SUSE-CU-2025:959-1: Security update of suse/manager/5.0/x86_64/server

sle-container-updates at lists.suse.com
Mon Feb 17 08:09:56 UTC 2025


SUSE Container Update Advisory: suse/manager/5.0/x86_64/server
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:959-1
Container Tags        : suse/manager/5.0/x86_64/server:5.0.3 , suse/manager/5.0/x86_64/server:5.0.3.7.16.1 , suse/manager/5.0/x86_64/server:latest
Container Release     : 7.16.1
Severity              : important
Type                  : security
References            : 1027642 1047218 1082756 1189451 1193911 1212161 1212985 1213437
                        1215815 1216091 1216683 1216946 1217338 1219736 1220338 1220494
                        1220902 1221219 1222447 1222574 1222820 1224318 1226958 1227374
                        1227644 1227759 1227827 1227852 1227882 1228182 1228182 1228182
                        1228232 1228261 1228319 1228351 1228690 1228690 1228856 1228956
                        1229000 1229077 1229079 1229106 1229228 1229286 1229848 1229902
                        1230502 1230585 1230670 1230741 1230833 1230943 1231053 1231255
                        1231377 1231378 1231398 1231404 1231430 1231459 1231472 1231762
                        1232042 1232125 1232227 1232458 1232530 1232713 1233258 1233297
                        1233383 1233400 1233426 1233431 1233433 1233435 1233450 1233497
                        1233520 1233595 1233667 1233667 1233696 1233724 1233752 1233760
                        1233761 1233793 1233871 1233884 1233954 1234015 1234100 1234101
                        1234102 1234103 1234104 1234214 1234245 1234251 1234313 1234333
                        1234368 1234384 1234384 1234420 1234420 1234441 1234663 1234664
                        1234665 1234752 1234765 1234809 1234994 1235145 1235151 1235475
                        1235636 1235692 1235873 1235895 1235908 1236136 1236267 1236278
                        1236278 1236460 1236588 1236590 1236596 1236597 1236619 1236705
                        1236787 1236809 1236878 1236960 CVE-2021-41495 CVE-2022-49043
                        CVE-2024-11187 CVE-2024-12084 CVE-2024-12085 CVE-2024-12086 CVE-2024-12087
                        CVE-2024-12088 CVE-2024-12133 CVE-2024-12705 CVE-2024-12747 CVE-2024-13176
                        CVE-2024-21528 CVE-2024-45801 CVE-2024-47535 CVE-2024-50379 CVE-2024-52317
                        CVE-2024-54677 CVE-2024-56326 CVE-2024-56337 CVE-2025-0167 CVE-2025-0725
                        CVE-2025-0938 CVE-2025-21502 CVE-2025-21502 CVE-2025-24528 
-----------------------------------------------------------------

The container suse/manager/5.0/x86_64/server was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4407-1
Released:    Mon Dec 23 09:49:24 2024
Summary:     Security update for aalto-xml, flatten-maven-plugin, jctools, moditect, netty, netty-tcnative
Type:        security
Severity:    moderate
References:  1047218,1233297,CVE-2024-47535
This update for aalto-xml, flatten-maven-plugin, jctools, moditect, netty, netty-tcnative fixes the following issues:

- CVE-2024-47535: Fixed unsafe reading of large environment files in netty when it is loaded by a Java application, 
which can lead to a crash due to the JVM memory limit being exceeded (bsc#1233297)

Other fixes:
- Upgraded netty to upstream version 4.1.115
- Upgraded netty-tcnative to version 2.0.69 Final
- Updated jctools to version 4.0.5
- Updated aalto-xml to version 1.3.3
- Updated moditect to version 1.2.2
- Updated flatten-maven-plugin to version 1.6.0
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4415-1
Released:    Mon Dec 23 20:45:48 2024
Summary:     Recommended update for binutils
Type:        recommended
Severity:    moderate
References:  1233520
This update for binutils fixes the following issues:

Update to current 2.43.1 branch [PED-10254, PED-10306]:

* s390 - Add arch15 instructions
* various fixes from upstream: PR32153, PR32171, PR32189,
  PR32196, PR32191, PR32109, PR32372, PR32387


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:7-1
Released:    Thu Jan  2 15:33:50 2025
Summary:     Recommended update for sssd
Type:        recommended
Severity:    important
References:  1234384,1234420
This update for sssd fixes the following issues:

- Fix file descriptor leak related to getpwnam()/getpwuid() to /var/lib/sss/pipes/nss socket (bsc#1234384)
- Revert the change dropping /etc/sssd/conf.d dir (bsc#1234420)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:10-1
Released:    Fri Jan  3 14:53:56 2025
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1220338,1232227,1234015
This update for systemd fixes the following issues:

- Drop support for efivar SystemdOptions (bsc#1220338)
- pid1: make clear that $WATCHDOG_USEC is set for the shutdown binary (bsc#1232227)
- udev: allow/denylist for reading sysfs attributes when composing a NIC name (bsc#1234015)
- udev: add new builtin net_driver
- udev-builtin-net_id: split-out pci_get_onboard_index() from dev_pci_onboard()
- udev-builtin-net_id: split-out get_pci_slot_specifiers()
- udev-builtin-net_id: introduce get_port_specifier() helper function
- udev-builtin-net_id: split out get_dev_port() and make its failure critical
- udev-builtin-net_id: split-out pci_get_hotplug_slot() and pci_get_hotplug_slot_from_address()
- udev-builtin-net_id: return earlier when hotplug slot is not found
- udev-builtin-net_id: skip non-directory entry earlier
- udev-builtin-net_id: make names_xen() self-contained
- udev-builtin-net_id: use sd_device_get_sysnum() to get index of netdevsim
- udev-builtin-net_id: make names_netdevsim() self-contained
- udev-builtin-net_id: make names_platform() self-contained
- udev-builtin-net_id: make names_vio() self-contained
- udev-builtin-net_id: make names_ccw() self-contained
- udev-builtin-net_id: make dev_devicetree_onboard() self-contained
- udev-builtin-net_id: make names_mac() self-contained
- udev-builtin-net_id: split out get_ifname_prefix()
- udev-builtin-net_id: swap arguments for streq() and friends
- udev-builtin-net_id: drop unused value from NetNameType

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:14-1
Released:    Mon Jan  6 07:28:59 2025
Summary:     Recommended update for python3-Flask
Type:        recommended
Severity:    important
References:  1233954
This update for python3-Flask fixes the following issues:

- Use alternatives for /usr/bin/flask to avoid conflict with python311-Flask package (bsc#1233954)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:29-1
Released:    Tue Jan  7 11:41:20 2025
Summary:     Security update for python-Jinja2
Type:        security
Severity:    important
References:  1234809,CVE-2024-56326
This update for python-Jinja2 fixes the following issues:

  - CVE-2024-56326: Fixed sandbox breakout through indirect reference to format method (bsc#1234809)


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:42-1
Released:    Thu Jan  9 16:04:03 2025
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1219736
This update for permissions fixes the following issues:

- Update to version 20240826:

  * chkstat: backport support to operate in insecure mode via envvar opt-in (bsc#1219736)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:77-1
Released:    Mon Jan 13 10:43:05 2025
Summary:     Recommended update for curl
Type:        recommended
Severity:    moderate
References:  1235151

This update for curl fixes the following issue:

- smtp: for starttls, do full upgrade [bsc#1235151]
  * Make sure the TLS handshake after a successful STARTTLS command
    is fully done before further sending/receiving on the connection.
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:79-1
Released:    Mon Jan 13 12:50:24 2025
Summary:     Recommended update for libnl3, ovpn-dco, openVPN
Type:        recommended
Severity:    moderate
References:  1082756,1189451
This update for libnl3, ovpn-dco, openVPN fixes the following issues:

- Update libnl to release 3.9
- Create Multibuild Environment to support openVPN Data Channel Offload (openvpn-dco package)(#PED-8305)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:135-1
Released:    Thu Jan 16 11:20:40 2025
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1234665
This update for glibc fixes the following issues:

- Linux: Switch back to assembly syscall wrapper for prctl (bsc#1234665).
- Correctly determine livepatching support.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:156-1
Released:    Fri Jan 17 12:59:07 2025
Summary:     Security update for rsync
Type:        security
Severity:    important
References:  1234100,1234101,1234102,1234103,1234104,1235475,1235895,CVE-2024-12084,CVE-2024-12085,CVE-2024-12086,CVE-2024-12087,CVE-2024-12088,CVE-2024-12747
This update for rsync fixes the following issues:

