogConfigurationException.cause in favor of
getCause()
+ Fix SpotBugs [ERROR] High: Found reliance on default encoding
in org.apache.commons.logging.LogFactory.initDiagnostics():
new java.io.PrintStream(OutputStream)
[org.apache.commons.logging.LogFactory] At
LogFactory.java:[line 1205] DM_DEFAULT_ENCODING.
+ Fix SpotBugs [ERROR] Medium: Class
org.apache.commons.logging.impl.WeakHashtable defines
non-transient non-serializable instance field queue
[org.apache.commons.logging.impl.WeakHashtable] In
WeakHashtable.java SE_BAD_FIELD.
+ Set java.logging as optional module
+ Fix SpotBugs [ERROR] Medium: Switch statement found in
org.apache.commons.logging.impl.SimpleLog.log(int, Object,
Throwable) where default case is missing
[org.apache.commons.logging.impl.SimpleLog] At
SimpleLog.java:[lines 505-522] SF_SWITCH_NO_DEFAULT.
+ Deprecate
org.apache.commons.logging.impl.Jdk13LumberjackLogger.dummyLevel
without replacement.
- Reinstate ant build (removed upstream)
* add build.xml
* add build.properties
- Add upstream dev's public key to apache-commons-logging.keyring
- Use %autosetup macro. Allows to eliminate the usage of deprecated
%patchN.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:878-1
Released: Mon Mar 17 10:22:57 2025
Summary: Recommended update for python3-dmidecode
Type: recommended
Severity: moderate
References: 1237685
This update for python3-dmidecode fixes the following issue:
- Fix invalid log level error. (bsc#1237685)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:880-1
Released: Mon Mar 17 10:55:06 2025
Summary: Recommended update for python-apache-libcloud
Type: recommended
Severity: important
References: 1214808
This update for python-apache-libcloud fixes the following issues:
- Fix issue building python311-apache-libcloud
- Build package for multiple Python flavors on the SLE15 family
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:915-1
Released: Wed Mar 19 08:04:05 2025
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1220893,1220895,1220896,1225936,1225939,1225941,1225942
This update for libgcrypt fixes the following issues:
- FIPS: Differentiate non-compliant flags in the SLI [bsc#1225939]
- FIPS: Implement KAT for non-deterministic ECDSA [bsc#1225939]
- FIPS: Disable setting the library in non-FIPS mode [bsc#1220893]
- FIPS: Disallow rsa < 2048 [bsc#1225941]
* Mark RSA operations with keysize < 2048 as non-approved in the SLI
- FIPS: Service level indicator for libgcrypt [bsc#1225939]
- FIPS: Consider deprecate sha1 [bsc#1225942]
* In FIPS 180-5 revision, NIST announced EOL for SHA-1 and will
transition at the end of 2030. Mark SHA1 as non-approved in SLI.
- FIPS: Unnecessary RSA KAT Encryption/Decryption [bsc#1225936]
* cipher: Do not run RSA encryption selftest by default
- FIPS: Make sure that Libgcrypt makes use of the built-in Jitter RNG
for the whole length entropy buffer in FIPS mode. [bsc#1220893]
- FIPS: Set the FSM into error state if Jitter RNG is returning an
error code to the caller when an health test error occurs when
random bytes are requested through the jent_read_entropy_safe()
function. [bsc#1220895]
- FIPS: Replace the built-in jitter rng with standalone version
* Remove the internal jitterentropy copy [bsc#1220896]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:933-1
Released: Wed Mar 19 11:07:35 2025
Summary: Recommended update for grub2
Type: recommended
Severity: important
References: 1237844,1237865
This update for grub2 fixes the following issues:
- Fix 'zfs.mo not found' message when booting on legacy BIOS (bsc#1237865)
- Upstream XFS fixes
- Fix 'attempt to read of write outside of partition' error message (bsc#1237844)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:969-1
Released: Thu Mar 20 14:28:47 2025
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1227637,1236165
This update for crypto-policies fixes the following issues:
- Fix fips-mode-setup in EFI or Secure Boot mode (bsc#1227637).
- tolerate fips dracut module presence w/o FIPS
* Fixes the 'Inconsistent state detected' warning when disabling the FIPS mode
(bsc#1236165).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:985-1
Released: Fri Mar 21 18:45:14 2025
Summary: Security update for libarchive
Type: security
Severity: moderate
References: 1237606,1238610,CVE-2025-1632,CVE-2025-25724
This update for libarchive fixes the following issues:
- CVE-2025-1632: Fixed null pointer dereference in bsdunzip.c (bsc#1237606)
- CVE-2025-25724: Fixed buffer overflow vulnerability in function list_item_verbose() in tar/util.c (bsc#1238610)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:997-1
Released: Mon Mar 24 18:52:00 2025
Summary: Recommended update for openssh
Type: recommended
Severity: moderate
References: 1236826
This update for openssh fixes the following issue:
- Fix ssh client segfault with GSSAPIKeyExchange=yes in ssh_kex2
due to gssapi proposal not being correctly initialized (bsc#1236826).
