SUSE-CU-2025:9182-1: Security update of suse/manager/5.0/x86_64/server
sle-container-updates at lists.suse.com
Fri Dec 19 08:27:59 UTC 2025
SUSE Container Update Advisory: suse/manager/5.0/x86_64/server
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:9182-1
Container Tags : suse/manager/5.0/x86_64/server:5.0.6 , suse/manager/5.0/x86_64/server:5.0.6.7.36.2 , suse/manager/5.0/x86_64/server:latest
Container Release : 7.36.2
Severity : critical
Type : security
References : 1040589 1211373 1213308 1217755 1222128 1224386 1225740 1227577
1227579 1229750 1229825 1229977 1230876 1231055 1232526 1233496
1233529 1233655 1235567 1235847 1236632 1236744 1236976 1236977
1236978 1236999 1237000 1237001 1237003 1237005 1237018 1237019
1237020 1237021 1237042 1237236 1237240 1237241 1237242 1237536
1238481 1238491 1239158 1239566 1239636 1239938 1240225 1240565
1240788 1240870 1241013 1241132 1241307 1241916 1243087 1243183
1243381 1243679 1243756 1243760 1243768 1243794 1243808 1243876
1243991 1243994 1244027 1244050 1244065 1244125 1244219 1244290
1244298 1244329 1244338 1244400 1244427 1244430 1244519 1244542
1244552 1244641 1244648 1244724 1244822 1245027 1245190 1245199
1245240 1245241 1245307 1245398 1245405 1245528 1245953 1245987
1246035 1246421 1246422 1246436 1246452 1246481 1246486 1246586
1246638 1246659 1246663 1246806 1246883 1246957 1246981 1247084
1247105 1247111 1247114 1247117 1247214 1247269 1247305 1247322
1247407 1247481 1247498 1247544 1247822 1247951 1247983 1247985
1247990 1248247 1248292 1248403 1248409 1248411 1248448 1248467
1248501 1248661 1248741 1248799 1248804 1249055 1249089 1249148
1249359 1249384 1249502 1250239 1250318 1250342 1250399 1250423
1250427 1250451 1250553 1250593 1250632 1250754 1251117 1251198
1251199 1251275 1251276 1251277 1251305 1251794 1251795 1251796
1251827 1251864 1251979 1252023 1252097 1252148 1252160 1252250
1252269 1252378 1252379 1252380 1252414 1252417 1252425 1252680
1252723 1252753 1252756 1252905 1252930 1252931 1252932 1252933
1252934 1252935 1252974 1253043 1253332 1253332 1253333 1253333
1253460 1253741 1253757 1254132 510058 CVE-2025-0840 CVE-2025-10911
CVE-2025-11083 CVE-2025-11412 CVE-2025-11413 CVE-2025-11414 CVE-2025-1147
CVE-2025-1148 CVE-2025-1149 CVE-2025-11494 CVE-2025-11495 CVE-2025-1150
CVE-2025-1151 CVE-2025-1152 CVE-2025-1153 CVE-2025-11561 CVE-2025-11563
CVE-2025-11731 CVE-2025-1176 CVE-2025-1178 CVE-2025-1179 CVE-2025-1180
CVE-2025-1181 CVE-2025-1182 CVE-2025-12817 CVE-2025-12817 CVE-2025-12818
CVE-2025-12818 CVE-2025-1352 CVE-2025-1372 CVE-2025-1376 CVE-2025-1377
CVE-2025-3198 CVE-2025-40778 CVE-2025-40780 CVE-2025-5244 CVE-2025-5245
CVE-2025-53057 CVE-2025-53066 CVE-2025-54770 CVE-2025-54771 CVE-2025-55752
CVE-2025-55754 CVE-2025-59419 CVE-2025-59432 CVE-2025-6075 CVE-2025-61661
CVE-2025-61662 CVE-2025-61663 CVE-2025-61664 CVE-2025-61795 CVE-2025-61984
CVE-2025-61985 CVE-2025-7039 CVE-2025-7545 CVE-2025-7546 CVE-2025-8224
CVE-2025-8225 CVE-2025-8291 CVE-2025-8677 CVE-2025-9820
-----------------------------------------------------------------
The container suse/manager/5.0/x86_64/server was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1938-1
Released: Fri Jun 13 06:01:27 2025
Summary: Recommended update for apache-commons-text
Type: recommended
Severity: moderate
References:
This update for apache-commons-text fixes the following issues:
- Deliver apache-commons-text to openSUSE Leap 15.6 from SLES (no source changes)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3836-1
Released: Tue Oct 28 11:38:00 2025
Summary: Recommended update for bash
Type: recommended
Severity: important
References: 1245199
This update for bash fixes the following issues:
- Fix histfile missing timestamp for the oldest record (bsc#1245199)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3847-1
Released: Wed Oct 29 06:06:00 2025
Summary: Recommended update for python-kiwi
Type: recommended
Severity: critical
References: 1243381,1245190,1250754
This update for python-kiwi, appx-util, python-docopt, python-xmltodict, libsolv fixes the following issues:
python-kiwi:
- Switch to Python 3.11 based python-kiwi (jsc#PED-13168)
- Fixed system booting to Emergency Mode on first reboot using qcow2 (bsc#1250754)
- Fixed get_partition_node_name (bsc#1245190)
- Added new eficsm type attribute (bsc#1243381)
- Included support for older schemas
- New binary packages:
* kiwi-bash-completion
* kiwi-systemdeps-containers-wsl
appx-util:
- Implementation as dependency required by kiwi-systemdeps-containers-wsl
python-docopt, python-xmltodict, libsolv:
- Implementation of Python 3.11 flavours required by python311-kiwi (no source changes)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3851-1
Released: Wed Oct 29 15:04:32 2025
Summary: Recommended update for vim
Type: recommended
Severity: moderate
References: 1229750,1250593
This update for vim fixes the following issues:
- Fix regression in vim: xxd -a shows no output (bsc#1250593).
