SUSE-CU-2025:6177-1: Security update of bci/bci-base-fips

sle-container-updates at lists.suse.com sle-container-updates at lists.suse.com
Mon Aug 18 08:59:01 UTC 2025 

SUSE Container Update Advisory: bci/bci-base-fips
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6177-1
Container Tags        : bci/bci-base-fips:15.6 , bci/bci-base-fips:15.6.32.11
Container Release     : 32.11
Severity              : important
Type                  : security
References            : 1233012 1243273 1244032 1244056 1244059 1244060 1244061 1244401
                        1244705 1247249 831629 CVE-2024-12718 CVE-2025-4138 CVE-2025-4330
                        CVE-2025-4435 CVE-2025-4516 CVE-2025-4517 CVE-2025-6069 CVE-2025-8194
-----------------------------------------------------------------

The container bci/bci-base-fips was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2720-1
Released:    Thu Aug  7 05:38:44 2025
Summary:     Recommended update for crypto-policies
Type:        recommended
Severity:    moderate
References:  
This update for crypto-policies fixes the following issues:

- Update the BSI policy (jsc#PED-12880)
    * BSI: switch to 3072 minimum RSA key size
    * BSI: Update BSI policy for new 2024 minimum

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2778-1
Released:    Wed Aug 13 08:45:57 2025
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1233012,1243273,1244032,1244056,1244059,1244060,1244061,1244401,1244705,1247249,831629,CVE-2024-12718,CVE-2025-4138,CVE-2025-4330,CVE-2025-4435,CVE-2025-4516,CVE-2025-4517,CVE-2025-6069,CVE-2025-8194
This update for python3 fixes the following issues:

- CVE-2025-4516: use-after-free in the unicode-escape decoder when using the error handler (bsc#1243273).
- CVE-2024-12718: Fixed extraction filter bypass that allowed file metadata modification outside extraction directory (bsc#1244056)
- CVE-2025-4138: Fixed issue that might allow symlink targets to point outside the destination directory, and the modification of some file metadata (bsc#1244059)
- CVE-2025-4330: Fixed extraction filter bypass that allowed linking outside extraction directory (bsc#1244060)
- CVE-2025-4435: Fixed Tarfile extracts filtered members when errorlevel=0 (bsc#1244061)
- CVE-2025-4517: Fixed arbitrary filesystem writes outside the extraction directory during extraction with filter='data' (bsc#1244032)
- CVE-2025-6069: Fixed worst case quadratic complexity when processing certain crafted malformed inputs with HTMLParser (bsc#1244705)
- CVE-2025-8194: Fixed denial of service caused by tar archives with negative offsets (bsc#1247249)
    
Other fixes:
- Limit buffer size for IPv6 address parsing (bsc#1244401).


The following package changes have been done:

- crypto-policies-scripts-20230920.570ea89-150600.3.12.1 updated
- crypto-policies-20230920.570ea89-150600.3.12.1 updated
- python3-base-3.6.15-150300.10.97.1 updated
- libpython3_6m1_0-3.6.15-150300.10.97.1 updated
- container:registry.suse.com-bci-bci-base-15.6-005770759dcf00d155a6a603323da3e031fdf5f080aa25f945a31477a5127659-0 updated

More information about the sle-container-updates mailing list