The problem was introduced in the rebase of the patch for 9.6p1
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:998-1
Released: Tue Mar 25 03:07:02 2025
Summary: Security update for freetype2
Type: security
Severity: important
References: 1239465,CVE-2025-27363
This update for freetype2 fixes the following issues:
- CVE-2025-27363: Fixed out-of-bounds write when attempting to parse font
subglyph structures related to TrueType GX and variable font files (bsc#1239465).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1004-1
Released: Tue Mar 25 09:42:38 2025
Summary: Security update for python-Jinja2
Type: security
Severity: moderate
References: 1238879,CVE-2025-27516
This update for python-Jinja2 fixes the following issues:
- CVE-2025-27516: Fixed sandbox breakout through attr filter selecting format method (bsc#1238879)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1016-1
Released: Tue Mar 25 15:59:05 2025
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1234015,1236643,1236886
This update for systemd fixes the following issues:
- udev: allow/denylist for reading sysfs attributes when composing a NIC name (bsc#1234015)
- journald: close runtime journals before their parent directory removed
- journald: reset runtime seqnum data when flushing to system journal (bsc#1236886)
- Move systemd-userwork from the experimental sub-package to the main package (bsc#1236643)
It is likely an oversight from when systemd-userdb was migrated from the
experimental package to the main one.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1046-1
Released: Thu Mar 27 18:51:27 2025
Summary: Recommended update for gettext-runtime
Type: recommended
Severity: moderate
References: 1227316
This update for gettext-runtime fixes the following issue:
- Fix crash while handling po files with malformed header and
process them properly (bsc#1227316).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1056-1
Released: Fri Mar 28 18:06:22 2025
Summary: Security update for python3
Type: security
Severity: moderate
References: 1233307,CVE-2024-11168
This update for python3 fixes the following issues:
- CVE-2024-11168: Fixed improper validation of IPv6 and IPvFuture addresses (bsc#1233307).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1098-1
Released: Wed Apr 2 10:06:16 2025
Summary: Recommended update for libvirt
Type: recommended
Severity: moderate
References: 1235079
This update for libvirt fixes the following issues:
- security: apparmor: Fix probing of apparmor availability on the
VM host when using modular daemons (bsc#1235079)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1125-1
Released: Thu Apr 3 13:49:28 2025
Summary: Security update for libxslt
Type: security
Severity: important
References: 1238591,1239625,1239637,CVE-2023-40403,CVE-2024-55549,CVE-2025-24855
This update for libxslt fixes the following issues:
- CVE-2023-40403: Fixed sensitive information disclosure during processing web content (bsc#1238591)
- CVE-2024-55549: Fixed use-after-free in xsltGetInheritedNsList (bsc#1239637)
- CVE-2025-24855: Fixed use-after-free in numbers.c (bsc#1239625)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1126-1
Released: Thu Apr 3 13:51:03 2025
Summary: Security update for tomcat
Type: security
Severity: important
References: 1239302,1239676,CVE-2024-56337,CVE-2025-24813
This update for tomcat fixes the following issues:
- CVE-2025-24813: Fixed potential RCE and/or information disclosure/corruption with partial PUT (bsc#1239302)
- Update to Tomcat 9.0.102
* Fixes:
+ launch with java 17 (bsc#1239676)
* Catalina
+ Fix: Weak etags in the If-Range header should not match as strong etags
are required. (remm)
+ Fix: When looking up class loader resources by resource name, the resource
name should not start with '/'. If the resource name does start with '/',
Tomcat is lenient and looks it up as if the '/' was not present. When the
web application class loader was configured with external repositories and
names starting with '/' were used for lookups, it was possible that cached
'not found' results could effectively hide lookup results using the
correct resource name. (markt)
+ Fix: Enable the JNDIRealm to validate credentials provided to
HttpServletRequest.login(String username, String password) when the realm
is configured to use GSSAPI authentication. (markt)
+ Fix: Fix a bug in the JRE compatibility detection that incorrectly
identified Java 19 and Java 20 as supporting Java 21 features. (markt)
+ Fix: Improve the checks for exposure to and protection against
CVE-2024-56337 so that reflection is not used unless required. The checks
for whether the file system is case sensitive or not have been removed.
(markt)
+ Fix: Avoid scenarios where temporary files used for partial PUT would not
be deleted. (remm)
+ Fix: 69602: Fix regression in releases from 12-2024 that were too strict
and rejected weak etags in the If-Range header. (remm)
+ Fix: 69576: Avoid possible failure initializing JreCompat due to uncaught
exception introduced for the check for CVE-2024-56337. (remm)
* Cluster
+ Add: 69598: Add detection of service account token changes to the
KubernetesMembershipProvider implementation and reload the token if it
changes. Based on a patch by Miroslav Jezbera. (markt)
* Coyote
+ Fix: 69575: Avoid using compression if a response is already compressed
using compress, deflate or zstd. (remm)
+ Update: Use Transfer-Encoding for compression rather than Content-Encoding
if the client submits a TE header containing gzip. (remm)
+ Fix: Fix a race condition in the handling of HTTP/2 stream reset that
could cause unexpected 500 responses. (markt)
* Other
+ Add: Add makensis as an option for building the Installer for Windows on
non-Windows platforms. (rjung/markt)
+ Update: Update Byte Buddy to 1.17.1. (markt)
+ Update: Update Checkstyle to 10.21.3. (markt)
+ Update: Update SpotBugs to 4.9.1. (markt)
+ Update: Update JSign to 7.1. (markt)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
+ Add: Add org.apache.juli.JsonFormatter to format log as one line JSON
documents. (remm)
- Update to Tomcat 9.0.99
* Catalina
+ Update: Add tableName configuration on the DataSourcePropertyStore that
may be used by the WebDAV Servlet. (remm)
+ Update: Improve HTTP If headers processing according to RFC 9110. Based on
pull request #796 by Chenjp. (remm/markt)
+ Update: Allow readOnly attribute configuration on the Resources element
and allow configure the readOnly attribute value of the main resources.
