SUSE-CU-2025:957-1: Security update of suse/manager/5.0/x86_64/server-attestation

sle-container-updates at lists.suse.com
Mon Feb 17 08:09:45 UTC 2025


SUSE Container Update Advisory: suse/manager/5.0/x86_64/server-attestation
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:957-1
Container Tags        : suse/manager/5.0/x86_64/server-attestation:5.0.3 , suse/manager/5.0/x86_64/server-attestation:5.0.3.6.11.3 , suse/manager/5.0/x86_64/server-attestation:latest
Container Release     : 6.11.3
Severity              : important
Type                  : security
References            : 1027642 1212161 1212985 1213437 1215815 1216683 1216946 1217338
                        1220494 1220902 1221219 1222447 1222574 1222820 1224318 1226958
                        1227374 1227644 1227759 1227827 1227852 1227882 1228182 1228232
                        1228261 1228319 1228351 1228856 1228956 1229000 1229077 1229079
                        1229286 1229848 1229902 1230502 1230585 1230670 1230741 1230833
                        1230943 1231053 1231255 1231347 1231377 1231378 1231398 1231404
                        1231428 1231430 1231459 1231463 1231472 1231762 1232042 1232125
                        1232530 1232713 1233258 1233282 1233383 1233400 1233426 1233431
                        1233450 1233497 1233595 1233696 1233699 1233724 1233761 1233793
                        1233871 1233884 1234251 1234441 1234665 1234994 1235145 1235692
                        1235908 1236136 1236278 1236619 1236878 CVE-2024-12133 CVE-2024-13176
                        CVE-2024-21528 CVE-2024-28168 CVE-2024-45801 CVE-2024-52533 CVE-2025-21502
                        CVE-2025-24528 
-----------------------------------------------------------------

The container suse/manager/5.0/x86_64/server-attestation was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4045-1
Released:    Mon Nov 25 08:33:05 2024
Summary:     Recommended update for patterns-base
Type:        recommended
Severity:    moderate
References:  
This update for patterns-base fixes the following issue:

- Updated patterns-base, removing the plymouth recommendation on s390x archs.
  Our certification team ran into an issue (jsc#PED-10532) when running a
  bare metal installation with a fully encrypted disk.
  If the whole disk is encrypted, the password prompt is sent to
  plymouth, which shows nothing because a bare metal (LPAR) boot
  uses the terminal in the HMC.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4054-1
Released:    Tue Nov 26 06:05:40 2024
Summary:     Security update for javapackages-tools, xmlgraphics-batik, xmlgraphics-commons, xmlgraphics-fop
Type:        security
Severity:    moderate
References:  1231347,1231428,CVE-2024-28168
This update for javapackages-tools, xmlgraphics-batik, xmlgraphics-commons, xmlgraphics-fop fixes the following issues:

xmlgraphics-fop was updated from version 2.8 to 2.10:
 
- Security issues fixed:

  * CVE-2024-28168: Fixed improper restriction of XML External Entity (XXE) reference (bsc#1231428)
    
- Upstream changes and bugs fixed:

  * Version 2.10:

    + footnote-body ignores rl-tb writing mode
    + SVG tspan content is displayed out of place
    + Added new schema to handle pdf/a and pdfa/ua
    + Correct fop version at runtime
    + NoSuchElementException when using font with no family name
    + Resolve classpath for binary distribution
    + Switch to spotbugs
    + Set an automatic module name
    + Rename packages to avoid conflicts with modules
    + Resize table only for multicolumn page
    + Missing jars in servlet
    + Optimise performance of PNG with alpha using raw loader
    + basic-link not navigating to corresponding footnote
    + Added option to sign PDF
    + Added secure processing for XSL input
    + Allow sections which need security permissions to be run when AllPermission denied in caller code
    + Remove unused PDFStructElem
    + Remove space generated by fo:wrapper
    + Reset content length for table changing ipd
    + Added alt text to PDF signature
    + Allow change of resource level for SVG in AFP
    + Exclude shape not in clipping path for AFP
    + Only support 1 column for redo of layout without page pos only
    + Switch to Jakarta servlet API
    + NPE when list item is split alongside an ipd change
    + Added mandatory MODCA triplet to AFP
    + Redo layout for multipage columns
    + Added image mask option for AFP
    + Skip written block ipds inside float
    + Allow curly braces for src url
    + Missing content for last page with change ipd
    + Added warning when different pdf languages are used
    + Only restart line manager when there is a linebreak for blocklayout