Backported from 9.1.1683 (xxd: Avoid null dereference in autoskip colorless).
- Fix vim compatible mode is not switched off earlier (bsc#1229750).
Nocompatible must be set before the syntax highlighting is turned on.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3875-1
Released: Thu Oct 30 16:26:57 2025
Summary: Security update for libxslt
Type: security
Severity: important
References: 1250553,1251979,CVE-2025-10911,CVE-2025-11731
This update for libxslt fixes the following issues:
- CVE-2025-11731: fixed a type confusion in exsltFuncResultComp function leading to denial of service (bsc#1251979)
- CVE-2025-10911: last fix caused a regression, patch was temporarily disabled (bsc#1250553)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3877-1
Released: Fri Oct 31 05:29:41 2025
Summary: Recommended update for libselinux
Type: recommended
Severity: important
References: 1252160
This update for libselinux fixes the following issues:
- Ship license file (bsc#1252160)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3930-1
Released: Tue Nov 4 09:26:22 2025
Summary: Recommended update for gcc15
Type: recommended
Severity: moderate
References: 1232526,1238491,1239566,1239938,1240788,1243794,1243991,1244050
This update for gcc15 fixes the following issues:
This update ships the GNU Compiler Collection GCC 15.2. (jsc#PED-12029)
The compiler runtime libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 14 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP6 and SP7, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available
unsupported via the PackageHub repositories.
To use gcc15 compilers use:
- install 'gcc15' or 'gcc15-c++' or one of the other 'gcc15-COMPILER' frontend packages.
- override your Makefile to use CC=gcc15, CXX=g++15 and similar overrides for the other languages.
For a full changelog with all new GCC15 features, check out
https://gcc.gnu.org/gcc-15/changes.html
Update to GCC 15.2 release:
* the GCC 15.2 release contains regression fixes accumulated since
the GCC 15.1 release
- Prune the use of update-alternatives from openSUSE Factory and
SLFO.
- Adjust crosses to conflict consistently where they did not
already and make them use unsuffixed binaries.
- Tune for power10 for SLES 16. [jsc#PED-12029]
- Tune for z15 for SLES 16. [jsc#PED-253]
- Fix PR120827, ICE due to splitter emitting constant loads directly
- Exclude shared objects present for link editing in the GCC specific
subdirectory from provides processing via __provides_exclude_from.
[bsc#1244050][bsc#1243991]
- Make cross-*-gcc15-bootstrap package conflict with the non-bootstrap
variant conflict with the unversioned cross-*-gcc package.
- Enable C++ for offload compilers. [bsc#1243794]
- Add libgcobol and libquadmath-devel dependence to the cobol frontend
package.
Update to GCC 15 branch head, 15.1.1+git9595
* includes GCC 15.1 release
- Enable gfx9-generic, gfx10-3-generic and gfx11-generic multilibs
for the AMD GCN offload compiler when llvm is new enough.
- Make sure link editing is done against our own shared library
copy rather than the installed system runtime. [bsc#1240788]
- Fix newlib libm miscompilation for GCN offloading.
Update to GCC trunk head, 15.0.1+git9001
* includes -msplit-patch-nops required for user-space livepatching
on powerpc
* includes fix for Ada build with --enable-host-pie
- Build GCC executables PIE on SLE. [bsc#1239938]
- Includes change to also record -D_FORTIFY_SOURCE=2 in the DWARF
debug info DW_AT_producer string. [bsc#1239566]
- Package GCC COBOL compiler for openSUSE Factory for supported
targets which are x86_64, aarch64 and ppc64le.
- Disable profiling during build when %want_reproducible_builds is set
[bsc#1238491]
- Includes fix for emacs JIT use
- Bumps libgo SONAME to libgo24 which should fix go1.9 build
- Adjust cross compiler requirements to use %requires_ge
- For cross compilers require the same or newer binutils, newlib
or cross-glibc that was used at build time. [bsc#1232526]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3934-1
Released: Tue Nov 4 12:23:11 2025
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1247498
This update for cyrus-sasl fixes the following issue:
- Replace insecure MD5 with ephemeral HMAC-SHA256 (bsc#1247498).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3969-1
Released: Thu Nov 6 12:08:20 2025
Summary: Recommended update for SLES-release
Type: recommended
Severity: low
References:
This update for SLES-release provides the following fix:
- Adjust the EOL date for the product.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3982-1
Released: Thu Nov 6 19:21:10 2025
Summary: Recommended update for lcms2
Type: recommended
Severity: moderate
References: 1247985
This update for lcms2 fixes the following issue:
- Enable threads support and avoid linker errors (bsc#1247985).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3997-1
Released: Fri Nov 7 16:50:17 2025
Summary: Security update for java-17-openjdk
Type: security
Severity: important
References: 1246806,1252414,1252417,CVE-2025-53057,CVE-2025-53066
This update for java-17-openjdk fixes the following issues:
Upgrade to upstream tag jdk-17.0.17+10 (October 2025 CPU):
- CVE-2025-53057: Fixed unauthenticated attacker can achieve unauthorized creation, deletion or modification access to critical data (bsc#1252414).
- CVE-2025-53066: Fixed unauthenticated attacker can achieve unauthorized access to critical data or complete access (bsc#1252417).