The attribute value will also be used by the default and WebDAV Servlets.
(remm)
+ Fix: 69285: Optimise the creation of the parameter map for included
requests. Based on sample code and test cases provided by John
Engebretson. (markt)
+ Fix: 69527: Avoid rare cases where a cached resource could be set with 0
content length, or could be evicted immediately. (remm)
+ Fix: Fix possible edge cases (such as HTTP/1.0) with trying to detect
requests without body for WebDAV LOCK and PROPFIND. (remm)
+ Fix: 69528: Add multi-release JAR support for the bloom
archiveIndexStrategy of the Resources. (remm)
+ Fix: Improve checks for WEB-INF and META-INF in the WebDAV servlet. Based
on a patch submitted by Chenjp. (remm)
+ Add: Add a check to ensure that, if one or more web applications are
potentially vulnerable to CVE-2024-56337, the JVM has been configured to
protect against the vulnerability and to configure the JVM correctly if
not. Where one or more web applications are potentially vulnerable to
CVE-2024-56337 and the JVM cannot be correctly configured or it cannot be
confirmed that the JVM has been correctly configured, prevent the impacted
web applications from starting. (markt)
+ Fix: Remove unused session to client map from CrawlerSessionManagerValve.
Submitted by Brian Matzon. (remm)
+ Fix: When using the WebDAV servlet with serveSubpathOnly set to true,
ensure that the destination for any requested WebDAV operation is also
restricted to the sub-path. (markt)
+ Fix: Generate an appropriate Allow HTTP header when the Default servlet
returns a 405 (method not allowed) response in response to a DELETE
request because the target resource cannot be deleted. Pull request #802
provided by Chenjp. (markt)
+ Code: Refactor creation of RequestDispatcher instances so that the
processing of the provided path is consistent with normal request
processing. (markt)
+ Add: Add encodedReverseSolidusHandling and encodedSolidusHandling
attributes to Context to provide control over the handling of the path
used to created a RequestDispatcher. (markt)
+ Fix: Handle a potential NullPointerException after an IOException occurs
on a non-container thread during asynchronous processing. (markt)
+ Fix: Enhance lifecycle of temporary files used by partial PUT. (remm)
* Coyote
+ Fix: Don't log warnings for registered HTTP/2 settings that Tomcat does
not support. These settings are now silently ignored. (markt)
+ Fix: Avoid a rare NullPointerException when recycling the
Http11InputBuffer. (markt)
+ Fix: Lower the log level to debug for logging an invalid socket channel
when processing poller events for the NIO Connector as this may occur in
normal usage. (markt)
+ Code: Clean-up references to the HTTP/2 stream once request processing has
completed to aid GC and reduce the size of the HTTP/2 recycled request and
response cache. (markt)
+ Add: Add a new Connector configuration attribute,
encodedReverseSolidusHandling, to control how %5c sequences in URLs are
handled. The default behaviour is unchanged (decode) keeping in mind that
the allowBackslash attribute determines how the decoded URI is processed.
(markt)
+ Fix: 69545: Improve CRLF skipping for the available method of the
ChunkedInputFilter. (remm)
+ Fix: Improve the performance of repeated calls to getHeader(). Pull
request #813 provided by Adwait Kumar Singh. (markt)
+ Fix: 69559: Ensure that the Java 24 warning regarding the use of
sun.misc.Unsafe::invokeCleaner is only reported by the JRE when the code
will be used. (markt)
* Jasper
+ Fix: 69508: Correct a regression in the fix for 69382 that broke JSP
include actions if both the page attribute and the body contained
parameters. Pull request #803 provided by Chenjp. (markt)
+ Fix: 69521: Update the EL Parser to allow the full range of valid
characters in an EL identifier as defined by the Java Language
Specification. (markt)
+ Fix: 69532: Optimise the creation of ExpressionFactory instances. Patch
provided by John Engebretson. (markt)
* Web applications
+ Add: Documentation. Expand the description of the security implications of
setting mapperContextRootRedirectEnabled and/or
mapperDirectoryRedirectEnabled to true. (markt)
+ Fix: Documentation. Better document the default for the truststoreProvider
attribute of a SSLHostConfig element. (markt)
* Other
+ Update: Update to Commons Daemon 1.4.1. (markt)
+ Update: Update the internal fork of Commons Pool to 2.12.1. (markt)
+ Update: Update Byte Buddy to 1.16.1. (markt)
+ Update: Update UnboundID to 7.0.2. (markt)
+ Update: Update Checkstyle to 10.21.2. (markt)
+ Update: Update SpotBugs to 4.9.0. (markt)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Chinese translations by leeyazhou. (markt)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1130-1
Released: Thu Apr 3 15:08:55 2025
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: important
References: 1234798,1240009,1240343
This update for ca-certificates-mozilla fixes the following issues:
Update to 2.74 state of Mozilla SSL root CAs:
- Removed:
* SwissSign Silver CA - G2
- Added:
* D-TRUST BR Root CA 2 2023
* D-TRUST EV Root CA 2 2023
Updated to 2.72 state of Mozilla SSL root CAs (bsc#1234798):
- Removed:
* SecureSign RootCA11
