From sle-container-updates at lists.suse.com Tue Jul 1 07:05:14 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 1 Jul 2025 09:05:14 +0200 (CEST)
Subject: SUSE-CU-2025:4777-1: Security update of containers/open-webui
Message-ID: <20250701070514.3C15FFD12@maintenance.suse.de>

SUSE Container Update Advisory: containers/open-webui
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4777-1
Container Tags : containers/open-webui:0 , containers/open-webui:0.6.9 , containers/open-webui:0.6.9-10.23
Container Release : 10.23
Severity : important
Type : security
References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052
-----------------------------------------------------------------

The container containers/open-webui was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2167-1
Released: Mon Jun 30 09:14:40 2025
Summary: Security update for glib2
Type: security
Severity: important
References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052

This update for glib2 fixes the following issues:

- CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596).
- CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844).

The following package changes have been done:

- libglib-2_0-0-2.78.6-150600.4.16.1 updated
- libgmodule-2_0-0-2.78.6-150600.4.16.1 updated
- libgobject-2_0-0-2.78.6-150600.4.16.1 updated
- libgio-2_0-0-2.78.6-150600.4.16.1 updated
- glib2-tools-2.78.6-150600.4.16.1 updated
- python311-certifi-2024.7.4-150600.1.43 updated
- python311-cchardet-2.1.19-150600.1.39 updated
- python311-numpy1-1.26.4-150600.1.47 updated
- python311-scipy-1.14.1-150600.1.48 updated
- python311-pandas-2.2.3-150600.1.49 updated
- python311-pyarrow-17.0.0-150600.2.43 updated
- python311-scikit-learn-1.5.1-150600.1.50 updated
- python311-open-webui-0.6.9-150600.2.6 updated
- container:registry.suse.com-bci-bci-base-15.6-34fc0c8b1252970b2e39ece026c2c951370720c53bd38dc29b119378020a41db-0 updated

From sle-container-updates at lists.suse.com Tue Jul 1 07:05:25 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 1 Jul 2025 09:05:25 +0200 (CEST)
Subject: SUSE-CU-2025:4780-1: Security update of containers/pytorch
Message-ID: <20250701070525.37EE7FD12@maintenance.suse.de>

SUSE Container Update Advisory: containers/pytorch
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4780-1
Container Tags : containers/pytorch:2-nvidia , containers/pytorch:2.7.0-nvidia , containers/pytorch:2.7.0-nvidia-2.23
Container Release : 2.23
Severity : important
Type : security
References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052
-----------------------------------------------------------------

The container containers/pytorch was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2167-1
Released: Mon Jun 30 09:14:40 2025
Summary: Security update for glib2
Type: security
Severity: important
References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052

This update for glib2 fixes the following issues:

- CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596).
- CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844).

The following package changes have been done:

- libglib-2_0-0-2.78.6-150600.4.16.1 updated
- libgobject-2_0-0-2.78.6-150600.4.16.1 updated
- libgmodule-2_0-0-2.78.6-150600.4.16.1 updated
- libgio-2_0-0-2.78.6-150600.4.16.1 updated
- glib2-tools-2.78.6-150600.4.16.1 updated
- python311-numpy-2.1.1-150600.1.47 updated
- python311-torch-cuda-2.7.0-150600.2.11 updated

From sle-container-updates at lists.suse.com Tue Jul 1 07:06:46 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 1 Jul 2025 09:06:46 +0200 (CEST)
Subject: SUSE-IU-2025:1707-1: Security update of suse/sle-micro/base-5.5
Message-ID: <20250701070646.BE132FD12@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/base-5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1707-1
Image Tags : suse/sle-micro/base-5.5:2.0.4 , suse/sle-micro/base-5.5:2.0.4-5.8.181 , suse/sle-micro/base-5.5:latest
Image Release : 5.8.181
Severity : important
Type : security
References : 1184350 1193629 1204562 1204569 1204619 1204705 1205282 1206051 1206073 1206649 1206843 1206886 1206887 1207361 1208105 1208542 1209292 1209556 1209684 1209780 1209980 1210337 1210763 1210767 1211465 1213012 1213013 1213094 1213096 1213233 1213946 1214991 1218470 1222629 1223096 1225903 1228659 1231293 1232649 1234395 1234454 1234887
1235100 1235870 1238303 1238570 1239986 1240785 1240802 1241038 1241525 1241640 1242006 1242146 1242147 1242150 1242151 1242154 1242157 1242158 1242160 1242164 1242165 1242169 1242215 1242217 1242218 1242219 1242222 1242224 1242226 1242227 1242228 1242229 1242230 1242231 1242232 1242237 1242239 1242240 1242241 1242244 1242245 1242248 1242249 1242261 1242264 1242265 1242270 1242276 1242278 1242279 1242280 1242281 1242282 1242285 1242286 1242289 1242294 1242295 1242298 1242302 1242305 1242311 1242312 1242320 1242338 1242349 1242351 1242352 1242353 1242355 1242357 1242358 1242359 1242360 1242361 1242365 1242366 1242369 1242370 1242371 1242372 1242377 1242378 1242380 1242381 1242382 1242385 1242387 1242389 1242391 1242392 1242393 1242394 1242398 1242399 1242400 1242402 1242403 1242405 1242406 1242409 1242410 1242411 1242415 1242416 1242421 1242422 1242425 1242426 1242428 1242440 1242443 1242448 1242449 1242452 1242453 1242454 1242455 1242456 1242458 1242464 1242465 1242467 1242469 1242473 1242474 1242478 1242481 1242484 1242489 1242497 1242527 1242542 1242544 1242545 1242547 1242548 1242549 1242550 1242551 1242558 1242570 1242580 1242586 1242589 1242596 1242597 1242685 1242686 1242688 1242689 1242695 1242716 1242733 1242734 1242735 1242736 1242739 1242740 1242743 1242744 1242745 1242746 1242747 1242748 1242749 1242751 1242752 1242753 1242756 1242759 1242762 1242765 1242767 1242778 1242779 1242790 1242791 1243047 1243133 1243737 1243919 CVE-2022-3564 CVE-2022-3619 CVE-2022-3640 CVE-2022-49762 CVE-2022-49763 CVE-2022-49769 CVE-2022-49770 CVE-2022-49771 CVE-2022-49772 CVE-2022-49773 CVE-2022-49775 CVE-2022-49776 CVE-2022-49777 CVE-2022-49779 CVE-2022-49781 CVE-2022-49783 CVE-2022-49784 CVE-2022-49786 CVE-2022-49787 CVE-2022-49788 CVE-2022-49789 CVE-2022-49790 CVE-2022-49792 CVE-2022-49793 CVE-2022-49794 CVE-2022-49795 CVE-2022-49796 CVE-2022-49797 CVE-2022-49799 CVE-2022-49800 CVE-2022-49801 CVE-2022-49802 CVE-2022-49807 CVE-2022-49809 CVE-2022-49810 CVE-2022-49812 
CVE-2022-49813 CVE-2022-49818 CVE-2022-49821 CVE-2022-49822 CVE-2022-49823 CVE-2022-49824 CVE-2022-49825 CVE-2022-49826 CVE-2022-49827 CVE-2022-49830 CVE-2022-49832 CVE-2022-49834 CVE-2022-49835 CVE-2022-49836 CVE-2022-49837 CVE-2022-49839 CVE-2022-49841 CVE-2022-49842 CVE-2022-49845 CVE-2022-49846 CVE-2022-49850 CVE-2022-49853 CVE-2022-49858 CVE-2022-49860 CVE-2022-49861 CVE-2022-49863 CVE-2022-49864 CVE-2022-49865 CVE-2022-49868 CVE-2022-49869 CVE-2022-49870 CVE-2022-49871 CVE-2022-49874 CVE-2022-49879 CVE-2022-49880 CVE-2022-49881 CVE-2022-49885 CVE-2022-49886 CVE-2022-49887 CVE-2022-49888 CVE-2022-49889 CVE-2022-49890 CVE-2022-49891 CVE-2022-49892 CVE-2022-49900 CVE-2022-49901 CVE-2022-49902 CVE-2022-49905 CVE-2022-49906 CVE-2022-49908 CVE-2022-49909 CVE-2022-49910 CVE-2022-49915 CVE-2022-49916 CVE-2022-49917 CVE-2022-49918 CVE-2022-49921 CVE-2022-49922 CVE-2022-49923 CVE-2022-49924 CVE-2022-49925 CVE-2022-49927 CVE-2022-49928 CVE-2022-49929 CVE-2022-49931 CVE-2023-1990 CVE-2023-28866 CVE-2023-53035 CVE-2023-53036 CVE-2023-53038 CVE-2023-53039 CVE-2023-53040 CVE-2023-53041 CVE-2023-53042 CVE-2023-53044 CVE-2023-53045 CVE-2023-53049 CVE-2023-53052 CVE-2023-53054 CVE-2023-53056 CVE-2023-53057 CVE-2023-53058 CVE-2023-53059 CVE-2023-53060 CVE-2023-53062 CVE-2023-53064 CVE-2023-53065 CVE-2023-53066 CVE-2023-53068 CVE-2023-53070 CVE-2023-53071 CVE-2023-53073 CVE-2023-53074 CVE-2023-53075 CVE-2023-53077 CVE-2023-53078 CVE-2023-53079 CVE-2023-53081 CVE-2023-53082 CVE-2023-53084 CVE-2023-53087 CVE-2023-53089 CVE-2023-53090 CVE-2023-53091 CVE-2023-53092 CVE-2023-53093 CVE-2023-53095 CVE-2023-53096 CVE-2023-53098 CVE-2023-53099 CVE-2023-53100 CVE-2023-53101 CVE-2023-53102 CVE-2023-53105 CVE-2023-53106 CVE-2023-53108 CVE-2023-53109 CVE-2023-53111 CVE-2023-53112 CVE-2023-53114 CVE-2023-53116 CVE-2023-53118 CVE-2023-53119 CVE-2023-53123 CVE-2023-53124 CVE-2023-53125 CVE-2023-53128 CVE-2023-53131 CVE-2023-53134 CVE-2023-53137 CVE-2023-53139 CVE-2023-53140 CVE-2023-53142 
CVE-2023-53143 CVE-2023-53145 CVE-2024-26804 CVE-2024-28956 CVE-2024-53168 CVE-2024-56558 CVE-2025-21999 CVE-2025-22056 CVE-2025-23145 CVE-2025-37785 CVE-2025-37789
-----------------------------------------------------------------

The container suse/sle-micro/base-5.5 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2173-1
Released: Mon Jun 30 15:01:26 2025
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: the same bug and CVE identifiers as the References field of the image advisory header above

The SUSE Linux Enterprise 15 SP5 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

- CVE-2022-49775: tcp: cdg: allow tcp_cdg_release() to be called multiple times (bsc#1242245).
- CVE-2024-53168: net: make sock_inuse_add() available (bsc#1234887).
- CVE-2024-56558: nfsd: make sure exp active before svc_export_show (bsc#1235100).
- CVE-2025-21999: proc: fix UAF in proc_get_inode() (bsc#1240802).
- CVE-2025-22056: netfilter: nft_tunnel: fix geneve_opt type confusion addition (bsc#1241525).
- CVE-2025-23145: mptcp: fix NULL pointer in can_accept_new_subflow (bsc#1242596).
- CVE-2025-37789: net: openvswitch: fix nested key length validation in the set() action (bsc#1242762).
- CVE-2024-28956: x86/its: Add support for ITS-safe indirect thunk (bsc#1242006).
- CVE-2025-37785: ext4: fix OOB read when checking dotdot dir (bsc#1241640).

The following non-security bugs were fixed:

- Drivers: hv: Allow vmbus_sendpacket_mpb_desc() to create multiple ranges (bsc#1243737).
- Move upstreamed sched/membarrier patch into sorted section
- Remove debug flavor (bsc#1243919). This is only released in Leap, and we do not have Leap 15.4 anymore.
- Remove debug flavor (bsc#1243919). This is only released in Leap, and we do not have Leap 15.5 anymore.
- Use gcc-13 for build on SLE16 (jsc#PED-10028).
- arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs (bsc#1242778).
- arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users (bsc#1242778).
- arm64: insn: Add support for encoding DSB (bsc#1242778).
- arm64: proton-pack: Add new CPUs 'k' values for branch mitigation (bsc#1242778).
- arm64: proton-pack: Expose whether the branchy loop k value (bsc#1242778).
- arm64: proton-pack: Expose whether the platform is mitigated by firmware (bsc#1242778).
- hv_netvsc: Preserve contiguous PFN grouping in the page buffer array (bsc#1243737).
- hv_netvsc: Remove rmsg_pgcnt (bsc#1243737).
- hv_netvsc: Use vmbus_sendpacket_mpb_desc() to send VMBus messages (bsc#1243737).
- mtd: phram: Add the kernel lock down check (bsc#1232649).
- net :mana :Add remaining GDMA stats for MANA to ethtool (bsc#1234395).
- net :mana :Request a V2 response version for MANA_QUERY_GF_STAT (bsc#1234395).
- net: mana: Add gdma stats to ethtool output for mana (bsc#1234395).
- nvme-pci: acquire cq_poll_lock in nvme_poll_irqdisable (bsc#1223096).
- ocfs2: fix the issue with discontiguous allocation in the global_bitmap (git-fixes).
- powerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW (bsc#1218470 ltc#204531).
- rpm/kernel-binary.spec.in: Also order against update-bootloader (boo#1228659, boo#1240785, boo#1241038).
- rpm/kernel-binary.spec.in: Fix missing 20-kernel-default-extra.conf (bsc#1239986)
- rpm/kernel-binary.spec.in: fix KMPs build on 6.13+ (bsc#1234454)
- rpm/kernel-docs.spec.in: Workaround for reproducible builds (bsc#1238303)
- rpm/release-projects: Update the ALP projects again (bsc#1231293).
- rpm/split-modules: Fix optional splitting with usrmerge (bsc#1238570)
- scsi: core: Fix unremoved procfs host directory regression (git-fixes).
- tcp: Dump bound-only sockets in inet_diag (bsc#1204562).
- tpm, tpm_tis: Workaround failed command reception on Infineon devices (bsc#1235870).
- tpm: tis: Double the timeout B to 4s (bsc#1235870).
- x86/bhi: Do not set BHI_DIS_S in 32-bit mode (bsc#1242778).
- x86/bpf: Add IBHF call at end of classic BPF (bsc#1242778).
- x86/bpf: Call branch history clearing sequence on exit (bsc#1242778).

The following package changes have been done:

- kernel-default-5.14.21-150500.55.110.1 updated

From sle-container-updates at lists.suse.com Tue Jul 1 07:09:40 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 1 Jul 2025 09:09:40 +0200 (CEST)
Subject: SUSE-IU-2025:1712-1: Security update of suse/sle-micro/5.5
Message-ID: <20250701070940.E1012FD1A@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1712-1
Image Tags : suse/sle-micro/5.5:2.0.4 , suse/sle-micro/5.5:2.0.4-5.5.316 , suse/sle-micro/5.5:latest
Image Release : 5.5.316
Severity : important
Type : security
References : 1245274 CVE-2025-32462
-----------------------------------------------------------------

The container suse/sle-micro/5.5 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2179-1
Released: Mon Jun 30 19:54:01 2025
Summary: Security update for sudo
Type: security
Severity: important
References: 1245274,CVE-2025-32462

This update for sudo fixes the following issues:

- CVE-2025-32462: Fixed a possible local privilege escalation via the --host option (bsc#1245274).

The following package changes have been done:

- sudo-1.9.12p1-150500.7.13.1 updated

From sle-container-updates at lists.suse.com Tue Jul 1 07:03:53 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 1 Jul 2025 09:03:53 +0200 (CEST)
Subject: SUSE-CU-2025:4775-1: Security update of containers/ollama
Message-ID: <20250701070353.64929FCFE@maintenance.suse.de>

SUSE Container Update Advisory: containers/ollama
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4775-1
Container Tags : containers/ollama:0 , containers/ollama:0.6.8 , containers/ollama:0.6.8-10.25
Container Release : 10.25
Severity : important
Type : security
References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052
-----------------------------------------------------------------

The container containers/ollama was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2167-1
Released: Mon Jun 30 09:14:40 2025
Summary: Security update for glib2
Type: security
Severity: important
References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052

This update for glib2 fixes the following issues:

- CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596).
- CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844).

The following package changes have been done:

- libglib-2_0-0-2.78.6-150600.4.16.1 updated
- container:registry.suse.com-bci-bci-base-15.6-7f1a9a6fc65c96293ea124e432d476840e77b5afceecce79e19e67ab2153d3c1-0 updated

From sle-container-updates at lists.suse.com Tue Jul 1 07:15:40 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 1 Jul 2025 09:15:40 +0200 (CEST)
Subject: SUSE-CU-2025:4786-1: Security update of suse/sle-micro/5.3/toolbox
Message-ID: <20250701071540.18AC4F78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.3/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4786-1
Container Tags : suse/sle-micro/5.3/toolbox:14.2 , suse/sle-micro/5.3/toolbox:14.2-6.11.150 , suse/sle-micro/5.3/toolbox:latest
Container Release : 6.11.150
Severity : important
Type : security
References : 1245274 CVE-2025-32462
-----------------------------------------------------------------

The container suse/sle-micro/5.3/toolbox was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2178-1
Released: Mon Jun 30 19:53:34 2025
Summary: Security update for sudo
Type: security
Severity: important
References: 1245274,CVE-2025-32462

This update for sudo fixes the following issues:

- CVE-2025-32462: Fixed a possible local privilege escalation via the --host option (bsc#1245274).

The following package changes have been done:

- sudo-1.9.9-150400.4.39.1 updated

From sle-container-updates at lists.suse.com Tue Jul 1 07:07:31 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 1 Jul 2025 09:07:31 +0200 (CEST)
Subject: SUSE-IU-2025:1708-1: Security update of suse/sle-micro/kvm-5.5
Message-ID: <20250701070731.45464FD12@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/kvm-5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1708-1
Image Tags : suse/sle-micro/kvm-5.5:2.0.4 , suse/sle-micro/kvm-5.5:2.0.4-3.5.346 , suse/sle-micro/kvm-5.5:latest
Image Release : 3.5.346
Severity : important
Type : security
References : 1184350 1193629 1204562 1204569 1204619 1204705 1205282 1206051 1206073 1206649 1206843 1206886 1206887 1207361 1208105 1208542 1209292 1209556 1209684 1209780 1209980 1210337 1210763 1210767 1211465 1213012 1213013 1213094 1213096 1213233 1213946 1214991 1218470 1222629 1223096 1225903 1228659 1231293 1232649 1234395 1234454 1234887 1235100 1235870 1238303 1238570 1239986 1240785 1240802 1241038 1241525 1241640 1242006 1242146 1242147 1242150 1242151 1242154 1242157 1242158 1242160 1242164 1242165 1242169 1242215 1242217 1242218 1242219 1242222 1242224 1242226 1242227 1242228 1242229 1242230 1242231 1242232 1242237 1242239 1242240 1242241 1242244 1242245 1242248 1242249 1242261 1242264 1242265 1242270 1242276 1242278 1242279 1242280 1242281 1242282 1242285 1242286 1242289 1242294 1242295 1242298 1242302 1242305 1242311 1242312 1242320 1242338 1242349 1242351 1242352 1242353 1242355 1242357 1242358 1242359 1242360 1242361 1242365 1242366 1242369 1242370 1242371 1242372 1242377 1242378 1242380 1242381 1242382 1242385 1242387 1242389 1242391 1242392 1242393 1242394 1242398 1242399 1242400 1242402 1242403 1242405 1242406 1242409 1242410 1242411 1242415 1242416 1242421 1242422 1242425 1242426 1242428 1242440 1242443 1242448
1242449 1242452 1242453 1242454 1242455 1242456 1242458 1242464 1242465 1242467 1242469 1242473 1242474 1242478 1242481 1242484 1242489 1242497 1242527 1242542 1242544 1242545 1242547 1242548 1242549 1242550 1242551 1242558 1242570 1242580 1242586 1242589 1242596 1242597 1242685 1242686 1242688 1242689 1242695 1242716 1242733 1242734 1242735 1242736 1242739 1242740 1242743 1242744 1242745 1242746 1242747 1242748 1242749 1242751 1242752 1242753 1242756 1242759 1242762 1242765 1242767 1242778 1242779 1242790 1242791 1243047 1243133 1243737 1243919 CVE-2022-3564 CVE-2022-3619 CVE-2022-3640 CVE-2022-49762 CVE-2022-49763 CVE-2022-49769 CVE-2022-49770 CVE-2022-49771 CVE-2022-49772 CVE-2022-49773 CVE-2022-49775 CVE-2022-49776 CVE-2022-49777 CVE-2022-49779 CVE-2022-49781 CVE-2022-49783 CVE-2022-49784 CVE-2022-49786 CVE-2022-49787 CVE-2022-49788 CVE-2022-49789 CVE-2022-49790 CVE-2022-49792 CVE-2022-49793 CVE-2022-49794 CVE-2022-49795 CVE-2022-49796 CVE-2022-49797 CVE-2022-49799 CVE-2022-49800 CVE-2022-49801 CVE-2022-49802 CVE-2022-49807 CVE-2022-49809 CVE-2022-49810 CVE-2022-49812 CVE-2022-49813 CVE-2022-49818 CVE-2022-49821 CVE-2022-49822 CVE-2022-49823 CVE-2022-49824 CVE-2022-49825 CVE-2022-49826 CVE-2022-49827 CVE-2022-49830 CVE-2022-49832 CVE-2022-49834 CVE-2022-49835 CVE-2022-49836 CVE-2022-49837 CVE-2022-49839 CVE-2022-49841 CVE-2022-49842 CVE-2022-49845 CVE-2022-49846 CVE-2022-49850 CVE-2022-49853 CVE-2022-49858 CVE-2022-49860 CVE-2022-49861 CVE-2022-49863 CVE-2022-49864 CVE-2022-49865 CVE-2022-49868 CVE-2022-49869 CVE-2022-49870 CVE-2022-49871 CVE-2022-49874 CVE-2022-49879 CVE-2022-49880 CVE-2022-49881 CVE-2022-49885 CVE-2022-49886 CVE-2022-49887 CVE-2022-49888 CVE-2022-49889 CVE-2022-49890 CVE-2022-49891 CVE-2022-49892 CVE-2022-49900 CVE-2022-49901 CVE-2022-49902 CVE-2022-49905 CVE-2022-49906 CVE-2022-49908 CVE-2022-49909 CVE-2022-49910 CVE-2022-49915 CVE-2022-49916 CVE-2022-49917 CVE-2022-49918 CVE-2022-49921 CVE-2022-49922 CVE-2022-49923 CVE-2022-49924 
CVE-2022-49925 CVE-2022-49927 CVE-2022-49928 CVE-2022-49929 CVE-2022-49931 CVE-2023-1990 CVE-2023-28866 CVE-2023-53035 CVE-2023-53036 CVE-2023-53038 CVE-2023-53039 CVE-2023-53040 CVE-2023-53041 CVE-2023-53042 CVE-2023-53044 CVE-2023-53045 CVE-2023-53049 CVE-2023-53052 CVE-2023-53054 CVE-2023-53056 CVE-2023-53057 CVE-2023-53058 CVE-2023-53059 CVE-2023-53060 CVE-2023-53062 CVE-2023-53064 CVE-2023-53065 CVE-2023-53066 CVE-2023-53068 CVE-2023-53070 CVE-2023-53071 CVE-2023-53073 CVE-2023-53074 CVE-2023-53075 CVE-2023-53077 CVE-2023-53078 CVE-2023-53079 CVE-2023-53081 CVE-2023-53082 CVE-2023-53084 CVE-2023-53087 CVE-2023-53089 CVE-2023-53090 CVE-2023-53091 CVE-2023-53092 CVE-2023-53093 CVE-2023-53095 CVE-2023-53096 CVE-2023-53098 CVE-2023-53099 CVE-2023-53100 CVE-2023-53101 CVE-2023-53102 CVE-2023-53105 CVE-2023-53106 CVE-2023-53108 CVE-2023-53109 CVE-2023-53111 CVE-2023-53112 CVE-2023-53114 CVE-2023-53116 CVE-2023-53118 CVE-2023-53119 CVE-2023-53123 CVE-2023-53124 CVE-2023-53125 CVE-2023-53128 CVE-2023-53131 CVE-2023-53134 CVE-2023-53137 CVE-2023-53139 CVE-2023-53140 CVE-2023-53142 CVE-2023-53143 CVE-2023-53145 CVE-2024-26804 CVE-2024-28956 CVE-2024-53168 CVE-2024-56558 CVE-2025-21999 CVE-2025-22056 CVE-2025-23145 CVE-2025-37785 CVE-2025-37789
-----------------------------------------------------------------

The container suse/sle-micro/kvm-5.5 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2173-1
Released: Mon Jun 30 15:01:26 2025
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: the same bug and CVE identifiers as the References field of the image advisory header above

The SUSE Linux Enterprise 15 SP5 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

- CVE-2022-49775: tcp: cdg: allow tcp_cdg_release() to be called multiple times (bsc#1242245).
- CVE-2024-53168: net: make sock_inuse_add() available (bsc#1234887).
- CVE-2024-56558: nfsd: make sure exp active before svc_export_show (bsc#1235100).
- CVE-2025-21999: proc: fix UAF in proc_get_inode() (bsc#1240802).
- CVE-2025-22056: netfilter: nft_tunnel: fix geneve_opt type confusion addition (bsc#1241525).
- CVE-2025-23145: mptcp: fix NULL pointer in can_accept_new_subflow (bsc#1242596).
- CVE-2025-37789: net: openvswitch: fix nested key length validation in the set() action (bsc#1242762).
- CVE-2024-28956: x86/its: Add support for ITS-safe indirect thunk (bsc#1242006).
- CVE-2025-37785: ext4: fix OOB read when checking dotdot dir (bsc#1241640).

The following non-security bugs were fixed:

- Drivers: hv: Allow vmbus_sendpacket_mpb_desc() to create multiple ranges (bsc#1243737).
- Move upstreamed sched/membarrier patch into sorted section
- Remove debug flavor (bsc#1243919). This is only released in Leap, and we do not have Leap 15.4 anymore.
- Remove debug flavor (bsc#1243919). This is only released in Leap, and we do not have Leap 15.5 anymore.
- Use gcc-13 for build on SLE16 (jsc#PED-10028).
- arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs (bsc#1242778).
- arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users (bsc#1242778).
- arm64: insn: Add support for encoding DSB (bsc#1242778).
- arm64: proton-pack: Add new CPUs 'k' values for branch mitigation (bsc#1242778).
- arm64: proton-pack: Expose whether the branchy loop k value (bsc#1242778).
- arm64: proton-pack: Expose whether the platform is mitigated by firmware (bsc#1242778).
- hv_netvsc: Preserve contiguous PFN grouping in the page buffer array (bsc#1243737).
- hv_netvsc: Remove rmsg_pgcnt (bsc#1243737).
- hv_netvsc: Use vmbus_sendpacket_mpb_desc() to send VMBus messages (bsc#1243737).
- mtd: phram: Add the kernel lock down check (bsc#1232649).
- net :mana :Add remaining GDMA stats for MANA to ethtool (bsc#1234395).
- net :mana :Request a V2 response version for MANA_QUERY_GF_STAT (bsc#1234395).
- net: mana: Add gdma stats to ethtool output for mana (bsc#1234395).
- nvme-pci: acquire cq_poll_lock in nvme_poll_irqdisable (bsc#1223096).
- ocfs2: fix the issue with discontiguous allocation in the global_bitmap (git-fixes).
- powerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW (bsc#1218470 ltc#204531).
- rpm/kernel-binary.spec.in: Also order against update-bootloader (boo#1228659, boo#1240785, boo#1241038).
- rpm/kernel-binary.spec.in: Fix missing 20-kernel-default-extra.conf (bsc#1239986)
- rpm/kernel-binary.spec.in: fix KMPs build on 6.13+ (bsc#1234454)
- rpm/kernel-docs.spec.in: Workaround for reproducible builds (bsc#1238303)
- rpm/release-projects: Update the ALP projects again (bsc#1231293).
- rpm/split-modules: Fix optional splitting with usrmerge (bsc#1238570)
- scsi: core: Fix unremoved procfs host directory regression (git-fixes).
- tcp: Dump bound-only sockets in inet_diag (bsc#1204562).
- tpm, tpm_tis: Workaround failed command reception on Infineon devices (bsc#1235870).
- tpm: tis: Double the timeout B to 4s (bsc#1235870).
- x86/bhi: Do not set BHI_DIS_S in 32-bit mode (bsc#1242778).
- x86/bpf: Add IBHF call at end of classic BPF (bsc#1242778).
- x86/bpf: Call branch history clearing sequence on exit (bsc#1242778).

The following package changes have been done: - kernel-default-base-5.14.21-150500.55.110.1.150500.6.51.3 updated - container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.181 updated - dracut-055+suse.396.g701c6212-150500.3.29.2 removed - elfutils-0.185-150400.5.3.1 removed - file-5.32-7.14.1 removed - libasm1-0.185-150400.5.3.1 removed - perl-Bootloader-0.947-150400.3.12.1 removed - pigz-2.3.3-1.28 removed - systemd-sysvinit-249.17-150400.8.46.1 removed - zstd-1.5.0-150400.3.3.1 removed From sle-container-updates at lists.suse.com Tue Jul 1 07:17:50 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 09:17:50 +0200 (CEST) Subject: SUSE-CU-2025:4787-1: Security update of suse/sle-micro-rancher/5.4 Message-ID: <20250701071750.9006BF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro-rancher/5.4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4787-1 Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.12 , suse/sle-micro-rancher/5.4:latest Container Release : 4.5.12 Severity : important Type : security References : 1245274 CVE-2025-32462 ----------------------------------------------------------------- The container suse/sle-micro-rancher/5.4 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2178-1 Released: Mon Jun 30 19:53:34 2025 Summary: Security update for sudo Type: security Severity: important References: 1245274,CVE-2025-32462 This update for sudo fixes the following issues: - CVE-2025-32462: Fixed a possible local privilege escalation via the --host option (bsc#1245274). 
The following package changes have been done: - sudo-1.9.9-150400.4.39.1 updated From sle-container-updates at lists.suse.com Tue Jul 1 07:19:14 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 09:19:14 +0200 (CEST) Subject: SUSE-CU-2025:4788-1: Security update of suse/sle-micro/5.4/toolbox Message-ID: <20250701071914.BF53EF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.4/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4788-1 Container Tags : suse/sle-micro/5.4/toolbox:14.2 , suse/sle-micro/5.4/toolbox:14.2-5.19.150 , suse/sle-micro/5.4/toolbox:latest Container Release : 5.19.150 Severity : important Type : security References : 1245274 CVE-2025-32462 ----------------------------------------------------------------- The container suse/sle-micro/5.4/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2178-1 Released: Mon Jun 30 19:53:34 2025 Summary: Security update for sudo Type: security Severity: important References: 1245274,CVE-2025-32462 This update for sudo fixes the following issues: - CVE-2025-32462: Fixed a possible local privilege escalation via the --host option (bsc#1245274). 
The following package changes have been done: - sudo-1.9.9-150400.4.39.1 updated From sle-container-updates at lists.suse.com Tue Jul 1 07:19:47 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 09:19:47 +0200 (CEST) Subject: SUSE-IU-2025:1713-1: Security update of suse/sl-micro/6.0/base-os-container Message-ID: <20250701071947.BF3D2F78C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1713-1 Image Tags : suse/sl-micro/6.0/base-os-container:2.1.3 , suse/sl-micro/6.0/base-os-container:2.1.3-7.13 , suse/sl-micro/6.0/base-os-container:latest Image Release : 7.13 Severity : moderate Type : security References : 1236931 1239119 CVE-2025-30258 ----------------------------------------------------------------- The container suse/sl-micro/6.0/base-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 370 Released: Mon Jun 30 10:20:23 2025 Summary: Security update for gpg2 Type: security Severity: moderate References: 1236931,1239119,CVE-2025-30258 This update for gpg2 fixes the following issues: * Fix regression for the recent malicious subkey DoS fix in CVE-2025-30258. 
[bsc#1236931, bsc#1239119, CVE-2025-30258] The following package changes have been done: - SL-Micro-release-6.0-25.31 updated - gpg2-2.4.4-4.1 updated - container:suse-toolbox-image-1.0.0-9.7 updated From sle-container-updates at lists.suse.com Tue Jul 1 07:21:28 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 09:21:28 +0200 (CEST) Subject: SUSE-CU-2025:4791-1: Security update of suse/sl-micro/6.0/toolbox Message-ID: <20250701072128.B8A05F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sl-micro/6.0/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4791-1 Container Tags : suse/sl-micro/6.0/toolbox:13.2 , suse/sl-micro/6.0/toolbox:13.2-9.7 , suse/sl-micro/6.0/toolbox:latest Container Release : 9.7 Severity : moderate Type : security References : 1236931 1239119 CVE-2025-30258 ----------------------------------------------------------------- The container suse/sl-micro/6.0/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 370 Released: Mon Jun 30 10:20:23 2025 Summary: Security update for gpg2 Type: security Severity: moderate References: 1236931,1239119,CVE-2025-30258 This update for gpg2 fixes the following issues: * Fix regression for the recent malicious subkey DoS fix in CVE-2025-30258. 
[bsc#1236931, bsc#1239119, CVE-2025-30258] The following package changes have been done: - SL-Micro-release-6.0-25.31 updated - gpg2-2.4.4-4.1 updated - skelcd-EULA-SL-Micro-2024.01.19-8.30 updated From sle-container-updates at lists.suse.com Tue Jul 1 07:27:34 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 09:27:34 +0200 (CEST) Subject: SUSE-CU-2025:4797-1: Security update of bci/bci-init Message-ID: <20250701072734.BEAF3F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-init ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4797-1 Container Tags : bci/bci-init:15.6 , bci/bci-init:15.6.44.9 Container Release : 44.9 Severity : important Type : security References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052 ----------------------------------------------------------------- The container bci/bci-init was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2167-1 Released: Mon Jun 30 09:14:40 2025 Summary: Security update for glib2 Type: security Severity: important References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596). - CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844). 
The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.16.1 updated - container:registry.suse.com-bci-bci-base-15.6-34fc0c8b1252970b2e39ece026c2c951370720c53bd38dc29b119378020a41db-0 updated From sle-container-updates at lists.suse.com Tue Jul 1 07:29:02 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 09:29:02 +0200 (CEST) Subject: SUSE-CU-2025:4799-1: Security update of bci/python Message-ID: <20250701072902.8C2C1F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4799-1 Container Tags : bci/python:3 , bci/python:3.12 , bci/python:3.12.11 , bci/python:3.12.11-69.7 Container Release : 69.7 Severity : important Type : security References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052 ----------------------------------------------------------------- The container bci/python was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2167-1 Released: Mon Jun 30 09:14:40 2025 Summary: Security update for glib2 Type: security Severity: important References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596). - CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844). 
The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.16.1 updated - container:registry.suse.com-bci-bci-base-15.6-34fc0c8b1252970b2e39ece026c2c951370720c53bd38dc29b119378020a41db-0 updated From sle-container-updates at lists.suse.com Tue Jul 1 07:31:07 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 09:31:07 +0200 (CEST) Subject: SUSE-CU-2025:4800-1: Security update of bci/bci-sle15-kernel-module-devel Message-ID: <20250701073107.EA1ABF78C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4800-1 Container Tags : bci/bci-sle15-kernel-module-devel:15.6 , bci/bci-sle15-kernel-module-devel:15.6.44.9 Container Release : 44.9 Severity : important Type : security References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052 ----------------------------------------------------------------- The container bci/bci-sle15-kernel-module-devel was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2167-1 Released: Mon Jun 30 09:14:40 2025 Summary: Security update for glib2 Type: security Severity: important References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596). - CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844). 
The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.16.1 updated - container:registry.suse.com-bci-bci-base-15.6-34fc0c8b1252970b2e39ece026c2c951370720c53bd38dc29b119378020a41db-0 updated From sle-container-updates at lists.suse.com Tue Jul 1 07:31:44 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 09:31:44 +0200 (CEST) Subject: SUSE-CU-2025:4801-1: Security update of suse/sle15 Message-ID: <20250701073144.E6E40F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4801-1 Container Tags : bci/bci-base:15.6 , bci/bci-base:15.6.47.23.6 , suse/sle15:15.6 , suse/sle15:15.6.47.23.6 Container Release : 47.23.6 Severity : important Type : security References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2167-1 Released: Mon Jun 30 09:14:40 2025 Summary: Security update for glib2 Type: security Severity: important References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596). - CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844). 
The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.16.1 updated From sle-container-updates at lists.suse.com Tue Jul 1 07:32:36 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 09:32:36 +0200 (CEST) Subject: SUSE-CU-2025:4802-1: Security update of bci/spack Message-ID: <20250701073236.180A1F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/spack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4802-1 Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-11.6 Container Release : 11.6 Severity : important Type : security References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052 ----------------------------------------------------------------- The container bci/spack was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2167-1 Released: Mon Jun 30 09:14:40 2025 Summary: Security update for glib2 Type: security Severity: important References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596). - CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844). 
The following package changes have been done:

- libgmodule-2_0-0-2.78.6-150600.4.16.1 updated
- libgobject-2_0-0-2.78.6-150600.4.16.1 updated
- libgio-2_0-0-2.78.6-150600.4.16.1 updated
- glib2-tools-2.78.6-150600.4.16.1 updated

From sle-container-updates at lists.suse.com Tue Jul 1 07:32:36 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 1 Jul 2025 09:32:36 +0200 (CEST)
Subject: SUSE-CU-2025:4803-1: Security update of bci/spack
Message-ID: <20250701073236.D92B9F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/spack
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4803-1
Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-11.8
Container Release : 11.8
Severity : important
Type : security
References : 1245274 1245275 CVE-2025-32462 CVE-2025-32463
-----------------------------------------------------------------

The container bci/spack was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2177-1
Released: Mon Jun 30 19:53:04 2025
Summary: Security update for sudo
Type: security
Severity: important
References: 1245274,1245275,CVE-2025-32462,CVE-2025-32463

This update for sudo fixes the following issues:

- CVE-2025-32462: Fixed a possible local privilege escalation via the --host option (bsc#1245274).
- CVE-2025-32463: Fixed a possible local privilege escalation via chroot option (bsc#1245275).