Other bug fixes:
- Do not embed rebuild counter (bsc#1246806)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:4054-1
Released: Tue Nov 11 15:04:28 2025
Summary: Security update for ongres-scram
Type: security
Severity: moderate
References: 1250399,CVE-2025-59432
This update for ongres-scram fixes the following issues:
- CVE-2025-59432: Fixed timing attack vulnerability in SCRAM Authentication (bsc#1250399)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:4067-1
Released: Wed Nov 12 09:03:26 2025
Summary: Security update for openssh
Type: security
Severity: moderate
References: 1251198,1251199,CVE-2025-61984,CVE-2025-61985
This update for openssh fixes the following issues:
- CVE-2025-61984: Fixed code execution via control characters in usernames when a ProxyCommand is used (bsc#1251198)
- CVE-2025-61985: Fixed code execution via '\0' character in ssh:// URI when a ProxyCommand is used (bsc#1251199)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:4087-1
Released: Wed Nov 12 20:35:10 2025
Summary: Security update for netty, netty-tcnative
Type: security
Severity: moderate
References: 1252097,CVE-2025-59419
This update for netty, netty-tcnative fixes the following issues:
- CVE-2025-59419: fixed SMTP command injection vulnerability that allowed email forgery (bsc#1252097)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:4096-1
Released: Fri Nov 14 09:07:37 2025
Summary: Security update for binutils
Type: security
Severity: important
References: 1040589,1236632,1236976,1236977,1236978,1236999,1237000,1237001,1237003,1237005,1237018,1237019,1237020,1237021,1237042,1240870,1241916,1243756,1243760,1246481,1246486,1247105,1247114,1247117,1250632,1251275,1251276,1251277,1251794,1251795,CVE-2025-0840,CVE-2025-11083,CVE-2025-11412,CVE-2025-11413,CVE-2025-11414,CVE-2025-1147,CVE-2025-1148,CVE-2025-1149,CVE-2025-11494,CVE-2025-11495,CVE-2025-1150,CVE-2025-1151,CVE-2025-1152,CVE-2025-1153,CVE-2025-1176,CVE-2025-1178,CVE-2025-1179,CVE-2025-1180,CVE-2025-1181,CVE-2025-1182,CVE-2025-3198,CVE-2025-5244,CVE-2025-5245,CVE-2025-7545,CVE-2025-7546,CVE-2025-8224,CVE-2025-8225
This update for binutils fixes the following issues:
- Do not enable '-z gcs=implicit' on aarch64 for old codestreams.
Update to version 2.45:
* New versioned release of libsframe.so.2
* s390: tools now support SFrame format 2; recognize 'z17' as CPU
name [bsc#1247105, jsc#IBM-1485]
* sframe sections are now of ELF section type SHT_GNU_SFRAME.
* sframe sections generated by the assembler have
SFRAME_F_FDE_FUNC_START_PCREL set.
* riscv: Support more extensions: standard: Zicfiss v1.0, Zicfilp v1.0,
Zcmp v1.0, Zcmt v1.0, Smrnmi v1.0, S[sm]dbltrp v1.0, S[sm]ctr v1.0,
ssqosid v1.0, ssnpm v1.0, smnpm v1.0, smmpm v1.0, sspm v1.0, supm v1.0,
sha v1.0, zce v1.0, smcdeleg v1.0, ssccfg v1.0, svvptc v1.0, zilsd v1.0,
zclsd v1.0, smrnmi v1.0;
vendor: CORE-V, xcvbitmanip v1.0 and xcvsimd v1.0;
SiFive, xsfvqmaccdod v1.0, xsfvqmaccqoq v1.0 and xsfvfnrclipxfqf v1.0;
T-Head: xtheadvdot v1.0;
MIPS: xmipscbop v1.0, xmipscmov v1.0, xmipsexectl v1.0, xmipslsp v1.0.
* Support RISC-V privileged version 1.13, profiles 20/22/23, and
.bfloat16 directive.
* x86: Add support for these ISAs: Intel Diamond Rapids AMX, MOVRS,
AVX10.2 (including SM4), MSR_IMM; Zhaoxin PadLock PHE2, RNG2, GMI, XMODX.
Drop support for AVX10.2 256 bit rounding.
* arm: Add support for most of Armv9.6, enabled by -march=armv9.6-a and
extensions '+cmpbr', '+f8f16mm', '+f8f32mm', '+fprcvt', '+lsfe', '+lsui',
'+occmo', '+pops', '+sme2p2', '+ssve-aes', '+sve-aes', '+sve-aes2',
'+sve-bfscale', '+sve-f16f32mm' and '+sve2p2'.
* Predefined symbols 'GAS(version)' and, on non-release builds, 'GAS(date)'
are now being made available.
* Add .errif and .warnif directives.
* linker:
- Add --image-base=<ADDR> option to the ELF linker to behave the same
as -Ttext-segment for compatibility with LLD.
- Add support for mixed LTO and non-LTO codes in relocatable output.
- s390: linker generates .eh_frame and/or .sframe for linker
generated .plt sections by default (can be disabled
by --no-ld-generated-unwind-info).
- riscv: add new PLT formats, and GNU property merge rules for zicfiss
and zicfilp extensions.