- CVE-2024-12084: heap buffer overflow in checksum parsing. (bsc#1234100)
- CVE-2024-12085: leak of uninitialized stack data on the server leading to possible ASLR bypass. (bsc#1234101)
- CVE-2024-12086: leak of a client machine's file contents through the processing of checksum data. (bsc#1234102)
- CVE-2024-12087: arbitrary file overwrite possible on clients when symlink syncing is enabled. (bsc#1234103)
- CVE-2024-12088: bypass of the --safe-links flag may allow the placement of unsafe symlinks in a client. (bsc#1234104)
- CVE-2024-12747: race condition in rsync handling symbolic links (bsc#1235475)

-----------------------------------------------------------------
Advisory ID: SUSE-feature-2025:222-1
Released:    Wed Jan 22 12:30:04 2025
Summary:     Feature update for zypper, libzypp
Type:        feature
Severity:    low
References:  
This update for zypper, libzypp fixes the following issues:

- info: Allow to query a specific version (jsc#PED-11268)
  To query for a specific version simply append '-<version>' or
  '-<version>-<release>' to the '<name>' pattern. Note that the
  edition part must always match exactly.
- version 1.14.79

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:225-1
Released:    Wed Jan 22 15:31:54 2025
Summary:     Recommended update for vim
Type:        recommended
Severity:    moderate
References:  1234214,1234245,1234333
This update for vim fixes the following issues:

- Fix for migration problems related to 'xxd', a subpackage of vim (bsc#1234333 / bsc#1234214 / bsc#1234245).

  Package 'xxd' has been obsoleted by Vim, as it provides the xxd
  files directly.

  However, because the 'Obsoletes' entry was versioned, depending on
  which version of 'xxd' that is installed, the 'Obsoletes' isn't
  actually triggered. Thus, there is a conflict between 'vim' and
  'xxd' in these cases.

  Fixing this by removing the version completely. The 'vim' package
  should always replace 'xxd', even if people are migrating from an
  older SLE15 service pack which has the exact same version.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:316-1
Released:    Fri Jan 31 19:19:10 2025
Summary:     Recommended update for sssd
Type:        recommended
Severity:    important
References:  1234368,1234384,1234420
This update for sssd fixes the following issues:

- Allow multiple services per port (bsc#1234368).
- Fix nss socket leaks (bsc#1234384).
- Fix missing /etc/sssd/conf.d sub directory (bsc#1234420).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:330-1
Released:    Mon Feb  3 11:50:09 2025
Summary:     Recommended update for apache2
Type:        recommended
Severity:    moderate
References:  1233433
This update for apache2 fixes the following issue:

- update-alternatives script not called during httpd update, never triggered
  from 'zypper dup' (bsc#1233433).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:338-1
Released:    Mon Feb  3 16:12:41 2025
Summary:     Security update for java-11-openjdk
Type:        security
Severity:    moderate
References:  1236278,CVE-2025-21502
This update for java-11-openjdk fixes the following issues:

Upgrade to upstream tag jdk-11.0.26+4 (January 2025 CPU)

Security fixes:

- CVE-2025-21502: Enhance array handling (JDK-8330045, bsc#1236278)

Other changes:

- JDK-8224624: Inefficiencies in CodeStrings::add_comment cause timeouts
- JDK-8225045: javax/swing/JInternalFrame/8146321//JInternalFrameIconTest.java fails on linux-x64
- JDK-8232367: Update Reactive Streams to 1.0.3 -- tests only
- JDK-8247706: Unintentional use of new Date(year...) with absolute year
- JDK-8299254: Support dealing with standard assert macro
- JDK-8303920: Avoid calling out to python in DataDescriptorSignatureMissing test
- JDK-8315936: Parallelize gc/stress/TestStressG1Humongous.java test
- JDK-8316193: jdk/jfr/event/oldobject/TestListenerLeak.java java.lang.Exception: Could not find leak
- JDK-8328300: Convert PrintDialogsTest.java from Applet to main program
- JDK-8328642: Convert applet test MouseDraggedOutCauseScrollingTest.html to main
- JDK-8334332: TestIOException.java fails if run by root
- JDK-8335428: Enhanced Building of Processes
- JDK-8335801: [11u] Backport of 8210988 to 11u removes gcc warnings
- JDK-8335912, JDK-8337499: Add an operation mode to the jar command when extracting to not overwriting existing files
- JDK-8336564: Enhance mask blit functionality redux
- JDK-8338402: GHA: some of bundles may not get removed
- JDK-8339082: Bump update version for OpenJDK: jdk-11.0.26
- JDK-8339180: Enhanced Building of Processes: Follow-on Issue
- JDK-8339470: [17u] More defensive fix for 8163921
- JDK-8339637: (tz) Update Timezone Data to 2024b
- JDK-8339644: Improve parsing of Day/Month in tzdata rules
- JDK-8339803: Acknowledge case insensitive unambiguous keywords in tzdata files
- JDK-8340552: Harden TzdbZoneRulesCompiler against missing zone names
- JDK-8340671: GHA: Bump macOS and Xcode versions to macos-12 and XCode 13.4.1
- JDK-8340815: Add SECURITY.md file
- JDK-8342426: [11u] javax/naming/module/RunBasic.java javac compile fails
- JDK-8342629: [11u] Properly message out that shenandoah is disabled
- JDK-8347483: [11u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.26


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:339-1
Released:    Mon Feb  3 16:14:14 2025
Summary:     Security update for java-17-openjdk
Type:        security
Severity:    moderate
References:  1236278,CVE-2025-21502
This update for java-17-openjdk fixes the following issues:

Update to upstream tag jdk-17.0.14+7 (January 2025 CPU):

Security fixes:

- CVE-2025-21502: Enhance array handling (JDK-8330045, bsc#1236278)

Other changes:

- JDK-7093691: Nimbus LAF: disabled JComboBox using renderer has bad font color
- JDK-8028127: Regtest java/security/Security/SynchronizedAccess.java is incorrect
- JDK-8071693: Introspector ignores default interface methods
- JDK-8195675: Call to insertText with single character from custom Input Method ignored
- JDK-8202926: Test java/awt/Focus/WindowUpdateFocusabilityTest/WindowUpdateFocusabilityTest.html fails
- JDK-8207908: JMXStatusTest.java fails assertion intermittently
- JDK-8225220: When the Tab Policy is checked,the scroll button direction displayed incorrectly.
- JDK-8240343: JDI stopListening/stoplis001 'FAILED: listening is successfully stopped without starting listening'
- JDK-8254759: [TEST_BUG] [macosx] javax/swing/JInternalFrame/4202966/IntFrameCoord.html fails
- JDK-8258734: jdk/jfr/event/oldobject/TestClassLoaderLeak.java failed with 'RuntimeException: Could not find class leak'
- JDK-8268364: jmethod clearing should be done during unloading
- JDK-8269770: nsk tests should start IOPipe channel before launch debuggee - Debugee.prepareDebugee
- JDK-8271003: hs_err improvement: handle CLASSPATH env setting longer than O_BUFLEN
- JDK-8271456: Avoid looking up standard charsets in 'java.desktop' module
- JDK-8271821: mark hotspot runtime/MinimalVM tests which ignore external VM flags
- JDK-8271825: mark hotspot runtime/LoadClass tests which ignore external VM flags
- JDK-8271836: runtime/ErrorHandling/ClassPathEnvVar.java fails with release VMs
- JDK-8272746: ZipFile can't open big file (NegativeArraySizeException)
- JDK-8273914: Indy string concat changes order of operations
- JDK-8274170: Add hooks for custom makefiles to augment jtreg test execution
- JDK-8274505: Too weak variable type leads to unnecessary cast in java.desktop
- JDK-8276763: java/nio/channels/SocketChannel/AdaptorStreams.java fails with 'SocketTimeoutException: Read timed out'
- JDK-8278527: java/util/concurrent/tck/JSR166TestCase.java fails nanoTime test
- JDK-8280131: jcmd reports 'Module jdk.jfr not found.' when 'jdk.management.jfr' is missing
- JDK-8281379: Assign package declarations to all jtreg test cases under gc
- JDK-8282578: AIOOBE in javax.sound.sampled.Clip
- JDK-8283214: [macos] Screen magnifier does not show the magnified text for JComboBox
- JDK-8283222: improve diagnosability of runtime/8176717/TestInheritFD.java timeouts
- JDK-8284291: sun/security/krb5/auto/Renew.java fails intermittently on Windows 11
- JDK-8284874: Add comment to ProcessHandle/OnExitTest to describe zombie problem
- JDK-8286160: (fs) Files.exists returns unexpected results with C:\pagefile.sys because it's not readable
- JDK-8287003: InputStreamReader::read() can return zero despite writing a char in the buffer
- JDK-8288976: classfile parser 'wrong name' error message has the names the wrong way around
- JDK-8289184: runtime/ClassUnload/DictionaryDependsTest.java failed with 'Test failed: should be unloaded'
- JDK-8290023: Remove use of IgnoreUnrecognizedVMOptions in gc tests
- JDK-8290269: gc/shenandoah/TestVerifyJCStress.java fails due to invalid tag: required after JDK-8290023
- JDK-8292309: Fix 'java/awt/PrintJob/ConstrainedPrintingTest/ConstrainedPrintingTest.java' test
- JDK-8293061: Combine CDSOptions and AppCDSOptions test utility classes
- JDK-8293877: Rewrite MineField test
- JDK-8294193: Files.createDirectories throws FileAlreadyExistsException for a symbolic link whose target is an existing directory
- JDK-8294726: Update URLs in minefield tests
- JDK-8295239: Refactor java/util/Formatter/Basic script into a Java native test launcher
- JDK-8295344: Harden runtime/StackGuardPages/TestStackGuardPages.java
- JDK-8295859: Update Manual Test Groups
- JDK-8296709: WARNING: JNI call made without checking exceptions
- JDK-8296718: Refactor bootstrap Test Common Functionalities to test/lib/Utils
- JDK-8296787: Unify debug printing format of X.509 cert serial numbers
- JDK-8296972: [macos13] java/awt/Frame/MaximizedToIconified/MaximizedToIconified.java: getExtendedState() != 6 as expected.
- JDK-8298513: vmTestbase/nsk/jdi/EventSet/suspendPolicy/suspendpolicy009/TestDescription.java fails with usage tracker
- JDK-8300416: java.security.MessageDigestSpi clone can result in thread-unsafe clones
- JDK-8301379: Verify TLS_ECDH_* cipher suites cannot be negotiated
- JDK-8302225: SunJCE Provider doesn't validate key sizes when using 'constrained' transforms for AES/KW and AES/KWP
- JDK-8303697: ProcessTools doesn't print last line of process output
- JDK-8303705: Field sleeper.started should be volatile JdbLockTestTarg.java
- JDK-8303742: CompletableFuture.orTimeout leaks if the future completes exceptionally
- JDK-8304020: Speed up test/jdk/java/util/zip/ZipFile/TestTooManyEntries.java and clarify its purpose
- JDK-8304557: java/util/concurrent/CompletableFuture/CompletableFutureOrTimeoutExceptionallyTest.java times out
- JDK-8306015: Update sun.security.ssl TLS tests to use SSLContextTemplate or SSLEngineTemplate
- JDK-8307297: Move some DnD tests to open
- JDK-8307408: Some jdk/sun/tools/jhsdb tests don't pass test JVM args to the debuggee JVM
- JDK-8309109: AArch64: [TESTBUG] compiler/intrinsics/sha/cli/TestUseSHA3IntrinsicsOptionOnSupportedCPU.java fails on Neoverse N2 and V1
- JDK-8309303: jdk/internal/misc/VM/RuntimeArguments test ignores jdk/internal/vm/options
- JDK-8309532: java/lang/Class/getDeclaredField/FieldSetAccessibleTest should filter modules that depend on JVMCI
- JDK-8310072: JComboBox/DisabledComboBoxFontTestAuto: Enabled and disabled ComboBox does not match in these LAFs: GTK-
- JDK-8310731: Configure a javax.net.ssl.SNIMatcher for the HTTP/1.1 test servers in java/net/httpclient tests
- JDK-8312111: open/test/jdk/java/awt/Robot/ModifierRobotKey/ModifierRobotKeyTest.java fails on ubuntu 23.04
- JDK-8313374: --enable-ccache's CCACHE_BASEDIR breaks builds
- JDK-8313638: Add test for dump of resolved references
- JDK-8313854: Some tests in serviceability area fail on localized Windows platform
- JDK-8313878: Exclude two compiler/rtm/locking tests on ppc64le
- JDK-8314333: Update com/sun/jdi/ProcessAttachTest.java to use ProcessTools.createTestJvm(..)
- JDK-8314824: Fix serviceability/jvmti/8036666/GetObjectLockCount.java to use vm flags
- JDK-8314829: serviceability/sa/jmap-hprof/JMapHProfLargeHeapTest.java ignores vm flags
- JDK-8314831: NMT tests ignore vm flags
- JDK-8315097: Rename createJavaProcessBuilder
- JDK-8315406: [REDO] serviceability/jdwp/AllModulesCommandTest.java ignores VM flags
- JDK-8315988: Parallel: Make TestAggressiveHeap use createTestJvm
- JDK-8316410: GC: Make TestCompressedClassFlags use createTestJvm
- JDK-8316446: 4 sun/management/jdp tests ignore VM flags
- JDK-8316447: 8 sun/management/jmxremote tests ignore VM flags
- JDK-8316464: 3 sun/tools tests ignore VM flags
- JDK-8316562: serviceability/sa/jmap-hprof/JMapHProfLargeHeapTest.java times out after JDK-8314829
- JDK-8316581: Improve performance of Symbol::print_value_on()
- JDK-8317042: G1: Make TestG1ConcMarkStepDurationMillis use createTestJvm
- JDK-8317116: Provide layouts for multiple test UI in PassFailJFrame
- JDK-8317188: G1: Make TestG1ConcRefinementThreads use createTestJvm
- JDK-8317218: G1: Make TestG1HeapRegionSize use createTestJvm
- JDK-8317347: Parallel: Make TestInitialTenuringThreshold use createTestJvm
- JDK-8317738: CodeCacheFullCountTest failed with 'VirtualMachineError: Out of space in CodeCache for method handle intrinsic'
- JDK-8318964: Fix build failures caused by 8315097
- JDK-8319574: Exec/process tests should be marked as flagless
- JDK-8319640: ClassicFormat::parseObject (from DateTimeFormatter) does not conform to the javadoc and may leak DateTimeException
- JDK-8319651: Several network tests ignore vm flags when start java process
- JDK-8319817: Charset constructor should make defensive copy of aliases
- JDK-8320586: update manual test/jdk/TEST.groups
- JDK-8320665: update jdk_core at open/test/jdk/TEST.groups
- JDK-8320673: PageFormat/CustomPaper.java has no Pass/Fail buttons; multiple instructions
- JDK-8320675: PrinterJob/SecurityDialogTest.java hangs
- JDK-8321163: [test] OutputAnalyzer.getExitValue() unnecessarily logs even when process has already completed
- JDK-8321299: runtime/logging/ClassLoadUnloadTest.java doesn't reliably trigger class unloading
- JDK-8321470: ThreadLocal.nextHashCode can be static final
- JDK-8321543: Update NSS to version 3.96
- JDK-8321616: Retire binary test vectors in test/jdk/java/util/zip/ZipFile
- JDK-8322754: click JComboBox when dialog about to close causes IllegalComponentStateException
- JDK-8322766: Micro bench SSLHandshake should use default algorithms
- JDK-8322809: SystemModulesMap::classNames and moduleNames arrays do not match the order
- JDK-8322830: Add test case for ZipFile opening a ZIP with no entries
- JDK-8323562: SaslInputStream.read() may return wrong value
- JDK-8323688: C2: Fix UB of jlong overflow in PhaseIdealLoop::is_counted_loop()
- JDK-8324808: Manual printer tests have no Pass/Fail buttons, instructions close set 3
- JDK-8324841: PKCS11 tests still skip execution
- JDK-8325038: runtime/cds/appcds/ProhibitedPackage.java can fail with UseLargePages
- JDK-8325525: Create jtreg test case for JDK-8325203
- JDK-8325587: Shenandoah: ShenandoahLock should allow blocking in VM
- JDK-8325610: CTW: Add StressIncrementalInlining to stress options
- JDK-8325616: JFR ZGC Allocation Stall events should record stack traces
- JDK-8325762: Use PassFailJFrame.Builder.splitUI() in PrintLatinCJKTest.java
- JDK-8325851: Hide PassFailJFrame.Builder constructor
- JDK-8326100: DeflaterDictionaryTests should use Deflater.getBytesWritten instead of Deflater.getTotalOut
- JDK-8326121: vmTestbase/gc/g1/unloading/tests/unloading_keepRef_rootClass_inMemoryCompilation_keep_cl failed with Full gc happened. Test was useless.
- JDK-8326611: Clean up vmTestbase/nsk/stress/stack tests
- JDK-8326898: NSK tests should listen on loopback addresses only
- JDK-8326948: Force English locale for timeout formatting
- JDK-8327401: Some jtreg tests fail on Wayland without any tracking bug
- JDK-8327474: Review use of java.io.tmpdir in jdk tests
- JDK-8327924: Simplify TrayIconScalingTest.java
- JDK-8328021: Convert applet test java/awt/List/SetFontTest/SetFontTest.html to main program
- JDK-8328242: Add a log area to the PassFailJFrame
- JDK-8328303: 3 JDI tests timed out with UT enabled
- JDK-8328379: Convert URLDragTest.html applet test to main
- JDK-8328402: Implement pausing functionality for the PassFailJFrame
