SUSE-CU-2025:2772-1: Security update of rancher/elemental-operator

sle-container-updates at lists.suse.com
Wed Apr 23 13:54:28 UTC 2025


SUSE Container Update Advisory: rancher/elemental-operator
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:2772-1
Container Tags        : rancher/elemental-operator:1.6.8 , rancher/elemental-operator:1.6.8-7.1 , rancher/elemental-operator:latest
Container Release     : 7.1
Severity              : important
Type                  : security
References            : 1233699 1234665 1236282 1236878 1237498 1238700 1239335 CVE-2024-12133
                        CVE-2025-0395 CVE-2025-22869 CVE-2025-22870 
-----------------------------------------------------------------

The container rancher/elemental-operator was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 224
Released:    Wed Mar  5 17:35:03 2025
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1233699,1234665,1236282,CVE-2025-0395
This update for glibc fixes the following issues:
  
- CVE-2025-0395: Fixed buffer overflow in the assert() function (bsc#1236282).

Other fixes:
- Fix underallocation of abort_msg_s struct
- Correctly determine livepatching support
- Remove nss-systemd from default nsswitch.conf (bsc#1233699)


-----------------------------------------------------------------
Advisory ID: 262
Released:    Mon Mar 31 08:37:17 2025
Summary:     Recommended update for elemental-operator
Type:        recommended
Severity:    moderate
References:  1237498
This update for elemental-operator fixes the following issues:

- Update to version 1.6.7:
  * Bump default operator channel to Micro 6.1 images
  * [v1.6.x][BACKPORT] seedimage: clean-up service on image download deadline (bsc#1237498)
  * No need to install yq neither to create a GH release

-----------------------------------------------------------------
Advisory ID: 266
Released:    Tue Apr  1 12:11:15 2025
Summary:     Security update for libtasn1
Type:        security
Severity:    important
References:  1236878,CVE-2024-12133
This update for libtasn1 fixes the following issues:

- CVE-2024-12133: Fixed potential DoS in handling of numerous SEQUENCE OF or SET OF elements (bsc#1236878).

-----------------------------------------------------------------
Advisory ID: 284
Released:    Fri Apr 11 12:57:37 2025
Summary:     Security update for elemental-operator
Type:        security
Severity:    important
References:  1238700,1239335,CVE-2025-22869,CVE-2025-22870
This update for elemental-operator fixes the following issues:

- Updated to version 1.6.8:
  * Deactivated e2e workflow
  * Updated header year
  * CVE-2025-22870: golang.org/x/net/proxy: Fixed proxy bypass using IPv6 zone IDs (bsc#1238700)
  * CVE-2025-22869: golang.org/x/crypto/ssh: Fixed Denial of Service in the Key Exchange (bsc#1239335)


The following package changes have been done:

- elemental-operator-1.6.8-2.1 updated
- glibc-2.38-8.1 updated
- libtasn1-6-4.19.0-4.1 updated
- container:suse-toolbox-image-1.0.0-7.11 updated