- gold is no longer included
- Contains fixes for these non-CVEs (not security bugs per upstream's SECURITY.md):
* bsc#1236632 aka CVE-2025-0840 aka PR32650
* bsc#1236977 aka CVE-2025-1149 aka PR32576
* bsc#1236978 aka CVE-2025-1148 aka PR32576
* bsc#1236999 aka CVE-2025-1176 aka PR32636
* bsc#1237000 aka CVE-2025-1153 aka PR32603
* bsc#1237001 aka CVE-2025-1152 aka PR32576
* bsc#1237003 aka CVE-2025-1151 aka PR32576
* bsc#1237005 aka CVE-2025-1150 aka PR32576
* bsc#1237018 aka CVE-2025-1178 aka PR32638
* bsc#1237019 aka CVE-2025-1181 aka PR32643
* bsc#1237020 aka CVE-2025-1180 aka PR32642
* bsc#1237021 aka CVE-2025-1179 aka PR32640
* bsc#1237042 aka CVE-2025-1182 aka PR32644
* bsc#1240870 aka CVE-2025-3198 aka PR32716
* bsc#1243756 aka CVE-2025-5244 aka PR32858
* bsc#1243760 aka CVE-2025-5245 aka PR32829
* bsc#1246481 aka CVE-2025-7545 aka PR33049
* bsc#1246486 aka CVE-2025-7546 aka PR33050
* bsc#1247114 aka CVE-2025-8224 aka PR32109
* bsc#1247117 aka CVE-2025-8225 no PR
- Add these backport patches:
* bsc#1236976 aka CVE-2025-1147 aka PR32556
* bsc#1250632 aka CVE-2025-11083 aka PR33457
* bsc#1251275 aka CVE-2025-11412 aka PR33452
* bsc#1251276 aka CVE-2025-11413 aka PR33456
* bsc#1251277 aka CVE-2025-11414 aka PR33450
* bsc#1251794 aka CVE-2025-11494 aka PR33499
* bsc#1251795 aka CVE-2025-11495 aka PR33502
- Skip PGO with %want_reproducible_builds (bsc#1040589)
- Fix crash in assembler with -gdwarf-5
- aarch64-common-pagesize.patch, aarch64 no longer uses 64K page size
- Add -std=gnu17 to move gcc15 forward, as temporary measure until
the binutils version can be updated [bsc#1241916].
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:4110-1
Released: Fri Nov 14 16:56:18 2025
Summary: Security update for bind
Type: security
Severity: important
References: 1252378,1252379,1252380,CVE-2025-40778,CVE-2025-40780,CVE-2025-8677
This update for bind fixes the following issues:
- CVE-2025-8677: DNSSEC validation fails if matching but invalid DNSKEY is found (bsc#1252378).
- CVE-2025-40778: Address various spoofing attacks (bsc#1252379).
- CVE-2025-40780: Cache-poisoning due to weak pseudo-random number generator (bsc#1252380).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:4118-1
Released: Mon Nov 17 09:06:55 2025
Summary: Recommended update for freetype2
Type: recommended
Severity: important
References: 1252148
This update for freetype2 fixes the following issues:
- Fix the %licence tag (bsc#1252148)
* package FTL.TXT and GPLv2.TXT as %license
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:4120-1
Released: Mon Nov 17 10:45:27 2025
Summary: Recommended update for SLES-release, sle-module-python3-release
Type: recommended
Severity: moderate
References:
This update for SLES-release, sle-module-python3-release fixes the following issue:
- SLES-release: Clear codestream EOL info for better readability.
- sle-module-python3-release: Clear EOL as this follows the product EOL.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:4138-1
Released: Wed Nov 19 11:15:12 2025
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1224386,1248501
This update for systemd fixes the following issues:
- systemd.spec: use %sysusers_generate_pre so that some systemd users are
already available in %pre. This is important because D-Bus automatically
reloads its configuration whenever new configuration files are installed,
i.e. between %pre and %post. (bsc#1248501)
No need for systemd and udev packages as they are always installed during
the initial installation.
- Split systemd-network into two new sub-packages: systemd-networkd and
systemd-resolved (bsc#1224386 jsc#PED-12669)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:4155-1
Released: Fri Nov 21 15:09:44 2025
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1233529
This update for cyrus-sasl fixes the following issues:
- Python3 error log upon importing pycurl (bsc#1233529)
* Remove senseless log message.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:4159-1
Released: Fri Nov 21 15:31:48 2025
Summary: Security update for tomcat
Type: security
Severity: important
References: 1252753,1252756,1252905,CVE-2025-55752,CVE-2025-55754,CVE-2025-61795
This update for tomcat fixes the following issues:
Update to Tomcat 9.0.111:
- CVE-2025-55752: Fixed directory traversal via rewrite with possible RCE if PUT
is enabled (bsc#1252753)
- CVE-2025-55754: Fixed improper neutralization of escape, meta, or control
sequences vulnerability (bsc#1252905)
- CVE-2025-61795: Fixed denial of service due to temporary copies during
the processing of multipart upload (bsc#1252756)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:4179-1
Released: Mon Nov 24 08:27:54 2025
Summary: Recommended update for mozilla-nspr
Type: recommended
Severity: moderate
References:
This update for mozilla-nspr fixes the following issues:
- update to NSPR 4.36.2
* Fixed a syntax error in test file parsetm.c, which was introduced in 4.36.1
- update to NSPR 4.36.1
* Incorrect time value produced by PR_ParseTimeString and
PR_ParseTimeStringToExplodedTime if input string doesn't specify seconds.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:4092-1
Released: Mon Nov 24 10:08:22 2025
Summary: Security update for elfutils
Type: security
Severity: moderate
References: 1237236,1237240,1237241,1237242,CVE-2025-1352,CVE-2025-1372,CVE-2025-1376,CVE-2025-1377
This update for elfutils fixes the following issues:
- Fixing build/testsuite for more recent glibc and kernels.