The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.16.1 updated - sudo-1.9.15p5-150600.3.9.1 updated - container:registry.suse.com-bci-bci-base-15.6-34fc0c8b1252970b2e39ece026c2c951370720c53bd38dc29b119378020a41db-0 updated From sle-container-updates at lists.suse.com Tue Jul 1 07:33:01 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 09:33:01 +0200 (CEST) Subject: SUSE-CU-2025:4812-1: Security update of bci/gcc Message-ID: <20250701073301.48EB1F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/gcc ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4812-1 Container Tags : bci/gcc:14 , bci/gcc:14.2 , bci/gcc:14.2-10.9 , bci/gcc:latest Container Release : 10.9 Severity : important Type : security References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052 ----------------------------------------------------------------- The container bci/gcc was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2167-1 Released: Mon Jun 30 09:14:40 2025 Summary: Security update for glib2 Type: security Severity: important References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596). - CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844). 
The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.16.1 updated - container:registry.suse.com-bci-bci-base-15.7-87a46906f9bf3b6b8a2f5d858598eb70f4d68fe75af274ee20c6c5b5532c6f4d-0 updated From sle-container-updates at lists.suse.com Tue Jul 1 07:33:04 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 09:33:04 +0200 (CEST) Subject: SUSE-CU-2025:4813-1: Security update of bci/golang Message-ID: <20250701073304.1F368F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4813-1 Container Tags : bci/golang:1.23 , bci/golang:1.23.10 , bci/golang:1.23.10-2.71.9 , bci/golang:oldstable , bci/golang:oldstable-2.71.9 Container Release : 71.9 Severity : important Type : security References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2167-1 Released: Mon Jun 30 09:14:40 2025 Summary: Security update for glib2 Type: security Severity: important References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596). - CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844). 
The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.16.1 updated - container:registry.suse.com-bci-bci-base-15.7-87a46906f9bf3b6b8a2f5d858598eb70f4d68fe75af274ee20c6c5b5532c6f4d-0 updated From sle-container-updates at lists.suse.com Tue Jul 1 07:33:07 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 09:33:07 +0200 (CEST) Subject: SUSE-CU-2025:4814-1: Security update of bci/golang Message-ID: <20250701073307.08C92F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4814-1 Container Tags : bci/golang:1.23-openssl , bci/golang:1.23.2-openssl , bci/golang:1.23.2-openssl-71.9 , bci/golang:oldstable-openssl , bci/golang:oldstable-openssl-71.9 Container Release : 71.9 Severity : important Type : security References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2167-1 Released: Mon Jun 30 09:14:40 2025 Summary: Security update for glib2 Type: security Severity: important References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596). - CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844). 
The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.16.1 updated - container:registry.suse.com-bci-bci-base-15.7-87a46906f9bf3b6b8a2f5d858598eb70f4d68fe75af274ee20c6c5b5532c6f4d-0 updated From sle-container-updates at lists.suse.com Tue Jul 1 07:33:10 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 09:33:10 +0200 (CEST) Subject: SUSE-CU-2025:4815-1: Security update of bci/golang Message-ID: <20250701073310.06876F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4815-1 Container Tags : bci/golang:1.24 , bci/golang:1.24.4 , bci/golang:1.24.4-1.71.9 , bci/golang:latest , bci/golang:stable , bci/golang:stable-1.71.9 Container Release : 71.9 Severity : important Type : security References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2167-1 Released: Mon Jun 30 09:14:40 2025 Summary: Security update for glib2 Type: security Severity: important References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596). - CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844). 
The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.16.1 updated - container:registry.suse.com-bci-bci-base-15.7-87a46906f9bf3b6b8a2f5d858598eb70f4d68fe75af274ee20c6c5b5532c6f4d-0 updated From sle-container-updates at lists.suse.com Tue Jul 1 13:05:26 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 15:05:26 +0200 (CEST) Subject: SUSE-CU-2025:4816-1: Security update of suse/sle-micro/5.5/toolbox Message-ID: <20250701130526.7FDD0FD12@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.5/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4816-1 Container Tags : suse/sle-micro/5.5/toolbox:14.2 , suse/sle-micro/5.5/toolbox:14.2-3.12.53 , suse/sle-micro/5.5/toolbox:latest Container Release : 3.12.53 Severity : important Type : security References : 1245274 CVE-2025-32462 ----------------------------------------------------------------- The container suse/sle-micro/5.5/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2179-1 Released: Mon Jun 30 19:54:01 2025 Summary: Security update for sudo Type: security Severity: important References: 1245274,CVE-2025-32462 This update for sudo fixes the following issues: - CVE-2025-32462: Fixed a possible local privilege escalation via the --host option (bsc#1245274). 
The following package changes have been done: - sudo-1.9.12p1-150500.7.13.1 updated From sle-container-updates at lists.suse.com Tue Jul 1 13:09:59 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 15:09:59 +0200 (CEST) Subject: SUSE-CU-2025:4815-1: Security update of bci/golang Message-ID: <20250701130959.834DEFD12@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4815-1 Container Tags : bci/golang:1.24 , bci/golang:1.24.4 , bci/golang:1.24.4-1.71.9 , bci/golang:latest , bci/golang:stable , bci/golang:stable-1.71.9 Container Release : 71.9 Severity : important Type : security References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2167-1 Released: Mon Jun 30 09:14:40 2025 Summary: Security update for glib2 Type: security Severity: important References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596). - CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844). 
The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.16.1 updated - container:registry.suse.com-bci-bci-base-15.7-87a46906f9bf3b6b8a2f5d858598eb70f4d68fe75af274ee20c6c5b5532c6f4d-0 updated From sle-container-updates at lists.suse.com Tue Jul 1 13:10:03 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 15:10:03 +0200 (CEST) Subject: SUSE-CU-2025:4817-1: Security update of bci/golang Message-ID: <20250701131003.CBEE3FD12@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4817-1 Container Tags : bci/golang:1.24-openssl , bci/golang:1.24.3-openssl , bci/golang:1.24.3-openssl-71.9 , bci/golang:latest , bci/golang:stable-openssl , bci/golang:stable-openssl-71.9 Container Release : 71.9 Severity : important Type : security References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2167-1 Released: Mon Jun 30 09:14:40 2025 Summary: Security update for glib2 Type: security Severity: important References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596). - CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844). 
The following package changes have been done:

- libglib-2_0-0-2.78.6-150600.4.16.1 updated
- container:registry.suse.com-bci-bci-base-15.7-87a46906f9bf3b6b8a2f5d858598eb70f4d68fe75af274ee20c6c5b5532c6f4d-0 updated

From sle-container-updates at lists.suse.com Tue Jul 1 13:10:06 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 1 Jul 2025 15:10:06 +0200 (CEST)
Subject: SUSE-CU-2025:4818-1: Security update of suse/helm
Message-ID: <20250701131006.E7A91FD12@maintenance.suse.de>

SUSE Container Update Advisory: suse/helm
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4818-1
Container Tags : suse/helm:3 , suse/helm:3.18 , suse/helm:3.18.3 , suse/helm:3.18.3-61.1 , suse/helm:latest
Container Release : 61.1
Severity : important
Type : security
References : 1241802 CVE-2025-22872
-----------------------------------------------------------------

The container suse/helm was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2121-1
Released: Thu Jun 26 10:34:05 2025
Summary: Security update for helm
Type: security
Severity: important
References: 1241802,CVE-2025-22872

This update for helm fixes the following issues:

Update to version 3.18.3:

  * build(deps): bump golang.org/x/crypto from 0.38.0 to 0.39.0 6838ebc (dependabot[bot])
  * fix: user username password for login 5b9e2f6 (Terry Howe)
  * Update pkg/registry/transport.go 2782412 (Terry Howe)
  * Update pkg/registry/transport.go e66cf6a (Terry Howe)
  * fix: add debug logging to oci transport 191f05c (Terry Howe)

Update to version 3.18.2:

  * fix: legacy docker support broken for login 04cad46 (Terry Howe)
  * Handle an empty registry config file. bc9f8a2 (Matt Farina)

Update to version 3.18.1:

  * Notes:
    - This release fixes regressions around template generation and OCI registry interaction in 3.18.0
    - There are at least 2 known regressions unaddressed in this release. They are being worked on.
      - Empty registry configuration files. When the file exists but it is empty.
      - Login to Docker Hub on some domains fails.
  * Changelog
    - fix(client): skipnode utilization for PreCopy
    - fix(client): layers now returns manifest - remove duplicate from descriptors
    - fix(client): return nil on non-allowed media types
    - Prevent fetching newReference again as we have in calling method
    - Prevent failure when resolving version tags in oras memory store
    - Update pkg/plugin/plugin.go
    - Update pkg/plugin/plugin.go
    - Wait for Helm v4 before raising when platformCommand and Command are set
    - Fix 3.18.0 regression: registry login with scheme
    - Revert 'fix (helm) : toToml` renders int as float [ backport to v3 ]'

Update to version 3.18.0 (bsc#1241802, CVE-2025-22872):

  * Notable Changes
    - Add support for JSON Schema 2020
    - Enabled cpu and memory profiling
    - Add hook annotation to output hook logs to client on error
  * Changelog
    - build(deps): bump the k8s-io group with 7 updates
    - fix: govulncheck workflow
    - bump version to v3.18.0
    - fix:add proxy support when mTLS configured
    - docs: Note about http fallback for OCI registries
    - Bump net package to avoid CVE on dev-v3
    - Bump toml
    - backport #30677 to dev3
    - build(deps): bump github.com/rubenv/sql-migrate from 1.7.2 to 1.8.0
    - Add install test for TakeOwnership flag
    - Fix --take-ownership
    - build(deps): bump github.com/rubenv/sql-migrate from 1.7.1 to 1.7.2
    - build(deps): bump golang.org/x/crypto from 0.36.0 to 0.37.0
    - build(deps): bump golang.org/x/term from 0.30.0 to 0.31.0
    - Testing text bump
    - Permit more Go version and not only 1.23.8
    - Bumps github.com/distribution/distribution/v3 from 3.0.0-rc.3 to 3.0.0
    - Unarchiving fix
    - Fix typo
    - Report as debug log, the time spent waiting for resources
    - build(deps): bump github.com/containerd/containerd from 1.7.26 to 1.7.27
    - Update pkg/registry/fallback.go
    - automatic fallback to http
    - chore(oci): upgrade to ORAS v2
    - Updating to 0.37.0 for x/net
    - build(deps): bump the k8s-io group with 7 updates
    - build(deps): bump golang.org/x/crypto from 0.35.0 to 0.36.0
    - build(deps): bump github.com/opencontainers/image-spec
    - build(deps): bump github.com/containerd/containerd from 1.7.25 to 1.7.26
    - build(deps): bump golang.org/x/crypto from 0.33.0 to 0.35.0
    - Fix cherry-pick helm.sh/helm/v4 -> helm.sh/helm/v3
    - Add HookOutputFunc and generic yaml unmarshaller
    - clarify fix error message
    - fix err check
    - add short circuit return
    - Add hook annotations to output pod logs to client on success and fail
    - chore: use []error instead of []string
    - Update cmd/helm/profiling.go
    - chore: update profiling doc in CONTRIBUTING.md
    - Update CONTRIBUTING guide
    - Prefer environment variables to CLI flags
    - Move pprof paths to HELM_PPROF env variable
    - feat: Add flags to enable CPU and memory profiling
    - build(deps): bump github.com/distribution/distribution/v3
    - build(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1
    - Moving to SetOut and SetErr for Cobra
    - build(deps): bump the k8s-io group with 7 updates
    - build(deps): bump golang.org/x/crypto from 0.32.0 to 0.33.0
    - build(deps): bump golang.org/x/term from 0.28.0 to 0.29.0
    - build(deps): bump golang.org/x/text from 0.21.0 to 0.22.0
    - build(deps): bump github.com/spf13/pflag from 1.0.5 to 1.0.6
    - build(deps): bump github.com/cyphar/filepath-securejoin
    - build(deps): bump github.com/evanphx/json-patch
    - build(deps): bump the k8s-io group with 7 updates
    - fix: check group for resource info match
    - Bump github.com/cyphar/filepath-securejoin from 0.3.6 to 0.4.0
    - add test for nullifying nested global value
    - Ensuring the file paths are clean prior to passing to securejoin
    - Bump github.com/containerd/containerd from 1.7.24 to 1.7.25
    - Bump golang.org/x/crypto from 0.31.0 to 0.32.0
    - Bump golang.org/x/term from 0.27.0 to 0.28.0
    - bump version to v3.17.0
    - Bump github.com/moby/term from 0.5.0 to 0.5.2
    - Add test case for removing an entire object
    - Tests for bugfix: Override subcharts with null values #12879
    - feat: Added multi-platform plugin hook support to v3
    - This commit fixes the issue where the yaml.Unmarshaller converts all int values into float64, this passes in option to decoder, which enables conversion of int into .
    - merge null child chart objects

The following package changes have been done:

- helm-3.18.3-150000.1.50.1 updated
- container:suse-sle15-15.7-87a46906f9bf3b6b8a2f5d858598eb70f4d68fe75af274ee20c6c5b5532c6f4d-0 updated

From sle-container-updates at lists.suse.com Tue Jul 1 13:10:11 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 1 Jul 2025 15:10:11 +0200 (CEST)
Subject: SUSE-CU-2025:4819-1: Security update of bci/bci-init
Message-ID: <20250701131011.CA4EEFD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-init
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4819-1
Container Tags : bci/bci-init:15.7 , bci/bci-init:15.7-41.12 , bci/bci-init:latest
Container Release : 41.12
Severity : important
Type : security
References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052
-----------------------------------------------------------------

The container bci/bci-init was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2167-1
Released: Mon Jun 30 09:14:40 2025
Summary: Security update for glib2
Type: security
Severity: important
References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052

This update for glib2 fixes the following issues:

- CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596).
- CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844). The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.16.1 updated - container:registry.suse.com-bci-bci-base-15.7-87a46906f9bf3b6b8a2f5d858598eb70f4d68fe75af274ee20c6c5b5532c6f4d-0 updated From sle-container-updates at lists.suse.com Tue Jul 1 13:10:13 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 15:10:13 +0200 (CEST) Subject: SUSE-CU-2025:4820-1: Security update of suse/kiosk/firefox-esr Message-ID: <20250701131013.D1D9BFD12@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/firefox-esr ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4820-1 Container Tags : suse/kiosk/firefox-esr:128.12 , suse/kiosk/firefox-esr:128.12-61.10 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest Container Release : 61.10 Severity : important Type : security References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052 ----------------------------------------------------------------- The container suse/kiosk/firefox-esr was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2167-1 Released: Mon Jun 30 09:14:40 2025 Summary: Security update for glib2 Type: security Severity: important References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596). - CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844). 
The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.16.1 updated - libgthread-2_0-0-2.78.6-150600.4.16.1 updated - libgobject-2_0-0-2.78.6-150600.4.16.1 updated - libgmodule-2_0-0-2.78.6-150600.4.16.1 updated - libgio-2_0-0-2.78.6-150600.4.16.1 updated - glib2-tools-2.78.6-150600.4.16.1 updated From sle-container-updates at lists.suse.com Tue Jul 1 13:10:18 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 15:10:18 +0200 (CEST) Subject: SUSE-CU-2025:4821-1: Security update of bci/kiwi Message-ID: <20250701131018.1F110FD12@maintenance.suse.de> SUSE Container Update Advisory: bci/kiwi ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4821-1 Container Tags : bci/kiwi:9 , bci/kiwi:9.24 , bci/kiwi:9.24.43 , bci/kiwi:9.24.43-16.14 , bci/kiwi:latest Container Release : 16.14 Severity : important Type : security References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052 ----------------------------------------------------------------- The container bci/kiwi was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2167-1 Released: Mon Jun 30 09:14:40 2025 Summary: Security update for glib2 Type: security Severity: important References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596). - CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844). 
The following package changes have been done: - libgmodule-2_0-0-2.78.6-150600.4.16.1 updated - libgobject-2_0-0-2.78.6-150600.4.16.1 updated - libgthread-2_0-0-2.78.6-150600.4.16.1 updated - libgio-2_0-0-2.78.6-150600.4.16.1 updated - glib2-tools-2.78.6-150600.4.16.1 updated - glib2-devel-2.78.6-150600.4.16.1 updated From sle-container-updates at lists.suse.com Tue Jul 1 13:10:42 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 15:10:42 +0200 (CEST) Subject: SUSE-CU-2025:4829-1: Security update of suse/pcp Message-ID: <20250701131042.06B97FD12@maintenance.suse.de> SUSE Container Update Advisory: suse/pcp ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4829-1 Container Tags : suse/pcp:6 , suse/pcp:6.2 , suse/pcp:6.2.0 , suse/pcp:6.2.0-61.15 , suse/pcp:latest Container Release : 61.15 Severity : important Type : security References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052 ----------------------------------------------------------------- The container suse/pcp was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2167-1 Released: Mon Jun 30 09:14:40 2025 Summary: Security update for glib2 Type: security Severity: important References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596). - CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844). 
The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.16.1 updated - container:bci-bci-init-15.7-9c8da4f38e8469c0332dc66bdbc8ece6cd671feea99168f9843a9726a75f86c8-0 updated From sle-container-updates at lists.suse.com Tue Jul 1 13:10:57 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 15:10:57 +0200 (CEST) Subject: SUSE-CU-2025:4835-1: Security update of bci/python Message-ID: <20250701131057.751B4FD12@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4835-1 Container Tags : bci/python:3 , bci/python:3.11 , bci/python:3.11.13 , bci/python:3.11.13-71.11 Container Release : 71.11 Severity : important Type : security References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052 ----------------------------------------------------------------- The container bci/python was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2167-1 Released: Mon Jun 30 09:14:40 2025 Summary: Security update for glib2 Type: security Severity: important References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596). - CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844). 
The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.16.1 updated - container:registry.suse.com-bci-bci-base-15.7-87a46906f9bf3b6b8a2f5d858598eb70f4d68fe75af274ee20c6c5b5532c6f4d-0 updated From sle-container-updates at lists.suse.com Tue Jul 1 13:11:02 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 15:11:02 +0200 (CEST) Subject: SUSE-CU-2025:4836-1: Security update of bci/python Message-ID: <20250701131102.E6EC9FD12@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4836-1 Container Tags : bci/python:3.13 , bci/python:3.13.5 , bci/python:3.13.5-71.11 , bci/python:latest Container Release : 71.11 Severity : important Type : security References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052 ----------------------------------------------------------------- The container bci/python was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2167-1 Released: Mon Jun 30 09:14:40 2025 Summary: Security update for glib2 Type: security Severity: important References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596). - CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844). 
The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.16.1 updated - container:registry.suse.com-bci-bci-base-15.7-87a46906f9bf3b6b8a2f5d858598eb70f4d68fe75af274ee20c6c5b5532c6f4d-0 updated From sle-container-updates at lists.suse.com Tue Jul 1 13:11:06 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 15:11:06 +0200 (CEST) Subject: SUSE-CU-2025:4837-1: Security update of bci/python Message-ID: <20250701131106.D7D85FD12@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4837-1 Container Tags : bci/python:3 , bci/python:3.6 , bci/python:3.6.15 , bci/python:3.6.15-71.10 Container Release : 71.10 Severity : important Type : security References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052 ----------------------------------------------------------------- The container bci/python was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2167-1 Released: Mon Jun 30 09:14:40 2025 Summary: Security update for glib2 Type: security Severity: important References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596). - CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844). 
The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.16.1 updated - container:registry.suse.com-bci-bci-base-15.7-87a46906f9bf3b6b8a2f5d858598eb70f4d68fe75af274ee20c6c5b5532c6f4d-0 updated From sle-container-updates at lists.suse.com Tue Jul 1 13:11:15 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 15:11:15 +0200 (CEST) Subject: SUSE-CU-2025:4839-1: Security update of bci/ruby Message-ID: <20250701131115.4E11FFD12@maintenance.suse.de> SUSE Container Update Advisory: bci/ruby ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4839-1 Container Tags : bci/ruby:2 , bci/ruby:2.5 , bci/ruby:2.5-11.9 Container Release : 11.9 Severity : important Type : security References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052 ----------------------------------------------------------------- The container bci/ruby was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2167-1 Released: Mon Jun 30 09:14:40 2025 Summary: Security update for glib2 Type: security Severity: important References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596). - CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844). 
The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.16.1 updated - container:registry.suse.com-bci-bci-base-15.7-87a46906f9bf3b6b8a2f5d858598eb70f4d68fe75af274ee20c6c5b5532c6f4d-0 updated From sle-container-updates at lists.suse.com Tue Jul 1 13:11:19 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 15:11:19 +0200 (CEST) Subject: SUSE-CU-2025:4840-1: Security update of bci/ruby Message-ID: <20250701131119.070E4FD12@maintenance.suse.de> SUSE Container Update Advisory: bci/ruby ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4840-1 Container Tags : bci/ruby:3 , bci/ruby:3.4 , bci/ruby:3.4-10.9 , bci/ruby:latest Container Release : 10.9 Severity : important Type : security References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052 ----------------------------------------------------------------- The container bci/ruby was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2167-1 Released: Mon Jun 30 09:14:40 2025 Summary: Security update for glib2 Type: security Severity: important References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596). - CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844). 
The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.16.1 updated - container:registry.suse.com-bci-bci-base-15.7-87a46906f9bf3b6b8a2f5d858598eb70f4d68fe75af274ee20c6c5b5532c6f4d-0 updated From sle-container-updates at lists.suse.com Tue Jul 1 13:11:22 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 15:11:22 +0200 (CEST) Subject: SUSE-CU-2025:4841-1: Security update of bci/rust Message-ID: <20250701131122.4E244FD12@maintenance.suse.de> SUSE Container Update Advisory: bci/rust ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4841-1 Container Tags : bci/rust:1.86 , bci/rust:1.86.0 , bci/rust:1.86.0-2.2.14 , bci/rust:oldstable , bci/rust:oldstable-2.2.14 Container Release : 2.14 Severity : important Type : security References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052 ----------------------------------------------------------------- The container bci/rust was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2167-1 Released: Mon Jun 30 09:14:40 2025 Summary: Security update for glib2 Type: security Severity: important References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596). - CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844). 
The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.16.1 updated - container:registry.suse.com-bci-bci-base-15.7-87a46906f9bf3b6b8a2f5d858598eb70f4d68fe75af274ee20c6c5b5532c6f4d-0 updated From sle-container-updates at lists.suse.com Tue Jul 1 13:11:25 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 15:11:25 +0200 (CEST) Subject: SUSE-CU-2025:4842-1: Security update of bci/rust Message-ID: <20250701131125.8DD79FD12@maintenance.suse.de> SUSE Container Update Advisory: bci/rust ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4842-1 Container Tags : bci/rust:1.87 , bci/rust:1.87.0 , bci/rust:1.87.0-1.3.9 , bci/rust:latest , bci/rust:stable , bci/rust:stable-1.3.9 Container Release : 3.9 Severity : important Type : security References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052 ----------------------------------------------------------------- The container bci/rust was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2167-1 Released: Mon Jun 30 09:14:40 2025 Summary: Security update for glib2 Type: security Severity: important References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596). - CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844). 
The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.16.1 updated - container:registry.suse.com-bci-bci-base-15.7-87a46906f9bf3b6b8a2f5d858598eb70f4d68fe75af274ee20c6c5b5532c6f4d-0 updated From sle-container-updates at lists.suse.com Tue Jul 1 13:11:30 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 15:11:30 +0200 (CEST) Subject: SUSE-CU-2025:4843-1: Security update of bci/bci-sle15-kernel-module-devel Message-ID: <20250701131130.4414FFD12@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4843-1 Container Tags : bci/bci-sle15-kernel-module-devel:15.7 , bci/bci-sle15-kernel-module-devel:15.7-41.10 , bci/bci-sle15-kernel-module-devel:latest Container Release : 41.10 Severity : important Type : security References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052 ----------------------------------------------------------------- The container bci/bci-sle15-kernel-module-devel was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2167-1 Released: Mon Jun 30 09:14:40 2025 Summary: Security update for glib2 Type: security Severity: important References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596). - CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844). 
The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.16.1 updated - container:registry.suse.com-bci-bci-base-15.7-87a46906f9bf3b6b8a2f5d858598eb70f4d68fe75af274ee20c6c5b5532c6f4d-0 updated From sle-container-updates at lists.suse.com Tue Jul 1 13:11:34 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 15:11:34 +0200 (CEST) Subject: SUSE-CU-2025:4844-1: Security update of suse/sle15 Message-ID: <20250701131134.593B5FD12@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4844-1 Container Tags : bci/bci-base:15.7 , bci/bci-base:15.7-5.8.7 , bci/bci-base:latest , suse/sle15:15.7 , suse/sle15:15.7-5.8.7 , suse/sle15:latest Container Release : 5.8.7 Severity : important Type : security References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2167-1 Released: Mon Jun 30 09:14:40 2025 Summary: Security update for glib2 Type: security Severity: important References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596). - CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844). 
The following package changes have been done: - libglib-2_0-0-2.78.6-150600.4.16.1 updated From sle-container-updates at lists.suse.com Tue Jul 1 13:11:39 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 15:11:39 +0200 (CEST) Subject: SUSE-CU-2025:4845-1: Security update of bci/spack Message-ID: <20250701131139.7E68BFD12@maintenance.suse.de> SUSE Container Update Advisory: bci/spack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4845-1 Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-13.9 , bci/spack:latest Container Release : 13.9 Severity : important Type : security References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052 ----------------------------------------------------------------- The container bci/spack was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2167-1 Released: Mon Jun 30 09:14:40 2025 Summary: Security update for glib2 Type: security Severity: important References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596). - CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844). 
The following package changes have been done: - libgmodule-2_0-0-2.78.6-150600.4.16.1 updated - libgobject-2_0-0-2.78.6-150600.4.16.1 updated - libgio-2_0-0-2.78.6-150600.4.16.1 updated - glib2-tools-2.78.6-150600.4.16.1 updated From sle-container-updates at lists.suse.com Tue Jul 1 13:11:40 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 15:11:40 +0200 (CEST) Subject: SUSE-CU-2025:4847-1: Security update of bci/spack Message-ID: <20250701131140.E706AFD12@maintenance.suse.de> SUSE Container Update Advisory: bci/spack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4847-1 Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-13.11 , bci/spack:latest Container Release : 13.11 Severity : important Type : security References : 1245274 1245275 CVE-2025-32462 CVE-2025-32463 ----------------------------------------------------------------- The container bci/spack was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2177-1 Released: Mon Jun 30 19:53:04 2025 Summary: Security update for sudo Type: security Severity: important References: 1245274,1245275,CVE-2025-32462,CVE-2025-32463 This update for sudo fixes the following issues: - CVE-2025-32462: Fixed a possible local privilege escalation via the --host option (bsc#1245274). - CVE-2025-32463: Fixed a possible local privilege escalation via chroot option (bsc#1245275). 
The following package changes have been done: - sudo-1.9.15p5-150600.3.9.1 updated From sle-container-updates at lists.suse.com Tue Jul 1 13:13:34 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 15:13:34 +0200 (CEST) Subject: SUSE-CU-2025:4850-1: Security update of suse/sle-micro/5.1/toolbox Message-ID: <20250701131334.14D32FD12@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.1/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4850-1 Container Tags : suse/sle-micro/5.1/toolbox:14.2 , suse/sle-micro/5.1/toolbox:14.2-3.13.142 , suse/sle-micro/5.1/toolbox:latest Container Release : 3.13.142 Severity : important Type : security References : 1245274 CVE-2025-32462 ----------------------------------------------------------------- The container suse/sle-micro/5.1/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2175-1 Released: Mon Jun 30 16:32:18 2025 Summary: Security update for sudo Type: security Severity: important References: 1245274,CVE-2025-32462 This update for sudo fixes the following issues: - CVE-2025-32462: Fixed a possible local privilege escalation via the --host option (bsc#1245274). 
The following package changes have been done: - sudo-1.9.5p2-150300.3.36.1 updated From sle-container-updates at lists.suse.com Tue Jul 1 13:18:56 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 15:18:56 +0200 (CEST) Subject: SUSE-CU-2025:4852-1: Security update of suse/sle-micro/5.2/toolbox Message-ID: <20250701131856.A8693FD12@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4852-1 Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.144 , suse/sle-micro/5.2/toolbox:latest Container Release : 7.11.144 Severity : important Type : security References : 1245274 CVE-2025-32462 ----------------------------------------------------------------- The container suse/sle-micro/5.2/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2175-1 Released: Mon Jun 30 16:32:18 2025 Summary: Security update for sudo Type: security Severity: important References: 1245274,CVE-2025-32462 This update for sudo fixes the following issues: - CVE-2025-32462: Fixed a possible local privilege escalation via the --host option (bsc#1245274). 
The following package changes have been done: - sudo-1.9.5p2-150300.3.36.1 updated From sle-container-updates at lists.suse.com Tue Jul 1 13:29:48 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 1 Jul 2025 15:29:48 +0200 (CEST) Subject: SUSE-CU-2025:4852-1: Security update of suse/sle-micro/5.2/toolbox Message-ID: <20250701132948.13905FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4852-1 Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.144 , suse/sle-micro/5.2/toolbox:latest Container Release : 7.11.144 Severity : important Type : security References : 1245274 CVE-2025-32462 ----------------------------------------------------------------- The container suse/sle-micro/5.2/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2175-1 Released: Mon Jun 30 16:32:18 2025 Summary: Security update for sudo Type: security Severity: important References: 1245274,CVE-2025-32462 This update for sudo fixes the following issues: - CVE-2025-32462: Fixed a possible local privilege escalation via the --host option (bsc#1245274). 
The following package changes have been done: - sudo-1.9.5p2-150300.3.36.1 updated From sle-container-updates at lists.suse.com Wed Jul 2 07:04:14 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 2 Jul 2025 09:04:14 +0200 (CEST) Subject: SUSE-IU-2025:1739-1: Security update of suse/sl-micro/6.0/baremetal-os-container Message-ID: <20250702070414.BF862FCFE@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/baremetal-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1739-1 Image Tags : suse/sl-micro/6.0/baremetal-os-container:2.1.3 , suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.46 , suse/sl-micro/6.0/baremetal-os-container:latest Image Release : 6.46 Severity : important Type : security References : 1236931 1239119 1243389 1244079 1244509 CVE-2025-30258 CVE-2025-40909 CVE-2025-6020 ----------------------------------------------------------------- The container suse/sl-micro/6.0/baremetal-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 361 Released: Thu Jun 19 10:49:31 2025 Summary: Security update for pam Type: security Severity: important References: 1244509,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path. And keep the bind-mount protection from protect_mount() as a defense in depth measure. 
(bsc#1244509) ----------------------------------------------------------------- Advisory ID: 367 Released: Tue Jun 24 10:39:31 2025 Summary: Recommended update for selinux-policy Type: recommended Severity: moderate References: 1243389 This update for selinux-policy fixes the following issues: Update to version 20230523+git27.6fee49569: * qemu-guest-agent: fix denial for guest-get-fsinfo (bsc#1243389) ----------------------------------------------------------------- Advisory ID: 370 Released: Mon Jun 30 10:20:23 2025 Summary: Security update for gpg2 Type: security Severity: moderate References: 1236931,1239119,CVE-2025-30258 This update for gpg2 fixes the following issues: * Fix regression for the recent malicious subkey DoS fix in CVE-2025-30258. [bsc#1236931, bsc#1239119, CVE-2025-30258] ----------------------------------------------------------------- Advisory ID: 372 Released: Tue Jul 1 13:42:56 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Fixed a working directory race condition causing file operations to target unintended paths (bsc#1244079) The following package changes have been done: - perl-base-5.38.2-4.1 updated - pam-1.6.0-5.1 updated - SL-Micro-release-6.0-25.32 updated - gpg2-2.4.4-4.1 updated - perl-5.38.2-4.1 updated - selinux-policy-20230523+git27.6fee49569-1.1 updated - selinux-policy-targeted-20230523+git27.6fee49569-1.1 updated - container:SL-Micro-base-container-2.1.3-7.14 updated From sle-container-updates at lists.suse.com Wed Jul 2 07:04:45 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 2 Jul 2025 09:04:45 +0200 (CEST) Subject: SUSE-IU-2025:1740-1: Security update of suse/sl-micro/6.0/base-os-container Message-ID: <20250702070445.4696BFCFE@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/base-os-container 
----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1740-1 Image Tags : suse/sl-micro/6.0/base-os-container:2.1.3 , suse/sl-micro/6.0/base-os-container:2.1.3-7.14 , suse/sl-micro/6.0/base-os-container:latest Image Release : 7.14 Severity : moderate Type : security References : 1244079 CVE-2025-40909 ----------------------------------------------------------------- The container suse/sl-micro/6.0/base-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 372 Released: Tue Jul 1 13:42:56 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Fixed a working directory race condition causing file operations to target unintended paths (bsc#1244079) The following package changes have been done: - perl-base-5.38.2-4.1 updated - SL-Micro-release-6.0-25.32 updated - container:suse-toolbox-image-1.0.0-9.8 updated From sle-container-updates at lists.suse.com Wed Jul 2 07:05:23 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 2 Jul 2025 09:05:23 +0200 (CEST) Subject: SUSE-IU-2025:1741-1: Security update of suse/sl-micro/6.0/kvm-os-container Message-ID: <20250702070523.0383FFCFE@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/kvm-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1741-1 Image Tags : suse/sl-micro/6.0/kvm-os-container:2.1.3 , suse/sl-micro/6.0/kvm-os-container:2.1.3-6.41 , suse/sl-micro/6.0/kvm-os-container:latest Image Release : 6.41 Severity : moderate Type : security References : 1244079 CVE-2025-40909 ----------------------------------------------------------------- The container suse/sl-micro/6.0/kvm-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 372 Released: Tue Jul 1 13:42:56 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Fixed a working directory race condition causing file operations to target unintended paths (bsc#1244079) The following package changes have been done: - perl-base-5.38.2-4.1 updated - SL-Micro-release-6.0-25.32 updated - container:SL-Micro-base-container-2.1.3-7.14 updated From sle-container-updates at lists.suse.com Wed Jul 2 07:06:06 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 2 Jul 2025 09:06:06 +0200 (CEST) Subject: SUSE-IU-2025:1742-1: Security update of suse/sl-micro/6.0/rt-os-container Message-ID: <20250702070606.4B067FCFE@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/rt-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1742-1 Image Tags : suse/sl-micro/6.0/rt-os-container:2.1.3 , suse/sl-micro/6.0/rt-os-container:2.1.3-7.48 , suse/sl-micro/6.0/rt-os-container:latest Image Release : 7.48 Severity : important Type : security References : 1244079 1244509 CVE-2025-40909 CVE-2025-6020 ----------------------------------------------------------------- The container suse/sl-micro/6.0/rt-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 361 Released: Thu Jun 19 10:49:31 2025 Summary: Security update for pam Type: security Severity: important References: 1244509,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path. 
And keep the bind-mount protection from protect_mount() as a defense in depth measure. (bsc#1244509) ----------------------------------------------------------------- Advisory ID: 372 Released: Tue Jul 1 13:42:56 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Fixed a working directory race condition causing file operations to target unintended paths (bsc#1244079) The following package changes have been done: - perl-base-5.38.2-4.1 updated - pam-1.6.0-5.1 updated - SL-Micro-release-6.0-25.32 updated - container:SL-Micro-container-2.1.3-6.46 updated From sle-container-updates at lists.suse.com Wed Jul 2 07:07:11 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 2 Jul 2025 09:07:11 +0200 (CEST) Subject: SUSE-CU-2025:4858-1: Security update of suse/sl-micro/6.0/toolbox Message-ID: <20250702070711.A650EFCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/sl-micro/6.0/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4858-1 Container Tags : suse/sl-micro/6.0/toolbox:13.2 , suse/sl-micro/6.0/toolbox:13.2-9.8 , suse/sl-micro/6.0/toolbox:latest Container Release : 9.8 Severity : moderate Type : security References : 1244079 CVE-2025-40909 ----------------------------------------------------------------- The container suse/sl-micro/6.0/toolbox was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 372 Released: Tue Jul 1 13:42:56 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Fixed a working directory race condition causing file operations to target unintended paths (bsc#1244079) The following package changes have been done: - SL-Micro-release-6.0-25.32 updated - perl-base-5.38.2-4.1 updated - perl-5.38.2-4.1 updated - skelcd-EULA-SL-Micro-2024.01.19-8.31 updated From sle-container-updates at lists.suse.com Wed Jul 2 07:07:41 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 2 Jul 2025 09:07:41 +0200 (CEST) Subject: SUSE-IU-2025:1743-1: Security update of suse/sl-micro/6.1/base-os-container Message-ID: <20250702070741.1B3D7FCFE@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1743-1 Image Tags : suse/sl-micro/6.1/base-os-container:2.2.0 , suse/sl-micro/6.1/base-os-container:2.2.0-4.57 , suse/sl-micro/6.1/base-os-container:latest Image Release : 4.57 Severity : important Type : security References : 1189788 1216091 1222044 1223098 1223726 1225451 1228434 1229106 1230267 1232458 1233285 1233287 1233292 1233447 1233973 1234752 1235598 1235636 1236384 1236481 1236820 1236931 1236931 1236939 1236983 1237044 1237172 1237587 1237949 1238315 1239012 1239119 1239119 1239543 1239809 1240132 1240529 1241463 1243279 1243457 1243887 1243901 1244042 1244105 614646 CVE-2024-27306 CVE-2024-30251 CVE-2024-52304 CVE-2024-52530 CVE-2024-52531 CVE-2024-52532 CVE-2024-53008 CVE-2025-30258 CVE-2025-30258 ----------------------------------------------------------------- The container suse/sl-micro/6.1/base-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 163 Released: Mon Jun 30 10:31:31 2025 Summary: Security update for gpg2 Type: security Severity: moderate References: 1233973,1236931,1239119,CVE-2024-53008,CVE-2025-30258 This update for gpg2 fixes the following issues: * Fixed regressions for the recent malicious subkey DoS fix for CVE-2025-30258 (bsc#1239119). ----------------------------------------------------------------- Advisory ID: 165 Released: Tue Jul 1 13:27:41 2025 Summary: Recommended update for gpg2 Type: recommended Severity: moderate References: 1233285,1233287,1233292,1236931,1239119,CVE-2024-52530,CVE-2024-52531,CVE-2024-52532,CVE-2025-30258 This update for gpg2 fixes the following issues: This reverts the CVE-2025-30258 fix, as it changed behaviour when using expired keys. ----------------------------------------------------------------- Advisory ID: 161 Released: Tue Jul 1 14:39:34 2025 Summary: Recommended update for zypper, libzypp, libsolv Type: recommended Severity: important References: 1189788,1216091,1222044,1223098,1223726,1225451,1228434,1229106,1230267,1232458,1233447,1234752,1235598,1235636,1236384,1236481,1236820,1236939,1236983,1237044,1237172,1237587,1237949,1238315,1239012,1239543,1239809,1240132,1240529,1241463,1243279,1243457,1243887,1243901,1244042,1244105,614646,CVE-2024-27306,CVE-2024-30251,CVE-2024-52304 This update for zypper, libzypp, libsolv fixes the following issues: libsolv was updated to 0.7.33: - improve transaction ordering by allowing more uninst->uninst edges [bsc#1243457] - implement color filtering when adding update targets - support orderwithrequires dependencies in susedata.xml - build both static and dynamic libraries on new suse distros - support the apk package and repository format (both v2 and v3) - new dataiterator_final_{repo,solvable} functions - Provide a symbol specific for the ruby-version so yast does not break 
across updates (bsc#1235598) - fix replaces_installed_package using the wrong solvable id when checking the noupdate map - make POOL_FLAG_ADDFILEPROVIDESFILTERED behaviour more standard - add rpm_query_idarray query function - support rpm's 'orderwithrequires' dependency libzypp was updated to 17.37.6: - Enhancements regarding mirror handling during repo refresh. Added means to disable the use of mirrors when downloading security relevant files. Requires updating zypper to 1.14.91. - Fix autotestcase writer if ZYPP_FULLLOG=1 (bsc#1244042) If ZYPP_FULLLOG=1 a solver testcase to '/var/log/YaST2/autoTestcase' should be written for each solver run. There was no testcase written for the very first solver run. This is now fixed. - Pass $1==2 to %posttrans script if it's an update (bsc#1243279) - Fix credential handling in HEAD requests (bsc#1244105) - RepoInfo: use pathNameSetTrailingSlash (fixes #643) - Fix wrong userdata parameter type when running zypp with debug verbosity (bsc#1239012) - Do not warn about no mirrors if mirrorlist was switched on automatically.
(bsc#1243901) - Relax permission of cached packages to 0644 & ~umask (bsc#1243887) - Add a note to service maintained .repo file entries (fixes #638) - Support using %{url} variable in a RIS service's repo section. - Use a cookie file to validate mirrorlist cache. This patch extends the mirrorlist code to use a cookie file to validate the contents of the cache against the source URL, making sure that we do not accidentally use an old cache when the mirrorlist url was changed. For example when migrating a system from one release to the next where the same repo alias might just have a different URL. - Let Service define and update gpgkey, mirrorlist and metalink. - Preserve a mirrorlist file in the raw cache during refresh. - Code16: Enable curl2 backend and parallel package download by default. In Code15 it's optional. Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1> can be used to turn the features on or off. - Make gpgKeyUrl the default source for gpg keys. When refreshing zypp now primarily uses gpgKeyUrl information from the repo files and only falls back to an automatically generated key Url if a gpgKeyUrl was not specified. - Introduce mirrors into the Media backends (bsc#1240132) - Drop MediaMultiCurl backend. - Throttle progress updates when preloading packages (bsc#1239543) - Check if request is in valid state in CURL callbacks (fixes openSUSE/zypper#605) - spec/CMake: add conditional build '--with[out] classic_rpmtrans_as_default'. classic_rpmtrans is the current builtin default for SUSE, otherwise it's single_rpmtrans. The `enable_preview_single_rpmtrans_as_default_for_zypper` switch was removed from the spec file. Accordingly the CMake option ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed. - fixed build with boost 1.88. - XmlReader: Fix detection of bad input streams (fixes #635) libxml2 2.14 potentially reads the complete stream, so it may have the 'eof' bit set. Which is not 'good' but also not 'bad'.
- rpm: Fix detection of %triggerscript starts (bsc#1222044) - RepoindexFileReader: add more related attributes a service may set. Add optional attributes gpgcheck, repo_gpgcheck, pkg_gpgcheck, keeppackages, gpgkey, mirrorlist, and metalink with the same semantic as in a .repo file. - Drop workaround for broken rpm-4.18 in Code16 (bsc#1237172) - BuildRequires: %{libsolv_devel_package} >= 0.7.32. Code16 moved static libs to libsolv-devel-static. - Drop usage of SHA1 hash algorithm because it will become unavailable in FIPS mode (bsc#1240529) - Fix zypp.conf dupAllowVendorChange to reflect the correct default (false). The default was true in Code12 (libzypp-16.x) and changed to false with Code15 (libzypp-17.x). Unfortunately this was done by shipping a modified zypp.conf file rather than fixing the code. - zypp.conf: Add `lock_timeout` ($ZYPP_LOCK_TIMEOUT) (bsc#1239809) - Fix computation of RepStatus if Repo URLs change. - Fix lost double slash when appending to an absolute FTP url (bsc#1238315) Ftp actually differs between absolute and relative URL paths. Absolute path names begin with a double slash encoded as '/%2F'. This must be preserved when manipulating the path. - Add a transaction package preloader (fixes openSUSE/zypper#104) This patch adds a preloader that concurrently downloads files during a transaction commit. It's not yet enabled per default. To enable the preview set ZYPP_CURL2=1 and ZYPP_PCK_PRELOAD=1 in the environment. - RpmPkgSigCheck_test: Exchange the test package signingkey (fixes #622) - Exclude MediaCurl tests if DISABLE_MEDIABACKEND_TESTS (fixes #626) - Strip a mediahandler tag from baseUrl querystrings. - Disable zypp.conf:download.use_deltarpm by default (fixes #620) Measurements show that you don't benefit from using deltarpms unless your network connection is very slow. That's why most distributions even stop offering deltarpms. The default remains unchanged on SUSE-15.6 and older. 
- Make sure repo variables are evaluated in the right context (bsc#1237044) - Introducing MediaCurl2 an alternative HTTP backend. This patch adds MediaCurl2 as a testbed for experimenting with a more simple way to download files. Set ZYPP_CURL2=1 in the environment to use it. - Filesystem usrmerge must not be done in singletrans mode (bsc#1236481, bsc#1189788) Commit will amend the backend in case the transaction would perform a filesystem usrmerge. - Workaround bsc#1216091 on Code16. - Don't issue deprecated warnings if -DNDEBUG is set (bsc#1236983) Released libyui packages compile with -Werror=deprecated-declarations so we can't add deprecated warnings without breaking them. - make gcc15 happy (fixes #613) - Drop zypp-CheckAccessDeleted in favor of 'zypper ps'. - Fix Repoverification plugin not being executed (fixes #614) - Refresh: Fetch the master index file before key and signature (bsc#1236820) - Allow libzypp to compile with C++20. - Deprecate RepoReports we do not trigger. - Create '.keep_packages' in the package cache dir to enforce keeping downloaded packages of all repos cached there (bsc#1232458) - Fix missing UID checks in repomanager workflow (fixes #603) - Move cmake config files to LIB_INSTALL_DIR/cmake/Zypp (fixes #28) - Fix 'zypper ps' when running in incus container (bsc#1229106) Should apply to lxc and lxd containers as well. - Re-enable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091) zypper was updated to 1.14.91: - BuildRequires: libzypp-devel >= 17.37.6. Enhancements regarding mirror handling during repo refresh. Adapt to libzypp API changes. (bsc#1230267) - Use libzypp improvements for preload and mirror handling. - xmlout.rnc: Update repo-element (bsc#1241463) Add the 'metalink' attribute and reflect that the 'url' elements list may in fact be empty, if no baseurls are defined in the .repo files. - man: update --allow-unsigned-rpm description. Explain how to achieve the same for packages provided by repositories.
- Updated translations (bsc#1230267) - Do not double encode URL strings passed on the commandline (bsc#1237587) URLs passed on the commandline must have their special chars encoded already. We just want to check and encode forgotten unsafe chars like a blank. A '%' however must not be encoded again. - Package preloader that concurrently downloads files. It's not yet enabled per default. To enable the preview set ZYPP_CURL2=1 and ZYPP_PCK_PRELOAD=1 in the environment. (#104) - refresh: add --include-all-archs (fixes #598) Future multi-arch repos may allow to download only those metadata which refer to packages actually compatible with the systems architecture. Some tools however want zypp to provide the full metadata of a repository without filtering incompatible architectures. - info,search: add option to search and list Enhances (bsc#1237949) - Announce --root in commands not launching a Target (bsc#1237044) - Let zypper dup fail in case of (temporarily) unaccessible repos (bsc#1228434, bsc#1236939, fixes #446) - New system-architecture command (bsc#1236384) Prints the detected system architecture. - Change versioncmp command to return exit code according to the comparison result (#593) - lr: show the repositories keep-packages flag (bsc#1232458) It is shown in the details view or by using -k,--keep-packages. In addition libzypp supports to enforce keeping downloaded packages of all repos within a package cache by creating a '.keep_packages' file there. - Try to refresh update repos first to have updated GPG keys on the fly (bsc#1234752) An update repo may contain a prolonged GPG key for the GA repo. Refreshing the update repo first updates a trusted key on the fly and avoids a 'key has expired' warning being issued when refreshing the GA repo.
- Refresh: restore legacy behavior and suppress Exception reporting as non-root (bsc#1235636) - info: Allow to query a specific version (jsc#PED-11268) To query for a specific version simply append '-' or '--' to the '' pattern. Note that the edition part must always match exactly. - Don't try to download missing raw metadata if cache is not writable (bsc#1225451) - man: Update 'search' command description. Hint to 'se -v' showing the matches within the packages metadata. Explain that search strings starting with a '/' will implicitly look into the filelist as well. Otherwise an explicit '-f' is needed. The following package changes have been done: - SL-Micro-release-6.1-slfo.1.11.40 updated - libsolv-tools-base-0.7.33-slfo.1.1_1.1 updated - gpg2-2.4.4-slfo.1.1_4.1 updated - libzypp-17.37.6-slfo.1.1_1.1 updated - zypper-1.14.91-slfo.1.1_1.1 updated - container:suse-toolbox-image-1.0.0-4.47 updated From sle-container-updates at lists.suse.com Thu Jul 3 07:06:07 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 3 Jul 2025 09:06:07 +0200 (CEST) Subject: SUSE-IU-2025:1756-1: Recommended update of suse/sle-micro/5.5 Message-ID: <20250703070607.45C1EFD12@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1756-1 Image Tags : suse/sle-micro/5.5:2.0.4 , suse/sle-micro/5.5:2.0.4-5.5.318 , suse/sle-micro/5.5:latest Image Release : 5.5.318 Severity : moderate Type : recommended References : 1245169 ----------------------------------------------------------------- The container suse/sle-micro/5.5 was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2209-1 Released: Wed Jul 2 18:12:06 2025 Summary: Recommended update for open-vm-tools Type: recommended Severity: moderate References: 1245169 This update for open-vm-tools fixes the following issues: - Update to open-vm-tools 13.0.0 based on build 24696409. (bsc#1245169): There are no new features in the open-vm-tools 13.0.0 release. This is primarily a maintenance release that addresses a few issues, including: + The vm-support script has been updated to collect the open-vm-tools log files from the Linux guest and information from the systemd journal. + GitHub pull requests have been integrated and issues fixed. Please see the Resolved Issues section of the Release Notes. - Add patch: Currently the 'telinit 6' command is used to reboot a Linux VM following Guest OS Customization. As the classic Linux init system, SysVinit, is deprecated in favor of a newer init system, systemd, the telinit command may not be available on the base Linux OS. This change adds support to Guest OS Customization for the systemd init system. If the modern init system, systemd, is available, then a 'systemctl reboot' command will be used to trigger reboot. Otherwise, the 'telinit 6' command will be used assuming the traditional init system, SysVinit, is still available. - Drop patch now contained in 13.0.0: - Ran /usr/lib/obs/service/source_validators/helpers/fix_changelog to fix changes file where source validator was failing.
The following package changes have been done: - libvmtools0-13.0.0-150300.61.1 updated - open-vm-tools-13.0.0-150300.61.1 updated From sle-container-updates at lists.suse.com Thu Jul 3 07:06:05 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 3 Jul 2025 09:06:05 +0200 (CEST) Subject: SUSE-IU-2025:1755-1: Security update of suse/sle-micro/5.5 Message-ID: <20250703070605.ED5EAFCFE@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1755-1 Image Tags : suse/sle-micro/5.5:2.0.4 , suse/sle-micro/5.5:2.0.4-5.5.317 , suse/sle-micro/5.5:latest Image Release : 5.5.317 Severity : low Type : security References : 1230092 CVE-2024-45310 ----------------------------------------------------------------- The container suse/sle-micro/5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2198-1 Released: Wed Jul 2 11:22:33 2025 Summary: Security update for runc Type: security Severity: low References: 1230092,CVE-2024-45310 This update for runc fixes the following issues: - CVE-2024-45310: Fixed unintentional creation of empty files/directories on host (bsc#1230092) Other fixes: - Update to runc v1.2.6. 
The following package changes have been done: - runc-1.2.6-150000.73.2 updated From sle-container-updates at lists.suse.com Thu Jul 3 07:15:06 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 3 Jul 2025 09:15:06 +0200 (CEST) Subject: SUSE-CU-2025:4866-1: Recommended update of suse/sle-micro-rancher/5.4 Message-ID: <20250703071506.6FCAAF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro-rancher/5.4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4866-1 Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.13 , suse/sle-micro-rancher/5.4:latest Container Release : 4.5.13 Severity : moderate Type : recommended References : 1245169 ----------------------------------------------------------------- The container suse/sle-micro-rancher/5.4 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2209-1 Released: Wed Jul 2 18:12:06 2025 Summary: Recommended update for open-vm-tools Type: recommended Severity: moderate References: 1245169 This update for open-vm-tools fixes the following issues: - Update to open-vm-tools 13.0.0 based on build 24696409. (bsc#1245169): There are no new features in the open-vm-tools 13.0.0 release. This is primarily a maintenance release that addresses a few issues, including: + The vm-support script has been updated to collect the open-vm-tools log files from the Linux guest and information from the systemd journal. + GitHub pull requests have been integrated and issues fixed. Please see the Resolved Issues section of the Release Notes. - Add patch: Currently the 'telinit 6' command is used to reboot a Linux VM following Guest OS Customization. As the classic Linux init system, SysVinit, is deprecated in favor of a newer init system, systemd, the telinit command may not be available on the base Linux OS.
This change adds support to Guest OS Customization for the systemd init system. If the modern init system, systemd, is available, then a 'systemctl reboot' command will be used to trigger reboot. Otherwise, the 'telinit 6' command will be used assuming the traditional init system, SysVinit, is still available. - Drop patch now contained in 13.0.0: - Ran /usr/lib/obs/service/source_validators/helpers/fix_changelog to fix changes file where source validator was failing. The following package changes have been done: - libvmtools0-13.0.0-150300.61.1 updated - open-vm-tools-13.0.0-150300.61.1 updated From sle-container-updates at lists.suse.com Thu Jul 3 07:19:49 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 3 Jul 2025 09:19:49 +0200 (CEST) Subject: SUSE-CU-2025:4867-1: Security update of suse/kea Message-ID: <20250703071949.92F31F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/kea ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4867-1 Container Tags : suse/kea:2.6 , suse/kea:2.6-61.9 , suse/kea:latest Container Release : 61.9 Severity : important Type : security References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587 ----------------------------------------------------------------- The container suse/kea was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2042-1 Released: Fri Jun 20 12:38:43 2025 Summary: Security update for openssl-3 Type: security Severity: important References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459). 
- CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected. (bsc#1236599) - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136) The following package changes have been done: - libopenssl3-3.2.3-150700.5.5.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated - container:registry.suse.com-bci-bci-base-15.7-87a46906f9bf3b6b8a2f5d858598eb70f4d68fe75af274ee20c6c5b5532c6f4d-0 updated From sle-container-updates at lists.suse.com Thu Jul 3 07:19:55 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 3 Jul 2025 09:19:55 +0200 (CEST) Subject: SUSE-CU-2025:4868-1: Recommended update of bci/kiwi Message-ID: <20250703071955.1CE74F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/kiwi ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4868-1 Container Tags : bci/kiwi:9 , bci/kiwi:9.24 , bci/kiwi:9.24.43 , bci/kiwi:9.24.43-16.16 , bci/kiwi:latest Container Release : 16.16 Severity : moderate Type : recommended References : 1226413 1240789 1241474 1242696 ----------------------------------------------------------------- The container bci/kiwi was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2199-1 Released: Wed Jul 2 12:49:15 2025 Summary: Recommended update for mdadm Type: recommended Severity: moderate References: 1226413,1240789,1241474,1242696 This update for mdadm fixes the following issues: - Add MAILFROM address to email envelope to avoid smtp auth errors (bsc#1241474). - Allow any valid minor name in md device name (bsc#1240789). - Add dependency on suse-module-tools for SLE15 (bsc#1242696). - Remove a redundant macro definition. - Remove duplicated code (bsc#1226413). 
The following package changes have been done: - mdadm-4.4-150700.4.5.3 updated From sle-container-updates at lists.suse.com Thu Jul 3 07:19:56 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 3 Jul 2025 09:19:56 +0200 (CEST) Subject: SUSE-CU-2025:4869-1: Security update of suse/kiosk/xorg Message-ID: <20250703071956.BBF0CF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/xorg ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4869-1 Container Tags : suse/kiosk/xorg:21 , suse/kiosk/xorg:21.1 , suse/kiosk/xorg:21.1-62.3 , suse/kiosk/xorg:latest , suse/kiosk/xorg:notaskbar Container Release : 62.3 Severity : important Type : security References : 1244084 CVE-2025-49176 ----------------------------------------------------------------- The container suse/kiosk/xorg was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2206-1 Released: Wed Jul 2 17:15:30 2025 Summary: Security update for xorg-x11-server Type: security Severity: important References: 1244084,CVE-2025-49176 This update for xorg-x11-server fixes the following issues: - CVE-2025-49176: Fixed the integer overflow in Big Requests Extension (bsc#1244084). 
The following package changes have been done:
- xorg-x11-server-Xvfb-21.1.15-150700.5.6.1 updated
- xorg-x11-server-21.1.15-150700.5.6.1 updated
- container:suse-sle15-15.7-87a46906f9bf3b6b8a2f5d858598eb70f4d68fe75af274ee20c6c5b5532c6f4d-0 updated

From sle-container-updates at lists.suse.com Fri Jul 4 07:04:11 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 4 Jul 2025 09:04:11 +0200 (CEST)
Subject: SUSE-IU-2025:1757-1: Security update of suse/sl-micro/6.0/baremetal-os-container
Message-ID: <20250704070411.AB866FCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.0/baremetal-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1757-1
Image Tags : suse/sl-micro/6.0/baremetal-os-container:2.1.3 , suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.47 , suse/sl-micro/6.0/baremetal-os-container:latest
Image Release : 6.47
Severity : moderate
Type : security
References : 1236136 CVE-2024-13176
-----------------------------------------------------------------
The container suse/sl-micro/6.0/baremetal-os-container was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 373
Released: Thu Jul 3 12:28:04 2025
Summary: Security update for openssl-3
Type: security
Severity: moderate
References: 1236136,CVE-2024-13176
This update for openssl-3 fixes the following issues:
- CVE-2024-13176: Fixed timing side-channel in the ECDSA signature computation (bsc#1236136)
The following package changes have been done:
- libopenssl3-3.1.4-9.1 updated
- SL-Micro-release-6.0-25.33 updated
- container:SL-Micro-base-container-2.1.3-7.15 updated

From sle-container-updates at lists.suse.com Fri Jul 4 07:04:43 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 4 Jul 2025 09:04:43 +0200 (CEST)
Subject: SUSE-IU-2025:1758-1: Security update of suse/sl-micro/6.0/base-os-container
Message-ID: <20250704070443.99EBEFCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.0/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1758-1
Image Tags : suse/sl-micro/6.0/base-os-container:2.1.3 , suse/sl-micro/6.0/base-os-container:2.1.3-7.15 , suse/sl-micro/6.0/base-os-container:latest
Image Release : 7.15
Severity : moderate
Type : security
References : 1236136 CVE-2024-13176
-----------------------------------------------------------------
The container suse/sl-micro/6.0/base-os-container was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 373
Released: Thu Jul 3 12:28:04 2025
Summary: Security update for openssl-3
Type: security
Severity: moderate
References: 1236136,CVE-2024-13176
This update for openssl-3 fixes the following issues:
- CVE-2024-13176: Fixed timing side-channel in the ECDSA signature computation (bsc#1236136)
The following package changes have been done:
- libopenssl3-3.1.4-9.1 updated
- SL-Micro-release-6.0-25.33 updated
- openssl-3-3.1.4-9.1 updated
- container:suse-toolbox-image-1.0.0-9.9 updated

From sle-container-updates at lists.suse.com Fri Jul 4 07:05:21 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 4 Jul 2025 09:05:21 +0200 (CEST)
Subject: SUSE-IU-2025:1759-1: Security update of suse/sl-micro/6.0/kvm-os-container
Message-ID: <20250704070521.0B26CFCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.0/kvm-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1759-1
Image Tags : suse/sl-micro/6.0/kvm-os-container:2.1.3 , suse/sl-micro/6.0/kvm-os-container:2.1.3-6.42 , suse/sl-micro/6.0/kvm-os-container:latest
Image Release : 6.42
Severity : moderate
Type : security
References : 1236136 CVE-2024-13176
-----------------------------------------------------------------
The container suse/sl-micro/6.0/kvm-os-container was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 373
Released: Thu Jul 3 12:28:04 2025
Summary: Security update for openssl-3
Type: security
Severity: moderate
References: 1236136,CVE-2024-13176
This update for openssl-3 fixes the following issues:
- CVE-2024-13176: Fixed timing side-channel in the ECDSA signature computation (bsc#1236136)
The following package changes have been done:
- libopenssl3-3.1.4-9.1 updated
- SL-Micro-release-6.0-25.33 updated
- container:SL-Micro-base-container-2.1.3-7.15 updated

From sle-container-updates at lists.suse.com Fri Jul 4 07:06:32 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 4 Jul 2025 09:06:32 +0200 (CEST)
Subject: SUSE-CU-2025:4877-1: Security update of suse/sl-micro/6.0/toolbox
Message-ID: <20250704070632.25108FCFE@maintenance.suse.de>

SUSE Container Update Advisory: suse/sl-micro/6.0/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4877-1
Container Tags : suse/sl-micro/6.0/toolbox:13.2 , suse/sl-micro/6.0/toolbox:13.2-9.9 , suse/sl-micro/6.0/toolbox:latest
Container Release : 9.9
Severity : moderate
Type : security
References : 1236136 CVE-2024-13176
-----------------------------------------------------------------
The container suse/sl-micro/6.0/toolbox was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 373
Released: Thu Jul 3 12:28:04 2025
Summary: Security update for openssl-3
Type: security
Severity: moderate
References: 1236136,CVE-2024-13176
This update for openssl-3 fixes the following issues:
- CVE-2024-13176: Fixed timing side-channel in the ECDSA signature computation (bsc#1236136)
The following package changes have been done:
- SL-Micro-release-6.0-25.33 updated
- libopenssl3-3.1.4-9.1 updated
- skelcd-EULA-SL-Micro-2024.01.19-8.32 updated

From sle-container-updates at lists.suse.com Sat Jul 5 07:04:06 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 5 Jul 2025 09:04:06 +0200 (CEST)
Subject: SUSE-CU-2025:4879-1: Security update of containers/open-webui
Message-ID: <20250705070406.30014FCFE@maintenance.suse.de>

SUSE Container Update Advisory: containers/open-webui
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4879-1
Container Tags : containers/open-webui:0 , containers/open-webui:0.6.9 , containers/open-webui:0.6.9-10.25
Container Release : 10.25
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------
The container containers/open-webui was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372
This update for libssh fixes the following issues:
- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).
The following package changes have been done:
- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:registry.suse.com-bci-bci-base-15.6-0cffbb2018bc501494908f27b83c0a28b0e7b5122efad8f392321c4e308d4b67-0 updated

From sle-container-updates at lists.suse.com Sat Jul 5 07:04:10 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 5 Jul 2025 09:04:10 +0200 (CEST)
Subject: SUSE-CU-2025:4880-1: Security update of containers/open-webui-pipelines
Message-ID: <20250705070410.05D3FFCFE@maintenance.suse.de>

SUSE Container Update Advisory: containers/open-webui-pipelines
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4880-1
Container Tags : containers/open-webui-pipelines:0 , containers/open-webui-pipelines:0.20250329.151219 , containers/open-webui-pipelines:0.20250329.151219-5.11
Container Release : 5.11
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------
The container containers/open-webui-pipelines was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372
This update for libssh fixes the following issues:
- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).
The following package changes have been done:
- libssh-config-0.9.8-150600.11.3.1 updated
- python-open-webui-pipelines-0.20250329.151219-150600.3.9 updated
- libssh4-0.9.8-150600.11.3.1 updated

From sle-container-updates at lists.suse.com Sat Jul 5 07:04:17 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 5 Jul 2025 09:04:17 +0200 (CEST)
Subject: SUSE-CU-2025:4881-1: Security update of containers/pytorch
Message-ID: <20250705070417.E7A30FCFE@maintenance.suse.de>

SUSE Container Update Advisory: containers/pytorch
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4881-1
Container Tags : containers/pytorch:2-nvidia , containers/pytorch:2.7.0-nvidia , containers/pytorch:2.7.0-nvidia-2.24
Container Release : 2.24
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------
The container containers/pytorch was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372
This update for libssh fixes the following issues:
- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).
The following package changes have been done:
- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- python311-torch-cuda-2.7.0-150600.2.12 updated

From sle-container-updates at lists.suse.com Sat Jul 5 07:06:59 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 5 Jul 2025 09:06:59 +0200 (CEST)
Subject: SUSE-IU-2025:1763-1: Security update of suse/sle-micro/5.5
Message-ID: <20250705070659.AA4B7FCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1763-1
Image Tags : suse/sle-micro/5.5:2.0.4 , suse/sle-micro/5.5:2.0.4-5.5.319 , suse/sle-micro/5.5:latest
Image Release : 5.5.319
Severity : moderate
Type : security
References : 1228776 1239602 CVE-2024-41965 CVE-2025-29768
-----------------------------------------------------------------
The container suse/sle-micro/5.5 was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2226-1
Released: Fri Jul 4 15:31:04 2025
Summary: Security update for vim
Type: security
Severity: moderate
References: 1228776,1239602,CVE-2024-41965,CVE-2025-29768
This update for vim fixes the following issues:
- CVE-2024-41965: Fixed improper neutralization of argument delimiters in zip.vim that could have led to data loss (bsc#1228776).
- CVE-2025-29768: Fixed double-free in dialog_changed() (bsc#1239602).
The following package changes have been done:
- vim-data-common-9.1.1406-150500.20.27.1 updated
- vim-small-9.1.1406-150500.20.27.1 updated

From sle-container-updates at lists.suse.com Sat Jul 5 07:12:50 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 5 Jul 2025 09:12:50 +0200 (CEST)
Subject: SUSE-CU-2025:4885-1: Security update of suse/sle-micro/5.3/toolbox
Message-ID: <20250705071250.8F3B3F78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.3/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4885-1
Container Tags : suse/sle-micro/5.3/toolbox:14.2 , suse/sle-micro/5.3/toolbox:14.2-6.11.151 , suse/sle-micro/5.3/toolbox:latest
Container Release : 6.11.151
Severity : moderate
Type : security
References : 1228776 1239602 CVE-2024-41965 CVE-2025-29768
-----------------------------------------------------------------
The container suse/sle-micro/5.3/toolbox was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2228-1
Released: Fri Jul 4 15:32:49 2025
Summary: Security update for vim
Type: security
Severity: moderate
References: 1228776,1239602,CVE-2024-41965,CVE-2025-29768
This update for vim fixes the following issues:
- CVE-2024-41965: Fixed improper neutralization of argument delimiters in zip.vim that could have led to data loss (bsc#1228776).
- CVE-2025-29768: Fixed double-free in dialog_changed() (bsc#1239602).
The following package changes have been done:
- vim-data-common-9.1.1406-150000.5.75.1 updated
- vim-9.1.1406-150000.5.75.1 updated
- xxd-9.1.1406-150000.5.75.1 updated

From sle-container-updates at lists.suse.com Sat Jul 5 07:14:57 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 5 Jul 2025 09:14:57 +0200 (CEST)
Subject: SUSE-CU-2025:4886-1: Security update of suse/sle-micro-rancher/5.4
Message-ID: <20250705071457.2794FF78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro-rancher/5.4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4886-1
Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.14 , suse/sle-micro-rancher/5.4:latest
Container Release : 4.5.14
Severity : moderate
Type : security
References : 1228776 1239602 CVE-2024-41965 CVE-2025-29768
-----------------------------------------------------------------
The container suse/sle-micro-rancher/5.4 was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2228-1
Released: Fri Jul 4 15:32:49 2025
Summary: Security update for vim
Type: security
Severity: moderate
References: 1228776,1239602,CVE-2024-41965,CVE-2025-29768
This update for vim fixes the following issues:
- CVE-2024-41965: Fixed improper neutralization of argument delimiters in zip.vim that could have led to data loss (bsc#1228776).
- CVE-2025-29768: Fixed double-free in dialog_changed() (bsc#1239602).
The following package changes have been done:
- vim-data-common-9.1.1406-150000.5.75.1 updated
- vim-small-9.1.1406-150000.5.75.1 updated