* Security Communication RootCA3
- Added:
* TWCA CYBER Root CA
* TWCA Global Root CA G2
* SecureSign Root CA12
* SecureSign Root CA14
* SecureSign Root CA15
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1134-1
Released: Thu Apr 3 16:17:44 2025
Summary: Security update for apparmor
Type: security
Severity: moderate
References: 1234452
This update for apparmor fixes the following issue:
- Allow dovecot-auth to execute unix check password from /sbin, not only from /usr/bin (bsc#1234452).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1137-1
Released: Thu Apr 3 17:11:02 2025
Summary: Security update for xz
Type: security
Severity: important
References: 1240414,CVE-2025-31115
This update for xz fixes the following issues:
- CVE-2025-31115: Fixed heap use after free and writing to an address based on the null pointer plus an offset (bsc#1240414)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1150-1
Released: Mon Apr 7 09:47:05 2025
Summary: Recommended update for apache-commons-io
Type: recommended
Severity: moderate
References: 1231298,CVE-2024-47554
This update for apache-commons-io fixes the following issues:
apache-commons-io was updated from version 2.15.1 to 2.18.0:
- Key changes across versions:
* Cleaner code and updated dependencies
* Improved security when handling serialized data with the new safe deserialization feature
* New features for advanced file and stream operations
* Various bugs were fixed to improve reliability with fewer crashes and unexpected errors
* For the full list of changes please consult the packaged RELEASE-NOTES.txt
- Already fixed in previous version:
* CVE-2024-47554: Untrusted input to XmlStreamReader can lead to uncontrolled resource consumption (bsc#1231298)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1161-1
Released: Mon Apr 7 17:29:45 2025
Summary: Recommended update for vim
Type: recommended
Severity: moderate
References: 1235751
This update for vim fixes the following issues:
- Regression patch to fix (bsc#1235751).
- Version update 9.1.1176
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1164-1
Released: Tue Apr 8 09:02:56 2025
Summary: Security update for giflib
Type: security
Severity: important
References: 1240416,CVE-2025-31344
This update for giflib fixes the following issues:
- CVE-2025-31344: Fixed a buffer overflow in function DumpScreen2RGB (bsc#1240416)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1189-1
Released: Thu Apr 10 05:38:46 2025
Summary: Recommended update for fence-agents
Type: recommended
Severity: moderate
References:
This update for fence-agents fixes the following issues:
- Improved fence_sbd support (jsc#PED-12243)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1190-1
Released: Thu Apr 10 06:56:57 2025
Summary: Recommended update for supportutils
Type: recommended
Severity: moderate
References: 1183663,1193173,1211547,1213291,1214713,1216049,1216146,1216147,1216150,1216151,1216228,1216229,1216230,1216231,1216232,1216233,1216241,1216388,1216522,1216827,1217287,1218201,1218282,1218324,1218812,1218814,1219241,1219639,1222021,1222650,1222896,1227127,1228265,1230371,1231396,1231423,1231838,1233726
This update for supportutils fixes the following issues:
- Version update 3.2.10, bugfixing.
+ Collect firewalld configuration
+ Ignore tasks/threads to prevent collecting duplicate data (bsc#1230371).
+ openldap2_5 support for SLES (bsc#1231838).
+ Added dbus_info for dbus.txt (bsc#1222650).
+ Map running PIDs to RPM package owner aiding BPF program detection (bsc#1222896, bsc#1213291, PED-8221).
+ Corrected display issues (bsc#1231396, bsc#1217287).
+ NFS takes too long, showmount times out (bsc#1231423).
+ Merged sle15 and master branches (bsc#1233726, PED-11669).
+ Extended scaling for performance (bsc#1214713).
+ Corrected SLE Micro version (bsc#1219241).
+ Check nvidida-persistenced state (bsc#1219639).
+ Corrected podman .ID error (bsc#1218812).
+ Remove duplicate non-root podman users (bsc#1218814).
+ Fixed smart disk error (bsc#1218282).
+ Fixed ipvsadm logic error (bsc#1218324).
+ Correctly detects Xen Dom0 (bsc#1218201).
+ Inhibit the conversion of port numbers to port names for network files.
+ powerpc: collect rtas_errd.log and lp_diag.log log files.
+ Get list of pam.d files.
+ Provides long listing for /etc/sssd/sssd.conf (bsc#1211547).
+ Optimize lsof usage (bsc#1183663).
+ Added mokutil commands for secureboot.
+ ipset - List entries for all sets.
+ Added nvme-stas configuration to nvme.txt (bsc#1216049).
+ Collects zypp history file (bsc#1216522).
+ Collect HA related rpm package versions in ha.txt
+ Change -x OPTION to really be exclude only
+ Fixed kernel and added user live patching (PED-4524).
+ Fixed plugins creating empty files (bsc#1216388).
+ Remove supportutils requires for util-linux-systemd and kmod (bsc#1193173).
+ Added supportutils to current (PED-4456).
+ Changed config directory to /etc/supportutuils for all conf and header.txt (bsc#1216232).
+ Fixed supportconfig using external test command (bsc#1216150) and kdump,
analyzevmcore errors (bsc#1216146).
+ Support has been removed for scplugin.rc, use supportconfig.rc (bsc#1216241).
+ Remove check_service function from supportconfig.rc (bsc#1216231).