- Fixing denial of service and general buffer overflow errors
(bsc#1237236, bsc#1237240, bsc#1237241, bsc#1237242):
- CVE-2025-1376: Fixed denial of service in function elf_strptr in the library /libelf/elf_strptr.c of the component eu-strip
- CVE-2025-1377: Fixed denial of service in function gelf_getsymshndx of the file strip.c of the component eu-strip
- CVE-2025-1372: Fixed buffer overflow in function dump_data_section/print_string_section of the file readelf.c of the component eu-readelf
- CVE-2025-1352: Fixed SEGV (illegal read access) in function __libdw_thread_tail in the library libdw_alloc.c of the component eu-readelf
- Fixing testsuite race conditions in run-debuginfod-find.sh.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:4196-1
Released: Mon Nov 24 11:54:23 2025
Summary: Security update for grub2
Type: security
Severity: moderate
References: 1236744,1241132,1245953,1252269,1252930,1252931,1252932,1252933,1252934,1252935,CVE-2025-54770,CVE-2025-54771,CVE-2025-61661,CVE-2025-61662,CVE-2025-61663,CVE-2025-61664
This update for grub2 fixes the following issues:
- CVE-2025-54770: Fixed missing unregister call for net_set_vlan command may lead to use-after-free (bsc#1252930)
- CVE-2025-54771: Fixed grub_file_close() does not properly control the fs refcount (bsc#1252931)
- CVE-2025-61661: Fixed out-of-bounds write in grub_usb_get_string() function (bsc#1252932)
- CVE-2025-61662: Fixed missing unregister call for gettext command may lead to use-after-free (bsc#1252933)
- CVE-2025-61663: Fixed missing unregister call for normal commands may lead to use-after-free (bsc#1252934)
- CVE-2025-61664: Fixed missing unregister call for normal_exit command may lead to use-after-free (bsc#1252935)
Other fixes:
- Bump upstream SBAT generation to 6
- Fix timeout when loading initrd via http after PPC CAS reboot (bsc#1245953)
- Fix PPC CAS reboot failure work when initiated via submenu (bsc#1241132)
- Fix out of memory issue on PowerPC by increasing RMA size (bsc#1236744, bsc#1252269)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:4236-1
Released: Tue Nov 25 17:02:19 2025
Summary: Security update for curl
Type: security
Severity: moderate
References: 1253757,CVE-2025-11563
This update for curl fixes the following issues:
- CVE-2025-11563: Fixed wcurl path traversal with percent-encoded slashes (bsc#1253757)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:4247-1
Released: Wed Nov 26 09:56:54 2025
Summary: Security update for sssd
Type: security
Severity: important
References: 1251827,CVE-2025-11561
This update for sssd fixes the following issues:
- CVE-2025-11561: Fixed privilege escalation on AD-joined Linux systems due
to default Kerberos configuration disabling localauth an2ln plugin (bsc#1251827)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:4293-1
Released: Fri Nov 28 10:10:49 2025
Summary: Recommended update for gpgme
Type: recommended
Severity: important
References: 1231055,1252425
This update for gpgme fixes the following issues:
- Treat empty DISPLAY variable as unset (bsc#1252425, bsc#1231055)
* To avoid gpgme constructing an invalid gpg command line when
the DISPLAY variable is empty it can be treated as unset.
* Reported upstream: dev.gnupg.org/T7919
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:4303-1
Released: Fri Nov 28 14:11:38 2025
Summary: Recommended update for kmod
Type: recommended
Severity: important
References: 1253741
This update for kmod fixes the following issues:
- Fix modprobe.d confusion on man page (bsc#1253741):
* document the config file order handling
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:4304-1
Released: Fri Nov 28 14:14:06 2025
Summary: Recommended update for tomcat
Type: recommended
Severity: important
References: 1253460
This update for tomcat fixes the following issues:
- make catalina.sh %config(noreplace) (bsc#1253460)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:4308-1
Released: Fri Nov 28 16:38:46 2025
Summary: Security update for glib2
Type: security
Severity: moderate
References: 1249055,CVE-2025-7039
This update for glib2 fixes the following issues:
- CVE-2025-7039: Fixed buffer under-read on glib through glib/gfileutils.c via get_tmp_file() (bsc#1249055)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:4323-1
Released: Mon Dec 8 19:14:15 2025
Summary: Security update for gnutls
Type: security
Severity: moderate
References: 1254132,CVE-2025-9820
This update for gnutls fixes the following issues:
- CVE-2025-9820: Fixed buffer overflow in gnutls_pkcs11_token_init. (bsc#1254132)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:4350-1
Released: Wed Dec 10 14:52:26 2025
Summary: Recommended update for libX11
Type: recommended
Severity: important
References: 1252250
This update for libX11 fixes the following issues:
- Fix: Barcode scanner input gets jumbled when ibus is running and
an application written in certain frameworks has focus (bsc#1252250)
* imDefLkup: commit first info in XimCommitInfo
* ximcp: Unmark to fabricate key events with XKeyEvent serial
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:4359-1
Released: Thu Dec 11 04:06:53 2025
Summary: Recommended update for apache2
Type: recommended
Severity: moderate
References: 1249359
This update for apache2 fixes the following issues:
- Fixed binary path for Apache's MPM that was partially duplicated when it
can't be invoked/found (bsc#1249359)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:4362-1
Released: Thu Dec 11 11:08:27 2025
Summary: Recommended update for gcc15
Type: recommended
Severity: moderate
References: 1253043
This update for gcc15 fixes the following issues:
- Enable the use of _dl_find_object even when not available at build time. [bsc#1253043]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:4363-1
Released: Thu Dec 11 11:10:57 2025
Summary: Security update for postgresql17, postgresql18
Type: security
Severity: important
References: 1253332,1253333,CVE-2025-12817,CVE-2025-12818
This update for postgresql17, postgresql18 fixes the following issues:
Changes in postgresql18:
- Fix build with uring for post SLE15 code streams.