From sle-container-updates at lists.suse.com Sat Jul 5 07:16:20 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 5 Jul 2025 09:16:20 +0200 (CEST)
Subject: SUSE-CU-2025:4887-1: Security update of suse/sle-micro/5.4/toolbox
Message-ID: <20250705071620.6EBE7F78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.4/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4887-1
Container Tags : suse/sle-micro/5.4/toolbox:14.2 , suse/sle-micro/5.4/toolbox:14.2-5.19.151 , suse/sle-micro/5.4/toolbox:latest
Container Release : 5.19.151
Severity : moderate
Type : security
References : 1228776 1239602 CVE-2024-41965 CVE-2025-29768
-----------------------------------------------------------------
The container suse/sle-micro/5.4/toolbox was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2228-1
Released: Fri Jul 4 15:32:49 2025
Summary: Security update for vim
Type: security
Severity: moderate
References: 1228776,1239602,CVE-2024-41965,CVE-2025-29768
This update for vim fixes the following issues:
- CVE-2024-41965: Fixed improper neutralization of argument delimiters in zip.vim that could have led to data loss (bsc#1228776).
- CVE-2025-29768: Fixed double-free in dialog_changed() (bsc#1239602).
The following package changes have been done:
- vim-data-common-9.1.1406-150000.5.75.1 updated
- vim-9.1.1406-150000.5.75.1 updated
- xxd-9.1.1406-150000.5.75.1 updated

From sle-container-updates at lists.suse.com Sat Jul 5 07:17:25 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 5 Jul 2025 09:17:25 +0200 (CEST)
Subject: SUSE-CU-2025:4888-1: Security update of suse/sle-micro/5.5/toolbox
Message-ID: <20250705071725.AEC70F78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.5/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4888-1
Container Tags : suse/sle-micro/5.5/toolbox:14.2 , suse/sle-micro/5.5/toolbox:14.2-3.12.54 , suse/sle-micro/5.5/toolbox:latest
Container Release : 3.12.54
Severity : moderate
Type : security
References : 1228776 1239602 CVE-2024-41965 CVE-2025-29768
-----------------------------------------------------------------
The container suse/sle-micro/5.5/toolbox was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2226-1
Released: Fri Jul 4 15:31:04 2025
Summary: Security update for vim
Type: security
Severity: moderate
References: 1228776,1239602,CVE-2024-41965,CVE-2025-29768
This update for vim fixes the following issues:
- CVE-2024-41965: Fixed improper neutralization of argument delimiters in zip.vim that could have led to data loss (bsc#1228776).
- CVE-2025-29768: Fixed double-free in dialog_changed() (bsc#1239602).
The following package changes have been done:
- vim-data-common-9.1.1406-150500.20.27.1 updated
- vim-9.1.1406-150500.20.27.1 updated

From sle-container-updates at lists.suse.com Sat Jul 5 07:17:59 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 5 Jul 2025 09:17:59 +0200 (CEST)
Subject: SUSE-IU-2025:1764-1: Security update of suse/sl-micro/6.0/base-os-container
Message-ID: <20250705071759.F107CF78C@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.0/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1764-1
Image Tags : suse/sl-micro/6.0/base-os-container:2.1.3 , suse/sl-micro/6.0/base-os-container:2.1.3-7.16 , suse/sl-micro/6.0/base-os-container:latest
Image Release : 7.16
Severity : moderate
Type : security
References : 1236931 1239119 1243069 CVE-2025-30258
-----------------------------------------------------------------
The container suse/sl-micro/6.0/base-os-container was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 374
Released: Fri Jul 4 11:02:09 2025
Summary: Security update for gpg2
Type: security
Severity: moderate
References: 1236931,1239119,1243069,CVE-2025-30258
This update for gpg2 fixes the following issues:
- gpg: Allow the use of an ADSK subkey as ADSK subkey.
  (bsc#1239119 CVE-2025-30258)
- Don't install expired sks certificate [bsc#1243069]
The following package changes have been done:
- SL-Micro-release-6.0-25.34 updated
- gpg2-2.4.4-5.1 updated
- container:suse-toolbox-image-1.0.0-9.10 updated

From sle-container-updates at lists.suse.com Sat Jul 5 07:18:00 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 5 Jul 2025 09:18:00 +0200 (CEST)
Subject: SUSE-IU-2025:1765-1: Recommended update of suse/sl-micro/6.0/base-os-container
Message-ID: <20250705071800.A8ACEFD12@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.0/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1765-1
Image Tags : suse/sl-micro/6.0/base-os-container:2.1.3 , suse/sl-micro/6.0/base-os-container:2.1.3-7.17 , suse/sl-micro/6.0/base-os-container:latest
Image Release : 7.17
Severity : moderate
Type : recommended
References : 1242987
-----------------------------------------------------------------
The container suse/sl-micro/6.0/base-os-container was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 375
Released: Fri Jul 4 16:18:40 2025
Summary: Recommended update for gptfdisk
Type: recommended
Severity: moderate
References: 1242987
This update for gptfdisk fixes the following issues:
- Fixed boot failure with qcow and vmdk images (bsc#1242987)
The following package changes have been done:
- gptfdisk-1.0.9-4.1 updated

From sle-container-updates at lists.suse.com Sat Jul 5 07:18:37 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 5 Jul 2025 09:18:37 +0200 (CEST)
Subject: SUSE-IU-2025:1767-1: Recommended update of suse/sl-micro/6.0/kvm-os-container
Message-ID: <20250705071837.346E0F78C@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.0/kvm-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1767-1
Image Tags : suse/sl-micro/6.0/kvm-os-container:2.1.3 , suse/sl-micro/6.0/kvm-os-container:2.1.3-6.44 , suse/sl-micro/6.0/kvm-os-container:latest
Image Release : 6.44
Severity : moderate
Type : recommended
References : 1242987
-----------------------------------------------------------------
The container suse/sl-micro/6.0/kvm-os-container was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 375
Released: Fri Jul 4 16:18:40 2025
Summary: Recommended update for gptfdisk
Type: recommended
Severity: moderate
References: 1242987
This update for gptfdisk fixes the following issues:
- Fixed boot failure with qcow and vmdk images (bsc#1242987)
The following package changes have been done:
- gptfdisk-1.0.9-4.1 updated
- container:SL-Micro-base-container-2.1.3-7.17 updated

From sle-container-updates at lists.suse.com Sat Jul 5 07:19:46 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 5 Jul 2025 09:19:46 +0200 (CEST)
Subject: SUSE-CU-2025:4893-1: Security update of suse/sl-micro/6.0/toolbox
Message-ID: <20250705071946.83395F78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/sl-micro/6.0/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4893-1
Container Tags : suse/sl-micro/6.0/toolbox:13.2 , suse/sl-micro/6.0/toolbox:13.2-9.10 , suse/sl-micro/6.0/toolbox:latest
Container Release : 9.10
Severity : moderate
Type : security
References : 1236931 1239119 1243069 CVE-2025-30258
-----------------------------------------------------------------
The container suse/sl-micro/6.0/toolbox was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 374
Released: Fri Jul 4 11:02:09 2025
Summary: Security update for gpg2
Type: security
Severity: moderate
References: 1236931,1239119,1243069,CVE-2025-30258
This update for gpg2 fixes the following issues:
- gpg: Allow the use of an ADSK subkey as ADSK subkey.
  (bsc#1239119 CVE-2025-30258)
- Don't install expired sks certificate [bsc#1243069]
The following package changes have been done:
- SL-Micro-release-6.0-25.34 updated
- gpg2-2.4.4-5.1 updated
- skelcd-EULA-SL-Micro-2024.01.19-8.33 updated

From sle-container-updates at lists.suse.com Sat Jul 5 07:20:13 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 5 Jul 2025 09:20:13 +0200 (CEST)
Subject: SUSE-IU-2025:1769-1: Recommended update of suse/sl-micro/6.1/base-os-container
Message-ID: <20250705072013.1DD52FD12@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1769-1
Image Tags : suse/sl-micro/6.1/base-os-container:2.2.1 , suse/sl-micro/6.1/base-os-container:2.2.1-5.3 , suse/sl-micro/6.1/base-os-container:latest
Image Release : 5.3
Severity : important
Type : recommended
References : 1242987
-----------------------------------------------------------------
The container suse/sl-micro/6.1/base-os-container was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 170
Released: Fri Jul 4 16:31:25 2025
Summary: Recommended update for gptfdisk
Type: recommended
Severity: important
References: 1242987
This update for gptfdisk fixes the following issues:
- Fix boot failure with qcow and vmdk images (bsc#1242987)
The following package changes have been done:
- gptfdisk-1.0.9-slfo.1.1_2.1 updated

From sle-container-updates at lists.suse.com Sat Jul 5 07:20:12 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 5 Jul 2025 09:20:12 +0200 (CEST)
Subject: SUSE-IU-2025:1768-1: Recommended update of suse/sl-micro/6.1/base-os-container
Message-ID: <20250705072012.60E1DF78C@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1768-1
Image Tags : suse/sl-micro/6.1/base-os-container:2.2.1 , suse/sl-micro/6.1/base-os-container:2.2.1-5.2 , suse/sl-micro/6.1/base-os-container:latest
Image Release : 5.2
Severity : moderate
Type : recommended
References :
-----------------------------------------------------------------
The container suse/sl-micro/6.1/base-os-container was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 168
Released: Fri Jul 4 10:41:41 2025
Summary: Recommended update for elemental-operator
Type: recommended
Severity: moderate
References:
This update for elemental-operator fixes the following issues:
- [v1.7.x] Label Templates: improve Random family processing
- Dockerfile: bump golang container to 1.24
- operator: update RBAC for upgrade plans
The following package changes have been done:
- elemental-register-1.7.3-slfo.1.1_1.1 updated
- elemental-support-1.7.3-slfo.1.1_1.1 updated

From sle-container-updates at lists.suse.com Sat Jul 5 07:20:39 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 5 Jul 2025 09:20:39 +0200 (CEST)
Subject: SUSE-IU-2025:1771-1: Recommended update of suse/sl-micro/6.1/kvm-os-container
Message-ID: <20250705072039.CBDD7F78C@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/kvm-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1771-1
Image Tags : suse/sl-micro/6.1/kvm-os-container:2.2.1 , suse/sl-micro/6.1/kvm-os-container:2.2.1-5.3 , suse/sl-micro/6.1/kvm-os-container:latest
Image Release : 5.3
Severity : important
Type : recommended
References : 1242987
-----------------------------------------------------------------
The container suse/sl-micro/6.1/kvm-os-container was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 170
Released: Fri Jul 4 16:31:25 2025
Summary: Recommended update for gptfdisk
Type: recommended
Severity: important
References: 1242987
This update for gptfdisk fixes the following issues:
- Fix boot failure with qcow and vmdk images (bsc#1242987)
The following package changes have been done:
- gptfdisk-1.0.9-slfo.1.1_2.1 updated
- container:SL-Micro-base-container-2.2.1-5.3 updated

From sle-container-updates at lists.suse.com Sat Jul 5 07:24:13 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 5 Jul 2025 09:24:13 +0200 (CEST)
Subject: SUSE-CU-2025:4895-1: Security update of suse/hpc/warewulf4-x86_64/sle-hpc-node
Message-ID: <20250705072413.AEEDCF78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/hpc/warewulf4-x86_64/sle-hpc-node
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4895-1
Container Tags : suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6 , suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6.17.8.67 , suse/hpc/warewulf4-x86_64/sle-hpc-node:latest
Container Release : 17.8.67
Severity : important
Type : security
References : 1228776 1239602 1242844 1244596 1245309 1245310 1245311 1245314 CVE-2024-41965 CVE-2025-29768 CVE-2025-4373 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372 CVE-2025-6052
-----------------------------------------------------------------
The container suse/hpc/warewulf4-x86_64/sle-hpc-node was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2167-1
Released: Mon Jun 30 09:14:40 2025
Summary: Security update for glib2
Type: security
Severity: important
References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052
This update for glib2 fixes the following issues:
- CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596).
- CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2226-1
Released: Fri Jul 4 15:31:04 2025
Summary: Security update for vim
Type: security
Severity: moderate
References: 1228776,1239602,CVE-2024-41965,CVE-2025-29768
This update for vim fixes the following issues:
- CVE-2024-41965: Fixed improper neutralization of argument delimiters in zip.vim that could have led to data loss (bsc#1228776).
- CVE-2025-29768: Fixed double-free in dialog_changed() (bsc#1239602).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372
This update for libssh fixes the following issues:
- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- glib2-tools-2.78.6-150600.4.16.1 updated
- libgio-2_0-0-2.78.6-150600.4.16.1 updated
- libglib-2_0-0-2.78.6-150600.4.16.1 updated
- libgmodule-2_0-0-2.78.6-150600.4.16.1 updated
- libgobject-2_0-0-2.78.6-150600.4.16.1 updated
- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- vim-data-common-9.1.1406-150500.20.27.1 updated
- vim-small-9.1.1406-150500.20.27.1 updated

From sle-container-updates at lists.suse.com Sat Jul 5 07:25:34 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 5 Jul 2025 09:25:34 +0200 (CEST)
Subject: SUSE-CU-2025:4897-1: Security update of bci/nodejs
Message-ID: <20250705072534.187B6F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/nodejs
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4897-1
Container Tags : bci/node:20 , bci/node:20.19.2 , bci/node:20.19.2-54.9 , bci/nodejs:20 , bci/nodejs:20.19.2 , bci/nodejs:20.19.2-54.9
Container Release : 54.9
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container bci/nodejs was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:registry.suse.com-bci-bci-base-15.6-0cffbb2018bc501494908f27b83c0a28b0e7b5122efad8f392321c4e308d4b67-0 updated

From sle-container-updates at lists.suse.com Sat Jul 5 07:26:15 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 5 Jul 2025 09:26:15 +0200 (CEST)
Subject: SUSE-CU-2025:4898-1: Security update of bci/python
Message-ID: <20250705072615.E283DF78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4898-1
Container Tags : bci/python:3 , bci/python:3.12 , bci/python:3.12.11 , bci/python:3.12.11-69.9
Container Release : 69.9
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container bci/python was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:registry.suse.com-bci-bci-base-15.6-0cffbb2018bc501494908f27b83c0a28b0e7b5122efad8f392321c4e308d4b67-0 updated

From sle-container-updates at lists.suse.com Sat Jul 5 07:28:09 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 5 Jul 2025 09:28:09 +0200 (CEST)
Subject: SUSE-CU-2025:4899-1: Security update of bci/bci-sle15-kernel-module-devel
Message-ID: <20250705072809.3C9D7F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4899-1
Container Tags : bci/bci-sle15-kernel-module-devel:15.6 , bci/bci-sle15-kernel-module-devel:15.6.44.11
Container Release : 44.11
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container bci/bci-sle15-kernel-module-devel was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:registry.suse.com-bci-bci-base-15.6-0cffbb2018bc501494908f27b83c0a28b0e7b5122efad8f392321c4e308d4b67-0 updated

From sle-container-updates at lists.suse.com Sat Jul 5 07:28:42 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 5 Jul 2025 09:28:42 +0200 (CEST)
Subject: SUSE-CU-2025:4900-1: Security update of suse/sle15
Message-ID: <20250705072842.7611FF78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4900-1
Container Tags : bci/bci-base:15.6 , bci/bci-base:15.6.47.23.7 , suse/sle15:15.6 , suse/sle15:15.6.47.23.7
Container Release : 47.23.7
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated

From sle-container-updates at lists.suse.com Sat Jul 5 07:29:27 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 5 Jul 2025 09:29:27 +0200 (CEST)
Subject: SUSE-CU-2025:4901-1: Security update of bci/spack
Message-ID: <20250705072927.AD7C9F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/spack
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4901-1
Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-11.10
Container Release : 11.10
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container bci/spack was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:registry.suse.com-bci-bci-base-15.6-0cffbb2018bc501494908f27b83c0a28b0e7b5122efad8f392321c4e308d4b67-0 updated

From sle-container-updates at lists.suse.com Sun Jul 6 07:08:56 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 6 Jul 2025 09:08:56 +0200 (CEST)
Subject: SUSE-CU-2025:4901-1: Security update of bci/spack
Message-ID: <20250706070856.5A50CFD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/spack
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4901-1
Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-11.10
Container Release : 11.10
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container bci/spack was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:registry.suse.com-bci-bci-base-15.6-0cffbb2018bc501494908f27b83c0a28b0e7b5122efad8f392321c4e308d4b67-0 updated

From sle-container-updates at lists.suse.com Sun Jul 6 07:09:24 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 6 Jul 2025 09:09:24 +0200 (CEST)
Subject: SUSE-CU-2025:4910-1: Security update of bci/gcc
Message-ID: <20250706070924.6D517FD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/gcc
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4910-1
Container Tags : bci/gcc:14 , bci/gcc:14.2 , bci/gcc:14.2-10.11 , bci/gcc:latest
Container Release : 10.11
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container bci/gcc was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated

From sle-container-updates at lists.suse.com Sun Jul 6 07:09:27 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 6 Jul 2025 09:09:27 +0200 (CEST)
Subject: SUSE-CU-2025:4911-1: Security update of suse/git
Message-ID: <20250706070927.144D3FD12@maintenance.suse.de>

SUSE Container Update Advisory: suse/git
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4911-1
Container Tags : suse/git:2 , suse/git:2.43 , suse/git:2.43.0 , suse/git:2.43.0-61.10 , suse/git:latest
Container Release : 61.10
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container suse/git was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:suse-sle15-15.7-87a46906f9bf3b6b8a2f5d858598eb70f4d68fe75af274ee20c6c5b5532c6f4d-0 updated

From sle-container-updates at lists.suse.com Sun Jul 6 07:09:30 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 6 Jul 2025 09:09:30 +0200 (CEST)
Subject: SUSE-CU-2025:4912-1: Security update of bci/golang
Message-ID: <20250706070930.48E41FD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4912-1
Container Tags : bci/golang:1.23 , bci/golang:1.23.10 , bci/golang:1.23.10-2.71.11 , bci/golang:oldstable , bci/golang:oldstable-2.71.11
Container Release : 71.11
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated

From sle-container-updates at lists.suse.com Sun Jul 6 07:09:33 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 6 Jul 2025 09:09:33 +0200 (CEST)
Subject: SUSE-CU-2025:4913-1: Security update of bci/golang
Message-ID: <20250706070933.DEF0CFD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4913-1
Container Tags : bci/golang:1.23-openssl , bci/golang:1.23.2-openssl , bci/golang:1.23.2-openssl-71.11 , bci/golang:oldstable-openssl , bci/golang:oldstable-openssl-71.11
Container Release : 71.11
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated

From sle-container-updates at lists.suse.com Sun Jul 6 07:09:38 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 6 Jul 2025 09:09:38 +0200 (CEST)
Subject: SUSE-CU-2025:4914-1: Security update of bci/golang
Message-ID: <20250706070938.30212FD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4914-1
Container Tags : bci/golang:1.24 , bci/golang:1.24.4 , bci/golang:1.24.4-1.71.11 , bci/golang:latest , bci/golang:stable , bci/golang:stable-1.71.11
Container Release : 71.11
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated

From sle-container-updates at lists.suse.com Sun Jul 6 07:09:43 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 6 Jul 2025 09:09:43 +0200 (CEST)
Subject: SUSE-CU-2025:4915-1: Security update of bci/golang
Message-ID: <20250706070943.64415FD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4915-1
Container Tags : bci/golang:1.24-openssl , bci/golang:1.24.3-openssl , bci/golang:1.24.3-openssl-71.11 , bci/golang:latest , bci/golang:stable-openssl , bci/golang:stable-openssl-71.11
Container Release : 71.11
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated

From sle-container-updates at lists.suse.com Sun Jul 6 07:09:51 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 6 Jul 2025 09:09:51 +0200 (CEST)
Subject: SUSE-CU-2025:4917-1: Security update of suse/kiosk/firefox-esr
Message-ID: <20250706070951.96CEAFD12@maintenance.suse.de>

SUSE Container Update Advisory: suse/kiosk/firefox-esr
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4917-1
Container Tags : suse/kiosk/firefox-esr:128.12 , suse/kiosk/firefox-esr:128.12-62.2 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest
Container Release : 62.2
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container suse/kiosk/firefox-esr was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated

From sle-container-updates at lists.suse.com Sun Jul 6 07:09:57 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 6 Jul 2025 09:09:57 +0200 (CEST)
Subject: SUSE-CU-2025:4918-1: Security update of bci/kiwi
Message-ID: <20250706070957.112B5FD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/kiwi
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4918-1
Container Tags : bci/kiwi:9 , bci/kiwi:9.24 , bci/kiwi:9.24.43 , bci/kiwi:9.24.43-16.18 , bci/kiwi:latest
Container Release : 16.18
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container bci/kiwi was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated

From sle-container-updates at lists.suse.com Sun Jul 6 07:10:03 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 6 Jul 2025 09:10:03 +0200 (CEST)
Subject: SUSE-CU-2025:4920-1: Security update of bci/nodejs
Message-ID: <20250706071003.99CD0FD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/nodejs
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4920-1
Container Tags : bci/node:22 , bci/node:22.15.1 , bci/node:22.15.1-9.10 , bci/node:latest , bci/nodejs:22 , bci/nodejs:22.15.1 , bci/nodejs:22.15.1-9.10 , bci/nodejs:latest
Container Release : 9.10
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container bci/nodejs was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated

From sle-container-updates at lists.suse.com Sun Jul 6 07:10:08 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 6 Jul 2025 09:10:08 +0200 (CEST)
Subject: SUSE-CU-2025:4922-1: Security update of bci/openjdk
Message-ID: <20250706071008.BCD35FD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4922-1
Container Tags : bci/openjdk:17 , bci/openjdk:17.0.15.0 , bci/openjdk:17.0.15.0-7.16
Container Release : 7.16
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container bci/openjdk was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated

From sle-container-updates at lists.suse.com Sun Jul 6 07:10:14 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 6 Jul 2025 09:10:14 +0200 (CEST)
Subject: SUSE-CU-2025:4924-1: Security update of bci/openjdk
Message-ID: <20250706071014.46608FD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4924-1
Container Tags : bci/openjdk:21 , bci/openjdk:21.0.7.0 , bci/openjdk:21.0.7.0-10.15 , bci/openjdk:latest
Container Release : 10.15
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container bci/openjdk was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated

From sle-container-updates at lists.suse.com Sun Jul 6 07:10:22 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 6 Jul 2025 09:10:22 +0200 (CEST)
Subject: SUSE-CU-2025:4926-1: Security update of bci/php-apache
Message-ID: <20250706071022.2CF60FD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/php-apache
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4926-1
Container Tags : bci/php-apache:8 , bci/php-apache:8.3.19 , bci/php-apache:8.3.19-10.11 , bci/php-apache:latest
Container Release : 10.11
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container bci/php-apache was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated

From sle-container-updates at lists.suse.com Sun Jul 6 07:10:25 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 6 Jul 2025 09:10:25 +0200 (CEST)
Subject: SUSE-CU-2025:4927-1: Security update of bci/php-fpm
Message-ID: <20250706071025.3B31FFD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/php-fpm
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4927-1
Container Tags : bci/php-fpm:8 , bci/php-fpm:8.3.19 , bci/php-fpm:8.3.19-10.11 , bci/php-fpm:latest
Container Release : 10.11
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container bci/php-fpm was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated

From sle-container-updates at lists.suse.com Sun Jul 6 07:10:28 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 6 Jul 2025 09:10:28 +0200 (CEST)
Subject: SUSE-CU-2025:4928-1: Security update of bci/php
Message-ID: <20250706071028.5C9B2FD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/php
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4928-1
Container Tags : bci/php:8 , bci/php:8.3.19 , bci/php:8.3.19-10.11 , bci/php:latest
Container Release : 10.11
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container bci/php was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated

From sle-container-updates at lists.suse.com Sun Jul 6 07:10:33 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 6 Jul 2025 09:10:33 +0200 (CEST)
Subject: SUSE-CU-2025:4930-1: Security update of bci/python
Message-ID: <20250706071033.CC538FD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4930-1
Container Tags : bci/python:3 , bci/python:3.11 , bci/python:3.11.13 , bci/python:3.11.13-71.13
Container Release : 71.13
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container bci/python was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated

From sle-container-updates at lists.suse.com Sun Jul 6 07:10:38 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 6 Jul 2025 09:10:38 +0200 (CEST)
Subject: SUSE-CU-2025:4931-1: Security update of bci/python
Message-ID: <20250706071038.59DCCFD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4931-1
Container Tags : bci/python:3.13 , bci/python:3.13.5 , bci/python:3.13.5-71.13 , bci/python:latest
Container Release : 71.13
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container bci/python was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated

From sle-container-updates at lists.suse.com Sun Jul 6 07:10:41 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 6 Jul 2025 09:10:41 +0200 (CEST)
Subject: SUSE-CU-2025:4932-1: Security update of bci/python
Message-ID: <20250706071041.60F6AFD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4932-1
Container Tags : bci/python:3 , bci/python:3.6 , bci/python:3.6.15 , bci/python:3.6.15-71.12
Container Release : 71.12
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container bci/python was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated

From sle-container-updates at lists.suse.com Sun Jul 6 07:10:48 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 6 Jul 2025 09:10:48 +0200 (CEST)
Subject: SUSE-CU-2025:4934-1: Security update of bci/ruby
Message-ID: <20250706071048.13CBCFD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/ruby
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4934-1
Container Tags : bci/ruby:2 , bci/ruby:2.5 , bci/ruby:2.5-11.11
Container Release : 11.11
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container bci/ruby was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated

From sle-container-updates at lists.suse.com Sun Jul 6 07:10:51 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 6 Jul 2025 09:10:51 +0200 (CEST)
Subject: SUSE-CU-2025:4935-1: Security update of bci/ruby
Message-ID: <20250706071051.72BF9FD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/ruby
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4935-1
Container Tags : bci/ruby:3 , bci/ruby:3.4 , bci/ruby:3.4-10.11 , bci/ruby:latest
Container Release : 10.11
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container bci/ruby was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated

From sle-container-updates at lists.suse.com Sun Jul 6 07:10:54 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 6 Jul 2025 09:10:54 +0200 (CEST)
Subject: SUSE-CU-2025:4936-1: Security update of bci/rust
Message-ID: <20250706071054.7F961FD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/rust
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4936-1
Container Tags : bci/rust:1.86 , bci/rust:1.86.0 , bci/rust:1.86.0-2.2.16 , bci/rust:oldstable , bci/rust:oldstable-2.2.16
Container Release : 2.16
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container bci/rust was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated

From sle-container-updates at lists.suse.com Mon Jul 7 07:07:50 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 7 Jul 2025 09:07:50 +0200 (CEST)
Subject: SUSE-CU-2025:4936-1: Security update of bci/rust
Message-ID: <20250707070750.A6DDEFD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/rust
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4936-1
Container Tags : bci/rust:1.86 , bci/rust:1.86.0 , bci/rust:1.86.0-2.2.16 , bci/rust:oldstable , bci/rust:oldstable-2.2.16
Container Release : 2.16
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container bci/rust was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated

From sle-container-updates at lists.suse.com Mon Jul 7 07:07:54 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 7 Jul 2025 09:07:54 +0200 (CEST)
Subject: SUSE-CU-2025:4937-1: Security update of bci/rust
Message-ID: <20250707070754.6A58BFD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/rust
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4937-1
Container Tags : bci/rust:1.87 , bci/rust:1.87.0 , bci/rust:1.87.0-1.3.11 , bci/rust:latest , bci/rust:stable , bci/rust:stable-1.3.11
Container Release : 3.11
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container bci/rust was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated

From sle-container-updates at lists.suse.com Mon Jul 7 07:07:56 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 7 Jul 2025 09:07:56 +0200 (CEST)
Subject: SUSE-CU-2025:4938-1: Security update of suse/samba-client
Message-ID: <20250707070756.32C1CFD12@maintenance.suse.de>

SUSE Container Update Advisory: suse/samba-client
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4938-1
Container Tags : suse/samba-client:4.21 , suse/samba-client:4.21 , suse/samba-client:4.21-62.3 , suse/samba-client:latest
Container Release : 62.3
Severity : moderate
Type : security
References : 1238063 1244136 CVE-2025-0620
-----------------------------------------------------------------

The container suse/samba-client was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2230-1
Released: Fri Jul 4 18:03:09 2025
Summary: Security update for samba
Type: security
Severity: moderate
References: 1238063,1244136,CVE-2025-0620

This update for samba fixes the following issues:

- CVE-2025-0620: smbd doesn't pick up group membership changes when re-authenticating an expired SMB session (bsc#1244136).

Other bugfixes:

- net ad join fails with 'Failed to join domain: failed to create kerberos keytab' (bsc#1238063).

The following package changes have been done:

- libldb2-4.21.6+git.402.80f493f530f-150700.3.3.1 updated
- samba-client-libs-4.21.6+git.402.80f493f530f-150700.3.3.1 updated
- samba-client-4.21.6+git.402.80f493f530f-150700.3.3.1 updated
- container:suse-sle15-15.7-87a46906f9bf3b6b8a2f5d858598eb70f4d68fe75af274ee20c6c5b5532c6f4d-0 updated

From sle-container-updates at lists.suse.com Mon Jul 7 07:07:59 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 7 Jul 2025 09:07:59 +0200 (CEST)
Subject: SUSE-CU-2025:4940-1: Security update of suse/samba-toolbox
Message-ID: <20250707070759.E76C1FD12@maintenance.suse.de>

SUSE Container Update Advisory: suse/samba-toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4940-1
Container Tags : suse/samba-toolbox:4.21 , suse/samba-toolbox:4.21 , suse/samba-toolbox:4.21-62.3 , suse/samba-toolbox:latest
Container Release : 62.3
Severity : moderate
Type : security
References : 1238063 1244136 CVE-2025-0620
-----------------------------------------------------------------

The container suse/samba-toolbox was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2230-1
Released: Fri Jul 4 18:03:09 2025
Summary: Security update for samba
Type: security
Severity: moderate
References: 1238063,1244136,CVE-2025-0620

This update for samba fixes the following issues:

- CVE-2025-0620: smbd doesn't pick up group membership changes when re-authenticating an expired SMB session (bsc#1244136).

Other bugfixes:

- net ad join fails with 'Failed to join domain: failed to create kerberos keytab' (bsc#1238063).

The following package changes have been done:

- libldb2-4.21.6+git.402.80f493f530f-150700.3.3.1 updated
- samba-client-libs-4.21.6+git.402.80f493f530f-150700.3.3.1 updated
- samba-client-4.21.6+git.402.80f493f530f-150700.3.3.1 updated
- container:suse-sle15-15.7-87a46906f9bf3b6b8a2f5d858598eb70f4d68fe75af274ee20c6c5b5532c6f4d-0 updated

From sle-container-updates at lists.suse.com Mon Jul 7 07:07:58 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 7 Jul 2025 09:07:58 +0200 (CEST)
Subject: SUSE-CU-2025:4939-1: Security update of suse/samba-server
Message-ID: <20250707070758.090F9FD12@maintenance.suse.de>

SUSE Container Update Advisory: suse/samba-server
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4939-1
Container Tags : suse/samba-server:4.21 , suse/samba-server:4.21 , suse/samba-server:4.21-62.3 , suse/samba-server:latest
Container Release : 62.3
Severity : moderate
Type : security
References : 1238063 1244136 CVE-2025-0620
-----------------------------------------------------------------

The container suse/samba-server was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2230-1
Released: Fri Jul 4 18:03:09 2025
Summary: Security update for samba
Type: security
Severity: moderate
References: 1238063,1244136,CVE-2025-0620

This update for samba fixes the following issues:

- CVE-2025-0620: smbd doesn't pick up group membership changes when re-authenticating an expired SMB session (bsc#1244136).

Other bugfixes:

- net ad join fails with 'Failed to join domain: failed to create kerberos keytab' (bsc#1238063).