+ Removed older versions of SLES_VER (bsc#1216147).
+ Added timed command to fs-files.txt (bsc#1216827).
+ Cron and At are replaced with systemd.timer (bsc#1216229).
+ Offers apparmor or selinux based on configuration (bsc#1216233).
+ Filted proc access errors (bsc#1216151).
+ Remove all SuSE-release references (bsc#1216228).
+ Remove references to /etc/init.d (bsc#1216230).
+ Add capability in supportconfig to insert configs in summary.xml from command line option (bsc#1222021).
+ file sanitizing improvement request for boot (bsc#1227127).
+ Add 'read_values -s' output to supportconfig on s390x (bsc#1228265).
+ Usability enhancement for supportconfig (PED-8211).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1198-1
Released: Fri Apr 11 09:46:09 2025
Summary: Recommended update for glibc
Type: recommended
Severity: important
References: 1234128,1234713,1239883
This update for glibc fixes the following issues:
- Fix the lost wakeup from a bug in signal stealing (bsc#1234128)
- Mark functions in libc_nonshared.a as hidden (bsc#1239883)
- Bump minimal kernel version to 4.3 to enable use of direct socketcalls
on x86-32 and s390x (bsc#1234713)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1201-1
Released: Fri Apr 11 12:15:58 2025
Summary: Security update for expat
Type: security
Severity: important
References: 1239618,CVE-2024-8176
This update for expat fixes the following issues:
- CVE-2024-8176: Fixed denial of service from chaining a large number of entities caused
by stack overflow by resolving use of recursion (bsc#1239618)
Other fixes:
- version update to 2.7.1 (jsc#PED-12500)
Bug fixes:
#980 #989 Restore event pointer behavior from Expat 2.6.4
(that the fix to CVE-2024-8176 changed in 2.7.0);
affected API functions are:
- XML_GetCurrentByteCount
- XML_GetCurrentByteIndex
- XML_GetCurrentColumnNumber
- XML_GetCurrentLineNumber
- XML_GetInputContext
Other changes:
#976 #977 Autotools: Integrate files 'fuzz/xml_lpm_fuzzer.{cpp,proto}'
with Automake that were missing from 2.7.0 release tarballs
#983 #984 Fix printf format specifiers for 32bit Emscripten
#992 docs: Promote OpenSSF Best Practices self-certification
#978 tests/benchmark: Resolve mistaken double close
#986 Address compiler warnings
#990 #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1)
to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/
for what these numbers do
Infrastructure:
#982 CI: Start running Perl XML::Parser integration tests
#987 CI: Enforce Clang Static Analyzer clean code
#991 CI: Re-enable warning clang-analyzer-valist.Uninitialized
for clang-tidy
#981 CI: Cover compilation with musl
#983 #984 CI: Cover compilation with 32bit Emscripten
#976 #977 CI: Protect against fuzzer files missing from future
release archives
- version update to 2.7.0
#935 #937 Autotools: Make generated CMake files look for
libexpat. at SO_MAJOR@.dylib on macOS
#925 Autotools: Sync CMake templates with CMake 3.29
#945 #962 #966 CMake: Drop support for CMake <3.13
#942 CMake: Small fuzzing related improvements
#921 docs: Add missing documentation of error code
XML_ERROR_NOT_STARTED that was introduced with 2.6.4
#941 docs: Document need for C++11 compiler for use from C++
#959 tests/benchmark: Fix a (harmless) TOCTTOU
#944 Windows: Fix installer target location of file xmlwf.xml
for CMake
#953 Windows: Address warning -Wunknown-warning-option
about -Wno-pedantic-ms-format from LLVM MinGW
#971 Address Cppcheck warnings
#969 #970 Mass-migrate links from http:// to https://
#947 #958 ..
#974 #975 Document changes since the previous release
#974 #975 Version info bumped from 11:0:10 (libexpat*.so.1.10.0)
to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/
for what these numbers do
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1217-1
Released: Sun Apr 13 12:16:40 2025
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: important
References: 1240343
This update for ca-certificates-mozilla fixes the following issues:
- Reenable the distrusted certs for now. as these only
distrust 'new issued' certs starting after a certain date,
while old certs should still work. (bsc#1240343)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1242-1
Released: Mon Apr 14 12:43:18 2025
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1235481,1236033
This update for aaa_base fixes the following issues:
- SP6 logrotate and rcsyslog binary (bsc#1236033)
- Update detection for systemd in rc.status
- Mountpoint for cgroup changed with cgroup2
- If a user switches the login shell respect the already set PATH
environment (bsc#1235481)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1245-1
Released: Mon Apr 14 13:31:49 2025
Summary: Recommended update for pkg-config
Type: recommended
Severity: moderate
References: 1237374
This update for rsync fixes the following issues:
- Security scan found old glib in pkg-config (bsc#1237374).