Update to 18.1:
* https://www.postgresql.org/about/news/p-3171/
* https://www.postgresql.org/docs/release/18.1/
* bsc#1253332, CVE-2025-12817: Missing check for CREATE
privileges on the schema in CREATE STATISTICS allowed table
owners to create statistics in any schema, potentially leading
to unexpected naming conflicts.
* bsc#1253333, CVE-2025-12818: Several places in libpq were not
sufficiently careful about computing the required size of a
memory allocation. Sufficiently large inputs could cause
integer overflow, resulting in an undersized buffer, which
would then lead to writing past the end of the buffer.
- pg_config --libs returns -lnuma so we need to require it.
Update to 18.0:
* https://www.postgresql.org/about/news/p-3142/
* https://www.postgresql.org/docs/18/release-18.html
Changes in postgresql17:
Update to 17.7:
* https://www.postgresql.org/about/news/p-3171/
* https://www.postgresql.org/docs/release/17.7/
* bsc#1253332, CVE-2025-12817: Missing check for CREATE
privileges on the schema in CREATE STATISTICS allowed table
owners to create statistics in any schema, potentially leading
to unexpected naming conflicts.
* bsc#1253333, CVE-2025-12818: Several places in libpq were not
sufficiently careful about computing the required size of a
memory allocation. Sufficiently large inputs could cause
integer overflow, resulting in an undersized buffer, which
would then lead to writing past the end of the buffer.
- switch library to pg 18
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:4368-1
Released: Thu Dec 11 16:12:16 2025
Summary: Security update for python3
Type: security
Severity: low
References: 1251305,1252974,CVE-2025-6075,CVE-2025-8291
This update for python3 fixes the following issues:
- CVE-2025-6075: quadratic complexity in `os.path.expandvars()` can lead to performance degradation when values passed
to it are user-controlled (bsc#1252974).
- CVE-2025-8291: lack of validity checks on the ZIP64 End of Central Directory (EOCD) record allows for the creation of
ZIP archives that are processed inconsistently by the `zipfile` module (bsc#1251305).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:4378-1
Released: Fri Dec 12 10:37:36 2025
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1233655,510058
This update for lvm2 fixes the following issues:
- Maintenance update attempt seems to be stuck at mkinitrd (bsc#510058).
- Fix for 'systemctl start lvmlockd.service' time out (bsc#1233655).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:4388-1
Released: Fri Dec 12 14:36:27 2025
Summary: Security update for postgresql16
Type: security
Severity: important
References: 1253332,1253333,CVE-2025-12817,CVE-2025-12818
This update for postgresql16 fixes the following issues:
Upgraded to 16.11:
- CVE-2025-12817: Fixed missing check for CREATE privileges on the schema in CREATE STATISTICS (bsc#1253332)
- CVE-2025-12818: Fixed integer overflow in allocation-size calculations within libpq (bsc#1253333)
Other fixes:
- Use %product_libs_llvm_ver to determine the LLVM version.
- Remove conditionals for obsolete PostgreSQL releases.
- Sync spec file from version 18.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:4401-1
Released: Mon Dec 15 14:35:37 2025
Summary: Recommended update for sles-release
Type: recommended
Severity: moderate
References:
This update for sles-release fixes the following issue:
- Add corrected EOL value for the codestream reflecting what's on
https://www.suse.com/lifecycle/ - this also fixes issues reported
by some parsing tools, related to ISO_8601 data format.
-----------------------------------------------------------------
Advisory ID: SUSE-Manager-5.0-2025-4456
Released: Thu Dec 18 12:55:55 2025
Summary: Maintenance update for Multi-Linux Manager 5.0: Server, Proxy and Retail Branch Server
Type: recommended
Severity: moderate
References: 1211373,1213308,1217755,1222128,1225740,1227577,1227579,1229825,1229977,1230876,1233496,1235567,1235847,1237536,1238481,1239158,1239636,1240225,1240565,1241013,1241307,1243087,1243183,1243679,1243768,1243808,1243876,1243994,1244027,1244065,1244125,1244219,1244290,1244298,1244329,1244338,1244400,1244427,1244430,1244519,1244542,1244552,1244641,1244648,1244724,1244822,1245027,1245240,1245241,1245307,1245398,1245405,1245528,1245987,1246035,1246421,1246422,1246436,1246452,1246586,1246638,1246659,1246663,1246883,1246957,1246981,1247084,1247111,1247214,1247269,1247305,1247322,1247407,1247481,1247544,1247822,1247951,1247983,1247990,1248247,1248292,1248403,1248409,1248411,1248448,1248467,1248661,1248741,1248799,1248804,1249089,1249148,1249384,1249502,1250239,1250318,1250342,1250423,1250427,1250451,1251117,1251796,1251864,1252023,1252680,1252723