- JDK-8328619: sun/management/jmxremote/bootstrap/SSLConfigFilePermissionTest.java failed with BindException: Address already in use
- JDK-8328697: SubMenuShowTest and SwallowKeyEvents tests stabilization
- JDK-8328723: IP Address error when client enables HTTPS endpoint check on server socket
- JDK-8328957: Update PKCS11Test.java to not use hardcoded path
- JDK-8330278: Have SSLSocketTemplate.doClientSide use loopback address
- JDK-8330464: hserr generic events - add entry for the before_exit calls
- JDK-8330621: Make 5 compiler tests use ProcessTools.executeProcess
- JDK-8330814: Cleanups for KeepAliveCache tests
- JDK-8331142: Add test for number of loader threads in BasicDirectoryModel
- JDK-8331391: Enhance the keytool code by invoking the buildTrustedCerts method for essential options
- JDK-8331405: Shenandoah: Optimize ShenandoahLock with TTAS
- JDK-8331411: Shenandoah: Reconsider spinning duration in ShenandoahLock
- JDK-8331495: Limit BasicDirectoryModel/LoaderThreadCount.java to Windows only
- JDK-8331626: unsafe.cpp:162:38: runtime error in index_oop_from_field_offset_long - applying non-zero offset 4563897424 to null pointer
- JDK-8331789: ubsan: deoptimization.cpp:403:29: runtime error: load of value 208, which is not a valid value for type 'bool'
- JDK-8331863: DUIterator_Fast used before it is constructed
- JDK-8331864: Update Public Suffix List to 1cbd6e7
- JDK-8331999: BasicDirectoryModel/LoaderThreadCount.java frequently fails on Windows in CI
- JDK-8332340: Add JavacBench as a test case for CDS
- JDK-8332473: ubsan: growableArray.hpp:290:10: runtime error: null pointer passed as argument 1, which is declared to never be null
- JDK-8332589: ubsan: unix/native/libjava/ProcessImpl_md.c:562:5: runtime error: null pointer passed as argument 2, which is declared to never be null
- JDK-8332720: ubsan: instanceKlass.cpp:3550:76: runtime error: member call on null pointer of type 'struct Array'
- JDK-8332724: x86 MacroAssembler may over-align code
- JDK-8332777: Update JCStress test suite
- JDK-8332825: ubsan: guardedMemory.cpp:35:11: runtime error: null pointer passed as argument 2, which is declared to never be null
- JDK-8332866: Crash in ImageIO JPEG decoding when MEM_STATS in enabled
- JDK-8332901: Select{Current,New}ItemTest.java for Choice don't open popup on macOS
- JDK-8332903: ubsan: opto/output.cpp:1002:18: runtime error: load of value 171, which is not a valid value for type 'bool'
- JDK-8332904: ubsan ppc64le: c1_LIRGenerator_ppc.cpp:581:21: runtime error: signed integer overflow: 9223372036854775807 - 1 cannot be represented in type 'long int'
- JDK-8332935: Crash: assert(*lastPtr != 0) failed: Mismatched JNINativeInterface tables, check for new entries
- JDK-8333317: Test sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java failed with: Invalid ECDH ServerKeyExchange signature
- JDK-8333824: Unused ClassValue in VarHandles
- JDK-8334057: JLinkReproducibleTest.java support receive test.tool.vm.opts
- JDK-8334405: java/nio/channels/Selector/SelectWithConsumer.java#id0 failed in testWakeupDuringSelect
- JDK-8334562: Automate com/sun/security/auth/callback/TextCallbackHandler/Default.java test
- JDK-8334567: [test] runtime/os/TestTracePageSizes move ppc handling
- JDK-8335142: compiler/c1/TestTraceLinearScanLevel.java occasionally times out with -Xcomp
- JDK-8335267: [XWayland] move screencast tokens from .awt to .java folder
- JDK-8335344: test/jdk/sun/security/tools/keytool/NssTest.java fails to compile
- JDK-8335428: Enhanced Building of Processes
- JDK-8335449: runtime/cds/DeterministicDump.java fails with File content different at byte ...
- JDK-8335493: check_gc_overhead_limit should reset SoftRefPolicy::_should_clear_all_soft_refs
- JDK-8335530: Java file extension missing in AuthenticatorTest
- JDK-8335709: C2: assert(!loop->is_member(get_loop(useblock))) failed: must be outside loop
- JDK-8335904: Fix invalid comment in ShenandoahLock
- JDK-8335912, JDK-8337499: Add an operation mode to the jar command when extracting to not overwriting existing files
- JDK-8336240: Test com/sun/crypto/provider/Cipher/DES/PerformanceTest.java fails with java.lang.ArithmeticException
- JDK-8336257: Additional tests in jmxremote/startstop to match on PID not app name
- JDK-8336315: tools/jpackage/windows/WinChildProcessTest.java Failed: Check is calculator process is alive
- JDK-8336342: Fix known X11 library locations in sysroot
- JDK-8336343: Add more known sysroot library locations for ALSA
- JDK-8336413: gtk headers : Fix typedef redeclaration of GMainContext and GdkPixbuf
- JDK-8336564: Enhance mask blit functionality redux
- JDK-8336854: CAInterop.java#actalisauthenticationrootca conflicted with /manual and /timeout
- JDK-8337066: Repeated call of StringBuffer.reverse with double byte string returns wrong result
- JDK-8337320: Update ProblemList.txt with tests known to fail on XWayland
- JDK-8337410: The makefiles should set problemlist and adjust timeout basing on the given VM flags
- JDK-8337780: RISC-V: C2: Change C calling convention for sp to NS
- JDK-8337810: ProblemList BasicDirectoryModel/LoaderThreadCount.java on Windows
- JDK-8337851: Some tests have name which confuse jtreg
- JDK-8337966: (fs) Files.readAttributes fails with Operation not permitted on older docker releases
- JDK-8338058: map_or_reserve_memory_aligned Windows enhance remap assertion
- JDK-8338101: remove old remap assertion in map_or_reserve_memory_aligned after JDK-8338058
- JDK-8338109: java/awt/Mouse/EnterExitEvents/ResizingFrameTest.java duplicate in ProblemList
- JDK-8338286: GHA: Demote x86_32 to hotspot build only
- JDK-8338380: Update TLSCommon/interop/AbstractServer to specify an interface to listen for connections
- JDK-8338402: GHA: some of bundles may not get removed
- JDK-8338748: [17u,21u] Test Disconnect.java compile error: cannot find symbol after JDK-8299813
- JDK-8338751: ConfigureNotify behavior has changed in KWin 6.2
- JDK-8338759: Add extra diagnostic to java/net/InetAddress/ptr/Lookup.java
- JDK-8339081: Bump update version for OpenJDK: jdk-17.0.14
- JDK-8339180: Enhanced Building of Processes: Follow-on Issue
- JDK-8339248: RISC-V: Remove li64 macro assembler routine and related code
- JDK-8339384: Unintentional IOException in jdk.jdi module when JDWP end of stream occurs
- JDK-8339470: [17u] More defensive fix for 8163921
- JDK-8339487: ProcessHandleImpl os_getChildren sysctl call - retry in case of ENOMEM and enhance exception message
- JDK-8339548: GHA: RISC-V: Use Debian snapshot archive for bootstrap
- JDK-8339560: Unaddressed comments during code review of JDK-8337664
- JDK-8339591: Mark jdk/jshell/ExceptionMessageTest.java intermittent
- JDK-8339637: (tz) Update Timezone Data to 2024b
- JDK-8339644: Improve parsing of Day/Month in tzdata rules
- JDK-8339731: java.desktop/share/classes/javax/swing/text/html/default.css typo in margin settings
- JDK-8339741: RISC-V: C ABI breakage for integer on stack
- JDK-8339787: Add some additional diagnostic output to java/net/ipv6tests/UdpTest.java
- JDK-8339803: Acknowledge case insensitive unambiguous keywords in tzdata files
- JDK-8339892: Several security shell tests don't set TESTJAVAOPTS
- JDK-8339931: Update problem list for WindowUpdateFocusabilityTest.java
- JDK-8340007: Refactor KeyEvent/FunctionKeyTest.java
- JDK-8340008: KeyEvent/KeyTyped/Numpad1KeyTyped.java has 15 seconds timeout
- JDK-8340210: Add positionTestUI() to PassFailJFrame.Builder
- JDK-8340230: Tests crash: assert(is_in_encoding_range || k->is_interface() || k->is_abstract()) failed: sanity
- JDK-8340306: Add border around instructions in PassFailJFrame
- JDK-8340308: PassFailJFrame: Make rows default to number of lines in instructions
- JDK-8340365: Position the first window of a window list
- JDK-8340387: Update OS detection code to recognize Windows Server 2025
- JDK-8340418: GHA: MacOS AArch64 bundles can be removed prematurely
- JDK-8340461: Amend description for logArea
- JDK-8340466: Add description for PassFailJFrame constructors
- JDK-8340552: Harden TzdbZoneRulesCompiler against missing zone names
- JDK-8340632: ProblemList java/nio/channels/DatagramChannel/ for Macos
- JDK-8340657: [PPC64] SA determines wrong unextendedSP
- JDK-8340684: Reading from an input stream backed by a closed ZipFile has no test coverage
- JDK-8340785: Update description of PassFailJFrame and samples
- JDK-8340799: Add border inside instruction frame in PassFailJFrame
- JDK-8340812: LambdaForm customization via MethodHandle::updateForm is not thread safe
- JDK-8340815: Add SECURITY.md file
- JDK-8340899: Remove wildcard bound in PositionWindows.positionTestWindows
- JDK-8341146: RISC-V: Unnecessary fences used for load-acquire in template interpreter
- JDK-8341235: Improve default instruction frame title in PassFailJFrame
- JDK-8341562: RISC-V: Generate comments in -XX:-PrintInterpreter to link to source code
- JDK-8341635: [17u] runtime/ErrorHandling/ClassPathEnvVar test ignores external VM flags
- JDK-8341688: Aarch64: Generate comments in -XX:-PrintInterpreter to link to source code
- JDK-8341806: Gcc version detection failure on Alinux3
- JDK-8341927: Replace hardcoded security providers with new test.provider.name system property
- JDK-8341997: Tests create files in src tree instead of scratch dir
- JDK-8342181: Update tests to use stronger Key and Salt size
- JDK-8342183: Update tests to use stronger algorithms and keys
- JDK-8342188: Update tests to use stronger key parameters and certificates
- JDK-8342496: C2/Shenandoah: SEGV in compiled code when running jcstress
- JDK-8342578: GHA: RISC-V: Bootstrap using Debian snapshot is still failing
- JDK-8342669: [21u] Fix TestArrayAllocatorMallocLimit after backport of JDK-8315097
- JDK-8342681: TestLoadBypassesNullCheck.java fails improperly specified VM option
- JDK-8342701: [PPC64] TestOSRLotsOfLocals.java crashes
- JDK-8342962: [s390x] TestOSRLotsOfLocals.java crashes
- JDK-8343285: java.lang.Process is unresponsive and CPU usage spikes to 100%
- JDK-8343474: [updates] Customize README.md to specifics of update project
- JDK-8343687: [17u] TestAntiDependencyForPinnedLoads requires UTF-8
- JDK-8343848: Fix typo of property name in TestOAEPPadding after 8341927
- JDK-8343877: Test AsyncClose.java intermittent fails - Socket.getInputStream().read() wasn't preempted
- JDK-8343923: GHA: Switch to Xcode 15 on MacOS AArch64 runners
- JDK-8347011: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.14

