SUSE-CU-2025:6371-1: Security update of suse/sl-micro/6.0/toolbox

sle-container-updates at lists.suse.com
Wed Aug 20 14:29:14 UTC 2025


SUSE Container Update Advisory: suse/sl-micro/6.0/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6371-1
Container Tags        : suse/sl-micro/6.0/toolbox:13.2 , suse/sl-micro/6.0/toolbox:13.2-9.26 , suse/sl-micro/6.0/toolbox:latest
Container Release     : 9.26
Severity              : important
Type                  : security
References            : 1245309 1245310 1245311 1245312 1245314 1245317 1246597 CVE-2025-4877
                        CVE-2025-4878 CVE-2025-5318 CVE-2025-5351 CVE-2025-5372 CVE-2025-5987
                        CVE-2025-6965 
-----------------------------------------------------------------

The container suse/sl-micro/6.0/toolbox was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 419
Released:    Thu Aug 14 11:26:49 2025
Summary:     Security update for libssh
Type:        security
Severity:    important
References:  1245309,1245310,1245311,1245312,1245314,1245317,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5351,CVE-2025-5372,CVE-2025-5987
This update for libssh fixes the following issues:

- CVE-2025-5372: ssh_kdf() returns a success code on certain failures (bsc#1245314)
- CVE-2025-5987: Invalid return code for chacha20 poly1305 with OpenSSL backend (bsc#1245317)
- CVE-2025-4877: Write beyond bounds in binary to base64 conversion functions (bsc#1245309)
- CVE-2025-4878: Use of uninitialized variable in privatekey_from_file() (bsc#1245310)
- CVE-2025-5318: Likely read beyond bounds in sftp server handle management (bsc#1245311)
- CVE-2025-5351: Double free in functions exporting keys (bsc#1245312)


-----------------------------------------------------------------
Advisory ID: 428
Released:    Wed Aug 20 13:36:54 2025
Summary:     Security update for sqlite3
Type:        security
Severity:    important
References:  1246597,CVE-2025-6965
This update for sqlite3 fixes the following issues:

- Update to 3.50.2:
  * Fix the concat_ws() SQL function so that it includes empty
    strings in the concatenation.
  * Avoid writing frames with no checksums into the wal file if a
    savepoint is rolled back after dirty pages have already been
    spilled into the wal file.
  * Fix the Bitvec object to avoid stack overflow when the
    database is within 60 pages of its maximum size.
  * Fix a problem with UPDATEs on fts5 tables that contain BLOB
    values.
  * Fix an issue with transitive IS constraints on a RIGHT JOIN.
  * CVE-2025-6965: Fixed Integer Truncation in SQLite (bsc#1246597)
  * Ensure that sqlite3_setlk_timeout() holds the database mutex.

- Update to 3.50 (3.50.1):
  * Improved handling and robust output of control characters
  * sqlite3_rsync no longer requires WAL mode and needs less
    bandwidth
  * Bug fixes and optimized JSON handling
  * Performance optimizations and developer visible fixes

- Update to release 3.49.2:
  * Fix a bug in the NOT NULL optimization of version 3.40.0 that
    can lead to a memory error if abused.
  * Fix the count-of-view optimization so that it does not give an
    incorrect answer for a DISTINCT query.
  * Fix a possible incorrect answer that can result if a UNIQUE
    constraint of a table contains the PRIMARY KEY column and that
    UNIQUE constraint is used by an IN operator.
  * Fix obscure problems with the generate_series() extension
    function.
  * Incremental improvements to the configure/make.

- Add subpackage for the lemon parser generator.


The following package changes have been done:

- SL-Micro-release-6.0-25.42 updated
- libsqlite3-0-3.50.2-1.1 updated
- libssh-config-0.10.6-2.1 updated
- libssh4-0.10.6-2.1 updated
- skelcd-EULA-SL-Micro-2024.01.19-8.41 updated