- This update for pkg-config changes attribute to the author who actually
makes the change
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1291-1
Released: Wed Apr 16 09:41:51 2025
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References:
This update for timezone fixes the following issues:
- Version update 2025b
* New zone for Aysen Region in Chile (America/Coyhaique) which
moves from -04/-03 to -03
- Refresh patches for philippines historical data and china tzdata
-----------------------------------------------------------------
Advisory ID: SUSE-Manager-5.0-2025-1297
Released: Wed Apr 16 09:57:14 2025
Summary: Security update for Multi-Linux Manager 5.0: Server, Proxy and Retail Server
Type: security
Severity: moderate
References: 1221505,1225287,1226273,1227118,1227859,1231983,1233500,1234033,1234202,1234226,1234442,1235527,1235696,1235825,1235853,1235970,1236011,1236118,1236166,1236234,1236268,1236323,1236601,1236625,1236678,1236707,1237060,1237403,1237535,1237694,1238924,1239826,1240960,CVE-2025-23392
Security update for Multi-Linux Manager 5.0: Server, Proxy and Retail Branch Server:
This is a codestream only update
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1318-1
Released: Wed Apr 16 10:10:17 2025
Summary: Recommended update for salt
Type: recommended
Severity: moderate
References: 1215484,1220905,1230642,1230944,1231605,1234022,1234881
This update for salt fixes the following issues:
- Adapted to removal of hex attribute in pygit2 v1.15.0 (bsc#1230642)
- Added DEB822 apt repository format support
- Detect openEuler as RedHat family OS
- Enhanced batch async and fixed some detected issues
- Enhanced smart JSON parsing when garbage is present (bsc#1231605)
- Ensure the correct crypt module is loaded
- Fixed aptpkg 'NoneType object has no attribute split' error
- Fixed crash due wrong client reference on `SaltMakoTemplateLookup`
- Fixed error to stat '/root/.gitconfig' on gitfs (bsc#1230944, bsc#1234881, bsc#1220905)
- Fixed issue of using update-alternatives with alts
- Fixed issues running on Python 3.12 and 3.13
- Fixed tests failures after 'repo.saltproject.io' deprecation
- Fixed virt_query outputter and added support for block devices
- Fixed virtual grains for VMs running on Nutanix AHV (bsc#1234022)
- Implemented multiple inventory for ansible.targets
- Made _auth calls visible with master stats
- Made Salt-SSH work with all SSH passwords (bsc#1215484)
- Made x509 module compatible with M2Crypto 0.44.0
- Moved logrotate config to /usr/etc/logrotate.d where possible
- Removed deprecated code from x509.certificate_managed test mode
- Repaired mount.fstab_present always returning pending changes
- Set virtual grain in Podman systemd container
- Enhancements of Salt packaging:
* Use update-alternatives for all salt scripts
* Use flexible dependencies for the subpackages
* Made salt-minion to require flavored zypp-plugin
* Made zyppnotify to use update-alternatives
* Dropped unused yumnotify plugin
* Added dependency to python3-dnf-plugins-core for RHEL based
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1319-1
Released: Wed Apr 16 10:13:10 2025
Summary: Recommended update for golang-github-prometheus-node_exporter, system-user-prometheus
Type: recommended
Severity: moderate
References: 1235516
This update for golang-github-prometheus-node_exporter and system-user-prometheus fixes the following issues:
golang-github-prometheus-node_exporter was updated from version 1.7.0 to version 1.9.0 (jsc#PED-12485):
- Packaging improvements:
* Use `systemd-sysusers` to configure the user in a dedicated
'system-user-prometheus' subpackage (bsc#1235516)
* Remove `systemd` and `shadow` hard requirements
- Version 1.9.0:
* [CHANGE] meminfo: Convert linux implementation to use procfs lib
* [CHANGE] Update logging to use Go log/slog
* [FEATURE] filesystem: Add node_filesystem_mount_info metric
* [FEATURE] btrfs: Add metrics for commit statistics
* [FEATURE] interrupts: Add collector include/exclude filtering
* [FEATURE] interrupts: Add 'exclude zeros' filtering
* [FEATURE] slabinfo: Add filters for slab name.
* [FEATURE] pressure: add IRQ PSI metrics
* [FEATURE] hwmon: Add include and exclude filter for sensors
* [FEATURE] filesystem: Add NetBSD support
* [FEATURE] netdev: Add ifAlias label
* [FEATURE] hwmon: Add Support for GPU Clock Frequencies
* [FEATURE] Add exclude[] URL parameter
* [FEATURE] Add AIX support
* [FEATURE] filesystem: Add fs-types/mount-points include flags
* [FEATURE] netstat: Add collector for tcp packet counters for FreeBSD.
