SUSE-IU-2025:3963-1: Security update of suse/sl-micro/6.2/kvm-os-container

sle-container-updates at lists.suse.com sle-container-updates at lists.suse.com
Fri Dec 19 08:07:56 UTC 2025 

SUSE Image Update Advisory: suse/sl-micro/6.2/kvm-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:3963-1
Image Tags        : suse/sl-micro/6.2/kvm-os-container:2.3.0 , suse/sl-micro/6.2/kvm-os-container:2.3.0-6.17 , suse/sl-micro/6.2/kvm-os-container:latest
Image Release     : 6.17
Severity          : important
Type              : security
References        : 1230042 1250984 1253002 1254286 1254494 CVE-2025-11234 CVE-2025-12464
-----------------------------------------------------------------

The container suse/sl-micro/6.2/kvm-os-container was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 112
Released:    Thu Dec 18 13:42:03 2025
Summary:     Security update for qemu
Type:        security
Severity:    important
References:  1230042,1250984,1253002,1254286,1254494,CVE-2025-11234,CVE-2025-12464
This update for qemu fixes the following issues:

Update to version 10.0.7.

Security issues fixed:

- CVE-2025-12464: stack-based buffer overflow in the e1000 network device operations can be exploited by a malicious
  guest user to crash the QEMU process on the host (bsc#1253002).
- CVE-2025-11234: use-after-free in WebSocket handshake operations can be exploited by a malicious client with network
  access to the VNC WebSocket port to cause a denial-of-service (bsc#1250984).

Other updates and bugfixes:

- Version 10.0.7:
  * kvm: Fix kvm_vm_ioctl() and kvm_device_ioctl() return value
  * docs/devel: Update URL for make-pullreq script
  * target/arm: Fix assert on BRA.
  * hw/aspeed/{xdma, rtc, sdhci}: Fix endianness to DEVICE_LITTLE_ENDIAN
  * hw/core/machine: Provide a description for aux-ram-share property
  * hw/pci: Make msix_init take a uint32_t for nentries
  * block/io_uring: avoid potentially getting stuck after resubmit at the end of ioq_submit()
  * block-backend: Fix race when resuming queued requests
  * ui/vnc: Fix qemu abort when query vnc info
  * chardev/char-pty: Do not ignore chr_write() failures
  * hw/display/exynos4210_fimd: Account for zero length in fimd_update_memory_section()
  * hw/arm/armv7m: Disable reentrancy guard for v7m_sysreg_ns_ops MRs
  * hw/arm/aspeed: Fix missing SPI IRQ connection causing DMA interrupt failure
  * migration: Fix transition to COLO state from precopy
  * Full backport list: https://lore.kernel.org/qemu-devel/1765037524.347582.2700543.nullmailer@tls.msk.ru/

- Version 10.0.6:
  * linux-user/microblaze: Fix little-endianness binary
  * target/hppa: correct size bit parity for fmpyadd
  * target/i386: user: do not set up a valid LDT on reset
  * async: access bottom half flags with qatomic_read
  * target/i386: fix x86_64 pushw op
  * i386/tcg/smm_helper: Properly apply DR values on SMM entry / exit
  * i386/cpu: Prevent delivering SIPI during SMM in TCG mode
  * i386/kvm: Expose ARCH_CAP_FB_CLEAR when invulnerable to MDS
  * target/i386: Fix CR2 handling for non-canonical addresses
  * block/curl.c: Use explicit long constants in curl_easy_setopt calls
  * pcie_sriov: Fix broken MMIO accesses from SR-IOV VFs
  * target/riscv: rvv: Fix vslide1[up|down].vx unexpected result when XLEN2 and SEWd
  * target/riscv: Fix ssamoswap error handling
  * Full backport list: https://lore.kernel.org/qemu-devel/1761022287.744330.6357.nullmailer@tls.msk.ru/

- Version 10.0.5:
  * tests/functional/test_aarch64_sbsaref_freebsd: Fix the URL of the ISO image
  * tests/functional/test_ppc_bamboo: Replace broken link with working assets
  * physmem: Destroy all CPU AddressSpaces on unrealize
  * memory: New AS helper to serialize destroy+free
  * include/system/memory.h: Clarify address_space_destroy() behaviour
  * migration: Fix state transition in postcopy_start() error handling
  * target/riscv: rvv: Modify minimum VLEN according to enabled vector extensions
  * target/riscv: rvv: Replace checking V by checking Zve32x
  * target/riscv: Fix endianness swap on compressed instructions
  * hw/riscv/riscv-iommu: Fixup PDT Nested Walk
  * Full backport list: https://lore.kernel.org/qemu-devel/1759986125.676506.643525.nullmailer@tls.msk.ru/

- [openSUSE][RPM]: really fix *-virtio-gpu-pci dependency on ARM (bsc#1254286).
- [openSUSE][RPM] spec: make glusterfs support conditional (bsc#1254494).


The following package changes have been done:

- qemu-guest-agent-10.0.7-160000.1.1 updated

More information about the sle-container-updates mailing list