Maintenance update for Multi-Linux Manager 5.0: Server, Proxy and Retail Branch Server
This is a codestream only update
The following package changes have been done:
- branch-network-formula-1.0.0-150600.3.6.1 updated
- libelf1-0.185-150400.5.8.3 updated
- libdw1-0.185-150400.5.8.3 updated
- libsasl2-3-2.1.28-150600.7.14.1 updated
- bind-formula-1.0.0-150600.3.3.1 updated
- libselinux1-3.5-150600.3.3.1 updated
- libudev1-254.27-150600.4.46.2 updated
- libX11-data-1.8.7-150600.3.6.1 updated
- libreadline7-7.0-150400.27.6.1 updated
- bash-4.4-150400.27.6.1 updated
- bash-sh-4.4-150400.27.6.1 updated
- libgcc_s1-15.2.0+git10201-150000.1.6.1 updated
- libglib-2_0-0-2.78.6-150600.4.22.1 updated
- libgpgme11-1.23.0-150600.3.5.1 updated
- dhcpd-formula-1.0.0-150600.3.3.1 updated
- libcurl4-8.14.1-150600.4.31.1 updated
- libkmod2-29-150600.13.3.1 updated
- libsolv-tools-base-0.7.34-150600.8.19.2 updated
- libdevmapper1_03-2.03.22_1.02.196-150600.3.9.3 updated
- liberate-formula-0.1.1-150600.3.3.1 updated
- libstdc++6-15.2.0+git10201-150000.1.6.1 updated
- libsystemd0-254.27-150600.4.46.2 updated
- systemd-254.27-150600.4.46.2 updated
- libatomic1-15.2.0+git10201-150000.1.6.1 updated
- sles-release-15.6-150600.64.12.1 updated
- curl-8.14.1-150600.4.31.1 updated
- libctf-nobfd0-2.45-150100.7.57.1 updated
- libgmodule-2_0-0-2.78.6-150600.4.22.1 updated
- libgobject-2_0-0-2.78.6-150600.4.22.1 updated
- libgomp1-15.2.0+git10201-150000.1.6.1 updated
- libipa_hbac0-2.9.3-150600.3.28.1 updated
- libitm1-15.2.0+git10201-150000.1.6.1 updated
- liblcms2-2-2.15-150600.3.3.2 updated
- liblsan0-15.2.0+git10201-150000.1.6.1 updated
- libpq5-18.1-150600.13.3.1 updated
- libquadmath0-15.2.0+git10201-150000.1.6.1 updated
- libsolv-tools-0.7.34-150600.8.19.2 updated
- libsss_idmap0-2.9.3-150600.3.28.1 updated
- libsss_nss_idmap0-2.9.3-150600.3.28.1 updated
- libxslt1-1.1.34-150400.3.13.1 updated
- mozilla-nspr-4.36.2-150000.3.36.1 updated
- openssh-common-9.6p1-150600.6.34.1 updated
- prometheus-formula-0.9.0-150600.3.3.1 updated
- release-notes-susemanager-5.0.6-150600.11.45.1 updated
- selinux-tools-3.5-150600.3.3.1 updated
- susemanager-schema-utility-5.0.17-150600.3.20.2 updated
- uyuni-config-modules-5.0.20-150600.3.27.1 updated
- vim-data-common-9.1.1629-150500.20.38.1 updated
- libctf0-2.45-150100.7.57.1 updated
- binutils-2.45-150100.7.57.1 updated
- cyrus-sasl-2.1.28-150600.7.14.1 updated
- libpython3_6m1_0-3.6.15-150300.10.100.1 updated
- python3-base-3.6.15-150300.10.100.1 updated
- python3-3.6.15-150300.10.100.1 updated
- python3-curses-3.6.15-150300.10.100.1 updated
- libfreetype6-2.10.4-150000.4.25.1 updated
- postgresql-18-150600.17.9.1 updated
- postgresql16-16.11-150600.16.25.1 updated
- libsss_certmap0-2.9.3-150600.3.28.1 updated
- bind-utils-9.18.33-150600.3.18.1 updated
- libxslt-tools-1.1.34-150400.3.13.1 updated
- openssh-fips-9.6p1-150600.6.34.1 updated
- susemanager-docs_en-5.0.6-150600.11.18.1 updated
- libgio-2_0-0-2.78.6-150600.4.22.1 updated
- glib2-tools-2.78.6-150600.4.22.1 updated
- spacewalk-java-lib-5.0.30-150600.3.41.4 updated
- uyuni-base-common-5.0.3-150600.2.3.1 updated
- libX11-6-1.8.7-150600.3.6.1 updated
- vim-9.1.1629-150500.20.38.1 updated
- apache2-prefork-2.4.58-150600.5.38.1 updated
- cyrus-sasl-gssapi-2.1.28-150600.7.14.1 updated
- cyrus-sasl-digestmd5-2.1.28-150600.7.14.1 updated
- openssh-server-9.6p1-150600.6.34.1 updated
- openssh-clients-9.6p1-150600.6.34.1 updated
- libgnutls30-3.8.3-150600.4.12.1 updated
- zchunk-1.1.16-150600.9.3 added
- python3-susemanager-retail-1.2.0-150600.3.6.1 updated
- python3-solv-0.7.34-150600.8.19.2 updated
- prometheus-exporters-formula-1.4.2-150600.3.3.1 updated
- postgresql-server-18-150600.17.9.1 updated
- postgresql16-server-16.11-150600.16.25.1 updated
- susemanager-docs_en-pdf-5.0.6-150600.11.18.1 updated
- susemanager-schema-5.0.17-150600.3.20.2 updated
- perl-Satcon-5.0.2-150600.3.3.1 updated
- susemanager-sync-data-5.0.14-150600.3.25.1 updated
- apache2-2.4.58-150600.5.38.1 updated