  * Version 2.9:

    + Values in PDF Number Trees must be indirect references
    + Do not delete files on syntax errors using command line
    + Surrogate pair edge-case causes Exception
    + Reset character spacing
    + SVG text containing certain glyphs isn't rendered
    + Remove duplicate classes from maven classpath
    + Allow use of page position only on redo of layout
    + Failure to render multi-block itemBody alongside float
    + Update to PDFBox 2.0.27
    + NPE if link destination is missing with accessibility
    + Make property cache thread safe
    + Font size was rounded to 0 for AFP TTF
    + Cannot process a SVG using mvn jars
    + Remove serializer jar
    + Allow creating a PDF 2.0 document
    + Text missing after page break inside table inline
    + IllegalArgumentException for list in a table
    + Table width may be too wide when layout width changes
    + NPE when using broken link and PDF 1.5
    + Allow XMP at PDF page level
    + Symbol font was not being mapped to unicode
    + Correct font differences table for Chrome
    + Link against Java 8 API
    + Added support for font-selection-strategy=character-by-character
    + Merge form fields in external PDFs
    + Fixed test for Java 11

xmlgraphics-batik was updated from version 1.17 to 1.18:

- PNG transcoder references nonexistent class
- Set offset to 0 if missing in stop tag
- Validate throws NPE
- Fixed missing arabic characters
- Animated rotate transform ignores y-origin at exactly 270 degrees
- Set an automatic module name
- Ignore inkscape properties
- Switch to spotbugs
- Allow source and target resolution configuration

xmlgraphics-commons was updated from version 2.8 to 2.10:

- Fixed test for Java 11
- Allow XMP at PDF page level
- Allow source resolution configuration
- Added new schema to handle pdf/a and pdfa/ua
- Set an automatic module name
- Switch to spotbugs
- Do not use a singleton for ImageImplRegistry

javapackages-tools was updated from version 6.3.0 to 6.3.4:

- Version 6.3.4:

  * A corner case when which is not present
  * Remove dependency on which
  * Simplify after the which -> type -p change
  * jpackage_script: Remove pointless assignment when %java_home is unset
  * Don't export JAVA_HOME (bsc#1231347)

- Version 6.3.2:

  * Search for JAVACMD under JAVA_HOME only if it's set
  * Obsolete set_jvm and set_jvm_dirs functions
  * Drop unneeded _set_java_home function
  * Remove JAVA_HOME check from check_java_env function
  * Bump codecov/codecov-action from 2.0.2 to 4.6.0
  * Bump actions/setup-python from 4 to 5
  * Bump actions/checkout from 2 to 4
  * Added custom dependabot config
  * Remove the test for JAVA_HOME and error if it is not set
  * java-functions: Remove unneeded local variables
  * Fixed build status shield

- Version 6.3.1:

  * Allow missing components with abs2rel
  * Fixed tests with python 3.4
  * Sync spec file from Fedora
  * Drop default JRE/JDK
  * Fixed the use of java-functions in scripts
  * Test that we don't bomb on <relativePath/>
  * Test variable expansion in artifactId
  * Interpolate properties also in the current artifact
  * Rewrite abs2rel in shell
  * Use asciidoctor instead of asciidoc
  * Fixed incompatibility with RPM 4.20
  * Reproducible exclusions order in maven metadata
  * Do not bomb on <relativePath/> construct
  * Make maven_depmap order of aliases reproducible

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4055-1
Released:    Tue Nov 26 06:25:26 2024
Summary:     Recommended update for Jackson
Type:        recommended
Severity:    moderate
References:  
This update for Jackson fixes the following issues:

jackson-annotations was updated from version 2.16.1 to 2.17.3:
    
- Allow `@JsonAnySetter` on `ElementType.PARAMETER` (for use on constructor parameters)
- Build the module-info.java source too (with release=9)

jackson-bom was updated from version 2.16.1 to 2.17.3:

- Added `jackson-jr-extension-javatime`
- Added managed dependency to JUnit5
- Removed unused JUnit5 dependency

jackson-core, jackson-databind, jackson-dataformats-binary were updated from version 2.16.1 to 2.17.3:

- Various minor bugs have been fixed

jackson-modules-base was updated from version 2.16.1 to 2.17.3:

- Version update with no changes

jackson-parent was updated from version 2.16 to 2.17:

- Update to oss-parent 58 (plugin version updates)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4156-1
Released:    Tue Dec  3 14:13:15 2024
Summary:     Recommended update for sles15-image
Type:        recommended
Severity:    moderate
References:  
This update for sles15-image fixes the following issues:

- README.md updates
- explicitly require openssl-3 cli
- reorder tags (list the more specific ones first)
- set oci.ref.name and oci.authors correctly

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4224-1
Released:    Fri Dec  6 10:24:50 2024
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1233699
This update for glibc fixes the following issue:

- Remove nss-systemd from default nsswitch.conf (bsc#1233699).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4254-1
Released:    Fri Dec  6 18:03:05 2024
Summary:     Security update for glib2
Type:        security
Severity:    important
References:  1231463,1233282,CVE-2024-52533
This update for glib2 fixes the following issues:

Security issues fixed:

- CVE-2024-52533: Fix a single byte buffer overflow in set_connect_msg() (bsc#1233282).

Non-security issue fixed:

- Fix error when uninstalling packages (bsc#1231463).


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:38-1
Released:    Thu Jan  9 10:24:48 2025
Summary:     Recommended update for sles15-image
Type:        recommended
Severity:    moderate
References:  
This update for sles15-image fixes the following issues:

- switch to public-dl.suse.com

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:135-1
Released:    Thu Jan 16 11:20:40 2025
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1234665
This update for glibc fixes the following issues:

- Linux: Switch back to assembly syscall wrapper for prctl (bsc#1234665).
- Correctly determine livepatching support.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:338-1
Released:    Mon Feb  3 16:12:41 2025
Summary:     Security update for java-11-openjdk
Type:        security
Severity:    moderate
References:  1236278,CVE-2025-21502
This update for java-11-openjdk fixes the following issues:

Upgrade to upstream tag jdk-11.0.26+4 (January 2025 CPU)

Security fixes:

- CVE-2025-21502: Enhance array handling (JDK-8330045, bsc#1236278)

Other changes:

- JDK-8224624: Inefficiencies in CodeStrings::add_comment cause timeouts
- JDK-8225045: javax/swing/JInternalFrame/8146321/JInternalFrameIconTest.java fails on linux-x64
- JDK-8232367: Update Reactive Streams to 1.0.3 -- tests only
- JDK-8247706: Unintentional use of new Date(year...) with absolute year
- JDK-8299254: Support dealing with standard assert macro
- JDK-8303920: Avoid calling out to python in DataDescriptorSignatureMissing test
- JDK-8315936: Parallelize gc/stress/TestStressG1Humongous.java test
- JDK-8316193: jdk/jfr/event/oldobject/TestListenerLeak.java java.lang.Exception: Could not find leak
- JDK-8328300: Convert PrintDialogsTest.java from Applet to main program
- JDK-8328642: Convert applet test MouseDraggedOutCauseScrollingTest.html to main
- JDK-8334332: TestIOException.java fails if run by root
- JDK-8335428: Enhanced Building of Processes
- JDK-8335801: [11u] Backport of 8210988 to 11u removes gcc warnings
- JDK-8335912, JDK-8337499: Add an operation mode to the jar command when extracting to not overwrite existing files
- JDK-8336564: Enhance mask blit functionality redux
- JDK-8338402: GHA: some of bundles may not get removed
- JDK-8339082: Bump update version for OpenJDK: jdk-11.0.26
- JDK-8339180: Enhanced Building of Processes: Follow-on Issue
- JDK-8339470: [17u] More defensive fix for 8163921
- JDK-8339637: (tz) Update Timezone Data to 2024b
- JDK-8339644: Improve parsing of Day/Month in tzdata rules
- JDK-8339803: Acknowledge case insensitive unambiguous keywords in tzdata files
- JDK-8340552: Harden TzdbZoneRulesCompiler against missing zone names
- JDK-8340671: GHA: Bump macOS and Xcode versions to macos-12 and XCode 13.4.1
- JDK-8340815: Add SECURITY.md file
- JDK-8342426: [11u] javax/naming/module/RunBasic.java javac compile fails
- JDK-8342629: [11u] Properly message out that shenandoah is disabled
- JDK-8347483: [11u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.26


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:401-1
Released:    Mon Feb 10 10:38:28 2025
Summary:     Security update for crypto-policies, krb5
Type:        security
Severity:    moderate
References:  1236619,CVE-2025-24528
This update for crypto-policies and krb5 fixes the following issues:

Security issue fixed:

- CVE-2025-24528: Fixed an out-of-bounds write caused by an overflow when calculating the ulog block size, which could lead to a process crash (bsc#1236619).

