SUSE-CU-2025:2773-1: Security update of rancher/seedimage-builder

sle-container-updates at lists.suse.com
Wed Apr 23 13:54:41 UTC 2025


SUSE Container Update Advisory: rancher/seedimage-builder
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:2773-1
Container Tags        : rancher/seedimage-builder:1.6.8 , rancher/seedimage-builder:1.6.8-7.1 , rancher/seedimage-builder:latest
Container Release     : 7.1
Severity              : important
Type                  : security
References            : 1220338 1223596 1229228 1230145 1231048 1231472 1232227 1232844
                        1233289 1233322 1233699 1233752 1234015 1234313 1234665 1234765
                        1235151 1236282 1236588 1236590 1236619 1236878 1237363 1237370
                        1237418 1237498 1238700 1239335 CVE-2024-12133 CVE-2024-56171
                        CVE-2025-0167 CVE-2025-0395 CVE-2025-0725 CVE-2025-22869 CVE-2025-22870
                        CVE-2025-24528 CVE-2025-24928 CVE-2025-27113
-----------------------------------------------------------------

The container rancher/seedimage-builder was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 224
Released:    Wed Mar  5 17:35:03 2025
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1233699,1234665,1236282,CVE-2025-0395
This update for glibc fixes the following issues:
  
- CVE-2025-0395: Fixed buffer overflow in the assert() function (bsc#1236282).

Other fixes:
- Fix underallocation of abort_msg_s struct
- Correctly determine livepatching support
- Remove nss-systemd from default nsswitch.conf (bsc#1233699)


-----------------------------------------------------------------
Advisory ID: 229
Released:    Mon Mar 10 14:39:19 2025
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  1223596,1230145
This update for e2fsprogs fixes the following issues:

- resize2fs: Check number of group descriptors only if meta_bg is disabled (bsc#1230145)
- EA Inode handling fixes
  * e2fsck: Add more checks for EA inode consistency (bsc#1223596)
  * e2fsck: Fix golden output of several tests (bsc#1223596)

-----------------------------------------------------------------
Advisory ID: 230
Released:    Tue Mar 11 11:01:13 2025
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1220338,1229228,1231048,1232227,1232844,1233752,1234015,1234313,1234765
This update for systemd fixes the following issues:

- Fixed agetty failing to open the credentials directory (bsc#1229228)
- hwdb: comment out the entry for Logitech MX Keys for Mac
- test: answer 2nd mdadm --create question for compat with new version
- core/unit-serialize: fix serialization of markers
- locale-setup: do not load locale from environment when /etc/locale.conf is unchanged
- core: fix assert when AddDependencyUnitFiles is called with invalid parameter
- Fix systemd-network recommending libidn2-devel (bsc#1234765)
- tpm2-util: Also retry unsealing after policy_pcr returns PCR_CHANGED (bsc#1233752 bsc#1234313)
- add an allow/denylist for reading sysfs attributes (bsc#1234015)
- udev: add new builtin net_driver
- udev-builtin-net_id: split-out pci_get_onboard_index() from dev_pci_onboard()
- udev-builtin-net_id: split-out get_pci_slot_specifiers()
- udev-builtin-net_id: introduce get_port_specifier() helper function
- udev-builtin-net_id: split out get_dev_port() and make its failure critical
- udev-builtin-net_id: split-out pci_get_hotplug_slot() and pci_get_hotplug_slot_from_address()
- udev-builtin-net_id: return earlier when hotplug slot is not found
- udev-builtin-net_id: skip non-directory entry earlier
- udev-builtin-net_id: make names_xen() self-contained
- udev-builtin-net_id: use sd_device_get_sysnum() to get index of netdevsim
- udev-builtin-net_id: make names_netdevsim() self-contained
- udev-builtin-net_id: make names_platform() self-contained
- udev-builtin-net_id: make names_vio() self-contained
- udev-builtin-net_id: make names_ccw() self-contained
- udev-builtin-net_id: make dev_devicetree_onboard() self-contained
- udev-builtin-net_id: make names_mac() self-contained
- udev-builtin-net_id: split out get_ifname_prefix()
- udev-builtin-net_id: swap arguments for streq() and friends
- udev-builtin-net_id: drop unused value from NetNameType
- drop efivar SystemdOptions (bsc#1220338)
  Upstream deprecated it and plans to drop it in the future.
- pid1: make clear that $WATCHDOG_USEC is set for the shutdown binary, no one else (bsc#1232227)
- udev: skipping empty udev rules file while collecting the stats (bsc#1232844)
- Clean up some remnants from when homed was in the experimental sub-package (bsc#1231048)
- restore some legacy symlinks

  Given that SLE16 will be based on SLFO, we have no choice but to continue
  supporting these compat symlinks. This compatibility code is no longer
  maintained in the Git repository though, as we primarily backport upstream
  commits these days. Additionally, the compat code rarely changes and often
  causes conflicts when merged into recent versions of systemd.