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:348-1
Released:    Tue Feb  4 08:10:23 2025
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1236460,CVE-2022-49043
This update for libxml2 fixes the following issues:

- CVE-2022-49043: Fixed a use-after-free in xmlXIncludeAddNode. (bsc#1236460)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:355-1
Released:    Tue Feb  4 13:59:25 2025
Summary:     Security update for bind
Type:        security
Severity:    important
References:  1236596,1236597,CVE-2024-11187,CVE-2024-12705
This update for bind fixes the following issues:

Update to release 9.18.33

Security Fixes:

- CVE-2024-11187: Fixes CPU exhaustion caused by many records in the additional section (bsc#1236596)
- CVE-2024-12705: Fixes multiple issues in DNS-over-HTTPS implementation when under heavy query load (bsc#1236597)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:358-1
Released:    Wed Feb  5 10:06:22 2025
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1235873
This update for permissions fixes the following issues:

- Version update 20240826:
  * permissions: remove legacy and nonsensical entries.
  * permissions: remove traceroute entry.
  * permissions: remove outdated sudo directories.
  * permissions: remove legacy RPM directory entries.
  * permissions: remove some static /var/spool/* dirs.
  * permissions: remove unnecessary static dirs and devices (bsc#1235873).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:363-1
Released:    Wed Feb  5 11:01:45 2025
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1216091,1229106,1232458,1234752,1235636
This update for libzypp, zypper fixes the following issues:

- Create '.keep_packages' in the package cache dir to enforce keeping downloaded packages
  of all repos cached there (bsc#1232458)
- Fix missing UID checks in repomanager workflow
- Move cmake config files to LIB_INSTALL_DIR/cmake/Zypp
- Fix 'zypper ps' when running in incus container. Should apply to lxc and lxd containers as well. (bsc#1229106)
- Re-enable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091)
- lr: show the repositories keep-packages flag (bsc#1232458)
  It is shown in the details view or by using -k,--keep-packages.
  In addition, libzypp supports enforcing the keeping of downloaded
  packages of all repos within a package cache by creating a
  '.keep_packages' file there.
- Try to refresh update repos first to have updated GPG keys on
  the fly (bsc#1234752)
  An update repo may contain a prolonged GPG key for the GA repo.
  Refreshing the update repo first updates a trusted key on the fly
  and avoids a 'key has expired' warning being issued when
  refreshing the GA repo.
- Refresh: Restore legacy behavior and suppress Exception
  reporting as non-root (bsc#1235636)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:58-1
Released:    Wed Feb  5 11:33:59 2025
Summary:     Security update for tomcat
Type:        security
Severity:    important
References:  1233435,1234663,1234664,1236809,CVE-2024-50379,CVE-2024-52317,CVE-2024-54677,CVE-2024-56337
This update for tomcat fixes the following issues:

Update to Tomcat 9.0.98

- Fixed CVEs:
  + CVE-2024-54677: DoS in examples web application (bsc#1234664)
  + CVE-2024-50379: RCE due to TOCTOU issue in JSP compilation (bsc#1234663)
  + CVE-2024-52317: Request/response mix-up with HTTP/2 (bsc#1233435)
- Catalina
  + Add: Add option to serve resources from subpath only with WebDAV Servlet
    like with DefaultServlet. (michaelo)
  + Fix: Add special handling for the protocols attribute of SSLHostConfig in
    storeconfig. (remm)
  + Fix: 69442: Fix case sensitive check on content-type when parsing request
    parameters. (remm)
  + Code: Refactor duplicate code for extracting media type and subtype from
    content-type into a single method. (markt)
  + Fix: Compatibility of generated embedded code with components where
    constructors or property related methods throw a checked exception. (remm)
  + Fix: The previous fix for inconsistent resource metadata during concurrent
    reads and writes was incomplete. (markt)
  + Fix: 69444: Ensure that the javax.servlet.error.message request attribute
    is set when an application defined error page is called. (markt)
  + Fix: Avoid quotes for numeric values in the JSON generated by the status
    servlet. (remm)
  + Add: Add strong ETag support for the WebDAV and default servlet, which can
    be enabled by using the useStrongETags init parameter with a value set to
    true. The ETag generated will be a SHA-1 checksum of the resource content.
    (remm)
  + Fix: Use client locale for directory listings. (remm)
  + Fix: 69439: Improve the handling of multiple Cache-Control headers in the
    ExpiresFilter. Based on pull request #777 by Chenjp. (markt)
  + Fix: 69447: Update the support for caching classes the web application
    class loader cannot find to take account of classes loaded from external
    repositories. Prior to this fix, these classes could be incorrectly marked
    as not found. (markt)
  + Fix: 69466: Rework handling of HEAD requests. Headers explicitly set by
    users will not be removed and any header present in a HEAD request will
    also be present in the equivalent GET request. There may be some headers,
    as per RFC 9110, section 9.3.2, that are present in a GET request that are
    not present in the equivalent HEAD request. (markt)
  + Fix: 69471: Log instances of CloseNowException caught by
    ApplicationDispatcher.invoke() at debug level rather than error level as
    they are very likely to have been caused by a client disconnection or
    similar I/O issue. (markt)
  + Add: Add a test case for the fix for 69442. Also refactor references to
    application/x-www-form-urlencoded. Based on pull request #779 by Chenjp.
    (markt)
  + Fix: 69476: Catch possible ISE when trying to report PUT failure in the
    DefaultServlet. (remm)
  + Add: Add support for RateLimit header fields for HTTP (draft) in the
    RateLimitFilter. Based on pull request #775 provided by Chenjp. (markt)
  + Add: #787: Add regression tests for 69478. Pull request provided by Thomas
    Krisch. (markt)
  + Fix: The default servlet now rejects HTTP range requests when two or more
    of the requested ranges overlap. Based on pull request #782 provided by
    Chenjp. (markt)
  + Fix: Enhance Content-Range verification for partial PUT requests handled
    by the default servlet. Provided by Chenjp in pull request #778. (markt)
  + Fix: Harmonize DataSourceStore lookup in the global resources to
    optionally avoid the comp/env prefix which is usually not used there.
    (remm)
  + Fix: As required by RFC 9110, the HTTP Range header will now only be
    processed for GET requests. Based on pull request #790 provided by Chenjp.
    (markt)
  + Fix: Deprecate the useAcceptRanges initialisation parameter for the
    default servlet. It will be removed in Tomcat 12 onwards where it will
    effectively be hard coded to true. (markt)
  + Add: Add DataSource based property storage for the WebdavServlet. (remm)
- Coyote
  + Fix: Align encodedSolidusHandling with the Servlet specification. If the
    pass-through mode is used, any %25 sequences will now also be passed
    through to avoid errors and/or corruption when the application decodes the
    path. (markt)
- Jasper
  + Fix: Further optimise EL evaluation of method parameters. Patch provided
    by Paolo B. (markt)
  + Fix: Follow-up to the fix for 69381. Apply the optimisation for method
    lookup performance in expression language to an additional location.
    (markt)
- Web applications
  + Fix: Documentation. Remove references to the ResourceParams element.
    Support for ResourceParams was removed in Tomcat 5.5.x. (markt)
  + Fix: Documentation. 69477: Correct name of attribute for RemoteIPFilter.
    The attribute is internalProxies rather than allowedInternalProxies. Pull
    request #786 (markt)
  + Fix: Examples. Fix broken links when Servlet Request Info example is
    called via a URL that includes a pathInfo component. (markt)
  + Fix: Examples. Expand the obfuscation of session cookie values in the
    request header example to JSON responses. (markt)
  + Add: Examples. Add the ability to delete session attributes in the servlet
    session example. (markt)
  + Add: Examples. Add a hard coded limit of 10 attributes per session for the
    servlet session example. (markt)
  + Add: Examples. Add the ability to delete session attributes and add a hard
    coded limit of 10 attributes per session for the JSP form authentication
    example. (markt)
  + Add: Examples. Limit the shopping cart example to only allow adding the
    pre-defined items to the cart. (markt)
  + Fix: Examples. Remove JSP calendar example. (markt)
- Other
  + Fix: 69465: Fix warnings during native image compilation using the Tomcat
    embedded JARs. (markt)
  + Update: Update Tomcat's fork of Commons DBCP to 2.13.0. (markt)
  + Update: Update EasyMock to 5.5.0. (markt)
  + Update: Update Checkstyle to 10.20.2. (markt)
  + Update: Update BND to 7.1.0. (markt)
  + Add: Improvements to French translations. (remm)
  + Add: Improvements to Korean translations. (markt)
  + Add: Improvements to Chinese translations. (markt)
  + Add: Improvements to Japanese translations by tak7iji. (markt)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:367-1
Released:    Wed Feb  5 14:25:31 2025
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    moderate
References:  1236267
This update for gcc7 fixes the following issues:

- Fix vec_madd and vec_msub vector intrinsics on s390x.  [bsc#1236267]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:369-1
Released:    Wed Feb  5 16:32:36 2025
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1236588,1236590,CVE-2025-0167,CVE-2025-0725
This update for curl fixes the following issues:

- CVE-2025-0725: Fixed gzip integer overflow (bsc#1236590)
- CVE-2025-0167: Fixed netrc and default credential leak (bsc#1236588)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:401-1
Released:    Mon Feb 10 10:38:28 2025
Summary:     Security update for crypto-policies, krb5
Type:        security
Severity:    moderate
References:  1236619,CVE-2025-24528
This update for crypto-policies and krb5 fixes the following issues:

Security issue fixed:

- CVE-2025-24528: Fixed an out-of-bounds write, caused by an overflow when calculating the ulog block size, that can lead to a process crash (bsc#1236619).

Feature addition:

- Add crypto-policies support (jsc#PED-12018)

  * The default krb5.conf has been updated to include config
    snippets in the krb5.conf.d directory, where crypto-policies
    drops its.

- Allow the use of KRB5KDF in FIPS mode (jsc#PED-12018)

  * This key derivation function is used by the AES256-CTS-HMAC-SHA1-96
    and AES128-CTS-HMAC-SHA1-96 encryption types, which are used by Active
    Directory. Whether these encryption types are allowed in
    FIPS mode is now enforced by the FIPS:AD-SUPPORT subpolicy.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:404-1
Released:    Mon Feb 10 12:49:48 2025
Summary:     Security update for rsync
Type:        security
Severity:    moderate
References:  1233760
This update for rsync fixes the following issues:

- Bump rsync protocol version to 32 to show server is patched against recent vulnerabilities. 

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:424-1
Released:    Tue Feb 11 11:31:10 2025
Summary:     Security update for python3-numpy
Type:        security
Severity:    moderate
References:  1193911,1236787,CVE-2021-41495
This update for python3-numpy fixes the following issues:

- CVE-2021-41495: missing return value validation can lead to null pointer dereference. (bsc#1193911)

Other bug fixes:

- Correction of advance in PCG with emulated int128.


