SUSE-IU-2025:2299-1: Security update of suse/sl-micro/6.0/base-os-container

sle-container-updates at lists.suse.com sle-container-updates at lists.suse.com
Sat Aug 9 07:25:03 UTC 2025 

SUSE Image Update Advisory: suse/sl-micro/6.0/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2299-1
Image Tags        : suse/sl-micro/6.0/base-os-container:2.1.3 , suse/sl-micro/6.0/base-os-container:2.1.3-7.37 , suse/sl-micro/6.0/base-os-container:latest
Image Release     : 7.37
Severity          : important
Type              : security
References        : 1218459 1240414 1245985 1246038 1246466 1247054 1247690 CVE-2025-31115
-----------------------------------------------------------------

The container suse/sl-micro/6.0/base-os-container was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 411
Released:    Fri Aug  8 09:43:25 2025
Summary:     Recommended update for zypper, libzypp
Type:        recommended
Severity:    important
References:  1218459,1245985,1246038,1246466,1247054,1247690
This update for zypper, libzypp fixes the following issues:

libzypp was updated to 17.37.16:

  - Fix evaluation of libproxy results (bsc#1247690)
  - Replace URL variables inside mirrorlist/metalink files
    (fixes #667)
  - Append RepoInfo::path() to the mirror URLs in Preloader
    (bsc#1247054)
  - During installation indicate the backend being used (bsc#1246038)
    If some package actually needs to know, it should test for
    ZYPP_CLASSIC_RPMTRANS being set in the environment.
    Otherwise the transaction is driven by librpm.
  - Workaround 'rpm -vv' leaving scriptlets /var/tmp (bsc#1218459)
  - Verbose log libproxy results if PX_DEBUG=1 is set.
  - BuildRequires:  cmake >= 3.17.
  - Fix evaluation of libproxy results (bsc#1247690)
  - Replace URL variables inside mirrorlist/metalink files
    (fixes #667)
  - Append RepoInfo::path() to the mirror URLs in Preloader
    (bsc#1247054)
  - During installation indicate the backend being used (bsc#1246038)
    If some package actually needs to know, it should test for
    ZYPP_CLASSIC_RPMTRANS being set in the environment.
    Otherwise the transaction is driven by librpm.
  - Workaround 'rpm -vv' leaving scriptlets /var/tmp (bsc#1218459)
  - Verbose log libproxy results if PX_DEBUG=1 is set.
  - BuildRequires:  cmake >= 3.17.

zypper was updated to 1.14.93:

  - Fix addrepo to handle explicit --check and --no-check requests
    (bsc#1246466)
  - Accept 'show' as alias for 'info' (bsc#1245985)
  - Fix addrepo to handle explicit --check and --no-check requests
    (bsc#1246466)
  - Accept 'show' as alias for 'info' (bsc#1245985)

-----------------------------------------------------------------
Advisory ID: 412
Released:    Fri Aug  8 12:14:29 2025
Summary:     Security update for xz
Type:        security
Severity:    important
References:  1240414,CVE-2025-31115
This update for xz fixes the following issues:

- CVE-2025-31115: Fixed heap use after free and writing to an address based on the null pointer plus an offset  (bsc#1240414)


The following package changes have been done:

- liblzma5-5.4.3-5.1 updated
- xz-5.4.3-5.1 updated
- SL-Micro-release-6.0-25.39 updated
- libzypp-17.37.16-1.1 updated
- zypper-1.14.93-1.1 updated
- container:suse-toolbox-image-1.0.0-9.22 updated

More information about the sle-container-updates mailing list