SUSE-IU-2025:2354-1: Security update of suse/sl-micro/6.0/baremetal-os-container

sle-container-updates at lists.suse.com
Fri Aug 22 07:29:04 UTC 2025


SUSE Image Update Advisory: suse/sl-micro/6.0/baremetal-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2354-1
Image Tags        : suse/sl-micro/6.0/baremetal-os-container:2.1.3 , suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.73 , suse/sl-micro/6.0/baremetal-os-container:latest
Image Release     : 6.73
Severity          : important
Type              : security
References        : 1243581 1244554 1244555 1244557 1244580 1244700 1245309 1245310
                        1245311 1245312 1245314 1245317 1246296 1246360 1246472 1246597
                        1246608 CVE-2025-46836 CVE-2025-4877 CVE-2025-4878 CVE-2025-49794
                        CVE-2025-49795 CVE-2025-49796 CVE-2025-5318 CVE-2025-5351 CVE-2025-5372
                        CVE-2025-5987 CVE-2025-6021 CVE-2025-6170 CVE-2025-6965 CVE-2025-7424
                        CVE-2025-7425 CVE-2025-7519 
-----------------------------------------------------------------

The container suse/sl-micro/6.0/baremetal-os-container was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 418
Released:    Thu Aug 14 11:20:44 2025
Summary:     Security update for libxslt
Type:        security
Severity:    important
References:  1246360,CVE-2025-7424
This update for libxslt fixes the following issues:

- CVE-2025-7424: Fixed type confusion in xmlNode.psvi between 
  stylesheet and source nodes (bsc#1246360)

-----------------------------------------------------------------
Advisory ID: 419
Released:    Thu Aug 14 11:26:49 2025
Summary:     Security update for libssh
Type:        security
Severity:    important
References:  1245309,1245310,1245311,1245312,1245314,1245317,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5351,CVE-2025-5372,CVE-2025-5987
This update for libssh fixes the following issues:

- CVE-2025-5372: ssh_kdf() returns a success code on certain failures (bsc#1245314)
- CVE-2025-5987: Invalid return code for chacha20 poly1305 with OpenSSL backend (bsc#1245317)
- CVE-2025-4877: Write beyond bounds in binary to base64 conversion functions (bsc#1245309)
- CVE-2025-4878: Use of uninitialized variable in privatekey_from_file() (bsc#1245310)
- CVE-2025-5318: Likely read beyond bounds in sftp server handle management (bsc#1245311)
- CVE-2025-5351: Double free in functions exporting keys (bsc#1245312)


-----------------------------------------------------------------
Advisory ID: 425
Released:    Wed Aug 20 13:34:24 2025
Summary:     Security update for polkit
Type:        security
Severity:    important
References:  1246472,CVE-2025-7519
This update for polkit fixes the following issues:

- CVE-2025-7519: Fixed an out-of-bounds write that may be triggered by an
  XML policy file with a large number of nested elements (bsc#1246472)

-----------------------------------------------------------------
Advisory ID: 428
Released:    Wed Aug 20 13:36:54 2025
Summary:     Security update for sqlite3
Type:        security
Severity:    important
References:  1246597,CVE-2025-6965
This update for sqlite3 fixes the following issues:

- Update to 3.50.2:
  * Fix the concat_ws() SQL function so that it includes empty
    strings in the concatenation.
  * Avoid writing frames with no checksums into the wal file if a
    savepoint is rolled back after dirty pages have already been
    spilled into the wal file.
  * Fix the Bitvec object to avoid stack overflow when the
    database is within 60 pages of its maximum size.
  * Fix a problem with UPDATEs on fts5 tables that contain BLOB
    values.
  * Fix an issue with transitive IS constraints on a RIGHT JOIN.
  * CVE-2025-6965: Fixed Integer Truncation in SQLite (bsc#1246597)
  * Ensure that sqlite3_setlk_timeout() holds the database mutex.

- Update to 3.50 (3.50.1):
  * Improved handling and robust output of control characters
  * sqlite3_rsync no longer requires WAL mode and needs less
    bandwidth
  * Bug fixes and optimized JSON handling
  * Performance optimizations and developer visible fixes

- Update to release 3.49.2:
  * Fix a bug in the NOT NULL optimization of version 3.40.0 that
    can lead to a memory error if abused.
  * Fix the count-of-view optimization so that it does not give an
    incorrect answer for a DISTINCT query.
  * Fix a possible incorrect answer that can result if a UNIQUE
    constraint of a table contains the PRIMARY KEY column and that
    UNIQUE constraint is used by an IN operator.
  * Fix obscure problems with the generate_series() extension
    function.
  * Incremental improvements to the configure/make.

- Add subpackage for the lemon parser generator.

-----------------------------------------------------------------
Advisory ID: 429
Released:    Thu Aug 21 10:01:26 2025
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1244554,1244555,1244557,1244580,1244700,1246296,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170,CVE-2025-7425
This update for libxml2 fixes the following issues:

- CVE-2025-6021: Integer Overflow in xmlBuildQName() Leads to Stack Buffer Overflow in libxml2 [bsc#1244580]
- CVE-2025-6170: stack buffer overflow may lead to a crash [bsc#1244700]
- CVE-2025-7425: Heap Use-After-Free in libxslt caused by atype corruption in xmlAttrPtr [bsc#1246296]
- CVE-2025-49794: heap use after free (UAF) can lead to Denial of service (DoS) [bsc#1244554]
- CVE-2025-49795: null pointer dereference may lead to Denial of service (DoS) [bsc#1244555]
- CVE-2025-49796: type confusion may lead to Denial of service (DoS) [bsc#1244557]

-----------------------------------------------------------------
Advisory ID: 431
Released:    Thu Aug 21 10:01:27 2025
Summary:     Security update for net-tools
Type:        security
Severity:    moderate
References:  1243581,1246608,CVE-2025-46836
This update for net-tools fixes the following issues:

- Provide more readable error for interface name size checking (bsc#1243581)

- Perform bound checks when parsing interface labels in
  /proc/net/dev (bsc#1243581, bsc#1246608, CVE-2025-46836)


The following package changes have been done:

- libxml2-2-2.11.6-10.1 updated
- SL-Micro-release-6.0-25.43 updated
- libsqlite3-0-3.50.2-1.1 updated
- libssh-config-0.10.6-2.1 updated
- libssh4-0.10.6-2.1 updated
- libxslt1-1.1.38-6.1 updated
- libpolkit-gobject-1-0-121-3.1 updated
- libpolkit-agent-1-0-121-3.1 updated
- polkit-121-3.1 updated
- net-tools-2.10-3.1 updated
- container:SL-Micro-base-container-2.1.3-7.42 updated