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:430-1
Released:    Tue Feb 11 15:13:32 2025
Summary:     Security update for openssl-3
Type:        security
Severity:    moderate
References:  1236136,CVE-2024-13176
This update for openssl-3 fixes the following issues:

- CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:433-1
Released:    Tue Feb 11 17:40:33 2025
Summary:     Recommended update for skelcd
Type:        recommended
Severity:    moderate
References:  
This update for skelcd fixes the following issues:

- add SUSE logo into BCI skelcd (jsc#PED-12111)
- Update EULA with SLE BCI section (jsc#SLE-18082)
  Else in case beta EULAs have a more recent date than final EULAs
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:438-1
Released:    Wed Feb 12 06:06:59 2025
Summary:     Recommended update for bouncycastle, jsch, ed25519-java
Type:        recommended
Severity:    moderate
References:  
This update for bouncycastle, jsch and ed25519-java fixes the following issues:

bouncycastle was updated from version 1.78 to 1.79:

- Bugfixes to address issues with:
  * Ed25519 signatures
  * Elephant cipher handling of large messages
  * CMSSignedData signer replacement
  * ERSInputStreamData hashing
  * CRL loading
  * EC curve name lookups
  * PhotonBeetle and Xoodyak digest resetting
  * OCSP caching
  * Java 21 provider service handling
  * CMS version calculation
  * Incorrect PGP armored output version strings
  * PGP algorithm lookups

- New Features and Functionalities:
  * Object Identifiers have been added for ML-KEM, ML-DSA, and SLH-DSA.
  * The PQC algorithms, ML-KEM, ML-DSA (including pre-hash), and SLH-DSA
    (including pre-hash) have been added to the BC provider and the lightweight API.
  * A new spec, ContextParameterSpec, has been added to support
    signature contexts for ML-DSA and SLH-DSA.
  * BCJSSE: Added support for security property
    'jdk.tls.server.defaultDHEParameters' (disabled in FIPS mode).
  * BCJSSE: Added support for signature_algorithms_cert configuration via
    'org.bouncycastle.jsse.client.SignatureSchemesCert' and
    'org.bouncycastle.jsse.server.SignatureSchemesCert' system properties
    or BCSSLParameters property 'SignatureSchemesCert'.
  * BCJSSE: Added support for boolean system property
    'org.bouncycastle.jsse.fips.allowGCMCiphersIn12' (false by default).
  * (D)TLS: Removed redundant verification of self-generated RSA signatures.
  * CompositePrivateKeys now support the latest revision of the composite
    signature draft.
  * Delta Certificates now support the latest revision of the delta
    certificate extension draft.
  * A general KeyIdentifier class, encapsulating both PGP KeyID and the
    PGP key fingerprint has been added to the PGP API.
  * Support for the LibrePGP PreferredEncryptionModes signature subpacket
    has been added to the PGP API.
  * Support for Version 6 signatures, including salts, has been added to the PGP API.
  * Support for the PreferredKeyServer signature subpacket has been added to the PGP API.
  * Support for RFC 9269, 'Using KEMs in Cryptographic Message Syntax (CMS)',
    has been added to the CMS API.
  * Support for the Argon2 S2K has been added to the PGP API.
  * The system property 'org.bouncycastle.pemreader.lax' has been introduced
    for situations where the BC PEM parsing is now too strict.
  * The system property 'org.bouncycastle.ec.disable_f2m' has been introduced
    to allow F2m EC support to be disabled.

jsch was updated from version 0.2.15 to 0.2.22:

- Key changes across these versions:
  * Authentication and logging improvements
  * Date handling improvements using java.time classes
  * DHGEX prime modulus enforcement
  * Expanded KEX algorithm support, this requires Bouncy Castle
  * Fixed a GSSAPI authentication issue
  * Fixed possible rekeying timeouts
  * Fixed SignatureECDSAN private key handling
  * Improved handling of negated patterns
  * Introduction of JSchProxyException
  * Modernized fingerprint output
  * More accurate ext-info logging
  * PBKDF2 algorithm additions (SHA512/256 & SHA512/224)

ed25519-java:

- Fixed minor build issues


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:501-1
Released:    Thu Feb 13 10:53:21 2025
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1236960
This update for permissions fixes the following issues:

- Version update 20240826.
- Reintroduced nscd socket, this is a whitelisting for glibc (bsc#1236960).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:508-1
Released:    Thu Feb 13 12:29:31 2025
Summary:     Recommended update for findutils
Type:        recommended
Severity:    moderate
References:  1231472
This update for findutils fixes the following issue:

- fix crash when file system loop was encountered (bsc#1231472).

-----------------------------------------------------------------
Advisory ID: SUSE-Manager-5.0-2025-523
Released:    Fri Feb 14 08:15:57 2025
Summary:     Maintenance update for SUSE Manager 5.0: Server, Proxy and Retail Branch Server
Type:        recommended
Severity:    moderate
References:  1027642,1212161,1212985,1213437,1215815,1216683,1216946,1217338,1220494,1220902,1221219,1222447,1222574,1222820,1224318,1226958,1227374,1227644,1227759,1227827,1227852,1227882,1228182,1228232,1228261,1228319,1228351,1228856,1228956,1229000,1229077,1229079,1229286,1229848,1229902,1230502,1230585,1230670,1230741,1230833,1230943,1231053,1231255,1231377,1231378,1231398,1231404,1231430,1231459,1231762,1232042,1232125,1232530,1232713,1233258,1233383,1233400,1233426,1233431,1233450,1233497,1233595,1233696,1233724,1233761,1233793,1233871,1233884,1234251,1234441,1234994,1235145,1235692,1235908,CVE-2024-21528,CVE-2024-45801
Maintenance update for SUSE Manager 5.0: Server, Proxy and Retail Branch Server

This is a codestream only update

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:543-1
Released:    Fri Feb 14 08:22:40 2025
Summary:     Recommended update for salt
Type:        recommended
Severity:    important
References:  1228182,1228690,1233667
This update for salt fixes the following issues:

- Revert setting SELinux context for minion service (bsc#1233667)
- Removed System V init support
- Fix the condition of alternatives for Tumbleweed and Leap 16
- Build all python bindings for all flavors
- Make the minion reconnect when the master IP changes (bsc#1228182)
- Handle logger exception when flushing already closed file
- Include passlib as a recommended dependency
- Make Salt Bundle more tolerant to long running jobs (bsc#1228690)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:544-1
Released:    Fri Feb 14 08:23:37 2025
Summary:     Recommended update for salt
Type:        recommended
Severity:    important
References:  1228182,1228690,1233667
This update for salt fixes the following issues:

- Revert setting SELinux context for minion service (bsc#1233667)
- Removed System V init support
- Fix the condition of alternatives for Tumbleweed and Leap 16
- Build all python bindings for all flavors
- Make the minion reconnect when the master IP changes (bsc#1228182)
- Handle logger exception when flushing already closed file
- Include passlib as a recommended dependency
- Make Salt Bundle more tolerant to long running jobs (bsc#1228690)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:547-1
Released:    Fri Feb 14 08:26:30 2025
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1229228,1233752,1234313,1234765
This update for systemd fixes the following issues:

- Fix agetty failing to open credentials directory (bsc#1229228)
- stdio-bridge: fix polled fds
- hwdb: comment out the entry for Logitech MX Keys for Mac
- core/unit-serialize: fix serialization of markers
- locale-setup: do not load locale from environment when /etc/locale.conf is unchanged
- core: fix assert when AddDependencyUnitFiles is called with invalid parameter
- Fix systemd-network recommending libidn2-devel (bsc#1234765) 
- tpm2-util: also retry unsealing after policy_pcr returns PCR_CHANGED (bsc#1233752 bsc#1234313)
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:548-1
Released:    Fri Feb 14 11:19:24 2025
Summary:     Security update for libtasn1
Type:        security
Severity:    important
References:  1236878,CVE-2024-12133
This update for libtasn1 fixes the following issues:

- CVE-2024-12133: the processing of input DER data containing a large number of SEQUENCE OF or SET OF elements takes
  quadratic time to complete. (bsc#1236878)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:554-1
Released:    Fri Feb 14 16:10:40 2025
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1236705,CVE-2025-0938
This update for python3 fixes the following issues:

- CVE-2025-0938: domain names containing square brackets are not identified as incorrect by urlparse. (bsc#1236705)


The following package changes have been done:

- findutils-4.8.0-150300.3.3.2 updated
- libtasn1-4.13-150000.4.11.1 updated
- permissions-20240826-150600.10.18.2 updated
- glibc-2.38-150600.14.20.3 updated
- libtasn1-6-4.13-150000.4.11.1 updated
- crypto-policies-20230920.570ea89-150600.3.3.1 updated
- libopenssl3-3.1.4-150600.5.24.1 updated
- libxml2-2-2.10.3-150500.5.20.1 updated
- openssl-3-3.1.4-150600.5.24.1 updated
- krb5-1.20.1-150600.11.8.1 updated
- libzypp-17.35.19-150600.3.44.1 updated
- libasan4-7.5.0+r278197-150000.4.44.1 updated
- branch-network-formula-0.1.1728559936.c16d4fb-150600.3.3.3 updated
- zypper-1.14.81-150600.10.22.1 updated
- libcilkrts5-7.5.0+r278197-150000.4.44.1 updated
- libctf-nobfd0-2.43-150100.7.52.1 updated
- libopenssl-3-fips-provider-3.1.4-150600.5.24.1 updated
- libudev1-254.23-150600.4.25.1 updated
- libcurl4-8.6.0-150600.4.21.1 updated
- glibc-locale-base-2.38-150600.14.20.3 updated
- libsystemd0-254.23-150600.4.25.1 updated
- systemd-254.23-150600.4.25.1 updated
- curl-8.6.0-150600.4.21.1 updated
- libipa_hbac0-2.9.3-150600.3.18.3 updated
- libnl-config-3.9.0-150600.15.4.4 updated
- libsss_idmap0-2.9.3-150600.3.18.3 updated
- libsss_nss_idmap0-2.9.3-150600.3.18.3 updated
- libubsan0-7.5.0+r278197-150000.4.44.1 updated
- libxml2-tools-2.10.3-150500.5.20.1 updated
- pxe-formula-0.3.0-150600.3.3.3 updated
- release-notes-susemanager-5.0.3-150600.11.24.1 updated
- skelcd-EULA-suse-manager-server-container-20250207-150600.3.3.1 updated
- susemanager-schema-utility-5.0.13-150600.3.9.3 updated
- uyuni-config-modules-5.0.12-150600.3.9.3 updated
- vim-data-common-9.1.0836-150500.20.18.1 updated
- woodstox-4.4.2-150600.3.3.3 updated
- glibc-locale-2.38-150600.14.20.3 updated
- libctf0-2.43-150100.7.52.1 updated
- binutils-2.43-150100.7.52.1 updated
- libnl3-200-3.9.0-150600.15.4.4 updated
- libpython3_6m1_0-3.6.15-150300.10.81.1 updated
- python3-base-3.6.15-150300.10.81.1 updated
- python3-3.6.15-150300.10.81.1 updated
- python3-curses-3.6.15-150300.10.81.1 updated
- libgfortran4-7.5.0+r278197-150000.4.44.1 updated
- libsss_certmap0-2.9.3-150600.3.18.3 updated
- bind-utils-9.18.33-150600.3.6.1 updated
- glibc-devel-2.38-150600.14.20.3 updated
- susemanager-docs_en-5.0.3-150600.11.9.3 updated
- spacewalk-java-lib-5.0.19-150600.3.14.4 updated
- vim-9.1.0836-150500.20.18.1 updated
- apache2-prefork-2.4.58-150600.5.32.2 updated
- cpp7-7.5.0+r278197-150000.4.44.1 updated
- python3-netaddr-0.7.19-150400.9.3.1 updated
- susemanager-docs_en-pdf-5.0.3-150600.11.9.3 updated
- susemanager-schema-5.0.13-150600.3.9.3 updated
- susemanager-sync-data-5.0.9-150600.3.11.3 updated
- rsync-3.2.7-150600.3.11.1 updated
- apache2-2.4.58-150600.5.32.2 updated
- gcc7-7.5.0+r278197-150000.4.44.1 updated
- python3-libxml2-2.10.3-150500.5.20.1 updated
- python3-numpy-1.17.3-150400.31.1 updated
- sssd-ldap-2.9.3-150600.3.18.3 updated
- sssd-2.9.3-150600.3.18.3 updated
- sssd-krb5-common-2.9.3-150600.3.18.3 updated
- supportutils-plugin-salt-1.2.3-150600.4.3.3 updated
- java-17-openjdk-headless-17.0.14.0-150400.3.51.1 updated
- java-11-openjdk-headless-11.0.26.0-150000.3.122.1 updated
- susemanager-build-keys-15.5.3-150600.5.6.3 updated
- grub2-powerpc-ieee1275-2.12-150600.8.12.1 added
- grub2-arm64-efi-2.12-150600.8.12.1 added
- spacecmd-5.0.11-150600.4.9.3 updated
- python3-Jinja2-2.10.1-150000.3.18.1 updated
- spacewalk-backend-sql-postgresql-5.0.11-150600.4.9.5 updated
- sssd-krb5-2.9.3-150600.3.18.3 updated
- sssd-dbus-2.9.3-150600.3.18.3 updated
- python3-sssd-config-2.9.3-150600.3.18.3 updated
- sssd-ad-2.9.3-150600.3.18.3 updated
- tomcat-servlet-4_0-api-9.0.98-150200.74.1 updated
- tomcat-el-3_0-api-9.0.98-150200.74.1 updated
- jsch-0.2.22-150200.11.16.2 updated
- jctools-4.0.5-150200.3.9.1 updated
- aalto-xml-1.3.3-150200.5.3.1 added
- java-17-openjdk-17.0.14.0-150400.3.51.1 updated
- java-11-openjdk-11.0.26.0-150000.3.122.1 updated
- spacewalk-base-minimal-5.0.16-150600.3.13.5 updated
- susemanager-build-keys-web-15.5.3-150600.5.6.3 updated
- spacewalk-config-5.0.5-150600.3.6.3 updated
- python3-Flask-1.0.4-150400.10.1 updated
- sssd-tools-2.9.3-150600.3.18.3 updated
- sssd-ipa-2.9.3-150600.3.18.3 updated
- tomcat-jsp-2_3-api-9.0.98-150200.74.1 updated
- netty-4.1.115-150200.4.26.1 updated
- spacewalk-base-minimal-config-5.0.16-150600.3.13.5 updated
- tomcat-lib-9.0.98-150200.74.1 updated
- spacewalk-backend-5.0.11-150600.4.9.5 updated
- python3-spacewalk-client-tools-5.0.8-150600.4.6.3 updated
- spacewalk-client-tools-5.0.8-150600.4.6.3 updated
- spacewalk-base-5.0.16-150600.3.13.5 updated
- spacewalk-search-5.0.3-150600.3.3.3 updated
- salt-3006.0-150500.4.47.1 updated
- python3-salt-3006.0-150500.4.47.1 updated
- spacewalk-backend-sql-5.0.11-150600.4.9.5 updated
- tomcat-9.0.98-150200.74.1 updated
- salt-master-3006.0-150500.4.47.1 updated
- cobbler-3.3.3-150600.5.11.3 updated
- spacewalk-backend-server-5.0.11-150600.4.9.5 updated
- susemanager-sls-5.0.12-150600.3.9.3 updated
- spacewalk-java-postgresql-5.0.19-150600.3.14.4 updated
- spacewalk-java-config-5.0.19-150600.3.14.4 updated
- salt-api-3006.0-150500.4.47.1 updated
- locale-formula-0.4.0-150600.3.3.3 updated
- spacewalk-backend-xmlrpc-5.0.11-150600.4.9.5 updated
- spacewalk-backend-xml-export-libs-5.0.11-150600.4.9.5 updated
- spacewalk-backend-package-push-server-5.0.11-150600.4.9.5 updated
- spacewalk-backend-iss-5.0.11-150600.4.9.5 updated
- spacewalk-backend-app-5.0.11-150600.4.9.5 updated
- saltboot-formula-0.1.1728559936.c16d4fb-150600.3.3.3 updated
- spacewalk-html-5.0.16-150600.3.13.5 updated
- spacewalk-taskomatic-5.0.19-150600.3.14.4 updated
- spacewalk-java-5.0.19-150600.3.14.4 updated
- spacewalk-backend-iss-export-5.0.11-150600.4.9.5 updated
- susemanager-tools-5.0.11-150600.3.9.3 updated
- spacewalk-backend-tools-5.0.11-150600.4.9.5 updated
- supportutils-plugin-susemanager-5.0.5-150600.3.6.3 updated
- spacewalk-utils-5.0.6-150600.3.6.3 updated
- spacewalk-setup-5.0.7-150600.3.6.3 updated
- susemanager-5.0.11-150600.3.9.3 updated
- container:suse-manager-5.0-init-5.0.3-5.0.3-7.9.5 added
- container:suse-manager-5.0-init-5.0.2-5.0.2-7.6.16 removed
- dwr-3.0.2-0.150600.10.5 removed
- python3-jmespath-0.9.3-150000.3.5.1 removed
- python3-ply-3.10-150000.3.5.1 removed
- python3-simplejson-3.17.2-150300.3.4.1 removed

