SUSE-CU-2025:9657-1: Security update of bci/bci-base-fips
sle-container-updates at lists.suse.com
Wed Dec 24 08:14:24 UTC 2025
SUSE Container Update Advisory: bci/bci-base-fips
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:9657-1
Container Tags : bci/bci-base-fips:15.7 , bci/bci-base-fips:15.7-14.1 , bci/bci-base-fips:latest
Container Release : 14.1
Severity : important
Type : security
References : 1029961 1110700 1113013 1115640 1156913 1164562 1166510 1166510
1174593 1177858 1178727 1180603 1181443 1184358 1185562 1187654
1190052 1191987 1194818 1195391 1196093 1196647 1196647 1197024
1197794 1198165 1198176 1198752 1199467 1200800 1201519 1201680
1204844 1205161 1207778 1210004 1211078 1213240 1214140 1215377
1216862 1217000 1218475 1223596 1227186 1227187 1228770 1230145
1230959 1230972 1231748 1232234 1232234 1232326 1236136 1236599
1240366 1241219 1242060 1243226 1243459 1244509 1246221 1246428
1247144 1247148 1250232 916845 CVE-2013-4235 CVE-2013-4235 CVE-2018-17953
CVE-2021-46828 CVE-2023-22652 CVE-2023-30078 CVE-2023-30079 CVE-2023-32181
CVE-2024-10041 CVE-2024-10041 CVE-2024-12797 CVE-2024-13176 CVE-2024-22365
CVE-2024-37370 CVE-2024-37371 CVE-2025-27587 CVE-2025-27587 CVE-2025-3576
CVE-2025-6018 CVE-2025-6020 CVE-2025-9230
-----------------------------------------------------------------
The container bci/bci-base-fips was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2569-1
Released: Fri Nov 2 19:00:18 2018
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1110700
This update for pam fixes the following issues:
- Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2825-1
Released: Mon Dec 3 15:35:02 2018
Summary: Security update for pam
Type: security
Severity: important
References: 1115640,CVE-2018-17953
This update for pam fixes the following issue:
Security issue fixed:
- CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:525-1
Released: Fri Feb 28 11:49:36 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1164562
This update for pam fixes the following issues:
- Add libdb as build-time dependency to enable pam_userdb module.
Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:689-1
Released: Fri Mar 13 17:09:01 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510
This update for PAM fixes the following issue:
- The license of libdb linked against pam_userdb is not always wanted,
so we temporarily disabled pam_userdb again. It will be published
in a different package at a later time. (bsc#1166510)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:917-1
Released: Fri Apr 3 15:02:25 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510
This update for pam fixes the following issues:
- Moved pam_userdb into a separate package pam-extra. (bsc#1166510)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2083-1
Released: Thu Jul 30 10:27:59 2020
Summary: Recommended update for diffutils
Type: recommended
Severity: moderate
References: 1156913
This update for diffutils fixes the following issue:
- Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3462-1
Released: Fri Nov 20 13:14:35 2020
Summary: Recommended update for pam and sudo
Type: recommended
Severity: moderate
References: 1174593,1177858,1178727
This update for pam and sudo fixes the following issue:
pam:
- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)
sudo:
- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3620-1
Released: Thu Dec 3 17:03:55 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References:
This update for pam fixes the following issues:
- Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720)
- Check whether the password contains a substring of the user's name of at least `<N>` characters length in
some form. This is enabled by the new parameter `usersubstr=<N>`
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:220-1
Released: Tue Jan 26 14:00:51 2021
Summary: Recommended update for keyutils
Type: recommended
Severity: moderate
References: 1180603
This update for keyutils fixes the following issues:
- Adjust the library license to be LGPL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:339-1
Released: Mon Feb 8 13:16:07 2021
Summary: Optional update for pam
Type: optional
Severity: low
References:
This update for pam fixes the following issues:
- Added rpm macros for this package, so that other packages can make use of it
This patch is optional to be installed - it doesn't fix any bugs.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1643-1
Released: Wed May 19 13:51:48 2021
Summary: Recommended update for pam
Type: recommended
Severity: important
References: 1181443,1184358,1185562
This update for pam fixes the following issues:
- Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
- Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to
an attempt to resolve it as a hostname (bsc#1184358)
- In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3494-1
Released: Wed Oct 20 16:48:46 2021
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1190052
This update for pam fixes the following issues:
- Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
- Added new file macros.pam on request of systemd. (bsc#1190052)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3510-1
Released: Tue Oct 26 11:22:15 2021
Summary: Recommended update for pam
Type: recommended
Severity: important
References: 1191987
This update for pam fixes the following issues:
- Fixed a bad directive file which resulted in
the 'securetty' file to be installed as 'macros.pam'.
(bsc#1191987)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3891-1
Released: Fri Dec 3 10:21:49 2021
Summary: Recommended update for keyutils
Type: recommended
Severity: moderate
References: 1029961,1113013,1187654
This update for keyutils fixes the following issues:
- Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)
keyutils was updated to 1.6.3 (jsc#SLE-20016):
* Revert the change notifications that were using /dev/watch_queue.
* Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE).
* Allow 'keyctl supports' to retrieve raw capability data.
* Allow 'keyctl id' to turn a symbolic key ID into a numeric ID.
* Allow 'keyctl new_session' to name the keyring.
* Allow 'keyctl add/padd/etc.' to take hex-encoded data.
* Add 'keyctl watch*' to expose kernel change notifications on keys.
* Add caps for namespacing and notifications.
* Set a default TTL on keys that upcall for name resolution.
* Explicitly clear memory after it's held sensitive information.
* Various manual page fixes.
* Fix C++-related errors.
* Add support for keyctl_move().
* Add support for keyctl_capabilities().
* Make key=val list optional for various public-key ops.
* Fix system call signature for KEYCTL_PKEY_QUERY.
* Fix 'keyctl pkey_query' argument passing.
* Use keyctl_read_alloc() in dump_key_tree_aux().
* Various manual page fixes.
Updated to 1.6:
* Apply various specfile cleanups from Fedora.
* request-key: Provide a command line option to suppress helper execution.
* request-key: Find least-wildcard match rather than first match.
* Remove the dependency on MIT Kerberos.
* Fix some error messages
* keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
* Fix doc and comment typos.
* Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
* Add pkg-config support for finding libkeyutils.
* upstream isn't offering PGP signatures for the source tarballs anymore
Updated to 1.5.11 (bsc#1113013)
* Add keyring restriction support.
* Add KDF support to the Diffie-Hellman function.
* DNS: Add support for AFS config files and SRV records
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1047-1
Released: Wed Mar 30 16:20:56 2022
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1196093,1197024
This update for pam fixes the following issues:
- Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093)
- Between allocating the variable 'ai' and freeing it, there are two 'return NO' statements where this variable is not freed.
This patch inserts freeaddrinfo() calls before the 'return NO;'s. (bsc#1197024)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1281-1
Released: Wed Apr 20 12:26:38 2022
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1196647
This update for libtirpc fixes the following issues:
- Add option to enforce connection via protocol version 2 first (bsc#1196647)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1655-1
Released: Fri May 13 15:36:10 2022
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1197794
This update for pam fixes the following issue:
- Do not include obsolete header files (bsc#1197794)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1899-1
Released: Wed Jun 1 10:43:22 2022
Summary: Recommended update for libtirpc
Type: recommended
Severity: important
References: 1198176
This update for libtirpc fixes the following issues:
- Add a check for a null pointer in check_address to prevent the client from crashing (bsc#1198176)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3127-1
Released: Wed Sep 7 04:36:10 2022
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1198752,1200800
This update for libtirpc fixes the following issues:
- Exclude ipv6 addresses in client protocol version 2 code (bsc#1200800)
- Fix memory leak in params.r_addr assignment (bsc#1198752)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3305-1
Released: Mon Sep 19 11:45:57 2022
Summary: Security update for libtirpc
Type: security
Severity: important
References: 1201680,CVE-2021-46828
This update for libtirpc fixes the following issues:
- CVE-2021-46828: Fixed denial of service vulnerability with lots of connections (bsc#1201680).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3910-1
Released: Tue Nov 8 13:05:04 2022
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References:
This update for pam fixes the following issue:
- Update pam_motd to the most current version. (PED-1712)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4135-1
Released: Mon Nov 21 00:13:40 2022
Summary: Recommended update for libeconf
Type: recommended
Severity: moderate
References: 1198165
This update for libeconf fixes the following issues:
- Update to version 0.4.6+git
- econftool:
Parsing error: Reporting file and line nr. --delimeters=spaces accepting all kind of spaces for delimiter.
- libeconf:
Parse files correctly on space characters (1198165)
- Update to version 0.4.5+git
- econftool:
New call 'syntax' for checking the configuration files only. Returns an error string with line number if error.
New options '--comment' and '--delimeters'
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:48-1
Released: Mon Jan 9 10:37:54 2023
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1199467
This update for libtirpc fixes the following issues:
- Consider /proc/sys/net/ipv4/ip_local_reserved_ports, before binding to a random port (bsc#1199467)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2847-1
Released: Mon Jul 17 08:40:42 2023
Summary: Recommended update for audit
Type: recommended
Severity: moderate
References: 1210004
This update for audit fixes the following issues:
- Check for AF_UNIX unnamed sockets (bsc#1210004)
- Enable livepatching on main library on x86_64
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3410-1
Released: Thu Aug 24 06:56:32 2023
Summary: Recommended update for audit
Type: recommended
Severity: moderate
References: 1201519,1204844
This update for audit fixes the following issues:
- Create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519)
- Fix rules not loaded when restarting auditd.service (bsc#1204844)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3611-1
Released: Fri Sep 15 09:28:36 2023
Summary: Recommended update for sysuser-tools
Type: recommended
Severity: moderate
References: 1195391,1205161,1207778,1213240,1214140
This update for sysuser-tools fixes the following issues:
- Update to version 3.2
- Always create a system group of the same name as the system user (bsc#1205161, bsc#1207778, bsc#1213240)
- Add 'quilt setup' friendly hint to %sysusers_requires usage
- Use append so if a pre file already exists it isn't overridden
- Invoke bash for bash scripts (bsc#1195391)
- Remove all systemd requires not supported on SLE15 (bsc#1214140)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3954-1
Released: Tue Oct 3 20:09:47 2023
Summary: Security update for libeconf
Type: security
Severity: important
References: 1211078,CVE-2023-22652,CVE-2023-30078,CVE-2023-30079,CVE-2023-32181
This update for libeconf fixes the following issues:
Update to version 0.5.2.
- CVE-2023-30078, CVE-2023-32181: Fixed a stack-buffer-overflow vulnerability in 'econf_writeFile' function (bsc#1211078).
- CVE-2023-30079, CVE-2023-22652: Fixed a stack-buffer-overflow vulnerability in 'read_file' function. (bsc#1211078)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4310-1
Released: Tue Oct 31 14:10:47 2023
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1196647
This Update for libtirpc to 1.3.4, fixing the following issues:
Update to 1.3.4 (bsc#1199467)
* binddynport.c honor ip_local_reserved_ports
- replaces: binddynport-honor-ip_local_reserved_ports.patch
* gss-api: expose gss major/minor error in authgss_refresh()
* rpcb_clnt.c: Eliminate double frees in delete_cache()
* rpcb_clnt.c: memory leak in destroy_addr
* portmapper: allow TCP-only portmapper
* getnetconfigent: avoid potential DoS issue by removing unnecessary sleep
* clnt_raw.c: fix a possible null pointer dereference
* bindresvport.c: fix a potential resource leakage
Update to 1.3.3:
* Fix DoS vulnerability in libtirpc
- replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
* _rpc_dtablesize: use portable system call
* libtirpc: Fix use-after-free accessing the error number
* Fix potential memory leak of parms.r_addr
- replaces 0001-fix-parms.r_addr-memory-leak.patch
* rpcb_clnt.c add mechanism to try v2 protocol first
- replaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
* Eliminate deadlocks in connects with an MT environment
* clnt_dg_freeres() uncleared set active state may deadlock
* thread safe clnt destruction
* SUNRPC: mutexed access blacklist_read state variable
* SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c
Update to 1.3.2:
* Replace the final SunRPC licenses with BSD licenses
* blacklist: Add a few more well known ports
* libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS
Update to 1.3.1:
* Remove AUTH_DES interfaces from auth_des.h
The unsupported AUTH_DES authentication has been
compiled out since commit d918e41d889 (Wed Oct 9 2019)
replaced by API routines that return errors.
* svc_dg: Free xp_netid during destroy
* Fix memory management issues of fd locks
* libtirpc: replace array with list for per-fd locks
* __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
* __rpc_dtbsize: rlim_cur instead of rlim_max
* pkg-config: use the correct replacements for libdir/includedir
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4671-1
Released: Wed Dec 6 14:33:41 2023
Summary: Recommended update for man
Type: recommended
Severity: moderate
References:
This update of man fixes the following problem:
- The 'man' command is delivered to SUSE Linux Enterprise Micro
to allow browsing man pages.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4723-1
Released: Tue Dec 12 09:57:51 2023
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1216862
This update for libtirpc fixes the following issue:
- fix sed parsing in specfile (bsc#1216862)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:136-1
Released: Thu Jan 18 09:53:47 2024
Summary: Security update for pam
Type: security
Severity: moderate
References: 1217000,1218475,CVE-2024-22365
This update for pam fixes the following issues:
- CVE-2024-22365: Fixed a local denial of service during PAM login
due to a missing check during path manipulation (bsc#1218475).
- Check localtime_r() return value to fix crashing (bsc#1217000)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:907-1
Released: Fri Mar 15 08:57:38 2024
Summary: Recommended update for audit
Type: recommended
Severity: moderate
References: 1215377
This update for audit fixes the following issue:
- Fix plugin termination when using systemd service units (bsc#1215377)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:1997-1
Released: Tue Jun 11 17:24:32 2024
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1223596
This update for e2fsprogs fixes the following issues:
- EA Inode handling fixes:
- e2fsck: add more checks for ea inode consistency (bsc#1223596)
- e2fsck: fix golden output of several tests (bsc#1223596)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2307-1
Released: Fri Jul 5 12:04:34 2024
Summary: Security update for krb5
Type: security
Severity: important
References: 1227186,1227187,CVE-2024-37370,CVE-2024-37371
This update for krb5 fixes the following issues:
- CVE-2024-37370: Fixed confidential GSS krb5 wrap tokens with invalid fields were erroneously accepted (bsc#1227186).
- CVE-2024-37371: Fixed invalid memory read when processing message tokens with invalid length fields (bsc#1227187).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2630-1
Released: Tue Jul 30 09:12:44 2024
Summary: Security update for shadow
Type: security
Severity: important
References: 916845,CVE-2013-4235
This update for shadow fixes the following issues:
- CVE-2013-4235: Fixed a race condition when copying and removing directory trees (bsc#916845).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2808-1
Released: Wed Aug 7 09:49:32 2024
Summary: Security update for shadow
Type: security
Severity: moderate
References: 1228770,CVE-2013-4235
This update for shadow fixes the following issues:
- Fixed skel files not being copied (bsc#1228770)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2967-1
Released: Mon Aug 19 15:41:29 2024
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1194818
This update for pam fixes the following issue:
- Prevent cursor escape from the login prompt (bsc#1194818).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3528-1
Released: Fri Oct 4 15:31:43 2024
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1230145
This update for e2fsprogs fixes the following issue:
- resize2fs: Check number of group descriptors only if meta_bg is disabled
(bsc#1230145).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3896-1
Released: Mon Nov 4 12:08:29 2024
Summary: Recommended update for shadow
Type: recommended
Severity: moderate
References: 1230972
This update for shadow fixes the following issues:
- Add useradd warnings when requested UID is outside the default range (bsc#1230972)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1334-1
Released: Thu Apr 17 09:03:05 2025
Summary: Security update for pam
Type: security
Severity: moderate
References: 1232234,CVE-2024-10041
This update for pam fixes the following issues:
- CVE-2024-10041: sensitive data exposure while performing authentications. (bsc#1232234)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1733-1
Released: Wed May 28 17:59:52 2025
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1242060
This update for krb5 fixes the following issue:
- Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2013-1
Released: Wed Jun 18 20:05:07 2025
Summary: Security update for pam
Type: security
Severity: important
References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020
This update for pam fixes the following issues:
- CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226).
- CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2042-1
Released: Fri Jun 20 12:38:43 2025
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587
This update for openssl-3 fixes the following issues:
- CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459).
- CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected. (bsc#1236599)
- CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2236-1
Released: Mon Jul 7 14:58:53 2025
Summary: Security update for openssl-3
Type: security
Severity: moderate
References: 1240366,CVE-2025-27587
This update for openssl-3 fixes the following issues:
- CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366).
- Backport mdless cms signing support [jsc#PED-12895]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2599-1
Released: Fri Aug 1 17:35:01 2025
Summary: Recommended update for openssl-3
Type: recommended
Severity: important
References: 1230959,1231748,1232326,1246428
This update for openssl-3 fixes the following issues:
- FIPS: Fix EMS in crypto-policies FIPS:NO-ENFORCE-EMS (bsc#1230959, bsc#1232326, bsc#1231748, bsc#1246428)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2874-1
Released: Tue Aug 19 06:07:47 2025
Summary: Recommended update for openssl-3
Type: recommended
Severity: important
References: 1247144,1247148
This update for openssl-3 fixes the following issues:
- Increase limit for CRL download (bsc#1247148, bsc#1247144)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2970-1
Released: Mon Aug 25 10:27:57 2025
Summary: Security update for pam
Type: security
Severity: moderate
References: 1232234,1246221,CVE-2024-10041
This update for pam fixes the following issues:
- Improve previous CVE-2024-10041 fix which led to CPU performance issues (bsc#1232234)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3546-1
Released: Sat Oct 11 03:21:33 2025
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1250232,CVE-2025-9230
This update for openssl-3 fixes the following issues:
- CVE-2025-9230: Fixed out-of-bounds read & write in RFC 3211 KEK unwrap (bsc#1250232).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3699-1
Released: Tue Oct 21 12:07:47 2025
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1241219,CVE-2025-3576
This update for krb5 fixes the following issues:
- CVE-2025-3576: weakness in the MD5 checksum design allows for spoofing of GSSAPI-protected messages that are using
RC4-HMAC-MD5 (bsc#1241219).
Krb5, as a very old protocol, supports quite a number of ciphers
that are no longer up to current cryptographic standards.
To avoid problems with those, SUSE has now disabled
those algorithms by default.
The following algorithms have been removed from valid krb5 enctypes:
- des3-cbc-sha1
- arcfour-hmac-md5
To reenable those algorithms, you can use the allow options in krb5.conf:
[libdefaults]
allow_des3 = true
allow_rc4 = true
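An added example, not part of the SUSE advisory: a small Python check for the krb5.conf change described above. It reports `[libdefaults]` lines that set `allow_des3` or `allow_rc4` to a true value and, separately, lines where the two removed enctypes are still named in an enctype list. The alias names, the accepted boolean spellings and the sample file are assumptions of this example, and `include`/`includedir` directives are not followed.

```python
import re

# Options named in the advisory, mapped to the enctype each one brings back.
REENABLE_OPTIONS = {"allow_des3": "des3-cbc-sha1", "allow_rc4": "arcfour-hmac-md5"}

# Enctype list settings to scan, and the names (with aliases) to look for.
# The alias sets are an assumption of this example.
ENCTYPE_LISTS = ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes")
REMOVED_NAMES = {
    "des3-cbc-sha1": {"des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd", "des3"},
    "arcfour-hmac-md5": {"arcfour-hmac-md5", "arcfour-hmac", "rc4-hmac", "rc4"},
}

# Spellings treated as boolean true (assumption of this example).
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}


def audit_krb5_conf(text):
    """Return (line_number, option, enctype, kind) tuples for [libdefaults].

    kind is "reenabled" for allow_des3/allow_rc4 set to a true value, and
    "listed" where a removed enctype is named in an enctype list. "listed"
    only reports where the name appears; whether it takes effect depends
    on the allow options.
    """
    findings = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in REENABLE_OPTIONS:
            if value.lower() in TRUE_VALUES:
                findings.append((lineno, key, REENABLE_OPTIONS[key], "reenabled"))
        elif key in ENCTYPE_LISTS:
            for token in re.split(r"[\s,]+", value):
                if not token or token.startswith("-"):   # "-name" removes an entry
                    continue
                name = token.lstrip("+").lower()
                for enctype, aliases in REMOVED_NAMES.items():
                    if name in aliases:
                        findings.append((lineno, key, enctype, "listed"))
    return findings


# Constructed sample configuration, for illustration only.
SAMPLE = """\
# constructed sample
[libdefaults]
    default_realm = EXAMPLE.TEST
    allow_des3 = true
    # allow_rc4 = true
    allow_rc4 = no
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac -des3

[realms]
    allow_rc4 = true
"""

if __name__ == "__main__":
    for lineno, option, enctype, kind in audit_krb5_conf(SAMPLE):
        print(f"line {lineno}: {option} -> {enctype} ({kind})")
```
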
The following package changes have been done:
- cracklib-dict-small-2.9.11-150600.1.90 added
- libsemanage-conf-3.5-150600.1.48 added
- libtirpc-netconfig-1.3.4-150300.3.23.1 added
- libcom_err2-1.47.0-150600.4.6.2 added
- libcap-ng0-0.7.9-4.37 added
- libverto1-0.2.6-3.20 added
- fillup-1.42-2.18 added
- libzio1-1.06-2.20 added
- libkeyutils1-1.6.3-5.6.1 added
- libuuid1-2.40.4-150700.2.4 added
- libsmartcols1-2.40.4-150700.2.4 added
- libeconf0-0.5.2-150400.3.6.1 added
- libaudit1-3.0.6-150400.4.16.1 added
- libsepol2-3.5-150600.1.49 added
- cracklib-2.9.11-150600.1.90 added
- libcrack2-2.9.11-150600.1.90 added
- libopenssl3-3.2.3-150700.5.21.1 added
- libopenssl-3-fips-provider-3.2.3-150700.5.21.1 added
- libblkid1-2.40.4-150700.2.4 added
- libfdisk1-2.40.4-150700.2.4 added
- login_defs-4.8.1-150600.17.9.1 added
- krb5-1.20.1-150600.11.14.1 added
- info-6.5-4.17 added
- libsemanage2-3.5-150600.1.48 added
- libmount1-2.40.4-150700.2.4 added
- grep-3.11-150700.1.8 added
- libtirpc3-1.3.4-150300.3.23.1 added
- diffutils-3.6-4.3.1 added
- libnsl2-1.2.0-2.44 added
- permissions-20240826-150700.14.4 added
- pam-1.3.0-150000.6.86.1 added
- shadow-4.8.1-150600.17.9.1 added
- sysuser-shadow-3.2-150400.3.5.3 added
- system-group-hardware-20170617-150400.24.2.1 added
- libutempter0-1.1.6-3.42 added
- util-linux-2.40.4-150700.2.4 added
- crypto-policies-scripts-20230920.570ea89-150600.3.12.1 removed
- libopenssl1_1-1.1.1w-150700.11.6.1 removed
- libpython3_6m1_0-3.6.15-150300.10.100.1 removed
- python3-base-3.6.15-150300.10.100.1 removed