SUSE-IU-2025:537-1: Security update of suse/sl-micro/6.1/baremetal-os-container

sle-container-updates at lists.suse.com sle-container-updates at lists.suse.com
Fri Feb 7 16:59:09 UTC 2025 

SUSE Image Update Advisory: suse/sl-micro/6.1/baremetal-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:537-1
Image Tags        : suse/sl-micro/6.1/baremetal-os-container:2.2.0 , suse/sl-micro/6.1/baremetal-os-container:2.2.0-4.3 , suse/sl-micro/6.1/baremetal-os-container:latest
Image Release     : 4.3
Severity          : critical
Type              : security
References        : 1234100 1234101 1234102 1234103 1234104 1235475 CVE-2024-12084
                        CVE-2024-12085 CVE-2024-12086 CVE-2024-12087 CVE-2024-12088 CVE-2024-12747
-----------------------------------------------------------------

The container suse/sl-micro/6.1/baremetal-os-container was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 15
Released:    Fri Feb  7 10:57:24 2025
Summary:     Security update for rsync
Type:        security
Severity:    critical
References:  1234100,1234101,1234102,1234103,1234104,1235475,CVE-2024-12084,CVE-2024-12085,CVE-2024-12086,CVE-2024-12087,CVE-2024-12088,CVE-2024-12747
This update for rsync fixes the following issues:

- Bump protocol version to 32 - make it easier to show server is patched. 

- Fix FLAG_GOT_DIR_FLIST collission with FLAG_HLINKED

- Security update,CVE-2024-12747, bsc#1235475 race condition in handling symbolic links
 
- Security update, fix multiple vulnerabilities:
  * CVE-2024-12084, bsc#1234100 - Heap Buffer Overflow in Checksum Parsing
  * CVE-2024-12085, bsc#1234101 - Info Leak via uninitialized Stack contents defeats ASLR
  * CVE-2024-12086, bsc#1234102 - Server leaks arbitrary client files
  * CVE-2024-12087, bsc#1234103 - Server can make client write files outside of destination directory using symbolic links
  * CVE-2024-12088, bsc#1234104 - --safe-links Bypass


The following package changes have been done:

- rsync-3.3.0-slfo.1.1_3.1 updated
- container:SL-Micro-base-container-2.2.0-4.4 updated

More information about the sle-container-updates mailing list