* [ENHANCEMENT] ethtool: Add logging for filtering flags
* [ENHANCEMENT] netstat: Add TCPRcvQDrop to default metrics
* [ENHANCEMENT] diskstats: Add block device rotational
* [ENHANCEMENT] cpu: Support CPU online status
* [ENHANCEMENT] arp: optimize interface name resolution
* [ENHANCEMENT] textfile: Allow specifiying multiple directoryglobs
* [ENHANCEMENT] filesystem: Add reporting of purgeable space on MacOS
* [ENHANCEMENT] ethtool: Skip full scan of NetClass directories
* [BUGFIX] zfs: Prevent procfs integer underflow
* [BUGFIX] pressure: Fix collection on systems that do not expose a full CPU stat
* [BUGFIX] cpu: Fix FreeBSD 32-bit host support and plug memory leak
* [BUGFIX] hwmon: Add safety check to hwmon read
* [BUGFIX] zfs: Allow space in dataset name
- Version 1.8.2:
* [BUGFIX] Fix CPU pressure metric collection
- Version 1.8.1:
* [BUGFIX] Fix CPU seconds on Solaris
* [BUGFIX] Sign Darwin/MacOS binaries
* [BUGFIX] Fix pressure collector nil reference
- Version 1.8.0:
* [CHANGE] exec_bsd: Fix labels for vm.stats.sys.v_syscall sysctl
* [CHANGE] diskstats: Ignore zram devices on linux systems
* [CHANGE] textfile: Avoid inconsistent help-texts
* [CHANGE] os: Removed caching of modtime/filename of os-release file
* [FEATURE] xfrm: Add new collector
* [FEATURE] watchdog: Add new collector
* [ENHANCEMENT] cpu_vulnerabilities: Add mitigation information label
* [ENHANCEMENT] nfsd: Handle new wdeleg_getattr attribute
* [ENHANCEMENT] netstat: Add TCPOFOQueue to default netstat metrics
* [ENHANCEMENT] filesystem: surface device errors
* [ENHANCEMENT] os: Add support end parsing
* [ENHANCEMENT] zfs: Log mib when sysctl read fails on FreeBSD
* [ENHANCEMENT] fibre_channel: update procfs to take into account optional attributes
* [BUGFIX] cpu: Fix debug log in cpu collector
* [BUGFIX] hwmon: Fix hwmon nil ptr
* [BUGFIX] hwmon: Fix hwmon error capture
* [BUGFIX] zfs: Revert 'Add ZFS freebsd per dataset stats
* [BUGFIX] ethtool: Sanitize ethtool metric name keys
* [BUGFIX] fix: data race of NetClassCollector metrics initialization
system-user-prometheus:
- Implemented `system-user-prometheus` as new requirement for `golang-github-prometheus-node_exporter`
The following package changes have been done:
- crypto-policies-20230920.570ea89-150600.3.9.2 updated
- ca-certificates-mozilla-2.74-150200.41.1 updated
- libexpat1-2.7.1-150400.3.28.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.28.2 updated
- liblzma5-5.4.1-150600.3.3.1 updated
- libxml2-2-2.10.3-150500.5.23.1 updated
- libudev1-254.24-150600.4.28.1 updated
- libgcrypt20-1.10.3-150600.3.3.1 updated
- libzypp-17.36.3-150600.3.50.1 updated
- zypper-1.14.85-150600.10.28.1 updated
- glibc-locale-base-2.38-150600.14.26.1 updated
- pkg-config-0.29.2-150600.15.6.3 updated
- libapparmor1-3.1.7-150600.5.3.2 updated
- libsystemd0-254.24-150600.4.28.1 updated
- systemd-254.24-150600.4.28.1 updated
- glibc-2.38-150600.14.26.1 updated
- timezone-2025b-150600.91.6.2 updated
- libX11-data-1.8.7-150600.3.3.1 updated
- libarchive13-3.7.2-150600.3.12.1 updated
- libfreebl3-3.101.2-150400.3.54.1 updated
- libgif7-5.2.2-150000.4.16.1 updated
- libopenssl1_1-1.1.1w-150600.5.12.2 updated
- libpq5-17.4-150600.13.10.1 updated
- libprocps8-3.3.17-150000.7.42.1 updated
- libtextstyle0-0.21.1-150600.3.3.2 updated
- libxml2-tools-2.10.3-150500.5.23.1 updated
- libxslt1-1.1.34-150400.3.6.1 updated
- openssh-common-9.6p1-150600.6.18.4 updated
- release-notes-susemanager-5.0.4-150600.11.29.1 updated
- susemanager-schema-utility-5.0.14-150600.3.12.11 updated
- system-user-prometheus-1.0.0-150000.14.2 updated
- uyuni-config-modules-5.0.13-150600.3.12.5 updated
- vim-data-common-9.1.1176-150500.20.24.2 updated
- xz-5.4.1-150600.3.3.1 updated
- glibc-locale-2.38-150600.14.26.1 updated
- libpython3_6m1_0-3.6.15-150300.10.84.1 updated
- python3-base-3.6.15-150300.10.84.1 updated
- python3-3.6.15-150300.10.84.1 updated
- python3-curses-3.6.15-150300.10.84.1 updated
- libfreetype6-2.10.4-150000.4.18.1 updated
- postgresql16-16.8-150600.16.15.1 updated
- procps-3.3.17-150000.7.42.1 updated
- gettext-runtime-0.21.1-150600.3.3.2 updated
- libxslt-tools-1.1.34-150400.3.6.1 updated
- glibc-devel-2.38-150600.14.26.1 updated
- mozilla-nss-certs-3.101.2-150400.3.54.1 updated
- openssh-fips-9.6p1-150600.6.18.4 updated
- susemanager-docs_en-5.0.4-150600.11.12.5 updated