The following package changes have been done:

- libldb2-4.21.6+git.402.80f493f530f-150700.3.3.1 updated
- samba-client-libs-4.21.6+git.402.80f493f530f-150700.3.3.1 updated
- samba-libs-4.21.6+git.402.80f493f530f-150700.3.3.1 updated
- samba-client-4.21.6+git.402.80f493f530f-150700.3.3.1 updated
- samba-dcerpc-4.21.6+git.402.80f493f530f-150700.3.3.1 updated
- samba-4.21.6+git.402.80f493f530f-150700.3.3.1 updated
- container:suse-sle15-15.7-87a46906f9bf3b6b8a2f5d858598eb70f4d68fe75af274ee20c6c5b5532c6f4d-0 updated

From sle-container-updates at lists.suse.com Mon Jul 7 07:08:04 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 7 Jul 2025 09:08:04 +0200 (CEST)
Subject: SUSE-CU-2025:4941-1: Security update of bci/bci-sle15-kernel-module-devel
Message-ID: <20250707070804.AC610FD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4941-1
Container Tags : bci/bci-sle15-kernel-module-devel:15.7 , bci/bci-sle15-kernel-module-devel:15.7-41.12 , bci/bci-sle15-kernel-module-devel:latest
Container Release : 41.12
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container bci/bci-sle15-kernel-module-devel was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated

From sle-container-updates at lists.suse.com Mon Jul 7 07:08:08 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 7 Jul 2025 09:08:08 +0200 (CEST)
Subject: SUSE-CU-2025:4942-1: Security update of suse/sle15
Message-ID: <20250707070808.E4E55FD12@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4942-1
Container Tags : bci/bci-base:15.7 , bci/bci-base:15.7-5.8.8 , bci/bci-base:latest , suse/sle15:15.7 , suse/sle15:15.7-5.8.8 , suse/sle15:latest
Container Release : 5.8.8
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated

From sle-container-updates at lists.suse.com Mon Jul 7 07:08:16 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 7 Jul 2025 09:08:16 +0200 (CEST)
Subject: SUSE-CU-2025:4943-1: Security update of bci/spack
Message-ID: <20250707070816.06553FD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/spack
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4943-1
Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-13.13 , bci/spack:latest
Container Release : 13.13
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container bci/spack was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated

From sle-container-updates at lists.suse.com Mon Jul 7 07:10:54 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 7 Jul 2025 09:10:54 +0200 (CEST)
Subject: SUSE-CU-2025:4955-1: Security update of suse/sle-micro/5.1/toolbox
Message-ID: <20250707071054.1CA4DFD12@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.1/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4955-1
Container Tags : suse/sle-micro/5.1/toolbox:14.2 , suse/sle-micro/5.1/toolbox:14.2-3.13.143 , suse/sle-micro/5.1/toolbox:latest
Container Release : 3.13.143
Severity : moderate
Type : security
References : 1228776 1239602 CVE-2024-41965 CVE-2025-29768
-----------------------------------------------------------------

The container suse/sle-micro/5.1/toolbox was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2228-1
Released: Fri Jul 4 15:32:49 2025
Summary: Security update for vim
Type: security
Severity: moderate
References: 1228776,1239602,CVE-2024-41965,CVE-2025-29768

This update for vim fixes the following issues:

- CVE-2024-41965: Fixed improper neutralization of argument delimiters in zip.vim that could have led to data loss (bsc#1228776).
- CVE-2025-29768: Fixed double-free in dialog_changed() (bsc#1239602).
The following package changes have been done:
- vim-data-common-9.1.1406-150000.5.75.1 updated
- vim-9.1.1406-150000.5.75.1 updated
- xxd-9.1.1406-150000.5.75.1 updated

From sle-container-updates at lists.suse.com Mon Jul 7 07:15:41 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 7 Jul 2025 09:15:41 +0200 (CEST)
Subject: SUSE-CU-2025:4957-1: Security update of suse/sle-micro/5.2/toolbox
Message-ID: <20250707071541.434B7FCFE@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4957-1
Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.145 , suse/sle-micro/5.2/toolbox:latest
Container Release : 7.11.145
Severity : moderate
Type : security
References : 1228776 1239602 CVE-2024-41965 CVE-2025-29768
-----------------------------------------------------------------
The container suse/sle-micro/5.2/toolbox was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2228-1
Released: Fri Jul 4 15:32:49 2025
Summary: Security update for vim
Type: security
Severity: moderate
References: 1228776,1239602,CVE-2024-41965,CVE-2025-29768
This update for vim fixes the following issues:
- CVE-2024-41965: Fixed improper neutralization of argument delimiters in zip.vim that could have led to data loss (bsc#1228776).
- CVE-2025-29768: Fixed double-free in dialog_changed() (bsc#1239602).
The following package changes have been done:
- vim-data-common-9.1.1406-150000.5.75.1 updated
- vim-9.1.1406-150000.5.75.1 updated
- xxd-9.1.1406-150000.5.75.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 07:03:21 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 09:03:21 +0200 (CEST)
Subject: SUSE-CU-2025:4958-1: Security update of containers/milvus
Message-ID: <20250708070321.5E00AFCF8@maintenance.suse.de>

SUSE Container Update Advisory: containers/milvus
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4958-1
Container Tags : containers/milvus:2.4 , containers/milvus:2.4.6 , containers/milvus:2.4.6-7.138
Container Release : 7.138
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------
The container containers/milvus was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372
This update for libssh fixes the following issues:
- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2237-1
Released: Mon Jul 7 14:59:13 2025
Summary: Recommended update for openssl-3
Type: recommended
Severity: moderate
References:
This update for openssl-3 fixes the following issues:
- Backport mdless cms signing support [jsc#PED-12895]
The following package changes have been done:
- libssh-config-0.9.8-150600.11.3.1 updated
- libopenssl3-3.1.4-150600.5.33.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- container:registry.suse.com-bci-bci-base-15.6-0cffbb2018bc501494908f27b83c0a28b0e7b5122efad8f392321c4e308d4b67-0 updated

From sle-container-updates at lists.suse.com Tue Jul 8 07:04:36 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 09:04:36 +0200 (CEST)
Subject: SUSE-CU-2025:4959-1: Recommended update of containers/ollama
Message-ID: <20250708070436.C2D63FCF8@maintenance.suse.de>

SUSE Container Update Advisory: containers/ollama
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4959-1
Container Tags : containers/ollama:0 , containers/ollama:0.6.8 , containers/ollama:0.6.8-10.28
Container Release : 10.28
Severity : moderate
Type : recommended
References :
-----------------------------------------------------------------
The container containers/ollama was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2237-1
Released: Mon Jul 7 14:59:13 2025
Summary: Recommended update for openssl-3
Type: recommended
Severity: moderate
References:
This update for openssl-3 fixes the following issues:
- Backport mdless cms signing support [jsc#PED-12895]
The following package changes have been done:
- libopenssl3-3.1.4-150600.5.33.1 updated
- container:registry.suse.com-bci-bci-base-15.6-0cffbb2018bc501494908f27b83c0a28b0e7b5122efad8f392321c4e308d4b67-0 updated

From sle-container-updates at lists.suse.com Tue Jul 8 07:04:41 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 09:04:41 +0200 (CEST)
Subject: SUSE-CU-2025:4960-1: Recommended update of containers/open-webui-pipelines
Message-ID: <20250708070441.6BD52FCF8@maintenance.suse.de>

SUSE Container Update Advisory: containers/open-webui-pipelines
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4960-1
Container Tags : containers/open-webui-pipelines:0 , containers/open-webui-pipelines:0.20250329.151219 , containers/open-webui-pipelines:0.20250329.151219-5.13
Container Release : 5.13
Severity : moderate
Type : recommended
References :
-----------------------------------------------------------------
The container containers/open-webui-pipelines was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2237-1
Released: Mon Jul 7 14:59:13 2025
Summary: Recommended update for openssl-3
Type: recommended
Severity: moderate
References:
This update for openssl-3 fixes the following issues:
- Backport mdless cms signing support [jsc#PED-12895]
The following package changes have been done:
- libopenssl3-3.1.4-150600.5.33.1 updated
- openssl-3-3.1.4-150600.5.33.1 updated
- python-open-webui-pipelines-0.20250329.151219-150600.3.10 updated

From sle-container-updates at lists.suse.com Tue Jul 8 07:04:50 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 09:04:50 +0200 (CEST)
Subject: SUSE-CU-2025:4961-1: Recommended update of containers/pytorch
Message-ID: <20250708070450.E91ECFCF8@maintenance.suse.de>

SUSE Container Update Advisory: containers/pytorch
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4961-1
Container Tags : containers/pytorch:2-nvidia , containers/pytorch:2.7.0-nvidia , containers/pytorch:2.7.0-nvidia-2.25
Container Release : 2.25
Severity : moderate
Type : recommended
References :
-----------------------------------------------------------------
The container containers/pytorch was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2237-1
Released: Mon Jul 7 14:59:13 2025
Summary: Recommended update for openssl-3
Type: recommended
Severity: moderate
References:
This update for openssl-3 fixes the following issues:
- Backport mdless cms signing support [jsc#PED-12895]
The following package changes have been done:
- libopenssl3-3.1.4-150600.5.33.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 07:07:48 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 09:07:48 +0200 (CEST)
Subject: SUSE-IU-2025:1773-1: Recommended update of suse/sle-micro/5.5
Message-ID: <20250708070748.860F2FCF8@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1773-1
Image Tags : suse/sle-micro/5.5:2.0.4 , suse/sle-micro/5.5:2.0.4-5.5.320 , suse/sle-micro/5.5:latest
Image Release : 5.5.320
Severity : moderate
Type : recommended
References : 1165294 1222296
-----------------------------------------------------------------
The container suse/sle-micro/5.5 was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2235-1
Released: Mon Jul 7 14:08:03 2025
Summary: Recommended update for haveged
Type: recommended
Severity: moderate
References: 1165294,1222296
This update for haveged fixes the following issues:
- Add patch files introducing the '--once' flag (bsc#1222296, bsc#1165294)
The following package changes have been done:
- libhavege2-1.9.14-150400.3.8.1 updated
- haveged-1.9.14-150400.3.8.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 07:15:12 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 09:15:12 +0200 (CEST)
Subject: SUSE-CU-2025:4965-1: Recommended update of suse/sle-micro-rancher/5.4
Message-ID: <20250708071512.CC633F78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro-rancher/5.4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4965-1
Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.15 , suse/sle-micro-rancher/5.4:latest
Container Release : 4.5.15
Severity : moderate
Type : recommended
References : 1165294 1222296
-----------------------------------------------------------------
The container suse/sle-micro-rancher/5.4 was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2235-1
Released: Mon Jul 7 14:08:03 2025
Summary: Recommended update for haveged
Type: recommended
Severity: moderate
References: 1165294,1222296
This update for haveged fixes the following issues:
- Add patch files introducing the '--once' flag (bsc#1222296, bsc#1165294)
The following package changes have been done:
- haveged-1.9.14-150400.3.8.1 updated
- libhavege2-1.9.14-150400.3.8.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 07:15:49 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 09:15:49 +0200 (CEST)
Subject: SUSE-IU-2025:1774-1: Security update of suse/sl-micro/6.1/base-os-container
Message-ID: <20250708071549.EF62DF78C@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1774-1
Image Tags : suse/sl-micro/6.1/base-os-container:2.2.1 , suse/sl-micro/6.1/base-os-container:2.2.1-5.4 , suse/sl-micro/6.1/base-os-container:latest
Image Release : 5.4
Severity : moderate
Type : security
References : 1231463 1240897 1242844 CVE-2025-3360 CVE-2025-4373
-----------------------------------------------------------------
The container suse/sl-micro/6.1/base-os-container was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 172
Released: Mon Jul 7 13:11:11 2025
Summary: Security update for glib2
Type: security
Severity: moderate
References: 1231463,1240897,1242844,CVE-2025-3360,CVE-2025-4373
This update for glib2 fixes the following issues:
Security issues:
- CVE-2025-4373: Fixed handling gssize parameters (bsc#1242844).
- CVE-2025-3360: Fixed integer overflow and buffer underread when parsing a very long and invalid ISO 8601 timestamp with g_date_time_new_from_iso8601 (bsc#1240897)
Non security issues:
- Trigger glib2-tools postun trigger exit normally if glib2-compile-schemas can't be run. Fixes error when uninstalling if libgio is uninstalled first (bsc#1231463).
The following package changes have been done:
- SL-Micro-release-6.1-slfo.1.11.41 updated
- libglib-2_0-0-2.78.6-slfo.1.1_3.1 updated
- libgobject-2_0-0-2.78.6-slfo.1.1_3.1 updated
- libgmodule-2_0-0-2.78.6-slfo.1.1_3.1 updated
- libgio-2_0-0-2.78.6-slfo.1.1_3.1 updated
- glib2-tools-2.78.6-slfo.1.1_3.1 updated
- container:suse-toolbox-image-1.0.0-4.48 updated

From sle-container-updates at lists.suse.com Tue Jul 8 07:16:26 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 09:16:26 +0200 (CEST)
Subject: SUSE-IU-2025:1775-1: Security update of suse/sl-micro/6.1/kvm-os-container
Message-ID: <20250708071626.6A1E7F78C@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/kvm-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1775-1
Image Tags : suse/sl-micro/6.1/kvm-os-container:2.2.1 , suse/sl-micro/6.1/kvm-os-container:2.2.1-5.4 , suse/sl-micro/6.1/kvm-os-container:latest
Image Release : 5.4
Severity : moderate
Type : security
References : 1231463 1240897 1242844 CVE-2025-3360 CVE-2025-4373
-----------------------------------------------------------------
The container suse/sl-micro/6.1/kvm-os-container was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 172
Released: Mon Jul 7 13:11:11 2025
Summary: Security update for glib2
Type: security
Severity: moderate
References: 1231463,1240897,1242844,CVE-2025-3360,CVE-2025-4373
This update for glib2 fixes the following issues:
Security issues:
- CVE-2025-4373: Fixed handling gssize parameters (bsc#1242844).
- CVE-2025-3360: Fixed integer overflow and buffer underread when parsing a very long and invalid ISO 8601 timestamp with g_date_time_new_from_iso8601 (bsc#1240897)
Non security issues:
- Trigger glib2-tools postun trigger exit normally if glib2-compile-schemas can't be run. Fixes error when uninstalling if libgio is uninstalled first (bsc#1231463).
The following package changes have been done:
- SL-Micro-release-6.1-slfo.1.11.41 updated
- libglib-2_0-0-2.78.6-slfo.1.1_3.1 updated
- libgobject-2_0-0-2.78.6-slfo.1.1_3.1 updated
- libgmodule-2_0-0-2.78.6-slfo.1.1_3.1 updated
- libgio-2_0-0-2.78.6-slfo.1.1_3.1 updated
- glib2-tools-2.78.6-slfo.1.1_3.1 updated
- container:SL-Micro-base-container-2.2.1-5.4 updated

From sle-container-updates at lists.suse.com Tue Jul 8 07:20:34 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 09:20:34 +0200 (CEST)
Subject: SUSE-CU-2025:4967-1: Recommended update of bci/bci-init
Message-ID: <20250708072034.43D12F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-init
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4967-1
Container Tags : bci/bci-init:15.6 , bci/bci-init:15.6.44.13
Container Release : 44.13
Severity : moderate
Type : recommended
References :
-----------------------------------------------------------------
The container bci/bci-init was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2237-1
Released: Mon Jul 7 14:59:13 2025
Summary: Recommended update for openssl-3
Type: recommended
Severity: moderate
References:
This update for openssl-3 fixes the following issues:
- Backport mdless cms signing support [jsc#PED-12895]
The following package changes have been done:
- libopenssl3-3.1.4-150600.5.33.1 updated
- libopenssl-3-fips-provider-3.1.4-150600.5.33.1 updated
- container:registry.suse.com-bci-bci-base-15.6-a7f27f7bab64e7f95497baad4f390fdfe90800a959710ce80dd6d03ec4895995-0 updated

From sle-container-updates at lists.suse.com Tue Jul 8 07:20:35 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 09:20:35 +0200 (CEST)
Subject: SUSE-CU-2025:4968-1: Recommended update of bci/bci-micro-fips
Message-ID: <20250708072035.90E04F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-micro-fips
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4968-1
Container Tags : bci/bci-micro-fips:15.6 , bci/bci-micro-fips:15.6.4.7
Container Release : 4.7
Severity : moderate
Type : recommended
References :
-----------------------------------------------------------------
The container bci/bci-micro-fips was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2237-1
Released: Mon Jul 7 14:59:13 2025
Summary: Recommended update for openssl-3
Type: recommended
Severity: moderate
References:
This update for openssl-3 fixes the following issues:
- Backport mdless cms signing support [jsc#PED-12895]
The following package changes have been done:
- libopenssl3-3.1.4-150600.5.33.1 updated
- libopenssl-3-fips-provider-3.1.4-150600.5.33.1 updated
- container:bci-bci-base-15.6-0cffbb2018bc501494908f27b83c0a28b0e7b5122efad8f392321c4e308d4b67-0 updated

From sle-container-updates at lists.suse.com Tue Jul 8 07:21:18 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 09:21:18 +0200 (CEST)
Subject: SUSE-CU-2025:4969-1: Recommended update of bci/nodejs
Message-ID: <20250708072118.5F776F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/nodejs
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4969-1
Container Tags : bci/node:20 , bci/node:20.19.2 , bci/node:20.19.2-54.11 , bci/nodejs:20 , bci/nodejs:20.19.2 , bci/nodejs:20.19.2-54.11
Container Release : 54.11
Severity : moderate
Type : recommended
References :
-----------------------------------------------------------------
The container bci/nodejs was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2237-1
Released: Mon Jul 7 14:59:13 2025
Summary: Recommended update for openssl-3
Type: recommended
Severity: moderate
References:
This update for openssl-3 fixes the following issues:
- Backport mdless cms signing support [jsc#PED-12895]
The following package changes have been done:
- libopenssl3-3.1.4-150600.5.33.1 updated
- libopenssl-3-fips-provider-3.1.4-150600.5.33.1 updated
- container:registry.suse.com-bci-bci-base-15.6-a7f27f7bab64e7f95497baad4f390fdfe90800a959710ce80dd6d03ec4895995-0 updated

From sle-container-updates at lists.suse.com Tue Jul 8 07:22:07 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 09:22:07 +0200 (CEST)
Subject: SUSE-CU-2025:4970-1: Recommended update of bci/python
Message-ID: <20250708072207.EDFABF78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4970-1
Container Tags : bci/python:3 , bci/python:3.12 , bci/python:3.12.11 , bci/python:3.12.11-69.12
Container Release : 69.12
Severity : moderate
Type : recommended
References :
-----------------------------------------------------------------
The container bci/python was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2237-1
Released: Mon Jul 7 14:59:13 2025
Summary: Recommended update for openssl-3
Type: recommended
Severity: moderate
References:
This update for openssl-3 fixes the following issues:
- Backport mdless cms signing support [jsc#PED-12895]
The following package changes have been done:
- libopenssl3-3.1.4-150600.5.33.1 updated
- libopenssl-3-fips-provider-3.1.4-150600.5.33.1 updated
- openssl-3-3.1.4-150600.5.33.1 updated
- container:registry.suse.com-bci-bci-base-15.6-a7f27f7bab64e7f95497baad4f390fdfe90800a959710ce80dd6d03ec4895995-0 updated

From sle-container-updates at lists.suse.com Tue Jul 8 07:22:32 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 09:22:32 +0200 (CEST)
Subject: SUSE-CU-2025:4971-1: Recommended update of suse/mariadb-client
Message-ID: <20250708072232.88C31F78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/mariadb-client
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4971-1
Container Tags : suse/mariadb-client:10.11 , suse/mariadb-client:10.11.11 , suse/mariadb-client:10.11.11-61.6
Container Release : 61.6
Severity : moderate
Type : recommended
References :
-----------------------------------------------------------------
The container suse/mariadb-client was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2237-1
Released: Mon Jul 7 14:59:13 2025
Summary: Recommended update for openssl-3
Type: recommended
Severity: moderate
References:
This update for openssl-3 fixes the following issues:
- Backport mdless cms signing support [jsc#PED-12895]
The following package changes have been done:
- libopenssl3-3.1.4-150600.5.33.1 updated
- container:suse-sle15-15.6-0cffbb2018bc501494908f27b83c0a28b0e7b5122efad8f392321c4e308d4b67-0 updated

From sle-container-updates at lists.suse.com Tue Jul 8 07:23:04 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 09:23:04 +0200 (CEST)
Subject: SUSE-CU-2025:4972-1: Recommended update of suse/mariadb
Message-ID: <20250708072304.382D2F78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/mariadb
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4972-1
Container Tags : suse/mariadb:10.11 , suse/mariadb:10.11.11 , suse/mariadb:10.11.11-68.7
Container Release : 68.7
Severity : moderate
Type : recommended
References :
-----------------------------------------------------------------
The container suse/mariadb was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2237-1
Released: Mon Jul 7 14:59:13 2025
Summary: Recommended update for openssl-3
Type: recommended
Severity: moderate
References:
This update for openssl-3 fixes the following issues:
- Backport mdless cms signing support [jsc#PED-12895]
The following package changes have been done:
- libopenssl3-3.1.4-150600.5.33.1 updated
- openssl-3-3.1.4-150600.5.33.1 updated
- container:suse-sle15-15.6-0cffbb2018bc501494908f27b83c0a28b0e7b5122efad8f392321c4e308d4b67-0 updated

From sle-container-updates at lists.suse.com Tue Jul 8 07:25:17 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 09:25:17 +0200 (CEST)
Subject: SUSE-CU-2025:4973-1: Recommended update of bci/bci-sle15-kernel-module-devel
Message-ID: <20250708072517.2DE65F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4973-1
Container Tags : bci/bci-sle15-kernel-module-devel:15.6 , bci/bci-sle15-kernel-module-devel:15.6.44.13
Container Release : 44.13
Severity : moderate
Type : recommended
References : 1244135
-----------------------------------------------------------------
The container bci/bci-sle15-kernel-module-devel was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2239-1
Released: Mon Jul 7 15:32:03 2025
Summary: Recommended update for libbpf
Type: recommended
Severity: moderate
References: 1244135
This update for libbpf fixes the following issue:
- Workaround kernel module size increase, 6.15 modules are 2-4 times larger than 6.14's (bsc#1244135).
The following package changes have been done:
- libbpf1-1.2.2-150600.3.6.2 updated

From sle-container-updates at lists.suse.com Tue Jul 8 07:25:19 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 09:25:19 +0200 (CEST)
Subject: SUSE-CU-2025:4974-1: Recommended update of bci/bci-sle15-kernel-module-devel
Message-ID: <20250708072519.B8241F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4974-1
Container Tags : bci/bci-sle15-kernel-module-devel:15.6 , bci/bci-sle15-kernel-module-devel:15.6.44.14
Container Release : 44.14
Severity : moderate
Type : recommended
References :
-----------------------------------------------------------------
The container bci/bci-sle15-kernel-module-devel was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2237-1
Released: Mon Jul 7 14:59:13 2025
Summary: Recommended update for openssl-3
Type: recommended
Severity: moderate
References:
This update for openssl-3 fixes the following issues:
- Backport mdless cms signing support [jsc#PED-12895]
The following package changes have been done:
- libopenssl3-3.1.4-150600.5.33.1 updated
- libopenssl-3-fips-provider-3.1.4-150600.5.33.1 updated
- openssl-3-3.1.4-150600.5.33.1 updated
- container:registry.suse.com-bci-bci-base-15.6-a7f27f7bab64e7f95497baad4f390fdfe90800a959710ce80dd6d03ec4895995-0 updated

From sle-container-updates at lists.suse.com Tue Jul 8 07:26:01 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 09:26:01 +0200 (CEST)
Subject: SUSE-CU-2025:4975-1: Recommended update of suse/sle15
Message-ID: <20250708072601.311DEF78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4975-1
Container Tags : bci/bci-base:15.6 , bci/bci-base:15.6.47.23.8 , suse/sle15:15.6 , suse/sle15:15.6.47.23.8
Container Release : 47.23.8
Severity : moderate
Type : recommended
References :
-----------------------------------------------------------------
The container suse/sle15 was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2237-1
Released: Mon Jul 7 14:59:13 2025
Summary: Recommended update for openssl-3
Type: recommended
Severity: moderate
References:
This update for openssl-3 fixes the following issues:
- Backport mdless cms signing support [jsc#PED-12895]
The following package changes have been done:
- libopenssl-3-fips-provider-3.1.4-150600.5.33.1 updated
- libopenssl3-3.1.4-150600.5.33.1 updated
- openssl-3-3.1.4-150600.5.33.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 07:26:55 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 09:26:55 +0200 (CEST)
Subject: SUSE-CU-2025:4976-1: Recommended update of bci/spack
Message-ID: <20250708072655.C0C4CF78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/spack
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4976-1
Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-11.11
Container Release : 11.11
Severity : moderate
Type : recommended
References :
-----------------------------------------------------------------
The container bci/spack was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2237-1
Released: Mon Jul 7 14:59:13 2025
Summary: Recommended update for openssl-3
Type: recommended
Severity: moderate
References:
This update for openssl-3 fixes the following issues:
- Backport mdless cms signing support [jsc#PED-12895]
The following package changes have been done:
- libopenssl-3-devel-3.1.4-150600.5.33.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 07:27:04 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 09:27:04 +0200 (CEST)
Subject: SUSE-CU-2025:4978-1: Security update of suse/389-ds
Message-ID: <20250708072704.A367CF78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/389-ds
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4978-1
Container Tags : suse/389-ds:2.5 , suse/389-ds:2.5.3 , suse/389-ds:2.5.3-61.13 , suse/389-ds:latest
Container Release : 61.13
Severity : moderate
Type : security
References : 1240366 CVE-2025-27587
-----------------------------------------------------------------
The container suse/389-ds was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2236-1
Released: Mon Jul 7 14:58:53 2025
Summary: Security update for openssl-3
Type: security
Severity: moderate
References: 1240366,CVE-2025-27587
This update for openssl-3 fixes the following issues:
- CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366).
- Backport mdless cms signing support [jsc#PED-12895]
The following package changes have been done:
- libopenssl3-3.2.3-150700.5.10.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated
- openssl-3-3.2.3-150700.5.10.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated

From sle-container-updates at lists.suse.com Tue Jul 8 07:27:24 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 09:27:24 +0200 (CEST)
Subject: SUSE-CU-2025:4982-1: Security update of suse/bind
Message-ID: <20250708072724.E5374F78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/bind
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4982-1
Container Tags : suse/bind:9 , suse/bind:9.20 , suse/bind:9.20.9 , suse/bind:9.20.9-61.11 , suse/bind:latest
Container Release : 61.11
Severity : moderate
Type : security
References : 1240366 CVE-2025-27587
-----------------------------------------------------------------
The container suse/bind was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2236-1
Released: Mon Jul 7 14:58:53 2025
Summary: Security update for openssl-3
Type: security
Severity: moderate
References: 1240366,CVE-2025-27587
This update for openssl-3 fixes the following issues:
- CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366).
- Backport mdless cms signing support [jsc#PED-12895]
The following package changes have been done:
- libopenssl3-3.2.3-150700.5.10.1 updated
- container:suse-sle15-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated

From sle-container-updates at lists.suse.com Tue Jul 8 07:27:27 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 09:27:27 +0200 (CEST)
Subject: SUSE-CU-2025:4983-1: Security update of suse/registry
Message-ID: <20250708072727.4A41BF78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/registry
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4983-1
Container Tags : suse/registry:2.8 , suse/registry:2.8-5.7 , suse/registry:latest
Container Release : 5.7
Severity : important
Type : security
References : 1240366 1244471 CVE-2025-27587
-----------------------------------------------------------------
The container suse/registry was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2066-1
Released: Mon Jun 23 12:48:32 2025
Summary: Security update for distribution
Type: security
Severity: important
References: 1244471
This update for distribution fixes the following issues:
The package is rebuilt with more recent go go1.24, fixing respective security issues (bsc#1244471)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2236-1
Released: Mon Jul 7 14:58:53 2025
Summary: Security update for openssl-3
Type: security
Severity: moderate
References: 1240366,CVE-2025-27587
This update for openssl-3 fixes the following issues:
- CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366).
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - distribution-registry-2.8.3-150400.9.27.1 updated - libopenssl3-3.2.3-150700.5.10.1 updated - openssl-3-3.2.3-150700.5.10.1 updated From sle-container-updates at lists.suse.com Tue Jul 8 10:09:49 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 12:09:49 +0200 (CEST) Subject: SUSE-CU-2025:4985-1: Recommended update of suse/hpc/warewulf4-x86_64/sle-hpc-node Message-ID: <20250708100949.246A9FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/hpc/warewulf4-x86_64/sle-hpc-node ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4985-1 Container Tags : suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6 , suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6.17.8.70 , suse/hpc/warewulf4-x86_64/sle-hpc-node:latest Container Release : 17.8.70 Severity : moderate Type : recommended References : 1241667 1244135 ----------------------------------------------------------------- The container suse/hpc/warewulf4-x86_64/sle-hpc-node was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2237-1 Released: Mon Jul 7 14:59:13 2025 Summary: Recommended update for openssl-3 Type: recommended Severity: moderate References: This update for openssl-3 fixes the following issues: - Backport mdless cms signing support [jsc#PED-12895] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2239-1 Released: Mon Jul 7 15:32:03 2025 Summary: Recommended update for libbpf Type: recommended Severity: moderate References: 1244135 This update for libbpf fixes the following issue: - Workaround kernel module size increase, 6.15 modules are 2-4 times larger than 6.14's (bsc#1244135). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2240-1 Released: Mon Jul 7 18:16:10 2025 Summary: Recommended update for openssh Type: recommended Severity: moderate References: 1241667 This update for openssh fixes the following issue: - 'scp' on SLE 15 ignores write directory permissions for group and world (bsc#1241667). The following package changes have been done: - libbpf1-1.2.2-150600.3.6.2 updated - libopenssl3-3.1.4-150600.5.33.1 updated - openssh-clients-9.6p1-150600.6.29.2 updated - openssh-common-9.6p1-150600.6.29.2 updated - openssh-server-9.6p1-150600.6.29.2 updated - openssh-9.6p1-150600.6.29.2 updated - openssl-3-3.1.4-150600.5.33.1 updated From sle-container-updates at lists.suse.com Tue Jul 8 10:11:17 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 12:11:17 +0200 (CEST) Subject: SUSE-CU-2025:4983-1: Security update of suse/registry Message-ID: <20250708101117.3E11DFCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/registry ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4983-1 Container Tags : suse/registry:2.8 , suse/registry:2.8-5.7 , suse/registry:latest Container Release : 5.7 Severity : important Type : security References : 1240366 1244471 CVE-2025-27587 ----------------------------------------------------------------- The container suse/registry was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2066-1 Released: Mon Jun 23 12:48:32 2025 Summary: Security update for distribution Type: security Severity: important References: 1244471 This update for distribution fixes the following issues: The package is rebuilt with more recent go go1.24, fixing respective security issues (bsc#1244471) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). - Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - distribution-registry-2.8.3-150400.9.27.1 updated - libopenssl3-3.2.3-150700.5.10.1 updated - openssl-3-3.2.3-150700.5.10.1 updated From sle-container-updates at lists.suse.com Tue Jul 8 10:11:37 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 12:11:37 +0200 (CEST) Subject: SUSE-CU-2025:4990-1: Security update of suse/git Message-ID: <20250708101137.02719FCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/git ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4990-1 Container Tags : suse/git:2 , suse/git:2.43 , suse/git:2.43.0 , suse/git:2.43.0-61.13 , suse/git:latest Container Release : 61.13 Severity : moderate Type : security References : 1240366 1241667 CVE-2025-27587 ----------------------------------------------------------------- The container suse/git was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). - Backport mdless cms signing support [jsc#PED-12895] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2240-1 Released: Mon Jul 7 18:16:10 2025 Summary: Recommended update for openssh Type: recommended Severity: moderate References: 1241667 This update for openssh fixes the following issue: - 'scp' on SLE 15 ignores write directory permissions for group and world (bsc#1241667). The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - openssh-common-9.6p1-150600.6.29.2 updated - openssh-clients-9.6p1-150600.6.29.2 updated - container:suse-sle15-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 10:11:41 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 12:11:41 +0200 (CEST) Subject: SUSE-CU-2025:4991-1: Security update of bci/golang Message-ID: <20250708101141.DDA9EFCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4991-1 Container Tags : bci/golang:1.23 , bci/golang:1.23.10 , bci/golang:1.23.10-2.71.13 , bci/golang:oldstable , bci/golang:oldstable-2.71.13 Container Release : 71.13 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container bci/golang was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). - Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated - container:registry.suse.com-bci-bci-base-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 10:11:46 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 12:11:46 +0200 (CEST) Subject: SUSE-CU-2025:4992-1: Security update of bci/golang Message-ID: <20250708101146.81617FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4992-1 Container Tags : bci/golang:1.23-openssl , bci/golang:1.23.2-openssl , bci/golang:1.23.2-openssl-71.12 , bci/golang:oldstable-openssl , bci/golang:oldstable-openssl-71.12 Container Release : 71.12 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container bci/golang was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). - Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl-3-devel-3.2.3-150700.5.10.1 updated From sle-container-updates at lists.suse.com Tue Jul 8 10:11:51 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 12:11:51 +0200 (CEST) Subject: SUSE-CU-2025:4994-1: Security update of bci/golang Message-ID: <20250708101151.4E213FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4994-1 Container Tags : bci/golang:1.24 , bci/golang:1.24.4 , bci/golang:1.24.4-1.71.13 , bci/golang:latest , bci/golang:stable , bci/golang:stable-1.71.13 Container Release : 71.13 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated - container:registry.suse.com-bci-bci-base-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 10:11:56 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 12:11:56 +0200 (CEST) Subject: SUSE-CU-2025:4995-1: Security update of bci/golang Message-ID: <20250708101156.B873DFCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4995-1 Container Tags : bci/golang:1.24-openssl , bci/golang:1.24.3-openssl , bci/golang:1.24.3-openssl-71.12 , bci/golang:latest , bci/golang:stable-openssl , bci/golang:stable-openssl-71.12 Container Release : 71.12 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl-3-devel-3.2.3-150700.5.10.1 updated From sle-container-updates at lists.suse.com Tue Jul 8 10:12:00 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 12:12:00 +0200 (CEST) Subject: SUSE-CU-2025:4997-1: Security update of suse/helm Message-ID: <20250708101200.AB5C1FCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/helm ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4997-1 Container Tags : suse/helm:3 , suse/helm:3.18 , suse/helm:3.18.3 , suse/helm:3.18.3-61.5 , suse/helm:latest Container Release : 61.5 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container suse/helm was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - openssl-3-3.2.3-150700.5.10.1 updated - container:suse-sle15-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 10:12:05 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 12:12:05 +0200 (CEST) Subject: SUSE-CU-2025:4998-1: Security update of bci/bci-init Message-ID: <20250708101205.7F7F9FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-init ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4998-1 Container Tags : bci/bci-init:15.7 , bci/bci-init:15.7-41.16 , bci/bci-init:latest Container Release : 41.16 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container bci/bci-init was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated - container:registry.suse.com-bci-bci-base-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 10:12:09 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 12:12:09 +0200 (CEST) Subject: SUSE-CU-2025:4999-1: Security update of suse/kiosk/firefox-esr Message-ID: <20250708101209.87EC5FCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/firefox-esr ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4999-1 Container Tags : suse/kiosk/firefox-esr:128.12 , suse/kiosk/firefox-esr:128.12-62.4 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest Container Release : 62.4 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container suse/kiosk/firefox-esr was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - container:suse-sle15-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 10:12:16 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 12:12:16 +0200 (CEST) Subject: SUSE-CU-2025:5000-1: Security update of bci/kiwi Message-ID: <20250708101216.8B929FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/kiwi ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5000-1 Container Tags : bci/kiwi:9 , bci/kiwi:9.24 , bci/kiwi:9.24.43 , bci/kiwi:9.24.43-16.20 , bci/kiwi:latest Container Release : 16.20 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container bci/kiwi was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated - openssl-3-3.2.3-150700.5.10.1 updated - container:registry.suse.com-bci-bci-base-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 10:12:18 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 12:12:18 +0200 (CEST) Subject: SUSE-CU-2025:5001-1: Security update of bci/bci-micro-fips Message-ID: <20250708101218.6ED04FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-micro-fips ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5001-1 Container Tags : bci/bci-micro-fips:15.7 , bci/bci-micro-fips:15.7-5.12 , bci/bci-micro-fips:latest Container Release : 5.12 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container bci/bci-micro-fips was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated - container:bci-bci-base-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 10:12:24 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 12:12:24 +0200 (CEST) Subject: SUSE-CU-2025:5002-1: Security update of suse/nginx Message-ID: <20250708101224.3D56DFCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/nginx ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5002-1 Container Tags : suse/nginx:1.21 , suse/nginx:1.21-61.12 , suse/nginx:latest Container Release : 61.12 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container suse/nginx was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated - container:registry.suse.com-bci-bci-base-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 10:12:28 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 12:12:28 +0200 (CEST) Subject: SUSE-CU-2025:5003-1: Security update of bci/nodejs Message-ID: <20250708101228.68296FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/nodejs ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5003-1 Container Tags : bci/node:22 , bci/node:22.15.1 , bci/node:22.15.1-9.13 , bci/node:latest , bci/nodejs:22 , bci/nodejs:22.15.1 , bci/nodejs:22.15.1-9.13 , bci/nodejs:latest Container Release : 9.13 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container bci/nodejs was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated - container:registry.suse.com-bci-bci-base-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 10:12:32 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 12:12:32 +0200 (CEST) Subject: SUSE-CU-2025:5004-1: Security update of bci/openjdk-devel Message-ID: <20250708101232.418E6FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5004-1 Container Tags : bci/openjdk-devel:17 , bci/openjdk-devel:17.0.15.0 , bci/openjdk-devel:17.0.15.0-7.20 Container Release : 7.20 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container bci/openjdk-devel was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated - openssl-3-3.2.3-150700.5.10.1 updated - container:bci-openjdk-17-15.7.17-7.19 updated From sle-container-updates at lists.suse.com Tue Jul 8 10:12:36 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 12:12:36 +0200 (CEST) Subject: SUSE-CU-2025:5005-1: Security update of bci/openjdk Message-ID: <20250708101236.A8E19FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5005-1 Container Tags : bci/openjdk:17 , bci/openjdk:17.0.15.0 , bci/openjdk:17.0.15.0-7.19 Container Release : 7.19 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container bci/openjdk was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated - openssl-3-3.2.3-150700.5.10.1 updated - container:registry.suse.com-bci-bci-base-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 10:12:41 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 12:12:41 +0200 (CEST) Subject: SUSE-CU-2025:5006-1: Security update of bci/openjdk-devel Message-ID: <20250708101241.3D3E4FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5006-1 Container Tags : bci/openjdk-devel:21 , bci/openjdk-devel:21.0.7.0 , bci/openjdk-devel:21.0.7.0-10.19 , bci/openjdk-devel:latest Container Release : 10.19 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container bci/openjdk-devel was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated - openssl-3-3.2.3-150700.5.10.1 updated - container:bci-openjdk-21-15.7.21-10.18 updated From sle-container-updates at lists.suse.com Tue Jul 8 10:12:46 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 12:12:46 +0200 (CEST) Subject: SUSE-CU-2025:5007-1: Security update of bci/openjdk Message-ID: <20250708101246.37798FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5007-1 Container Tags : bci/openjdk:21 , bci/openjdk:21.0.7.0 , bci/openjdk:21.0.7.0-10.18 , bci/openjdk:latest Container Release : 10.18 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container bci/openjdk was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated - openssl-3-3.2.3-150700.5.10.1 updated - container:registry.suse.com-bci-bci-base-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 10:12:51 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 12:12:51 +0200 (CEST) Subject: SUSE-CU-2025:5008-1: Security update of bci/php-apache Message-ID: <20250708101251.24050FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/php-apache ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5008-1 Container Tags : bci/php-apache:8 , bci/php-apache:8.3.19 , bci/php-apache:8.3.19-10.14 , bci/php-apache:latest Container Release : 10.14 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container bci/php-apache was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated - container:registry.suse.com-bci-bci-base-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 10:12:55 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 12:12:55 +0200 (CEST) Subject: SUSE-CU-2025:5009-1: Security update of bci/php-fpm Message-ID: <20250708101255.D8275FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/php-fpm ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5009-1 Container Tags : bci/php-fpm:8 , bci/php-fpm:8.3.19 , bci/php-fpm:8.3.19-10.14 , bci/php-fpm:latest Container Release : 10.14 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container bci/php-fpm was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated - container:registry.suse.com-bci-bci-base-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 10:13:00 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 12:13:00 +0200 (CEST) Subject: SUSE-CU-2025:5010-1: Security update of bci/php Message-ID: <20250708101300.78783FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/php ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5010-1 Container Tags : bci/php:8 , bci/php:8.3.19 , bci/php:8.3.19-10.14 , bci/php:latest Container Release : 10.14 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container bci/php was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated - container:registry.suse.com-bci-bci-base-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 11:01:25 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 13:01:25 +0200 (CEST) Subject: SUSE-CU-2025:5011-1: Security update of suse/postgres Message-ID: <20250708110125.5201BFCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/postgres ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5011-1 Container Tags : suse/postgres:16 , suse/postgres:16.9 , suse/postgres:16.9 , suse/postgres:16.9-71.3 Container Release : 71.3 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container suse/postgres was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - container:suse-sle15-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 11:01:29 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 13:01:29 +0200 (CEST) Subject: SUSE-CU-2025:5012-1: Security update of suse/postgres Message-ID: <20250708110129.C16C9FCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/postgres ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5012-1 Container Tags : suse/postgres:17 , suse/postgres:17.5 , suse/postgres:17.5 , suse/postgres:17.5-61.11 , suse/postgres:latest Container Release : 61.11 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container suse/postgres was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - container:suse-sle15-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 11:01:32 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 13:01:32 +0200 (CEST) Subject: SUSE-CU-2025:5013-1: Security update of suse/kiosk/pulseaudio Message-ID: <20250708110132.B2750FCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/pulseaudio ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5013-1 Container Tags : suse/kiosk/pulseaudio:17 , suse/kiosk/pulseaudio:17.0 , suse/kiosk/pulseaudio:17.0-61.14 , suse/kiosk/pulseaudio:latest Container Release : 61.14 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container suse/kiosk/pulseaudio was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated - container:registry.suse.com-bci-bci-base-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 11:01:37 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 13:01:37 +0200 (CEST) Subject: SUSE-CU-2025:5014-1: Security update of bci/python Message-ID: <20250708110137.9A231FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5014-1 Container Tags : bci/python:3 , bci/python:3.11 , bci/python:3.11.13 , bci/python:3.11.13-71.15 Container Release : 71.15 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container bci/python was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated - openssl-3-3.2.3-150700.5.10.1 updated - container:registry.suse.com-bci-bci-base-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 11:01:43 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 13:01:43 +0200 (CEST) Subject: SUSE-CU-2025:5015-1: Security update of bci/python Message-ID: <20250708110143.910C2FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5015-1 Container Tags : bci/python:3.13 , bci/python:3.13.5 , bci/python:3.13.5-71.16 , bci/python:latest Container Release : 71.16 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container bci/python was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated - openssl-3-3.2.3-150700.5.10.1 updated - container:registry.suse.com-bci-bci-base-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 11:01:48 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 13:01:48 +0200 (CEST) Subject: SUSE-CU-2025:5016-1: Security update of bci/python Message-ID: <20250708110148.8399AFCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5016-1 Container Tags : bci/python:3 , bci/python:3.6 , bci/python:3.6.15 , bci/python:3.6.15-71.15 Container Release : 71.15 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container bci/python was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated - openssl-3-3.2.3-150700.5.10.1 updated - container:registry.suse.com-bci-bci-base-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 11:01:51 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 13:01:51 +0200 (CEST) Subject: SUSE-CU-2025:5017-1: Security update of suse/mariadb-client Message-ID: <20250708110151.8E6EBFCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/mariadb-client ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5017-1 Container Tags : suse/mariadb-client:11.4 , suse/mariadb-client:11.4.5 , suse/mariadb-client:11.4.5-61.10 , suse/mariadb-client:latest Container Release : 61.10 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container suse/mariadb-client was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - container:suse-sle15-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 11:01:54 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 13:01:54 +0200 (CEST) Subject: SUSE-CU-2025:5018-1: Security update of suse/mariadb Message-ID: <20250708110154.D48C3FCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/mariadb ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5018-1 Container Tags : suse/mariadb:11.4 , suse/mariadb:11.4.5 , suse/mariadb:11.4.5-61.11 , suse/mariadb:latest Container Release : 61.11 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container suse/mariadb was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - openssl-3-3.2.3-150700.5.10.1 updated - container:suse-sle15-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 11:01:59 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 13:01:59 +0200 (CEST) Subject: SUSE-CU-2025:5019-1: Security update of bci/ruby Message-ID: <20250708110159.BE4D3FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/ruby ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5019-1 Container Tags : bci/ruby:2 , bci/ruby:2.5 , bci/ruby:2.5-11.13 Container Release : 11.13 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container bci/ruby was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated - container:registry.suse.com-bci-bci-base-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 11:02:05 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 13:02:05 +0200 (CEST) Subject: SUSE-CU-2025:5020-1: Security update of bci/ruby Message-ID: <20250708110205.64C1BFCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/ruby ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5020-1 Container Tags : bci/ruby:3 , bci/ruby:3.4 , bci/ruby:3.4-10.13 , bci/ruby:latest Container Release : 10.13 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container bci/ruby was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated - container:registry.suse.com-bci-bci-base-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 11:02:09 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 13:02:09 +0200 (CEST) Subject: SUSE-CU-2025:5021-1: Security update of bci/rust Message-ID: <20250708110209.8A7F4FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/rust ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5021-1 Container Tags : bci/rust:1.86 , bci/rust:1.86.0 , bci/rust:1.86.0-2.2.18 , bci/rust:oldstable , bci/rust:oldstable-2.2.18 Container Release : 2.18 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container bci/rust was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated - container:registry.suse.com-bci-bci-base-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 11:02:14 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 13:02:14 +0200 (CEST) Subject: SUSE-CU-2025:5022-1: Security update of bci/rust Message-ID: <20250708110214.1AC2AFCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/rust ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5022-1 Container Tags : bci/rust:1.87 , bci/rust:1.87.0 , bci/rust:1.87.0-1.3.13 , bci/rust:latest , bci/rust:stable , bci/rust:stable-1.3.13 Container Release : 3.13 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container bci/rust was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated - container:registry.suse.com-bci-bci-base-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 11:02:16 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 13:02:16 +0200 (CEST) Subject: SUSE-CU-2025:5023-1: Security update of suse/samba-client Message-ID: <20250708110216.A7D7CFCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/samba-client ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5023-1 Container Tags : suse/samba-client:4.21 , suse/samba-client:4.21 , suse/samba-client:4.21-62.5 , suse/samba-client:latest Container Release : 62.5 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container suse/samba-client was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - container:suse-sle15-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 11:02:19 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 13:02:19 +0200 (CEST) Subject: SUSE-CU-2025:5024-1: Security update of suse/samba-server Message-ID: <20250708110219.5C5A2FCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/samba-server ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5024-1 Container Tags : suse/samba-server:4.21 , suse/samba-server:4.21 , suse/samba-server:4.21-62.5 , suse/samba-server:latest Container Release : 62.5 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container suse/samba-server was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - container:suse-sle15-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 11:02:22 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 13:02:22 +0200 (CEST) Subject: SUSE-CU-2025:5025-1: Security update of suse/samba-toolbox Message-ID: <20250708110222.02EE0FCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/samba-toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5025-1 Container Tags : suse/samba-toolbox:4.21 , suse/samba-toolbox:4.21 , suse/samba-toolbox:4.21-62.5 , suse/samba-toolbox:latest Container Release : 62.5 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container suse/samba-toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - container:suse-sle15-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 11:02:27 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 13:02:27 +0200 (CEST) Subject: SUSE-CU-2025:5026-1: Security update of bci/bci-sle15-kernel-module-devel Message-ID: <20250708110227.A1287FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5026-1 Container Tags : bci/bci-sle15-kernel-module-devel:15.7 , bci/bci-sle15-kernel-module-devel:15.7-41.14 , bci/bci-sle15-kernel-module-devel:latest Container Release : 41.14 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container bci/bci-sle15-kernel-module-devel was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated - openssl-3-3.2.3-150700.5.10.1 updated - container:registry.suse.com-bci-bci-base-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 11:02:32 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 13:02:32 +0200 (CEST) Subject: SUSE-CU-2025:5027-1: Security update of suse/sle15 Message-ID: <20250708110232.A3B2CFCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5027-1 Container Tags : bci/bci-base:15.7 , bci/bci-base:15.7-5.8.9 , bci/bci-base:latest , suse/sle15:15.7 , suse/sle15:15.7-5.8.9 , suse/sle15:latest Container Release : 5.8.9 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated - libopenssl3-3.2.3-150700.5.10.1 updated - openssl-3-3.2.3-150700.5.10.1 updated From sle-container-updates at lists.suse.com Tue Jul 8 11:02:40 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 13:02:40 +0200 (CEST) Subject: SUSE-CU-2025:5028-1: Security update of bci/spack Message-ID: <20250708110240.E2DC9FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/spack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5028-1 Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-13.14 , bci/spack:latest Container Release : 13.14 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container bci/spack was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl-3-devel-3.2.3-150700.5.10.1 updated From sle-container-updates at lists.suse.com Tue Jul 8 11:02:43 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 13:02:43 +0200 (CEST) Subject: SUSE-CU-2025:5029-1: Security update of suse/stunnel Message-ID: <20250708110243.CDB08FCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/stunnel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5029-1 Container Tags : suse/stunnel:5 , suse/stunnel:5.70 , suse/stunnel:5.70-61.11 , suse/stunnel:latest Container Release : 61.11 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container suse/stunnel was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - container:suse-sle15-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 11:02:47 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 13:02:47 +0200 (CEST) Subject: SUSE-CU-2025:5030-1: Security update of suse/valkey Message-ID: <20250708110247.5FF31FCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/valkey ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5030-1 Container Tags : suse/valkey:8 , suse/valkey:8.0 , suse/valkey:8.0.2 , suse/valkey:8.0.2-61.10 , suse/valkey:latest Container Release : 61.10 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container suse/valkey was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895]

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.10.1 updated
- container:suse-sle15-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated

From sle-container-updates at lists.suse.com Tue Jul 8 11:14:12 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 13:14:12 +0200 (CEST)
Subject: SUSE-CU-2025:5030-1: Security update of suse/valkey
Message-ID: <20250708111412.540B1FCF8@maintenance.suse.de>

SUSE Container Update Advisory: suse/valkey
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5030-1
Container Tags : suse/valkey:8 , suse/valkey:8.0 , suse/valkey:8.0.2 , suse/valkey:8.0.2-61.10 , suse/valkey:latest
Container Release : 61.10
Severity : moderate
Type : security
References : 1240366 CVE-2025-27587
-----------------------------------------------------------------

The container suse/valkey was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2236-1
Released: Mon Jul 7 14:58:53 2025
Summary: Security update for openssl-3
Type: security
Severity: moderate
References: 1240366,CVE-2025-27587

This update for openssl-3 fixes the following issues:

- CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366).
- Backport mdless cms signing support [jsc#PED-12895]

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.10.1 updated
- container:suse-sle15-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated

From sle-container-updates at lists.suse.com Tue Jul 8 11:14:14 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 13:14:14 +0200 (CEST)
Subject: SUSE-CU-2025:5031-1: Security update of suse/kiosk/xorg
Message-ID: <20250708111414.7717AFCF8@maintenance.suse.de>

SUSE Container Update Advisory: suse/kiosk/xorg
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5031-1
Container Tags : suse/kiosk/xorg:21 , suse/kiosk/xorg:21.1 , suse/kiosk/xorg:21.1-63.3 , suse/kiosk/xorg:latest , suse/kiosk/xorg:notaskbar
Container Release : 63.3
Severity : moderate
Type : security
References : 1240366 CVE-2025-27587
-----------------------------------------------------------------

The container suse/kiosk/xorg was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2236-1
Released: Mon Jul 7 14:58:53 2025
Summary: Security update for openssl-3
Type: security
Severity: moderate
References: 1240366,CVE-2025-27587

This update for openssl-3 fixes the following issues:

- CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366).
- Backport mdless cms signing support [jsc#PED-12895]

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.10.1 updated
- container:suse-sle15-15.7-f48ce0230d181b5a123e860f0de07d2065afe9756ee52bb343ee5288e156d50c-0 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:05:57 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:05:57 +0200 (CEST)
Subject: SUSE-CU-2025:5032-1: Security update of containers/milvus
Message-ID: <20250708150557.1C0F5FD12@maintenance.suse.de>

SUSE Container Update Advisory: containers/milvus
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5032-1
Container Tags : containers/milvus:2.4 , containers/milvus:2.4.6 , containers/milvus:2.4.6-7.140
Container Release : 7.140
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container containers/milvus was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:

- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:

- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:

- libsystemd0-254.25-150600.4.40.1 updated
- container:registry.suse.com-bci-bci-base-15.6-a7f27f7bab64e7f95497baad4f390fdfe90800a959710ce80dd6d03ec4895995-0 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:07:28 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:07:28 +0200 (CEST)
Subject: SUSE-CU-2025:5033-1: Security update of containers/open-webui
Message-ID: <20250708150728.62D66FCFE@maintenance.suse.de>

SUSE Container Update Advisory: containers/open-webui
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5033-1
Container Tags : containers/open-webui:0 , containers/open-webui:0.6.9 , containers/open-webui:0.6.9-10.29
Container Release : 10.29
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container containers/open-webui was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2237-1
Released: Mon Jul 7 14:59:13 2025
Summary: Recommended update for openssl-3
Type: recommended
Severity: moderate
References:

This update for openssl-3 fixes the following issues:

- Backport mdless cms signing support [jsc#PED-12895]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:

- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:

- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:

- libopenssl3-3.1.4-150600.5.33.1 updated
- libopenssl-3-fips-provider-3.1.4-150600.5.33.1 updated
- openssl-3-3.1.4-150600.5.33.1 updated
- libsystemd0-254.25-150600.4.40.1 updated
- python311-certifi-2024.7.4-150600.1.44 updated
- python311-cchardet-2.1.19-150600.1.40 updated
- python311-numpy1-1.26.4-150600.1.48 updated
- python311-scipy-1.14.1-150600.1.49 updated
- python311-pandas-2.2.3-150600.1.51 updated
- python311-scikit-learn-1.5.1-150600.1.51 updated
- python311-open-webui-0.6.9-150600.2.9 updated
- container:registry.suse.com-bci-bci-base-15.6-a7f27f7bab64e7f95497baad4f390fdfe90800a959710ce80dd6d03ec4895995-0 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:07:42 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:07:42 +0200 (CEST)
Subject: SUSE-CU-2025:5034-1: Security update of containers/pytorch
Message-ID: <20250708150742.60F7AFCFE@maintenance.suse.de>

SUSE Container Update Advisory: containers/pytorch
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5034-1
Container Tags : containers/pytorch:2-nvidia , containers/pytorch:2.7.0-nvidia , containers/pytorch:2.7.0-nvidia-2.27
Container Release : 2.27
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container containers/pytorch was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:

- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:

- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).

The following package changes have been done:

- libudev1-254.25-150600.4.40.1 updated
- python311-torch-cuda-2.7.0-150600.2.14 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:09:12 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:09:12 +0200 (CEST)
Subject: SUSE-CU-2025:5035-1: Security update of suse/ltss/sle12.5/sles12sp5
Message-ID: <20250708150912.29EC7FCFE@maintenance.suse.de>

SUSE Container Update Advisory: suse/ltss/sle12.5/sles12sp5
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5035-1
Container Tags : suse/ltss/sle12.5/sles12sp5:8.5.104 , suse/ltss/sle12.5/sles12sp5:latest
Container Release : 8.5.104
Severity : moderate
Type : security
References : 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container suse/ltss/sle12.5/sles12sp5 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2243-1
Released: Tue Jul 8 10:43:31 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1243935,CVE-2025-4598

This update for systemd fixes the following issues:

- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

The following package changes have been done:

- libsystemd0-228-157.72.1 updated
- libudev1-228-157.72.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:13:24 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:13:24 +0200 (CEST)
Subject: SUSE-CU-2025:5036-1: Security update of bci/bci-init
Message-ID: <20250708151324.0FF5AFCF8@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-init
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5036-1
Container Tags : bci/bci-init:15.6 , bci/bci-init:15.6.44.14
Container Release : 44.14
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container bci/bci-init was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:

- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:

- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:

- libsystemd0-254.25-150600.4.40.1 updated
- systemd-254.25-150600.4.40.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:14:24 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:14:24 +0200 (CEST)
Subject: SUSE-CU-2025:5037-1: Security update of bci/nodejs
Message-ID: <20250708151424.EB255FCF8@maintenance.suse.de>

SUSE Container Update Advisory: bci/nodejs
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5037-1
Container Tags : bci/node:20 , bci/node:20.19.2 , bci/node:20.19.2-54.12 , bci/nodejs:20 , bci/nodejs:20.19.2 , bci/nodejs:20.19.2-54.12
Container Release : 54.12
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container bci/nodejs was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:

- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:

- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:

- libsystemd0-254.25-150600.4.40.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:15:29 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:15:29 +0200 (CEST)
Subject: SUSE-CU-2025:5038-1: Security update of bci/python
Message-ID: <20250708151529.8C9B7FCF8@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5038-1
Container Tags : bci/python:3 , bci/python:3.12 , bci/python:3.12.11 , bci/python:3.12.11-69.13
Container Release : 69.13
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container bci/python was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:

- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:

- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:

- libsystemd0-254.25-150600.4.40.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:16:13 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:16:13 +0200 (CEST)
Subject: SUSE-CU-2025:5039-1: Security update of suse/mariadb
Message-ID: <20250708151613.86EF6FCF8@maintenance.suse.de>

SUSE Container Update Advisory: suse/mariadb
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5039-1
Container Tags : suse/mariadb:10.11 , suse/mariadb:10.11.11 , suse/mariadb:10.11.11-68.9
Container Release : 68.9
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container suse/mariadb was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:

- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:

- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:

- libsystemd0-254.25-150600.4.40.1 updated
- container:suse-sle15-15.6-a7f27f7bab64e7f95497baad4f390fdfe90800a959710ce80dd6d03ec4895995-0 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:18:35 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:18:35 +0200 (CEST)
Subject: SUSE-CU-2025:5040-1: Security update of suse/sle15
Message-ID: <20250708151835.84B42FCF8@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5040-1
Container Tags : bci/bci-base:15.6 , bci/bci-base:15.6.47.23.9 , suse/sle15:15.6 , suse/sle15:15.6.47.23.9
Container Release : 47.23.9
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container suse/sle15 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:

- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:

- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:

- libudev1-254.25-150600.4.40.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:19:55 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:19:55 +0200 (CEST)
Subject: SUSE-CU-2025:5041-1: Security update of bci/spack
Message-ID: <20250708151955.278AAFCF8@maintenance.suse.de>

SUSE Container Update Advisory: bci/spack
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5041-1
Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-11.13
Container Release : 11.13
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container bci/spack was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:

- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:

- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:

- libsystemd0-254.25-150600.4.40.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:20:00 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:20:00 +0200 (CEST)
Subject: SUSE-CU-2025:5042-1: Security update of suse/389-ds
Message-ID: <20250708152000.C8F1AFCF8@maintenance.suse.de>

SUSE Container Update Advisory: suse/389-ds
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5042-1
Container Tags : suse/389-ds:2.5 , suse/389-ds:2.5.3 , suse/389-ds:2.5.3-61.14 , suse/389-ds:latest
Container Release : 61.14
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container suse/389-ds was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:

- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:

- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:

- libsystemd0-254.25-150600.4.40.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:20:05 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:20:05 +0200 (CEST)
Subject: SUSE-CU-2025:5043-1: Security update of suse/bind
Message-ID: <20250708152005.A60D8FCF8@maintenance.suse.de>

SUSE Container Update Advisory: suse/bind
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5043-1
Container Tags : suse/bind:9 , suse/bind:9.20 , suse/bind:9.20.9 , suse/bind:9.20.9-61.13 , suse/bind:latest
Container Release : 61.13
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container suse/bind was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:

- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:

- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:

- libsystemd0-254.25-150600.4.40.1 updated
- container:suse-sle15-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:20:10 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:20:10 +0200 (CEST)
Subject: SUSE-CU-2025:5044-1: Security update of suse/git
Message-ID: <20250708152010.E150AFCF8@maintenance.suse.de>

SUSE Container Update Advisory: suse/git
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5044-1
Container Tags : suse/git:2 , suse/git:2.43 , suse/git:2.43.0 , suse/git:2.43.0-61.16 , suse/git:latest
Container Release : 61.16
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container suse/git was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:

- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:

- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:

- libudev1-254.25-150600.4.40.1 updated
- container:suse-sle15-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:20:17 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:20:17 +0200 (CEST)
Subject: SUSE-CU-2025:5045-1: Security update of bci/golang
Message-ID: <20250708152017.96E43FCF8@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5045-1
Container Tags : bci/golang:1.23 , bci/golang:1.23.10 , bci/golang:1.23.10-2.71.14 , bci/golang:oldstable , bci/golang:oldstable-2.71.14
Container Release : 71.14
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container bci/golang was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:

- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:

- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:

- libsystemd0-254.25-150600.4.40.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:20:25 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:20:25 +0200 (CEST)
Subject: SUSE-CU-2025:5046-1: Security update of bci/golang
Message-ID: <20250708152025.AFE29FCF8@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5046-1
Container Tags : bci/golang:1.23-openssl , bci/golang:1.23.2-openssl , bci/golang:1.23.2-openssl-71.14 , bci/golang:oldstable-openssl , bci/golang:oldstable-openssl-71.14
Container Release : 71.14
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container bci/golang was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:

- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:

- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:

- libsystemd0-254.25-150600.4.40.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:20:34 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:20:34 +0200 (CEST)
Subject: SUSE-CU-2025:5047-1: Security update of bci/golang
Message-ID: <20250708152034.76D84FCF8@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5047-1
Container Tags : bci/golang:1.24 , bci/golang:1.24.4 , bci/golang:1.24.4-1.71.14 , bci/golang:latest , bci/golang:stable , bci/golang:stable-1.71.14
Container Release : 71.14
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container bci/golang was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:

- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:

- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:

- libsystemd0-254.25-150600.4.40.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:20:41 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:20:41 +0200 (CEST)
Subject: SUSE-CU-2025:5048-1: Security update of bci/golang
Message-ID: <20250708152041.28E73FCF8@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5048-1
Container Tags : bci/golang:1.24-openssl , bci/golang:1.24.3-openssl , bci/golang:1.24.3-openssl-71.14 , bci/golang:latest , bci/golang:stable-openssl , bci/golang:stable-openssl-71.14
Container Release : 71.14
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container bci/golang was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:

- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:

- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:

- libsystemd0-254.25-150600.4.40.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:20:49 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:20:49 +0200 (CEST)
Subject: SUSE-CU-2025:5049-1: Security update of bci/bci-init
Message-ID: <20250708152049.A6834FCF8@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-init
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5049-1
Container Tags : bci/bci-init:15.7 , bci/bci-init:15.7-41.17 , bci/bci-init:latest
Container Release : 41.17
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container bci/bci-init was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:

- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:

- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:

- libsystemd0-254.25-150600.4.40.1 updated
- systemd-254.25-150600.4.40.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:20:55 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:20:55 +0200 (CEST)
Subject: SUSE-CU-2025:5050-1: Security update of suse/kiosk/firefox-esr
Message-ID: <20250708152055.8AD96FCF8@maintenance.suse.de>

SUSE Container Update Advisory: suse/kiosk/firefox-esr
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5050-1
Container Tags : suse/kiosk/firefox-esr:128.12 , suse/kiosk/firefox-esr:128.12-62.6 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest
Container Release : 62.6
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container suse/kiosk/firefox-esr was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:

- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:

- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:
- libudev1-254.25-150600.4.40.1 updated
- libsystemd0-254.25-150600.4.40.1 updated
- container:suse-sle15-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:21:05 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:21:05 +0200 (CEST)
Subject: SUSE-CU-2025:5051-1: Security update of bci/kiwi
Message-ID: <20250708152105.7C7B6FCF8@maintenance.suse.de>

SUSE Container Update Advisory: bci/kiwi
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5051-1
Container Tags : bci/kiwi:9 , bci/kiwi:9.24 , bci/kiwi:9.24.43 , bci/kiwi:9.24.43-16.21 , bci/kiwi:latest
Container Release : 16.21
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container bci/kiwi was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:
- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:
- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:
- libsystemd0-254.25-150600.4.40.1 updated
- systemd-254.25-150600.4.40.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:21:12 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:21:12 +0200 (CEST)
Subject: SUSE-CU-2025:5052-1: Security update of bci/nodejs
Message-ID: <20250708152112.1949AFCF8@maintenance.suse.de>

SUSE Container Update Advisory: bci/nodejs
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5052-1
Container Tags : bci/node:22 , bci/node:22.15.1 , bci/node:22.15.1-9.14 , bci/node:latest , bci/nodejs:22 , bci/nodejs:22.15.1 , bci/nodejs:22.15.1-9.14 , bci/nodejs:latest
Container Release : 9.14
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container bci/nodejs was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:
- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:
- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:
- libsystemd0-254.25-150600.4.40.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:30:06 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:30:06 +0200 (CEST)
Subject: SUSE-CU-2025:5053-1: Security update of suse/hpc/warewulf4-x86_64/sle-hpc-node
Message-ID: <20250708153006.482AEFCF8@maintenance.suse.de>

SUSE Container Update Advisory: suse/hpc/warewulf4-x86_64/sle-hpc-node
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5053-1
Container Tags : suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6 , suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6.17.8.71 , suse/hpc/warewulf4-x86_64/sle-hpc-node:latest
Container Release : 17.8.71
Severity : moderate
Type : security
References : 1240789 1241474 1242696 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container suse/hpc/warewulf4-x86_64/sle-hpc-node was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:
- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:
- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2247-1
Released: Tue Jul 8 10:59:37 2025
Summary: Recommended update for mdadm
Type: recommended
Severity: moderate
References: 1240789,1241474,1242696

This update for mdadm fixes the following issues:
- Add MAILFROM address to email envelope to avoid smtp auth errors (bsc#1241474).
- Allow any valid minor name in md device name (bsc#1240789).
- Add dependency on suse-module-tools for SLE15 (bsc#1242696).

The following package changes have been done:
- libsystemd0-254.25-150600.4.40.1 updated
- libudev1-254.25-150600.4.40.1 updated
- mdadm-4.3-150600.3.14.2 updated
- systemd-254.25-150600.4.40.1 updated
- udev-254.25-150600.4.40.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:31:35 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:31:35 +0200 (CEST)
Subject: SUSE-CU-2025:5052-1: Security update of bci/nodejs
Message-ID: <20250708153135.AFAA5FCF8@maintenance.suse.de>

SUSE Container Update Advisory: bci/nodejs
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5052-1
Container Tags : bci/node:22 , bci/node:22.15.1 , bci/node:22.15.1-9.14 , bci/node:latest , bci/nodejs:22 , bci/nodejs:22.15.1 , bci/nodejs:22.15.1-9.14 , bci/nodejs:latest
Container Release : 9.14
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container bci/nodejs was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:
- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:
- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).

The following package changes have been done:
- libsystemd0-254.25-150600.4.40.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:31:44 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:31:44 +0200 (CEST)
Subject: SUSE-CU-2025:5055-1: Security update of bci/openjdk
Message-ID: <20250708153144.7F4E5FCF8@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5055-1
Container Tags : bci/openjdk:17 , bci/openjdk:17.0.15.0 , bci/openjdk:17.0.15.0-7.20
Container Release : 7.20
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container bci/openjdk was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:
- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).
Other bugfixes:
- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).

The following package changes have been done:
- libsystemd0-254.25-150600.4.40.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:31:55 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:31:55 +0200 (CEST)
Subject: SUSE-CU-2025:5057-1: Security update of bci/openjdk
Message-ID: <20250708153155.6CB2EFCF8@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5057-1
Container Tags : bci/openjdk:21 , bci/openjdk:21.0.7.0 , bci/openjdk:21.0.7.0-10.19 , bci/openjdk:latest
Container Release : 10.19
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container bci/openjdk was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:
- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:
- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:
- libsystemd0-254.25-150600.4.40.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:32:01 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:32:01 +0200 (CEST)
Subject: SUSE-CU-2025:5058-1: Security update of suse/pcp
Message-ID: <20250708153201.B72D2FCF8@maintenance.suse.de>

SUSE Container Update Advisory: suse/pcp
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5058-1
Container Tags : suse/pcp:6 , suse/pcp:6.2 , suse/pcp:6.2.0 , suse/pcp:6.2.0-61.22 , suse/pcp:latest
Container Release : 61.22
Severity : moderate
Type : security
References : 1240366 CVE-2025-27587
-----------------------------------------------------------------

The container suse/pcp was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2236-1
Released: Mon Jul 7 14:58:53 2025
Summary: Security update for openssl-3
Type: security
Severity: moderate
References: 1240366,CVE-2025-27587

This update for openssl-3 fixes the following issues:
- CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366).
- Backport mdless cms signing support [jsc#PED-12895]

The following package changes have been done:
- libopenssl3-3.2.3-150700.5.10.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated
- container:bci-bci-init-15.7-68c499a9da16db525987cc6219568227271bcdc2d0f9bd4d163a91381d22b51a-0 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:32:05 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:32:05 +0200 (CEST)
Subject: SUSE-CU-2025:5059-1: Security update of bci/php-apache
Message-ID: <20250708153205.D1DE6FCF8@maintenance.suse.de>

SUSE Container Update Advisory: bci/php-apache
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5059-1
Container Tags : bci/php-apache:8 , bci/php-apache:8.3.19 , bci/php-apache:8.3.19-10.15 , bci/php-apache:latest
Container Release : 10.15
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container bci/php-apache was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:
- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:
- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:
- libsystemd0-254.25-150600.4.40.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:32:09 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:32:09 +0200 (CEST)
Subject: SUSE-CU-2025:5060-1: Security update of suse/postgres
Message-ID: <20250708153209.BA516FCF8@maintenance.suse.de>

SUSE Container Update Advisory: suse/postgres
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5060-1
Container Tags : suse/postgres:16 , suse/postgres:16.9 , suse/postgres:16.9 , suse/postgres:16.9-71.5
Container Release : 71.5
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container suse/postgres was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:
- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:
- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:
- libsystemd0-254.25-150600.4.40.1 updated
- container:suse-sle15-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:32:13 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:32:13 +0200 (CEST)
Subject: SUSE-CU-2025:5061-1: Security update of suse/postgres
Message-ID: <20250708153213.5AC3CFCF8@maintenance.suse.de>

SUSE Container Update Advisory: suse/postgres
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5061-1
Container Tags : suse/postgres:17 , suse/postgres:17.5 , suse/postgres:17.5 , suse/postgres:17.5-61.13 , suse/postgres:latest
Container Release : 61.13
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container suse/postgres was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:
- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:
- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:
- libsystemd0-254.25-150600.4.40.1 updated
- container:suse-sle15-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:32:18 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:32:18 +0200 (CEST)
Subject: SUSE-CU-2025:5062-1: Security update of suse/kiosk/pulseaudio
Message-ID: <20250708153218.0AF26FCF8@maintenance.suse.de>

SUSE Container Update Advisory: suse/kiosk/pulseaudio
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5062-1
Container Tags : suse/kiosk/pulseaudio:17 , suse/kiosk/pulseaudio:17.0 , suse/kiosk/pulseaudio:17.0-61.15 , suse/kiosk/pulseaudio:latest
Container Release : 61.15
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container suse/kiosk/pulseaudio was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:
- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:
- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:
- libsystemd0-254.25-150600.4.40.1 updated
- systemd-254.25-150600.4.40.1 updated
- udev-254.25-150600.4.40.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:32:23 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:32:23 +0200 (CEST)
Subject: SUSE-CU-2025:5063-1: Security update of bci/python
Message-ID: <20250708153223.F2FE0FCF8@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5063-1
Container Tags : bci/python:3 , bci/python:3.11 , bci/python:3.11.13 , bci/python:3.11.13-71.16
Container Release : 71.16
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container bci/python was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:
- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:
- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:
- libsystemd0-254.25-150600.4.40.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:32:30 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:32:30 +0200 (CEST)
Subject: SUSE-CU-2025:5064-1: Security update of bci/python
Message-ID: <20250708153230.8F761FCF8@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5064-1
Container Tags : bci/python:3.13 , bci/python:3.13.5 , bci/python:3.13.5-71.17 , bci/python:latest
Container Release : 71.17
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container bci/python was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:
- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:
- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:
- libsystemd0-254.25-150600.4.40.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:32:36 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:32:36 +0200 (CEST)
Subject: SUSE-CU-2025:5065-1: Security update of bci/python
Message-ID: <20250708153236.4E146FCF8@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5065-1
Container Tags : bci/python:3 , bci/python:3.6 , bci/python:3.6.15 , bci/python:3.6.15-71.16
Container Release : 71.16
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container bci/python was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:
- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:
- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:
- libsystemd0-254.25-150600.4.40.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:32:40 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:32:40 +0200 (CEST)
Subject: SUSE-CU-2025:5066-1: Security update of suse/mariadb
Message-ID: <20250708153240.7AFFFFCF8@maintenance.suse.de>