Feature addition:

- Add crypto-policies support (jsc#PED-12018)

  * The default krb5.conf has been updated to include config
    snippets from the krb5.conf.d directory, where crypto-policies
    drops its snippets.

- Allow using KRB5KDF in FIPS mode (jsc#PED-12018)

  * This key derivation function is used by the AES256-CTS-HMAC-SHA1-96
    and AES128-CTS-HMAC-SHA1-96 encryption types, which Active
    Directory uses. Whether these encryption types are allowed in
    FIPS mode is now enforced by the FIPS:AD-SUPPORT subpolicy.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:430-1
Released:    Tue Feb 11 15:13:32 2025
Summary:     Security update for openssl-3
Type:        security
Severity:    moderate
References:  1236136,CVE-2024-13176
This update for openssl-3 fixes the following issues:

- CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:508-1
Released:    Thu Feb 13 12:29:31 2025
Summary:     Recommended update for findutils
Type:        recommended
Severity:    moderate
References:  1231472
This update for findutils fixes the following issue:

- Fix a crash when a file system loop was encountered (bsc#1231472).

-----------------------------------------------------------------
Advisory ID: SUSE-Manager-5.0-2025-523
Released:    Fri Feb 14 08:15:57 2025
Summary:     Maintenance update for SUSE Manager 5.0: Server, Proxy and Retail Branch Server
Type:        recommended
Severity:    moderate
References:  1027642,1212161,1212985,1213437,1215815,1216683,1216946,1217338,1220494,1220902,1221219,1222447,1222574,1222820,1224318,1226958,1227374,1227644,1227759,1227827,1227852,1227882,1228182,1228232,1228261,1228319,1228351,1228856,1228956,1229000,1229077,1229079,1229286,1229848,1229902,1230502,1230585,1230670,1230741,1230833,1230943,1231053,1231255,1231377,1231378,1231398,1231404,1231430,1231459,1231762,1232042,1232125,1232530,1232713,1233258,1233383,1233400,1233426,1233431,1233450,1233497,1233595,1233696,1233724,1233761,1233793,1233871,1233884,1234251,1234441,1234994,1235145,1235692,1235908,CVE-2024-21528,CVE-2024-45801
Maintenance update for SUSE Manager 5.0: Server, Proxy and Retail Branch Server

This is a codestream-only update.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:548-1
Released:    Fri Feb 14 11:19:24 2025
Summary:     Security update for libtasn1
Type:        security
Severity:    important
References:  1236878,CVE-2024-12133
This update for libtasn1 fixes the following issues:

- CVE-2024-12133: Processing of input DER data containing a large number of SEQUENCE OF or SET OF elements
  took quadratic time to complete (bsc#1236878).


The following package changes have been done:

- findutils-4.8.0-150300.3.3.2 updated
- libtasn1-6-4.13-150000.4.11.1 updated
- libtasn1-4.13-150000.4.11.1 updated
- glibc-2.38-150600.14.20.3 updated
- libglib-2_0-0-2.78.6-150600.4.8.1 updated
- crypto-policies-20230920.570ea89-150600.3.3.1 updated
- openssl-3-3.1.4-150600.5.24.1 updated
- patterns-base-fips-20200124-150600.32.3.2 updated
- libopenssl-3-fips-provider-3.1.4-150600.5.24.1 updated
- javapackages-filesystem-6.3.4-150200.3.15.1 updated
- libopenssl3-3.1.4-150600.5.24.1 updated
- javapackages-tools-6.3.4-150200.3.15.1 updated
- java-11-openjdk-headless-11.0.26.0-150000.3.122.1 updated
- jackson-core-2.17.3-150200.3.19.1 updated
- jackson-annotations-2.17.3-150200.3.19.1 updated
- jackson-databind-2.17.3-150200.3.23.1 updated
- uyuni-java-common-5.0.6-150600.3.6.3 updated
- uyuni-coco-attestation-core-5.0.6-150600.3.6.3 updated
- uyuni-coco-attestation-module-snpguest-5.0.6-150600.3.6.3 updated
- uyuni-coco-attestation-module-secureboot-5.0.6-150600.3.6.3 updated
- container:sles15-image-15.6.0-47.18.1 updated