- spacewalk-java-lib-5.0.24-150600.3.25.1 updated
- golang-github-prometheus-node_exporter-1.9.0-150100.3.32.3 updated
- libX11-6-1.8.7-150600.3.3.1 updated
- vim-9.1.1176-150500.20.24.2 updated
- perl-Term-ReadKey-2.37-150000.3.2.1 updated
- openssh-server-9.6p1-150600.6.18.4 updated
- openssh-clients-9.6p1-150600.6.18.4 updated
- libgnutls30-3.8.3-150600.4.6.2 updated
- python3-zypp-plugin-0.6.5-150600.18.5.1 updated
- python3-uyuni-common-libs-5.0.6-150600.2.6.5 updated
- python3-M2Crypto-0.44.0-150600.19.3.1 updated
- postgresql16-server-16.8-150600.16.15.1 updated
- gettext-tools-0.21.1-150600.3.3.2 updated
- supportutils-3.2.10-150600.3.6.5 updated
- mozilla-nss-3.101.2-150400.3.54.1 updated
- libsoftokn3-3.101.2-150400.3.54.1 updated
- susemanager-docs_en-pdf-5.0.4-150600.11.12.5 updated
- susemanager-schema-5.0.14-150600.3.12.11 updated
- susemanager-sync-data-5.0.11-150600.3.16.3 updated
- openssh-9.6p1-150600.6.18.4 updated
- grub2-2.12-150600.8.21.2 updated
- grub2-i386-pc-2.12-150600.8.21.2 updated
- libvirt-libs-10.0.0-150600.8.9.1 updated
- python3-tempora-1.8-150200.3.6.1 updated
- python3-libxml2-2.10.3-150500.5.23.1 updated
- postgresql16-contrib-16.8-150600.16.15.1 updated
- samba-client-libs-4.19.8+git.404.38b26805d4-150600.3.12.2 updated
- grub2-x86_64-efi-2.12-150600.8.21.2 updated
- grub2-powerpc-ieee1275-2.12-150600.8.21.2 updated
- grub2-arm64-efi-2.12-150600.8.21.2 updated
- spacecmd-5.0.12-150600.4.12.5 updated
- python3-Jinja2-2.10.1-150000.3.21.1 updated
- python3-dmidecode-3.12.3-150400.24.1 updated
- spacewalk-backend-sql-postgresql-5.0.12-150600.4.12.10 updated
- tomcat-servlet-4_0-api-9.0.102-150200.78.1 updated
- tomcat-el-3_0-api-9.0.102-150200.78.1 updated
- apache-commons-io-2.18.0-150200.3.15.1 updated
- apache-commons-daemon-1.4.0-150200.11.17.1 updated
- apache-commons-cli-1.9.0-150200.3.9.1 updated
- spacewalk-base-minimal-5.0.18-150600.3.18.1 updated
- spacewalk-config-5.0.6-150600.3.9.5 updated
- tomcat-jsp-2_3-api-9.0.102-150200.78.1 updated
- netty-4.1.118-150200.4.29.2 updated
- apache-commons-logging-1.3.4-150200.11.9.1 updated
- spacewalk-base-minimal-config-5.0.18-150600.3.18.1 updated
- tomcat-lib-9.0.102-150200.78.1 updated
- spacewalk-backend-5.0.12-150600.4.12.10 updated
- python3-spacewalk-client-tools-5.0.9-150600.4.9.11 updated
- spacewalk-client-tools-5.0.9-150600.4.9.11 updated
- spacewalk-base-5.0.18-150600.3.18.1 updated
- subscription-matcher-0.39-150600.3.3.5 updated
- salt-3006.0-150500.4.50.3 updated
- python3-salt-3006.0-150500.4.50.3 updated
- python3-apache-libcloud-3.3.1-150300.3.6.1 updated
- fence-agents-4.13.1+git.1704296072.32469f29-150600.3.17.3 updated
- spacewalk-backend-sql-5.0.12-150600.4.12.10 updated
- python3-spacewalk-certs-tools-5.0.9-150600.3.9.5 updated
- spacewalk-certs-tools-5.0.9-150600.3.9.5 updated
- spacewalk-admin-5.0.10-150600.3.8.5 updated
- tomcat-9.0.102-150200.78.1 updated
- salt-master-3006.0-150500.4.50.3 updated
- spacewalk-backend-server-5.0.12-150600.4.12.10 updated
- susemanager-sls-5.0.13-150600.3.12.5 updated
- spacewalk-java-postgresql-5.0.24-150600.3.25.1 updated
- spacewalk-java-config-5.0.24-150600.3.25.1 updated
- salt-api-3006.0-150500.4.50.3 updated
- spacewalk-backend-xmlrpc-5.0.12-150600.4.12.10 updated
- spacewalk-backend-xml-export-libs-5.0.12-150600.4.12.10 updated
- spacewalk-backend-package-push-server-5.0.12-150600.4.12.10 updated
- spacewalk-backend-iss-5.0.12-150600.4.12.10 updated
- spacewalk-backend-app-5.0.12-150600.4.12.10 updated
- spacewalk-html-5.0.18-150600.3.18.1 updated
- spacewalk-taskomatic-5.0.24-150600.3.25.1 updated
- spacewalk-java-5.0.24-150600.3.25.1 updated
- spacewalk-backend-iss-export-5.0.12-150600.4.12.10 updated
- patterns-suma_retail-5.0-150600.6.6.5 updated
- susemanager-tools-5.0.12-150600.3.12.5 updated
- spacewalk-backend-tools-5.0.12-150600.4.12.10 updated
- susemanager-5.0.12-150600.3.12.5 updated
- patterns-suma_server-5.0-150600.6.6.5 updated
- container:suse-manager-5.0-init-5.0.4-5.0.4-7.12.15 added
- container:suse-manager-5.0-init-5.0.3-5.0.3-7.9.5 removed
- java-11-openjdk-11.0.26.0-150000.3.122.1 removed
- java-11-openjdk-headless-11.0.26.0-150000.3.122.1 removed
- libgraphite2-3-1.3.14-150600.1.5 removed
- libharfbuzz0-8.3.0-150600.1.3 removed
More information about the sle-container-updates
mailing list