SUSE Container Update Advisory: suse/mariadb
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5066-1
Container Tags : suse/mariadb:11.4 , suse/mariadb:11.4.5 , suse/mariadb:11.4.5-61.13 , suse/mariadb:latest
Container Release : 61.13
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container suse/mariadb was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:
- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:
- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:
- libsystemd0-254.25-150600.4.40.1 updated
- container:suse-sle15-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:32:45 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:32:45 +0200 (CEST)
Subject: SUSE-CU-2025:5067-1: Security update of suse/rmt-server
Message-ID: <20250708153245.B7FB1FCF8@maintenance.suse.de>

SUSE Container Update Advisory: suse/rmt-server
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5067-1
Container Tags : suse/rmt-server:2 , suse/rmt-server:2.22 , suse/rmt-server:2.22-71.14 , suse/rmt-server:latest
Container Release : 71.14
Severity : moderate
Type : security
References : 1240366 CVE-2025-27587
-----------------------------------------------------------------

The container suse/rmt-server was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2236-1
Released: Mon Jul 7 14:58:53 2025
Summary: Security update for openssl-3
Type: security
Severity: moderate
References: 1240366,CVE-2025-27587

This update for openssl-3 fixes the following issues:
- CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366).
- Backport mdless cms signing support [jsc#PED-12895]

The following package changes have been done:
- libopenssl3-3.2.3-150700.5.10.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:32:50 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:32:50 +0200 (CEST)
Subject: SUSE-CU-2025:5068-1: Security update of bci/ruby
Message-ID: <20250708153250.55229FCF8@maintenance.suse.de>

SUSE Container Update Advisory: bci/ruby
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5068-1
Container Tags : bci/ruby:2 , bci/ruby:2.5 , bci/ruby:2.5-11.14
Container Release : 11.14
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container bci/ruby was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:
- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:
- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:
- libsystemd0-254.25-150600.4.40.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:32:55 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:32:55 +0200 (CEST)
Subject: SUSE-CU-2025:5069-1: Security update of bci/ruby
Message-ID: <20250708153255.9517BFCF8@maintenance.suse.de>

SUSE Container Update Advisory: bci/ruby
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5069-1
Container Tags : bci/ruby:3 , bci/ruby:3.4 , bci/ruby:3.4-10.14 , bci/ruby:latest
Container Release : 10.14
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container bci/ruby was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:
- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:
- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:
- libsystemd0-254.25-150600.4.40.1 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:32:58 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:32:58 +0200 (CEST)
Subject: SUSE-CU-2025:5070-1: Security update of suse/samba-client
Message-ID: <20250708153258.95170FCF8@maintenance.suse.de>

SUSE Container Update Advisory: suse/samba-client
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5070-1
Container Tags : suse/samba-client:4.21 , suse/samba-client:4.21 , suse/samba-client:4.21-62.7 , suse/samba-client:latest
Container Release : 62.7
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container suse/samba-client was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:
- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:
- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:
- libsystemd0-254.25-150600.4.40.1 updated
- container:suse-sle15-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:33:01 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:33:01 +0200 (CEST)
Subject: SUSE-CU-2025:5071-1: Security update of suse/samba-toolbox
Message-ID: <20250708153301.AAA7BFCF8@maintenance.suse.de>

SUSE Container Update Advisory: suse/samba-toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5071-1
Container Tags : suse/samba-toolbox:4.21 , suse/samba-toolbox:4.21 , suse/samba-toolbox:4.21-62.7 , suse/samba-toolbox:latest
Container Release : 62.7
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container suse/samba-toolbox was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:
- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:
- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:
- libsystemd0-254.25-150600.4.40.1 updated
- container:suse-sle15-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated

From sle-container-updates at lists.suse.com Tue Jul 8 15:33:08 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 8 Jul 2025 17:33:08 +0200 (CEST)
Subject: SUSE-CU-2025:5072-1: Security update of suse/sle15
Message-ID: <20250708153308.F2B2DFCF8@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5072-1
Container Tags : bci/bci-base:15.7 , bci/bci-base:15.7-5.8.10 , bci/bci-base:latest , suse/sle15:15.7 , suse/sle15:15.7-5.8.10 , suse/sle15:latest
Container Release : 5.8.10
Severity : moderate
Type : security
References : 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:
- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:
- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done: - libudev1-254.25-150600.4.40.1 updated From sle-container-updates at lists.suse.com Tue Jul 8 15:33:17 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 17:33:17 +0200 (CEST) Subject: SUSE-CU-2025:5073-1: Security update of bci/spack Message-ID: <20250708153317.ED110FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/spack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5073-1 Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-13.16 , bci/spack:latest Container Release : 13.16 Severity : moderate Type : security References : 1242827 1243935 CVE-2025-4598 ----------------------------------------------------------------- The container bci/spack was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2244-1 Released: Tue Jul 8 10:44:02 2025 Summary: Security update for systemd Type: security Severity: moderate References: 1242827,1243935,CVE-2025-4598 This update for systemd fixes the following issues: - CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935). Other bugfixes: - logs-show: get timestamp and boot ID only when necessary (bsc#1242827). 
The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated - openssl-3-3.2.3-150700.5.10.1 updated - libsystemd0-254.25-150600.4.40.1 updated - container:registry.suse.com-bci-bci-base-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 15:33:23 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 17:33:23 +0200 (CEST) Subject: SUSE-CU-2025:5074-1: Security update of suse/valkey Message-ID: <20250708153323.3D866FCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/valkey ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5074-1 Container Tags : suse/valkey:8 , suse/valkey:8.0 , suse/valkey:8.0.2 , suse/valkey:8.0.2-61.12 , suse/valkey:latest Container Release : 61.12 Severity : moderate Type : security References : 1242827 1243935 CVE-2025-4598 ----------------------------------------------------------------- The container suse/valkey was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2244-1 Released: Tue Jul 8 10:44:02 2025 Summary: Security update for systemd Type: security Severity: moderate References: 1242827,1243935,CVE-2025-4598 This update for systemd fixes the following issues: - CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935). Other bugfixes: - logs-show: get timestamp and boot ID only when necessary (bsc#1242827). 
The following package changes have been done: - libsystemd0-254.25-150600.4.40.1 updated - container:suse-sle15-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated From sle-container-updates at lists.suse.com Tue Jul 8 15:43:30 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 8 Jul 2025 17:43:30 +0200 (CEST) Subject: SUSE-CU-2025:5075-1: Security update of suse/kiosk/xorg Message-ID: <20250708154330.5208CF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/xorg ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5075-1 Container Tags : suse/kiosk/xorg:21 , suse/kiosk/xorg:21.1 , suse/kiosk/xorg:21.1-63.5 , suse/kiosk/xorg:latest , suse/kiosk/xorg:notaskbar Container Release : 63.5 Severity : moderate Type : security References : 1242827 1243935 CVE-2025-4598 ----------------------------------------------------------------- The container suse/kiosk/xorg was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2244-1 Released: Tue Jul 8 10:44:02 2025 Summary: Security update for systemd Type: security Severity: moderate References: 1242827,1243935,CVE-2025-4598 This update for systemd fixes the following issues: - CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935). Other bugfixes: - logs-show: get timestamp and boot ID only when necessary (bsc#1242827). 
The following package changes have been done: - libudev1-254.25-150600.4.40.1 updated - libsystemd0-254.25-150600.4.40.1 updated - systemd-254.25-150600.4.40.1 updated - udev-254.25-150600.4.40.1 updated - container:suse-sle15-15.7-f2b1cfe0af5829ac28493242a7a9b6b5b578979851467643d1bf5c5b4ca69b32-0 updated From sle-container-updates at lists.suse.com Wed Jul 9 07:05:42 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 9 Jul 2025 09:05:42 +0200 (CEST) Subject: SUSE-IU-2025:1776-1: Security update of suse/sl-micro/6.1/base-os-container Message-ID: <20250709070542.0DD85FCF8@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1776-1 Image Tags : suse/sl-micro/6.1/base-os-container:2.2.1 , suse/sl-micro/6.1/base-os-container:2.2.1-5.5 , suse/sl-micro/6.1/base-os-container:latest Image Release : 5.5 Severity : moderate Type : security References : 1236931 1239119 1243069 CVE-2025-30258 ----------------------------------------------------------------- The container suse/sl-micro/6.1/base-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 173 Released: Tue Jul 8 18:15:02 2025 Summary: Security update for gpg2 Type: security Severity: moderate References: 1236931,1239119,1243069,CVE-2025-30258 This update for gpg2 fixes the following issues: - CVE-2025-30258: Fix a verification DoS due to a malicious subkey in the keyring: [bsc#1239119, bsc#1236931] * gpg: Fix regression for the recent malicious subkey DoS fix. * gpg: Fix another regression due to the T7547 fix. * gpg: Allow the use of an ADSK subkey as ADSK subkey. 
- Don't install expired sks certificate [bsc#1243069] The following package changes have been done: - SL-Micro-release-6.1-slfo.1.11.42 updated - gpg2-2.4.4-slfo.1.1_5.1 updated - container:suse-toolbox-image-1.0.0-4.49 updated From sle-container-updates at lists.suse.com Wed Jul 9 07:15:54 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 9 Jul 2025 09:15:54 +0200 (CEST) Subject: SUSE-CU-2025:5090-1: Security update of bci/bci-busybox Message-ID: <20250709071554.3056EF78C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-busybox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5090-1 Container Tags : bci/bci-busybox:15.7 , bci/bci-busybox:15.7-9.1 , bci/bci-busybox:latest Container Release : 9.1 Severity : important Type : security References : 1243201 1243317 CVE-2025-4802 ----------------------------------------------------------------- The container bci/bci-busybox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1867-1 Released: Fri Jun 13 09:57:52 2025 Summary: Recommended update for busybox Type: recommended Severity: important References: 1243201 This update for busybox fixes the following issues: - Enable halt, poweroff, reboot commands (bsc#1243201) The following package changes have been done: - busybox-adduser-1.35.0-150500.7.4.1 updated - busybox-attr-1.35.0-150500.7.4.1 updated - busybox-bc-1.35.0-150500.7.4.1 updated - busybox-bind-utils-1.35.0-150500.7.4.1 updated - busybox-bzip2-1.35.0-150500.7.4.1 updated - busybox-coreutils-1.35.0-150500.7.4.1 updated - busybox-cpio-1.35.0-150500.7.4.1 updated - busybox-diffutils-1.35.0-150500.7.4.1 updated - busybox-dos2unix-1.35.0-150500.7.4.1 updated - busybox-ed-1.35.0-150500.7.4.1 updated - busybox-findutils-1.35.0-150500.7.4.1 updated - busybox-gawk-1.35.0-150500.7.4.1 updated - busybox-grep-1.35.0-150500.7.4.1 updated - busybox-gzip-1.35.0-150500.7.4.1 updated - busybox-hostname-1.35.0-150500.7.4.1 updated - busybox-iproute2-1.35.0-150500.7.4.1 updated - busybox-iputils-1.35.0-150500.7.4.1 updated - busybox-kbd-1.35.0-150500.7.4.1 updated - busybox-less-1.35.0-150500.7.4.1 updated - busybox-links-1.35.0-150500.7.4.1 updated - busybox-man-1.35.0-150500.7.4.1 updated - busybox-misc-1.35.0-150500.7.4.1 updated - busybox-ncurses-utils-1.35.0-150500.7.4.1 updated - busybox-net-tools-1.35.0-150500.7.4.1 updated - busybox-netcat-1.35.0-150500.7.4.1 updated - busybox-patch-1.35.0-150500.7.4.1 updated - busybox-policycoreutils-1.35.0-150500.7.4.1 updated - busybox-procps-1.35.0-150500.7.4.1 updated - busybox-psmisc-1.35.0-150500.7.4.1 updated - busybox-sed-1.35.0-150500.7.4.1 updated - busybox-selinux-tools-1.35.0-150500.7.4.1 updated - busybox-sendmail-1.35.0-150500.7.4.1 updated - busybox-sharutils-1.35.0-150500.7.4.1 updated - busybox-sh-1.35.0-150500.7.4.1 updated - busybox-syslogd-1.35.0-150500.7.4.1 updated - 
busybox-sysvinit-tools-1.35.0-150500.7.4.1 updated - busybox-tar-1.35.0-150500.7.4.1 updated - busybox-telnet-1.35.0-150500.7.4.1 updated - busybox-tftp-1.35.0-150500.7.4.1 updated - busybox-time-1.35.0-150500.7.4.1 updated - busybox-traceroute-1.35.0-150500.7.4.1 updated - busybox-tunctl-1.35.0-150500.7.4.1 updated - busybox-unzip-1.35.0-150500.7.4.1 updated - busybox-util-linux-1.35.0-150500.7.4.1 updated - busybox-vi-1.35.0-150500.7.4.1 updated - busybox-vlan-1.35.0-150500.7.4.1 updated - busybox-wget-1.35.0-150500.7.4.1 updated - busybox-which-1.35.0-150500.7.4.1 updated - busybox-whois-1.35.0-150500.7.4.1 updated - busybox-xz-1.35.0-150500.7.4.1 updated - glibc-2.38-150600.14.32.1 updated From sle-container-updates at lists.suse.com Wed Jul 9 07:15:56 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 9 Jul 2025 09:15:56 +0200 (CEST) Subject: SUSE-CU-2025:5091-1: Security update of suse/cosign Message-ID: <20250709071556.2E0BBF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/cosign ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5091-1 Container Tags : suse/cosign:2 , suse/cosign:2.5 , suse/cosign:2.5.0 , suse/cosign:2.5.0-11.12 , suse/cosign:latest Container Release : 11.12 Severity : moderate Type : security References : 1242827 1243935 CVE-2025-4598 ----------------------------------------------------------------- The container suse/cosign was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2244-1 Released: Tue Jul 8 10:44:02 2025 Summary: Security update for systemd Type: security Severity: moderate References: 1242827,1243935,CVE-2025-4598 This update for systemd fixes the following issues: - CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935). Other bugfixes: - logs-show: get timestamp and boot ID only when necessary (bsc#1242827). The following package changes have been done: - libudev1-254.25-150600.4.40.1 updated - container:suse-sle15-15.7-5796b2ea9eb033483ca60e09f9a5a6445df5299e288d32559b320afb2adb50ae-0 updated From sle-container-updates at lists.suse.com Wed Jul 9 07:16:16 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 9 Jul 2025 09:16:16 +0200 (CEST) Subject: SUSE-CU-2025:5096-1: Security update of bci/gcc Message-ID: <20250709071616.9588FF78C@maintenance.suse.de> SUSE Container Update Advisory: bci/gcc ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5096-1 Container Tags : bci/gcc:14 , bci/gcc:14.2 , bci/gcc:14.2-10.16 , bci/gcc:latest Container Release : 10.16 Severity : moderate Type : security References : 1240366 1242827 1243935 CVE-2025-27587 CVE-2025-4598 ----------------------------------------------------------------- The container bci/gcc was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2244-1 Released: Tue Jul 8 10:44:02 2025 Summary: Security update for systemd Type: security Severity: moderate References: 1242827,1243935,CVE-2025-4598 This update for systemd fixes the following issues: - CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935). Other bugfixes: - logs-show: get timestamp and boot ID only when necessary (bsc#1242827). The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated - libsystemd0-254.25-150600.4.40.1 updated - container:registry.suse.com-bci-bci-base-15.7-5796b2ea9eb033483ca60e09f9a5a6445df5299e288d32559b320afb2adb50ae-0 updated From sle-container-updates at lists.suse.com Wed Jul 9 07:17:13 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 9 Jul 2025 09:17:13 +0200 (CEST) Subject: SUSE-CU-2025:5109-1: Security update of suse/pcp Message-ID: <20250709071713.C8CF4F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/pcp ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5109-1 Container Tags : suse/pcp:6 , suse/pcp:6.2 , suse/pcp:6.2.0 , suse/pcp:6.2.0-61.24 , suse/pcp:latest Container Release : 61.24 Severity : moderate Type : security References : 1242827 1243935 CVE-2025-4598 ----------------------------------------------------------------- The container suse/pcp was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2244-1 Released: Tue Jul 8 10:44:02 2025 Summary: Security update for systemd Type: security Severity: moderate References: 1242827,1243935,CVE-2025-4598 This update for systemd fixes the following issues: - CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935). Other bugfixes: - logs-show: get timestamp and boot ID only when necessary (bsc#1242827). The following package changes have been done: - libsystemd0-254.25-150600.4.40.1 updated - systemd-254.25-150600.4.40.1 updated - container:bci-bci-init-15.7-f81f2b720a0754fcc841df04d04fb19d850aaae6ca6ed4eb6ddba29a05bfee9a-0 updated From sle-container-updates at lists.suse.com Wed Jul 9 07:17:23 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 9 Jul 2025 09:17:23 +0200 (CEST) Subject: SUSE-CU-2025:5112-1: Security update of bci/php-fpm Message-ID: <20250709071723.22BC9F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/php-fpm ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5112-1 Container Tags : bci/php-fpm:8 , bci/php-fpm:8.3.19 , bci/php-fpm:8.3.19-10.17 , bci/php-fpm:latest Container Release : 10.17 Severity : moderate Type : security References : 1242827 1243935 CVE-2025-4598 ----------------------------------------------------------------- The container bci/php-fpm was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2244-1 Released: Tue Jul 8 10:44:02 2025 Summary: Security update for systemd Type: security Severity: moderate References: 1242827,1243935,CVE-2025-4598 This update for systemd fixes the following issues: - CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935). Other bugfixes: - logs-show: get timestamp and boot ID only when necessary (bsc#1242827). The following package changes have been done: - libsystemd0-254.25-150600.4.40.1 updated - container:registry.suse.com-bci-bci-base-15.7-5796b2ea9eb033483ca60e09f9a5a6445df5299e288d32559b320afb2adb50ae-0 updated From sle-container-updates at lists.suse.com Wed Jul 9 07:17:47 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 9 Jul 2025 09:17:47 +0200 (CEST) Subject: SUSE-CU-2025:5118-1: Security update of suse/rmt-server Message-ID: <20250709071747.47328F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/rmt-server ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5118-1 Container Tags : suse/rmt-server:2 , suse/rmt-server:2.22 , suse/rmt-server:2.22-71.16 , suse/rmt-server:latest Container Release : 71.16 Severity : moderate Type : security References : 1242827 1243935 CVE-2025-4598 ----------------------------------------------------------------- The container suse/rmt-server was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2244-1 Released: Tue Jul 8 10:44:02 2025 Summary: Security update for systemd Type: security Severity: moderate References: 1242827,1243935,CVE-2025-4598 This update for systemd fixes the following issues: - CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935). Other bugfixes: - logs-show: get timestamp and boot ID only when necessary (bsc#1242827). The following package changes have been done: - libudev1-254.25-150600.4.40.1 updated - container:registry.suse.com-bci-bci-base-15.7-5796b2ea9eb033483ca60e09f9a5a6445df5299e288d32559b320afb2adb50ae-0 updated From sle-container-updates at lists.suse.com Wed Jul 9 07:18:01 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 9 Jul 2025 09:18:01 +0200 (CEST) Subject: SUSE-CU-2025:5122-1: Security update of suse/samba-server Message-ID: <20250709071801.2A208F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/samba-server ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5122-1 Container Tags : suse/samba-server:4.21 , suse/samba-server:4.21 , suse/samba-server:4.21-62.9 , suse/samba-server:latest Container Release : 62.9 Severity : moderate Type : security References : 1242827 1243935 CVE-2025-4598 ----------------------------------------------------------------- The container suse/samba-server was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2244-1 Released: Tue Jul 8 10:44:02 2025 Summary: Security update for systemd Type: security Severity: moderate References: 1242827,1243935,CVE-2025-4598 This update for systemd fixes the following issues: - CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935). Other bugfixes: - logs-show: get timestamp and boot ID only when necessary (bsc#1242827). The following package changes have been done: - libsystemd0-254.25-150600.4.40.1 updated - container:suse-sle15-15.7-5796b2ea9eb033483ca60e09f9a5a6445df5299e288d32559b320afb2adb50ae-0 updated From sle-container-updates at lists.suse.com Thu Jul 10 07:04:28 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 09:04:28 +0200 (CEST) Subject: SUSE-CU-2025:5127-1: Security update of containers/pytorch Message-ID: <20250710070428.7A564FCF8@maintenance.suse.de> SUSE Container Update Advisory: containers/pytorch ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5127-1 Container Tags : containers/pytorch:2-nvidia , containers/pytorch:2.7.0-nvidia , containers/pytorch:2.7.0-nvidia-2.30 Container Release : 2.30 Severity : low Type : security References : 1236931 1239119 1239817 CVE-2025-30258 ----------------------------------------------------------------- The container containers/pytorch was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2259-1 Released: Wed Jul 9 17:18:02 2025 Summary: Recommended update for gpg2 Type: security Severity: low References: 1236931,1239119,1239817,CVE-2025-30258 This update for gpg2 fixes the following issues: - CVE-2025-30258: Fixed DoS due to a malicious subkey in the keyring (bsc#1239119). Other bugfixes: - Do not install expired sks certificate (bsc#1243069). - gpg hangs when importing a key (bsc#1236931). The following package changes have been done: - gpg2-2.4.4-150600.3.9.1 updated - container:registry.suse.com-bci-bci-micro-15.6-9d07d1df486b233daea750f258d1e2674468ae6260c5a168546bc421f8045708-0 updated From sle-container-updates at lists.suse.com Thu Jul 10 07:04:58 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 09:04:58 +0200 (CEST) Subject: SUSE-CU-2025:5128-1: Security update of rancher/elemental-channel/sl-micro Message-ID: <20250710070458.99FC1FCF8@maintenance.suse.de> SUSE Container Update Advisory: rancher/elemental-channel/sl-micro ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5128-1 Container Tags : rancher/elemental-channel/sl-micro:6.1-baremetal , rancher/elemental-channel/sl-micro:6.1-baremetal-3.4 Container Release : 3.4 Severity : critical Type : security References : 1219503 1225365 1234128 1234665 1239883 1243317 CVE-2023-32324 CVE-2023-32360 CVE-2023-34241 CVE-2023-4504 CVE-2024-35235 CVE-2025-4802 ----------------------------------------------------------------- The container rancher/elemental-channel/sl-micro was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 122 Released: Tue May 27 11:28:57 2025 Summary: Security update for glibc Type: security Severity: critical References: 1219503,1225365,1234128,1234665,1239883,1243317,CVE-2023-32324,CVE-2023-32360,CVE-2023-34241,CVE-2023-4504,CVE-2024-35235,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for static (bsc#1243317) - pthreads NPTL: lost wakeup fix 2 (bsc#1234128, BZ #25847) - Mark functions in libc_nonshared.a as hidden (bsc#1239883) - Linux: Switch back to assembly syscall wrapper for prctl (bsc#1234665, BZ #29770) The following package changes have been done: - compat-usrmerge-tools-84.87-slfo.1.1_1.5 updated - system-user-root-20190513-slfo.1.1_1.2 updated - filesystem-84.87-slfo.1.1_1.2 updated - glibc-2.38-slfo.1.1_4.1 updated - libsepol2-3.5-slfo.1.1_1.3 updated - libpcre2-8-0-10.42-slfo.1.1_1.4 updated - libcrypt1-4.4.36-slfo.1.1_1.4 updated - libselinux1-3.5-slfo.1.1_1.3 updated - busybox-1.36.1-slfo.1.1_1.2 updated - container:suse-toolbox-image-1.0.0-4.50 updated From sle-container-updates at lists.suse.com Thu Jul 10 07:05:01 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 09:05:01 +0200 (CEST) Subject: SUSE-CU-2025:5129-1: Security update of rancher/elemental-channel/sl-micro Message-ID: <20250710070501.1DD56FCF8@maintenance.suse.de> SUSE Container Update Advisory: rancher/elemental-channel/sl-micro ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5129-1 Container Tags : rancher/elemental-channel/sl-micro:6.1-base , rancher/elemental-channel/sl-micro:6.1-base-3.4 Container Release : 3.4 Severity : critical Type : security References : 1219503 1225365 1234128 1234665 1239883 1243317 CVE-2023-32324 CVE-2023-32360 
CVE-2023-34241 CVE-2023-4504 CVE-2024-35235 CVE-2025-4802 ----------------------------------------------------------------- The container rancher/elemental-channel/sl-micro was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 122 Released: Tue May 27 11:28:57 2025 Summary: Security update for glibc Type: security Severity: critical References: 1219503,1225365,1234128,1234665,1239883,1243317,CVE-2023-32324,CVE-2023-32360,CVE-2023-34241,CVE-2023-4504,CVE-2024-35235,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for static (bsc#1243317) - pthreads NPTL: lost wakeup fix 2 (bsc#1234128, BZ #25847) - Mark functions in libc_nonshared.a as hidden (bsc#1239883) - Linux: Switch back to assembly syscall wrapper for prctl (bsc#1234665, BZ #29770) The following package changes have been done: - compat-usrmerge-tools-84.87-slfo.1.1_1.5 updated - system-user-root-20190513-slfo.1.1_1.2 updated - filesystem-84.87-slfo.1.1_1.2 updated - glibc-2.38-slfo.1.1_4.1 updated - libsepol2-3.5-slfo.1.1_1.3 updated - libpcre2-8-0-10.42-slfo.1.1_1.4 updated - libcrypt1-4.4.36-slfo.1.1_1.4 updated - libselinux1-3.5-slfo.1.1_1.3 updated - busybox-1.36.1-slfo.1.1_1.2 updated - container:suse-toolbox-image-1.0.0-4.50 updated From sle-container-updates at lists.suse.com Thu Jul 10 07:05:03 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 09:05:03 +0200 (CEST) Subject: SUSE-CU-2025:5130-1: Security update of rancher/elemental-channel/sl-micro Message-ID: <20250710070503.7D9D7FCF8@maintenance.suse.de> SUSE Container Update Advisory: rancher/elemental-channel/sl-micro ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5130-1 Container Tags : rancher/elemental-channel/sl-micro:6.1-kvm , 
rancher/elemental-channel/sl-micro:6.1-kvm-3.4 Container Release : 3.4 Severity : critical Type : security References : 1219503 1225365 1234128 1234665 1239883 1243317 CVE-2023-32324 CVE-2023-32360 CVE-2023-34241 CVE-2023-4504 CVE-2024-35235 CVE-2025-4802 ----------------------------------------------------------------- The container rancher/elemental-channel/sl-micro was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 122 Released: Tue May 27 11:28:57 2025 Summary: Security update for glibc Type: security Severity: critical References: 1219503,1225365,1234128,1234665,1239883,1243317,CVE-2023-32324,CVE-2023-32360,CVE-2023-34241,CVE-2023-4504,CVE-2024-35235,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for static (bsc#1243317) - pthreads NPTL: lost wakeup fix 2 (bsc#1234128, BZ #25847) - Mark functions in libc_nonshared.a as hidden (bsc#1239883) - Linux: Switch back to assembly syscall wrapper for prctl (bsc#1234665, BZ #29770) The following package changes have been done: - compat-usrmerge-tools-84.87-slfo.1.1_1.5 updated - system-user-root-20190513-slfo.1.1_1.2 updated - filesystem-84.87-slfo.1.1_1.2 updated - glibc-2.38-slfo.1.1_4.1 updated - libsepol2-3.5-slfo.1.1_1.3 updated - libpcre2-8-0-10.42-slfo.1.1_1.4 updated - libcrypt1-4.4.36-slfo.1.1_1.4 updated - libselinux1-3.5-slfo.1.1_1.3 updated - busybox-1.36.1-slfo.1.1_1.2 updated - container:suse-toolbox-image-1.0.0-4.50 updated From sle-container-updates at lists.suse.com Thu Jul 10 07:05:05 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 09:05:05 +0200 (CEST) Subject: SUSE-CU-2025:5131-1: Security update of rancher/elemental-channel/sl-micro Message-ID: <20250710070505.C6694FCF8@maintenance.suse.de> SUSE Container Update Advisory: 
rancher/elemental-channel/sl-micro ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5131-1 Container Tags : rancher/elemental-channel/sl-micro:6.1-rt , rancher/elemental-channel/sl-micro:6.1-rt-3.4 Container Release : 3.4 Severity : critical Type : security References : 1219503 1225365 1234128 1234665 1239883 1243317 CVE-2023-32324 CVE-2023-32360 CVE-2023-34241 CVE-2023-4504 CVE-2024-35235 CVE-2025-4802 ----------------------------------------------------------------- The container rancher/elemental-channel/sl-micro was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 122 Released: Tue May 27 11:28:57 2025 Summary: Security update for glibc Type: security Severity: critical References: 1219503,1225365,1234128,1234665,1239883,1243317,CVE-2023-32324,CVE-2023-32360,CVE-2023-34241,CVE-2023-4504,CVE-2024-35235,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for static (bsc#1243317) - pthreads NPTL: lost wakeup fix 2 (bsc#1234128, BZ #25847) - Mark functions in libc_nonshared.a as hidden (bsc#1239883) - Linux: Switch back to assembly syscall wrapper for prctl (bsc#1234665, BZ #29770) The following package changes have been done: - compat-usrmerge-tools-84.87-slfo.1.1_1.5 updated - system-user-root-20190513-slfo.1.1_1.2 updated - filesystem-84.87-slfo.1.1_1.2 updated - glibc-2.38-slfo.1.1_4.1 updated - libsepol2-3.5-slfo.1.1_1.3 updated - libpcre2-8-0-10.42-slfo.1.1_1.4 updated - libcrypt1-4.4.36-slfo.1.1_1.4 updated - libselinux1-3.5-slfo.1.1_1.3 updated - busybox-1.36.1-slfo.1.1_1.2 updated - container:suse-toolbox-image-1.0.0-4.50 updated From sle-container-updates at lists.suse.com Thu Jul 10 07:05:16 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 09:05:16 +0200 
(CEST)
Subject: SUSE-CU-2025:5132-1: Security update of rancher/elemental-operator
Message-ID: <20250710070516.57FCAFCF8@maintenance.suse.de>

SUSE Container Update Advisory: rancher/elemental-operator
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5132-1
Container Tags : rancher/elemental-operator:1.7.3 , rancher/elemental-operator:1.7.3-3.4 , rancher/elemental-operator:latest
Container Release : 3.4
Severity : critical
Type : security
-----------------------------------------------------------------

The container rancher/elemental-operator was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 63
Released: Tue Apr 22 15:27:45 2025
Summary: Security update for libtasn1
Type: security
Severity: important

This update for libtasn1 fixes the following issues:

- CVE-2024-12133: Fixed potential DoS in handling of numerous SEQUENCE OF or SET OF elements (bsc#1236878)

-----------------------------------------------------------------
Advisory ID: 99
Released: Mon May 12 11:14:56 2025
Summary: Security update for ca-certificates-mozilla
Type: security
Severity: moderate
References: 1010996,1199079,1229003,1234798,1240009,1240343,441356,CVE-2024-10389,CVE-2024-10975,CVE-2024-45794,CVE-2024-48057,CVE-2024-51735,CVE-2024-51746

This update for ca-certificates-mozilla fixes the following issues:

Update to 2.74 state of Mozilla SSL root CAs:

Removed:

* SwissSign Silver CA - G2

Added:

* D-TRUST BR Root CA 2 2023
* D-TRUST EV Root CA 2 2023

Updated to 2.72 state of Mozilla SSL root CAs (bsc#1234798):

Removed:

* SecureSign RootCA11
* Security Communication RootCA3

Added:

* TWCA CYBER Root CA
* TWCA Global Root CA G2
* SecureSign Root CA12
* SecureSign Root CA14
* SecureSign Root CA15

-----------------------------------------------------------------
Advisory ID: 111
Released: Thu May 15 19:45:43 2025
Summary: Security update for elemental-operator
Type: security
Severity: important
References: 1231264,1231265,1231266,1238700,1239335,CVE-2024-31227,CVE-2024-31228,CVE-2024-31449,CVE-2025-22869,CVE-2025-22870

This update for elemental-operator fixes the following issues:

- Updated to v1.7.2:
  * Updated header year
  * CVE-2025-22870:
    golang.org/x/net/proxy: Fixed proxy bypass using IPv6 zone IDs (bsc#1238700)
  * CVE-2025-22869: golang.org/x/crypto/ssh: Fixed Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239335)
  * Label Templates: add IP addresses to the Network variables (#885, #894)
  * Fixed generation of already present resources (#892, #893)

-----------------------------------------------------------------
Advisory ID: 122
Released: Tue May 27 11:28:57 2025
Summary: Security update for glibc
Type: security
Severity: critical
References: 1219503,1225365,1234128,1234665,1239883,1243317,CVE-2023-32324,CVE-2023-32360,CVE-2023-34241,CVE-2023-4504,CVE-2024-35235,CVE-2025-4802

This update for glibc fixes the following issues:

- CVE-2025-4802: elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for static (bsc#1243317)
- pthreads NPTL: lost wakeup fix 2 (bsc#1234128, BZ #25847)
- Mark functions in libc_nonshared.a as hidden (bsc#1239883)
- Linux: Switch back to assembly syscall wrapper for prctl (bsc#1234665, BZ #29770)

-----------------------------------------------------------------
Advisory ID: 168
Released: Fri Jul 4 10:41:41 2025
Summary: Recommended update for elemental-operator
Type: recommended
Severity: moderate
References:

This update for elemental-operator fixes the following issues:

- [v1.7.x] Label Templates: improve Random family processing
- Dockerfile: bump golang container to 1.24
- operator: update RBAC for upgrade plans

The following package changes have been done:

- compat-usrmerge-tools-84.87-slfo.1.1_1.5 updated
- elemental-operator-1.7.3-slfo.1.1_1.1 updated
- system-user-root-20190513-slfo.1.1_1.2 updated
- filesystem-84.87-slfo.1.1_1.2 updated
- glibc-2.38-slfo.1.1_4.1 updated
- libtasn1-6-4.19.0-slfo.1.1_2.1 updated
- libpcre2-8-0-10.42-slfo.1.1_1.4 updated
- libgmp10-6.3.0-slfo.1.1_1.5 updated
- libgcc_s1-14.2.0+git10526-slfo.1.1_2.1 updated
- libffi8-3.4.6-slfo.1.1_1.4 updated
- libcap2-2.69-slfo.1.1_1.3 updated
- libattr1-2.5.1-slfo.1.1_1.3 updated
- libacl1-2.3.1-slfo.1.1_1.3 updated
- libselinux1-3.5-slfo.1.1_1.3 updated
- libstdc++6-14.2.0+git10526-slfo.1.1_2.1 updated
- libp11-kit0-0.25.3-slfo.1.1_1.2 updated
- libncurses6-6.4.20240224-slfo.1.1_1.5 updated
- terminfo-base-6.4.20240224-slfo.1.1_1.5 updated
- p11-kit-0.25.3-slfo.1.1_1.2 updated
- p11-kit-tools-0.25.3-slfo.1.1_1.2 updated
- libreadline8-8.2-slfo.1.1_1.4 updated
- bash-5.2.15-slfo.1.1_1.6 updated
- bash-sh-5.2.15-slfo.1.1_1.6 updated
- coreutils-9.4-slfo.1.1_1.4 updated
- ca-certificates-2+git20240805.fd24d50-slfo.1.1_1.2 updated
- ca-certificates-mozilla-2.74-slfo.1.1_1.1 updated
- container:suse-toolbox-image-1.0.0-4.50 updated