- openssh-9.6p1-150600.6.34.1 updated
- grub2-2.12-150600.8.44.2 updated
- grub2-i386-pc-2.12-150600.8.44.2 updated
- susemanager-retail-tools-1.2.0-150600.3.6.1 updated
- virtual-host-gatherer-1.0.29-150600.8.3.1 updated
- python3-pyasn1-modules-0.2.1-150000.3.7.1 added
- postgresql16-contrib-16.11-150600.16.25.1 updated
- postgresql-contrib-18-150600.17.9.1 updated
- sssd-ldap-2.9.3-150600.3.28.1 updated
- sssd-2.9.3-150600.3.28.1 updated
- sssd-krb5-common-2.9.3-150600.3.28.1 updated
- java-17-openjdk-headless-17.0.17.0-150400.3.60.2 updated
- grub2-x86_64-efi-2.12-150600.8.44.2 updated
- grub2-powerpc-ieee1275-2.12-150600.8.44.2 updated
- grub2-arm64-efi-2.12-150600.8.44.2 updated
- inter-server-sync-0.3.9-150600.3.9.2 updated
- spacecmd-5.0.14-150600.4.18.1 updated
- virtual-host-gatherer-Nutanix-1.0.29-150600.8.3.1 updated
- python3-ldap-3.4.0-150400.3.3.1 added
- spacewalk-backend-sql-postgresql-5.0.16-150600.4.23.7 updated
- sssd-krb5-2.9.3-150600.3.28.1 updated
- sssd-dbus-2.9.3-150600.3.28.1 updated
- python3-sssd-config-2.9.3-150600.3.28.1 updated
- sssd-ad-2.9.3-150600.3.28.1 updated
- tomcat-servlet-4_0-api-9.0.111-150200.99.1 updated
- tomcat-el-3_0-api-9.0.111-150200.99.1 updated
- java-17-openjdk-17.0.17.0-150400.3.60.2 updated
- spacewalk-base-minimal-5.0.25-150600.3.33.9 updated
- spacewalk-config-5.0.8-150600.3.15.1 updated
- virtual-host-gatherer-Libvirt-1.0.29-150600.8.3.1 updated
- sssd-tools-2.9.3-150600.3.28.1 updated
- sssd-ipa-2.9.3-150600.3.28.1 updated
- tomcat-jsp-2_3-api-9.0.111-150200.99.1 updated
- apache-commons-text-1.10.0-150200.5.11.1 added
- netty-4.1.128-150200.4.37.1 updated
- python3-firewall-1.3.4-150600.13.3.1 updated
- spacewalk-base-minimal-config-5.0.25-150600.3.33.9 updated
- tomcat-lib-9.0.111-150200.99.1 updated
- ongres-scram-2.1-150400.8.5.1 updated
- firewalld-1.3.4-150600.13.3.1 updated
- python3-rhnlib-5.0.6-150600.4.9.1 updated
- ongres-scram-client-2.1-150400.8.5.1 updated
- spacewalk-backend-5.0.16-150600.4.23.7 updated
- python3-spacewalk-client-tools-5.0.11-150600.4.15.5 updated
- spacewalk-client-tools-5.0.11-150600.4.15.5 updated
- spacewalk-base-5.0.25-150600.3.33.9 updated
- spacewalk-search-5.0.6-150600.3.12.1 updated
- salt-3006.0-150600.8.12.2 updated
- python3-salt-3006.0-150600.8.12.2 updated
- spacewalk-backend-sql-5.0.16-150600.4.23.7 updated
- python3-spacewalk-certs-tools-5.0.12-150600.3.17.1 updated
- spacewalk-certs-tools-5.0.12-150600.3.17.1 updated
- mgr-push-5.0.3-150600.2.3.1 updated
- python3-mgr-push-5.0.3-150600.2.3.1 updated
- spacewalk-admin-5.0.12-150600.3.14.1 updated
- tomcat-9.0.111-150200.99.1 updated
- salt-master-3006.0-150600.8.12.2 updated
- virtual-host-gatherer-VMware-1.0.29-150600.8.3.1 updated
- virtual-host-gatherer-libcloud-1.0.29-150600.8.3.1 updated
- cobbler-3.3.3-150600.5.17.5 updated
- spacewalk-backend-server-5.0.16-150600.4.23.7 updated
- susemanager-sls-5.0.20-150600.3.27.1 updated
- uyuni-base-server-5.0.3-150600.2.3.1 updated
- spacewalk-java-postgresql-5.0.30-150600.3.41.4 updated
- spacewalk-branding-5.0.3-150600.3.3.1 updated
- spacewalk-java-config-5.0.30-150600.3.41.4 updated
- salt-api-3006.0-150600.8.12.2 updated
- susemanager-tftpsync-5.0.2-150600.3.3.1 updated
- spacewalk-backend-xmlrpc-5.0.16-150600.4.23.7 updated
- spacewalk-backend-xml-export-libs-5.0.16-150600.4.23.7 updated
- spacewalk-backend-package-push-server-5.0.16-150600.4.23.7 updated
- spacewalk-backend-iss-5.0.16-150600.4.23.7 updated
- spacewalk-backend-app-5.0.16-150600.4.23.7 updated
- spacewalk-reports-5.0.4-150600.3.6.1 updated
- spacewalk-html-5.0.25-150600.3.33.9 updated
- spacewalk-taskomatic-5.0.30-150600.3.41.4 updated
- spacewalk-java-5.0.30-150600.3.41.4 updated
- spacewalk-backend-iss-export-5.0.16-150600.4.23.7 updated
- susemanager-tools-5.0.16-150600.3.22.1 updated
- spacewalk-backend-tools-5.0.16-150600.4.23.7 updated
- supportutils-plugin-susemanager-5.0.6-150600.3.9.1 updated
- spacewalk-common-5.0.4-150600.3.3.1 updated
- spacewalk-utils-5.0.8-150600.3.12.1 updated
- spacewalk-postgresql-5.0.4-150600.3.3.1 updated
- spacewalk-setup-5.0.8-150600.3.9.1 updated
- susemanager-5.0.16-150600.3.22.1 updated
- container:suse-manager-5.0-init-5.0.6-5.0.6-7.27.8 added
- container:suse-manager-5.0-init-5.0.5.1-5.0.5.1-7.24.10 removed
- susemanager-frontend-libs-5.0.0-150600.1.1 removed