-----------------------------------------------------------------
Advisory ID: 239
Released:    Wed Mar 12 11:47:54 2025
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1235151,1236588,1236590,CVE-2025-0167,CVE-2025-0725
This update for curl fixes the following issues:

Security issues fixed:

- CVE-2025-0725: Fixed gzip integer overflow (bsc#1236590)
- CVE-2025-0167: Fixed netrc and default credential leak (bsc#1236588)

Other issues fixed:

- Make sure the TLS handshake after a successful STARTTLS command
  is fully done before further sending/receiving on the connection (bsc#1235151)

-----------------------------------------------------------------
Advisory ID: 244
Released:    Fri Mar 14 12:51:07 2025
Summary:     Recommended update for findutils
Type:        recommended
Severity:    moderate
References:  1231472
This update for findutils fixes the following issues:

- do not crash when a file system loop is encountered (bsc#1231472)
- added patches
- modified patches

-----------------------------------------------------------------
Advisory ID: 245
Released:    Fri Mar 14 12:55:02 2025
Summary:     Recommended update for elemental-toolkit
Type:        recommended
Severity:    moderate
References:  1233289,1233322
This update for elemental-toolkit fixes the following issues:

- Bump yip to v1.9.6 (bsc#1233322)
- Make lint happy
- Fix squashfs image creation (bsc#1233289)

-----------------------------------------------------------------
Advisory ID: 251
Released:    Wed Mar 19 11:42:10 2025
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1236619,CVE-2025-24528
This update for krb5 fixes the following issues:

- CVE-2025-24528: Prevent overflow when calculating ulog block size.
  An authenticated attacker can cause kadmind to write beyond the end
  of the mapped region for the iprop log file, likely causing a process
  crash (bsc#1236619).

-----------------------------------------------------------------
Advisory ID: 262
Released:    Mon Mar 31 08:37:17 2025
Summary:     Recommended update for elemental-operator
Type:        recommended
Severity:    moderate
References:  1237498
This update for elemental-operator fixes the following issues:

- Update to version 1.6.7:
  * Bump default operator channel to Micro 6.1 images
  * [v1.6.x][BACKPORT] seedimage: clean-up service on image download deadline (bsc#1237498)
  * No need to install yq, nor to create a GH release

-----------------------------------------------------------------
Advisory ID: 266
Released:    Tue Apr  1 12:11:15 2025
Summary:     Security update for libtasn1
Type:        security
Severity:    important
References:  1236878,CVE-2024-12133
This update for libtasn1 fixes the following issues:

- CVE-2024-12133: Fixed potential DoS in handling of numerous SEQUENCE OF or SET OF elements (bsc#1236878).

-----------------------------------------------------------------
Advisory ID: 272
Released:    Fri Apr  4 15:07:10 2025
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1237363,1237370,1237418,CVE-2024-56171,CVE-2025-24928,CVE-2025-27113
This update for libxml2 fixes the following issues:

- CVE-2024-56171: Fixed use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c (bsc#1237363).
- CVE-2025-24928: Fixed stack-based buffer overflow in xmlSnprintfElements in valid.c (bsc#1237370).
- CVE-2025-27113: Fixed NULL pointer dereference in xmlPatMatch (bsc#1237418).

-----------------------------------------------------------------
Advisory ID: 284
Released:    Fri Apr 11 12:57:37 2025
Summary:     Security update for elemental-operator
Type:        security
Severity:    important
References:  1238700,1239335,CVE-2025-22869,CVE-2025-22870
This update for elemental-operator fixes the following issues:

- Updated to version 1.6.8:
  * Deactivated e2e workflow
  * Updated header year
  * CVE-2025-22870: golang.org/x/net/proxy: Fixed proxy bypass using IPv6 zone IDs (bsc#1238700)
  * CVE-2025-22869: golang.org/x/crypto/ssh: Fixed Denial of Service in the Key Exchange (bsc#1239335)


The following package changes have been done:

- elemental-httpfy-1.6.8-2.1 updated
- elemental-seedimage-hooks-1.6.8-2.1 updated
- glibc-2.38-8.1 updated
- libtasn1-6-4.19.0-4.1 updated
- libcom_err2-1.47.0-3.1 updated
- libxml2-2-2.11.6-7.1 updated
- libext2fs2-1.47.0-3.1 updated
- libudev1-254.23-1.1 updated
- findutils-4.9.0-4.1 updated
- libsystemd0-254.23-1.1 updated
- glibc-locale-base-2.38-8.1 updated
- e2fsprogs-1.47.0-3.1 updated
- krb5-1.20.1-6.1 updated
- libcurl4-8.6.0-6.1 updated
- curl-8.6.0-6.1 updated
- systemd-254.23-1.1 updated
- udev-254.23-1.1 updated
- elemental-toolkit-2.1.2-1.1 updated
- container:suse-toolbox-image-1.0.0-7.11 updated