From sle-container-updates at lists.suse.com Thu Jul 10 07:11:49 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 10 Jul 2025 09:11:49 +0200 (CEST)
Subject: SUSE-CU-2025:5135-1: Security update of suse/sle-micro-rancher/5.4
Message-ID: <20250710071149.B9C92FCF8@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro-rancher/5.4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5135-1
Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.16 , suse/sle-micro-rancher/5.4:latest
Container Release : 4.5.16
Severity : important
Type : security
-----------------------------------------------------------------

The container suse/sle-micro-rancher/5.4 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2262-1
Released: Thu Jul 10 00:23:39 2025
Summary: Security update for the Linux Kernel
Type: security
Severity: important

The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

- CVE-2022-49110: netfilter: conntrack: revisit gc autotuning (bsc#1237981).
- CVE-2022-49139: Bluetooth: fix null ptr deref on hci_sync_conn_complete_evt (bsc#1238032).
- CVE-2022-49767: 9p/trans_fd: always use O_NONBLOCK read/write (bsc#1242493).
- CVE-2022-49775: tcp: cdg: allow tcp_cdg_release() to be called multiple times (bsc#1242245).
- CVE-2022-49858: octeontx2-pf: Fix SQE threshold checking (bsc#1242589).
- CVE-2023-53058: net/mlx5: E-Switch, Fix an Oops in error handling code (bsc#1242237).
- CVE-2023-53060: igb: revert rtnl_lock() that causes deadlock (bsc#1242241).
- CVE-2023-53064: iavf: Fix hang on reboot with ice (bsc#1242222).
- CVE-2023-53066: qed/qed_sriov: guard against NULL derefs from qed_iov_get_vf_info (bsc#1242227).
- CVE-2023-53079: net/mlx5: Fix steering rules cleanup (bsc#1242765).
- CVE-2023-53114: i40e: Fix kernel crash during reboot when adapter is in recovery mode (bsc#1242398).
- CVE-2023-53134: bnxt_en: Avoid order-5 memory allocation for TPA data (bsc#1242380) - CVE-2024-53168: net: make sock_inuse_add() available (bsc#1234887). - CVE-2024-56558: nfsd: make sure exp active before svc_export_show (bsc#1235100). - CVE-2025-21888: RDMA/mlx5: Fix a WARN during dereg_mr for DM type (bsc#1240177). - CVE-2025-21999: proc: fix UAF in proc_get_inode() (bsc#1240802). - CVE-2025-22056: netfilter: nft_tunnel: fix geneve_opt type confusion addition (bsc#1241525). - CVE-2025-22060: net: mvpp2: Prevent parser TCAM memory corruption (bsc#1241526). - CVE-2025-23138: watch_queue: fix pipe accounting mismatch (bsc#1241648). - CVE-2025-23145: mptcp: fix NULL pointer in can_accept_new_subflow (bsc#1242596). - CVE-2025-37785: ext4: fix OOB read when checking dotdot dir (bsc#1241640). - CVE-2025-37789: net: openvswitch: fix nested key length validation in the set() action (bsc#1242762). The following non-security bugs were fixed: - Refresh fixes for cBPF issue (bsc#1242778) - Remove debug flavor (bsc#1243919). - Update metadata and put them into the sorted part of the series - arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs (bsc#1242778). - arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users (bsc#1242778). - arm64: insn: Add support for encoding DSB (bsc#1242778). - arm64: proton-pack: Add new CPUs 'k' values for branch mitigation (bsc#1242778). - arm64: proton-pack: Expose whether the branchy loop k value (bsc#1242778). - arm64: proton-pack: Expose whether the platform is mitigated by firmware (bsc#1242778). - hv: Allow vmbus_sendpacket_mpb_desc() to create multiple ranges (bsc#1243737). - hv_netvsc: Preserve contiguous PFN grouping in the page buffer array (bsc#1243737). - hv_netvsc: Remove rmsg_pgcnt (bsc#1243737). - hv_netvsc: Use vmbus_sendpacket_mpb_desc() to send VMBus messages (bsc#1243737). - mtd: phram: Add the kernel lock down check (bsc#1232649). 
- ocfs2: fix the issue with discontiguous allocation in the global_bitmap (git-fixes). - powerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW (bsc#1218470 ltc#204531). - scsi: core: Fix unremoved procfs host directory regression (git-fixes). - scsi: storvsc: Set correct data length for sending SCSI command without payload (git-fixes). - x86/bhi: Do not set BHI_DIS_S in 32-bit mode (bsc#1242778). - x86/bpf: Add IBHF call at end of classic BPF (bsc#1242778). - x86/bpf: Call branch history clearing sequence on exit (bsc#1242778). The following package changes have been done: - kernel-default-5.14.21-150400.24.167.1 updated From sle-container-updates at lists.suse.com Thu Jul 10 07:12:30 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 09:12:30 +0200 (CEST) Subject: SUSE-IU-2025:1780-1: Security update of suse/sl-micro/6.0/baremetal-os-container Message-ID: <20250710071230.D97CBFCF8@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/baremetal-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1780-1 Image Tags : suse/sl-micro/6.0/baremetal-os-container:2.1.3 , suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.51 , suse/sl-micro/6.0/baremetal-os-container:latest Image Release : 6.51 Severity : moderate Type : security References : 1236931 1239119 1242987 1243069 CVE-2025-30258 ----------------------------------------------------------------- The container suse/sl-micro/6.0/baremetal-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 374 Released: Fri Jul 4 11:02:09 2025 Summary: Security update for gpg2 Type: security Severity: moderate References: 1236931,1239119,1243069,CVE-2025-30258 This update for gpg2 fixes the following issues: - gpg: Allow the use of an ADSK subkey as ADSK subkey. 
(bsc#1239119 CVE-2025-30258) - Don't install expired sks certificate [bsc#1243069] ----------------------------------------------------------------- Advisory ID: 375 Released: Fri Jul 4 16:18:40 2025 Summary: Recommended update for gptfdisk Type: recommended Severity: moderate References: 1242987 This update for gptfdisk fixes the following issues: - Fixed boot failure with qcow and vmdk images (bsc#1242987) The following package changes have been done: - SL-Micro-release-6.0-25.34 updated - gptfdisk-1.0.9-4.1 updated - gpg2-2.4.4-5.1 updated - container:SL-Micro-base-container-2.1.3-7.20 updated From sle-container-updates at lists.suse.com Thu Jul 10 07:13:08 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 09:13:08 +0200 (CEST) Subject: SUSE-IU-2025:1781-1: Recommended update of suse/sl-micro/6.0/base-os-container Message-ID: <20250710071308.9D409F78C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1781-1 Image Tags : suse/sl-micro/6.0/base-os-container:2.1.3 , suse/sl-micro/6.0/base-os-container:2.1.3-7.20 , suse/sl-micro/6.0/base-os-container:latest Image Release : 7.20 Severity : important Type : recommended References : 1189788 1216091 1222044 1225451 1228434 1229106 1230267 1232458 1234752 1235598 1235636 1236384 1236481 1236820 1236939 1236983 1237044 1237172 1237587 1237949 1238315 1239012 1239543 1239809 1240132 1240529 1241463 1243279 1243457 1243887 1243901 1244042 1244105 1244710 1245220 1245452 1245496 1245672 614646 ----------------------------------------------------------------- The container suse/sl-micro/6.0/base-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 377 Released: Wed Jul 9 10:56:35 2025 Summary: Recommended update for zypper, libsolv, libzypp Type: recommended Severity: important References: 1189788,1216091,1222044,1225451,1228434,1229106,1230267,1232458,1234752,1235598,1235636,1236384,1236481,1236820,1236939,1236983,1237044,1237172,1237587,1237949,1238315,1239012,1239543,1239809,1240132,1240529,1241463,1243279,1243457,1243887,1243901,1244042,1244105,1244710,1245220,1245452,1245496,1245672,614646 This update for zypper, libsolv, libzypp fixes the following issues: libsolv was updated to 0.7.34: - add support for product-obsoletes() provides in the product autopackage generation code - improve transaction ordering by allowing more uninst->uninst edges [bsc#1243457] - implement color filtering when adding update targets - support orderwithrequires dependencies in susedata.xml - build both static and dynamic libraries on new suse distros - support the apk package and repository format (both v2 and v3) - new dataiterator_final_{repo,solvable} functions - Provide a symbol specific for the ruby-version so yast does not break across updates (bsc#1235598) - fix replaces_installed_package using the wrong solvable id when checking the noupdate map - make POOL_FLAG_ADDFILEPROVIDESFILTERED behaviour more standard - add rpm_query_idarray query function - support rpm's 'orderwithrequires' dependency
libzypp was updated to 17.37.10: - BuildRequires: %{libsolv_devel_package} >= 0.7.34 (bsc#1243486) - Newer rpm versions no longer allow a ':' in rpm package names or obsoletes. So injecting an 'Obsoletes: product:oldproductname < oldproductversion' into the -release package to indicate a product rename is no longer possible. Since libsolv-0.7.34 you can and should use: 'Provides: product-obsoletes(oldproductname) < oldproductversion' in the -release package. libsolv will then inject the appropriate Obsoletes into the Product. - Ignore DeltaRpm download errors (bsc#1245672) DeltaRpms are in fact optional resources. In case of a failure the full rpm is downloaded. - Improve fix for incorrect filesize handling (bsc#1245220) - Do not trigger download data exceeded errors on HTTP non data responses (bsc#1245220) In some cases a HTTP 401 or 407 did trigger a 'filesize exceeded' error, because the response payload size was compared against the expected filesize. This patch adds some checks if the response code is in the success range and only then takes expected filesize into account. Otherwise the response content-length is used or a fallback of 2Mb if no content-length is known. - Fix SEGV in MediaDISK handler (bsc#1245452) - Explicitly selecting DownloadAsNeeded also selects the classic_rpmtrans backend. DownloadAsNeeded can not be combined with the rpm singletrans installer backend because a rpm transaction requires all package headers to be available at the beginning of the transaction. So explicitly selecting this mode also turns on the classic_rpmtrans backend. - Fix evaluation of libproxy results (bsc#1244710) - Enhancements regarding mirror handling during repo refresh.
Added means to disable the use of mirrors when downloading security relevant files. Requires updating zypper to 1.14.91. - Fix autotestcase writer if ZYPP_FULLLOG=1 (bsc#1244042) If ZYPP_FULLLOG=1 a solver testcase to '/var/log/YaST2/autoTestcase' should be written for each solver run. There was no testcase written for the very first solver run. This is now fixed. - Pass $1==2 to %posttrans script if it's an update (bsc#1243279) - Fix credential handling in HEAD requests (bsc#1244105) - RepoInfo: use pathNameSetTrailingSlash (fixes #643) - Fix wrong userdata parameter type when running zypp with debug verbosity (bsc#1239012) - Do not warn about no mirrors if mirrorlist was switched on automatically. (bsc#1243901) - Relax permission of cached packages to 0644 & ~umask (bsc#1243887) - Add a note to service maintained .repo file entries (fixes #638) - Support using %{url} variable in a RIS service's repo section. - Use a cookie file to validate mirrorlist cache. This patch extends the mirrorlist code to use a cookie file to validate the contents of the cache against the source URL, making sure that we do not accidentally use an old cache when the mirrorlist url was changed. For example when migrating a system from one release to the next where the same repo alias might just have a different URL. - Let Service define and update gpgkey, mirrorlist and metalink. - Preserve a mirrorlist file in the raw cache during refresh. - Code16: Enable curl2 backend and parallel package download by default. In Code15 it's optional. Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1> can be used to turn the features on or off. - Make gpgKeyUrl the default source for gpg keys. When refreshing zypp now primarily uses gpgKeyUrl information from the repo files and only falls back to an automatically generated key Url if a gpgKeyUrl was not specified. - Introduce mirrors into the Media backends (bsc#1240132) - Drop MediaMultiCurl backend.
- Throttle progress updates when preloading packages (bsc#1239543) - Check if request is in valid state in CURL callbacks (fixes openSUSE/zypper#605) - spec/CMake: add conditional build '--with[out] classic_rpmtrans_as_default'. classic_rpmtrans is the current builtin default for SUSE, otherwise it's single_rpmtrans. The `enable_preview_single_rpmtrans_as_default_for_zypper` switch was removed from the spec file. Accordingly the CMake option ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed. - fixed build with boost 1.88. - XmlReader: Fix detection of bad input streams (fixes #635) libxml2 2.14 potentially reads the complete stream, so it may have the 'eof' bit set. Which is not 'good' but also not 'bad'. - rpm: Fix detection of %triggerscript starts (bsc#1222044) - RepoindexFileReader: add more related attributes a service may set. Add optional attributes gpgcheck, repo_gpgcheck, pkg_gpgcheck, keeppackages, gpgkey, mirrorlist, and metalink with the same semantic as in a .repo file. - Drop workaround for broken rpm-4.18 in Code16 (bsc#1237172) - BuildRequires: %{libsolv_devel_package} >= 0.7.32. Code16 moved static libs to libsolv-devel-static. - Drop usage of SHA1 hash algorithm because it will become unavailable in FIPS mode (bsc#1240529) - Fix zypp.conf dupAllowVendorChange to reflect the correct default (false). The default was true in Code12 (libzypp-16.x) and changed to false with Code15 (libzypp-17.x). Unfortunately this was done by shipping a modified zypp.conf file rather than fixing the code. - zypp.conf: Add `lock_timeout` ($ZYPP_LOCK_TIMEOUT) (bsc#1239809) - Fix computation of RepStatus if Repo URLs change. - Fix lost double slash when appending to an absolute FTP url (bsc#1238315) Ftp actually differs between absolute and relative URL paths. Absolute path names begin with a double slash encoded as '/%2F'. This must be preserved when manipulating the path. 
- Add a transaction package preloader (fixes openSUSE/zypper#104) This patch adds a preloader that concurrently downloads files during a transaction commit. It's not yet enabled per default. To enable the preview set ZYPP_CURL2=1 and ZYPP_PCK_PRELOAD=1 in the environment. - RpmPkgSigCheck_test: Exchange the test package signingkey (fixes #622) - Exclude MediaCurl tests if DISABLE_MEDIABACKEND_TESTS (fixes #626) - Strip a mediahandler tag from baseUrl querystrings. - Disable zypp.conf:download.use_deltarpm by default (fixes #620) Measurements show that you don't benefit from using deltarpms unless your network connection is very slow. That's why most distributions even stop offering deltarpms. The default remains unchanged on SUSE-15.6 and older. - Make sure repo variables are evaluated in the right context (bsc#1237044) - Introducing MediaCurl2, an alternative HTTP backend. This patch adds MediaCurl2 as a testbed for experimenting with a more simple way to download files. Set ZYPP_CURL2=1 in the environment to use it. - Filesystem usrmerge must not be done in singletrans mode (bsc#1236481, bsc#1189788) Commit will amend the backend in case the transaction would perform a filesystem usrmerge. - Workaround bsc#1216091 on Code16. - Don't issue deprecated warnings if -DNDEBUG is set (bsc#1236983) Released libyui packages compile with -Werror=deprecated-declarations so we can't add deprecated warnings without breaking them. - make gcc15 happy (fixes #613) - Drop zypp-CheckAccessDeleted in favor of 'zypper ps'. - Fix Repoverification plugin not being executed (fixes #614) - Refresh: Fetch the master index file before key and signature (bsc#1236820) - Allow libzypp to compile with C++20. - Deprecate RepoReports we do not trigger.
- Create '.keep_packages' in the package cache dir to enforce keeping downloaded packages of all repos cached there (bsc#1232458) - Fix missing UID checks in repomanager workflow (fixes #603) - Move cmake config files to LIB_INSTALL_DIR/cmake/Zypp (fixes #28) - Fix 'zypper ps' when running in incus container (bsc#1229106) Should apply to lxc and lxd containers as well. - Re-enable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091) zypper was updated to 1.14.92: - sh: Reset solver options after command (bsc#1245496) - Explicitly selecting DownloadAsNeeded also selects the classic_rpmtrans backend. Enhancements regarding mirror handling during repo refresh. Adapt to libzypp API changes. (bsc#1230267) - Use libzypp improvements for preload and mirror handling. - xmlout.rnc: Update repo-element (bsc#1241463) Add the 'metalink' attribute and reflect that the 'url' elements list may in fact be empty, if no baseurls are defined in the .repo files. - man: update --allow-unsigned-rpm description. Explain how to achieve the same for packages provided by repositories. - Updated translations (bsc#1230267) - Do not double encode URL strings passed on the commandline (bsc#1237587) URLs passed on the commandline must have their special chars encoded already. We just want to check and encode forgotten unsafe chars like a blank. A '%' however must not be encoded again. - Package preloader that concurrently downloads files. It's not yet enabled per default. To enable the preview set ZYPP_CURL2=1 and ZYPP_PCK_PRELOAD=1 in the environment. (#104) - refresh: add --include-all-archs (fixes #598) Future multi-arch repos may allow to download only those metadata which refer to packages actually compatible with the systems architecture. Some tools however want zypp to provide the full metadata of a repository without filtering incompatible architectures.
- info,search: add option to search and list Enhances (bsc#1237949) - Announce --root in commands not launching a Target (bsc#1237044) - Let zypper dup fail in case of (temporarily) unaccessible repos (bsc#1228434, bsc#1236939, fixes #446) - New system-architecture command (bsc#1236384) Prints the detected system architecture. - Change versioncmp command to return exit code according to the comparison result (#593) - lr: show the repositories keep-packages flag (bsc#1232458) It is shown in the details view or by using -k,--keep-packages. In addition libzypp supports to enforce keeping downloaded packages of all repos within a package cache by creating a '.keep_packages' file there. - Try to refresh update repos first to have updated GPG keys on the fly (bsc#1234752) An update repo may contain a prolonged GPG key for the GA repo. Refreshing the update repo first updates a trusted key on the fly and avoids a 'key has expired' warning being issued when refreshing the GA repo. - Refresh: restore legacy behavior and suppress Exception reporting as non-root (bsc#1235636) - info: Allow to query a specific version (jsc#PED-11268) To query for a specific version simply append '-' or '--' to the '' pattern. Note that the edition part must always match exactly. - Don't try to download missing raw metadata if cache is not writable (bsc#1225451) - man: Update 'search' command description. Hint to 'se -v' showing the matches within the packages metadata. Explain that search strings starting with a '/' will implicitly look into the filelist as well. Otherwise an explicit '-f' is needed.
The following package changes have been done: - libsolv-tools-base-0.7.34-1.1 updated - libzypp-17.37.10-1.1 updated - zypper-1.14.92-1.1 updated - container:suse-toolbox-image-1.0.0-9.11 updated From sle-container-updates at lists.suse.com Thu Jul 10 07:14:39 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 09:14:39 +0200 (CEST) Subject: SUSE-IU-2025:1783-1: Security update of suse/sl-micro/6.0/rt-os-container Message-ID: <20250710071439.D8943F78C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/rt-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1783-1 Image Tags : suse/sl-micro/6.0/rt-os-container:2.1.3 , suse/sl-micro/6.0/rt-os-container:2.1.3-7.53 , suse/sl-micro/6.0/rt-os-container:latest Image Release : 7.53 Severity : moderate Type : security References : 1236136 1242987 CVE-2024-13176 ----------------------------------------------------------------- The container suse/sl-micro/6.0/rt-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 373 Released: Thu Jul 3 12:28:04 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1236136,CVE-2024-13176 This update for openssl-3 fixes the following issues: - CVE-2024-13176: Fixed timing side-channel in the ECDSA signature computation (bsc#1236136) ----------------------------------------------------------------- Advisory ID: 375 Released: Fri Jul 4 16:18:40 2025 Summary: Recommended update for gptfdisk Type: recommended Severity: moderate References: 1242987 This update for gptfdisk fixes the following issues: - Fixed boot failure with qcow and vmdk images (bsc#1242987) The following package changes have been done: - libopenssl3-3.1.4-9.1 updated - SL-Micro-release-6.0-25.34 updated - gptfdisk-1.0.9-4.1 updated - container:SL-Micro-container-2.1.3-6.51 updated From sle-container-updates at lists.suse.com Thu Jul 10 07:14:55 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 09:14:55 +0200 (CEST) Subject: SUSE-CU-2025:5136-1: Recommended update of suse/sl-micro/6.0/toolbox Message-ID: <20250710071455.0F682F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sl-micro/6.0/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5136-1 Container Tags : suse/sl-micro/6.0/toolbox:13.2 , suse/sl-micro/6.0/toolbox:13.2-9.11 , suse/sl-micro/6.0/toolbox:latest Container Release : 9.11 Severity : important Type : recommended References : 1189788 1216091 1222044 1225451 1228434 1229106 1230267 1232458 1234752 1235598 1235636 1236384 1236481 1236820 1236939 1236983 1237044 1237172 1237587 1237949 1238315 1239012 1239543 1239809 1240132 1240529 1241463 1243279 1243457 1243887 1243901 1244042 1244105 1244710 1245220 1245452 1245496 1245672 614646 
----------------------------------------------------------------- The container suse/sl-micro/6.0/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 377 Released: Wed Jul 9 10:56:35 2025 Summary: Recommended update for zypper, libsolv, libzypp Type: recommended Severity: important References: 1189788,1216091,1222044,1225451,1228434,1229106,1230267,1232458,1234752,1235598,1235636,1236384,1236481,1236820,1236939,1236983,1237044,1237172,1237587,1237949,1238315,1239012,1239543,1239809,1240132,1240529,1241463,1243279,1243457,1243887,1243901,1244042,1244105,1244710,1245220,1245452,1245496,1245672,614646 This update for zypper, libsolv, libzypp fixes the following issues: libsolv was updated to 0.7.34: - add support for product-obsoletes() provides in the product autopackage generation code - improve transaction ordering by allowing more uninst->uninst edges [bsc#1243457] - implement color filtering when adding update targets - support orderwithrequires dependencies in susedata.xml - build both static and dynamic libraries on new suse distros - support the apk package and repository format (both v2 and v3) - new dataiterator_final_{repo,solvable} functions - Provide a symbol specific for the ruby-version so yast does not break across updates (bsc#1235598) - fix replaces_installed_package using the wrong solvable id when checking the noupdate map - make POOL_FLAG_ADDFILEPROVIDESFILTERED behaviour more standard - add rpm_query_idarray query function - support rpm's 'orderwithrequires' dependency
libzypp was updated to 17.37.10: - BuildRequires: %{libsolv_devel_package} >= 0.7.34 (bsc#1243486) - Newer rpm versions no longer allow a ':' in rpm package names or obsoletes. So injecting an 'Obsoletes: product:oldproductname < oldproductversion' into the -release package to indicate a product rename is no longer possible. Since libsolv-0.7.34 you can and should use: 'Provides: product-obsoletes(oldproductname) < oldproductversion' in the -release package. libsolv will then inject the appropriate Obsoletes into the Product. - Ignore DeltaRpm download errors (bsc#1245672) DeltaRpms are in fact optional resources. In case of a failure the full rpm is downloaded. - Improve fix for incorrect filesize handling (bsc#1245220) - Do not trigger download data exceeded errors on HTTP non data responses (bsc#1245220) In some cases a HTTP 401 or 407 did trigger a 'filesize exceeded' error, because the response payload size was compared against the expected filesize. This patch adds some checks if the response code is in the success range and only then takes expected filesize into account. Otherwise the response content-length is used or a fallback of 2Mb if no content-length is known. - Fix SEGV in MediaDISK handler (bsc#1245452) - Explicitly selecting DownloadAsNeeded also selects the classic_rpmtrans backend. DownloadAsNeeded can not be combined with the rpm singletrans installer backend because a rpm transaction requires all package headers to be available at the beginning of the transaction. So explicitly selecting this mode also turns on the classic_rpmtrans backend.
- Fix evaluation of libproxy results (bsc#1244710) - Enhancements regarding mirror handling during repo refresh. Added means to disable the use of mirrors when downloading security relevant files. Requires updating zypper to 1.14.91. - Fix autotestcase writer if ZYPP_FULLLOG=1 (bsc#1244042) If ZYPP_FULLLOG=1 a solver testcase to '/var/log/YaST2/autoTestcase' should be written for each solver run. There was no testcase written for the very first solver run. This is now fixed. - Pass $1==2 to %posttrans script if it's an update (bsc#1243279) - Fix credential handling in HEAD requests (bsc#1244105) - RepoInfo: use pathNameSetTrailingSlash (fixes #643) - Fix wrong userdata parameter type when running zypp with debug verbosity (bsc#1239012) - Do not warn about no mirrors if mirrorlist was switched on automatically. (bsc#1243901) - Relax permission of cached packages to 0644 & ~umask (bsc#1243887) - Add a note to service maintained .repo file entries (fixes #638) - Support using %{url} variable in a RIS service's repo section. - Use a cookie file to validate mirrorlist cache. This patch extends the mirrorlist code to use a cookie file to validate the contents of the cache against the source URL, making sure that we do not accidentally use an old cache when the mirrorlist url was changed. For example when migrating a system from one release to the next where the same repo alias might just have a different URL. - Let Service define and update gpgkey, mirrorlist and metalink. - Preserve a mirrorlist file in the raw cache during refresh. - Code16: Enable curl2 backend and parallel package download by default. In Code15 it's optional. Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1> can be used to turn the features on or off. - Make gpgKeyUrl the default source for gpg keys. When refreshing zypp now primarily uses gpgKeyUrl information from the repo files and only falls back to an automatically generated key Url if a gpgKeyUrl was not specified.
- Introduce mirrors into the Media backends (bsc#1240132) - Drop MediaMultiCurl backend. - Throttle progress updates when preloading packages (bsc#1239543) - Check if request is in valid state in CURL callbacks (fixes openSUSE/zypper#605) - spec/CMake: add conditional build '--with[out] classic_rpmtrans_as_default'. classic_rpmtrans is the current builtin default for SUSE, otherwise it's single_rpmtrans. The `enable_preview_single_rpmtrans_as_default_for_zypper` switch was removed from the spec file. Accordingly the CMake option ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed. - fixed build with boost 1.88. - XmlReader: Fix detection of bad input streams (fixes #635) libxml2 2.14 potentially reads the complete stream, so it may have the 'eof' bit set. Which is not 'good' but also not 'bad'. - rpm: Fix detection of %triggerscript starts (bsc#1222044) - RepoindexFileReader: add more related attributes a service may set. Add optional attributes gpgcheck, repo_gpgcheck, pkg_gpgcheck, keeppackages, gpgkey, mirrorlist, and metalink with the same semantic as in a .repo file. - Drop workaround for broken rpm-4.18 in Code16 (bsc#1237172) - BuildRequires: %{libsolv_devel_package} >= 0.7.32. Code16 moved static libs to libsolv-devel-static. - Drop usage of SHA1 hash algorithm because it will become unavailable in FIPS mode (bsc#1240529) - Fix zypp.conf dupAllowVendorChange to reflect the correct default (false). The default was true in Code12 (libzypp-16.x) and changed to false with Code15 (libzypp-17.x). Unfortunately this was done by shipping a modified zypp.conf file rather than fixing the code. - zypp.conf: Add `lock_timeout` ($ZYPP_LOCK_TIMEOUT) (bsc#1239809) - Fix computation of RepStatus if Repo URLs change. - Fix lost double slash when appending to an absolute FTP url (bsc#1238315) Ftp actually differs between absolute and relative URL paths. Absolute path names begin with a double slash encoded as '/%2F'. 
This must be preserved when manipulating the path. - Add a transaction package preloader (fixes openSUSE/zypper#104) This patch adds a preloader that concurrently downloads files during a transaction commit. It's not yet enabled per default. To enable the preview set ZYPP_CURL2=1 and ZYPP_PCK_PRELOAD=1 in the environment. - RpmPkgSigCheck_test: Exchange the test package signingkey (fixes #622) - Exclude MediaCurl tests if DISABLE_MEDIABACKEND_TESTS (fixes #626) - Strip a mediahandler tag from baseUrl querystrings. - Disable zypp.conf:download.use_deltarpm by default (fixes #620) Measurements show that you don't benefit from using deltarpms unless your network connection is very slow. That's why most distributions even stop offering deltarpms. The default remains unchanged on SUSE-15.6 and older. - Make sure repo variables are evaluated in the right context (bsc#1237044) - Introducing MediaCurl2, an alternative HTTP backend. This patch adds MediaCurl2 as a testbed for experimenting with a more simple way to download files. Set ZYPP_CURL2=1 in the environment to use it. - Filesystem usrmerge must not be done in singletrans mode (bsc#1236481, bsc#1189788) Commit will amend the backend in case the transaction would perform a filesystem usrmerge. - Workaround bsc#1216091 on Code16. - Don't issue deprecated warnings if -DNDEBUG is set (bsc#1236983) Released libyui packages compile with -Werror=deprecated-declarations so we can't add deprecated warnings without breaking them. - make gcc15 happy (fixes #613) - Drop zypp-CheckAccessDeleted in favor of 'zypper ps'. - Fix Repoverification plugin not being executed (fixes #614) - Refresh: Fetch the master index file before key and signature (bsc#1236820) - Allow libzypp to compile with C++20. - Deprecate RepoReports we do not trigger.
- Create '.keep_packages' in the package cache dir to enforce keeping downloaded packages of all repos cached there (bsc#1232458) - Fix missing UID checks in repomanager workflow (fixes #603) - Move cmake config files to LIB_INSTALL_DIR/cmake/Zypp (fixes #28) - Fix 'zypper ps' when running in incus container (bsc#1229106) Should apply to lxc and lxd containers as well. - Re-enable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091) zypper was updated to 1.14.92: - sh: Reset solver options after command (bsc#1245496) - Explicitly selecting DownloadAsNeeded also selects the classic_rpmtrans backend. Enhancements regarding mirror handling during repo refresh. Adapt to libzypp API changes. (bsc#1230267) - Use libzypp improvements for preload and mirror handling. - xmlout.rnc: Update repo-element (bsc#1241463) Add the 'metalink' attribute and reflect that the 'url' elements list may in fact be empty, if no baseurls are defined in the .repo files. - man: update --allow-unsigned-rpm description. Explain how to achieve the same for packages provided by repositories. - Updated translations (bsc#1230267) - Do not double encode URL strings passed on the commandline (bsc#1237587) URLs passed on the commandline must have their special chars encoded already. We just want to check and encode forgotten unsafe chars like a blank. A '%' however must not be encoded again. - Package preloader that concurrently downloads files. It's not yet enabled per default. To enable the preview set ZYPP_CURL2=1 and ZYPP_PCK_PRELOAD=1 in the environment. (#104) - refresh: add --include-all-archs (fixes #598) Future multi-arch repos may allow to download only those metadata which refer to packages actually compatible with the systems architecture. Some tools however want zypp to provide the full metadata of a repository without filtering incompatible architectures.
- info,search: add option to search and list Enhances (bsc#1237949) - Announce --root in commands not launching a Target (bsc#1237044) - Let zypper dup fail in case of (temporarily) unaccessible repos (bsc#1228434, bsc#1236939, fixes #446) - New system-architecture command (bsc#1236384) Prints the detected system architecture. - Change versioncmp command to return exit code according to the comparison result (#593) - lr: show the repositories keep-packages flag (bsc#1232458) It is shown in the details view or by using -k,--keep-packages. In addition libzypp supports to enforce keeping downloaded packages of all repos within a package cache by creating a '.keep_packages' file there. - Try to refresh update repos first to have updated GPG keys on the fly (bsc#1234752) An update repo may contain a prolonged GPG key for the GA repo. Refreshing the update repo first updates a trusted key on the fly and avoids a 'key has expired' warning being issued when refreshing the GA repo. - Refresh: restore legacy behavior and suppress Exception reporting as non-root (bsc#1235636) - info: Allow to query a specific version (jsc#PED-11268) To query for a specific version simply append '-' or '--' to the '' pattern. Note that the edition part must always match exactly. - Don't try to download missing raw metadata if cache is not writable (bsc#1225451) - man: Update 'search' command description. Hint to 'se -v' showing the matches within the packages metadata. Explain that search strings starting with a '/' will implicitly look into the filelist as well. Otherwise an explicit '-f' is needed.
The following package changes have been done: - libsolv-tools-base-0.7.34-1.1 updated - libzypp-17.37.10-1.1 updated - zypper-1.14.92-1.1 updated From sle-container-updates at lists.suse.com Thu Jul 10 07:15:29 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 09:15:29 +0200 (CEST) Subject: SUSE-IU-2025:1784-1: Recommended update of suse/sl-micro/6.1/base-os-container Message-ID: <20250710071529.A0AD7F78C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1784-1 Image Tags : suse/sl-micro/6.1/base-os-container:2.2.1 , suse/sl-micro/6.1/base-os-container:2.2.1-5.6 , suse/sl-micro/6.1/base-os-container:latest Image Release : 5.6 Severity : important Type : recommended References : 1222972 1223356 1223454 1227417 1227419 1227575 1229716 1230368 1230779 1232057 1233332 1233673 1243486 1244710 1245220 1245452 1245496 1245672 CVE-2024-0090 CVE-2024-0091 CVE-2024-0092 ----------------------------------------------------------------- The container suse/sl-micro/6.1/base-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 174 Released: Wed Jul 9 11:05:32 2025 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: important References: 1222972,1223356,1223454,1227417,1227419,1227575,1229716,1230368,1230779,1232057,1233332,1233673,1243486,1244710,1245220,1245452,1245496,1245672,CVE-2024-0090,CVE-2024-0091,CVE-2024-0092 This update for libsolv, libzypp, zypper fixes the following issues: libsolv was updated to 0.7.34: - add support for product-obsoletes() provides in the product autopackage generation code libzypp was updated to 17.37.10: - BuildRequires: %{libsolv_devel_package} >= 0.7.34 (bsc#1243486) Newer rpm versions no longer allow a ':' in rpm package names or obsoletes. So injecting an 'Obsoletes: product:oldproductname < oldproductversion' into the -release package to indicate a product rename is no longer possible. Since libsolv-0.7.34 you can and should use: 'Provides: product-obsoletes(oldproductname) < oldproductversion' in the -release package. libsolv will then inject the appropriate Obsoletes into the Product. - Ignore DeltaRpm download errors (bsc#1245672) DeltaRpms are in fact optional resources. In case of a failure the full rpm is downloaded. - Improve fix for incorrect filesize handling (bsc#1245220) - Do not trigger download data exceeded errors on HTTP non data responses (bsc#1245220) In some cases a HTTP 401 or 407 did trigger a 'filesize exceeded' error, because the response payload size was compared against the expected filesize. This patch adds some checks if the response code is in the success range and only then takes expected filesize into account. Otherwise the response content-length is used or a fallback of 2Mb if no content-length is known. - Fix SEGV in MediaDISK handler (bsc#1245452) - Explicitly selecting DownloadAsNeeded also selects the classic_rpmtrans backend. 
DownloadAsNeeded can not be combined with the rpm singletrans installer backend because a rpm transaction requires all package headers to be available at the beginning of the transaction. So explicitly selecting this mode also turns on the classic_rpmtrans backend. - Fix evaluation of libproxy results (bsc#1244710) zypper was updated to 1.14.92: - sh: Reset solver options after command (bsc#1245496) - Explicitly selecting DownloadAsNeeded also selects the classic_rpmtrans backend. The following package changes have been done: - libsolv-tools-base-0.7.34-slfo.1.1_1.1 updated - libzypp-17.37.10-slfo.1.1_1.1 updated - zypper-1.14.92-slfo.1.1_1.1 updated - container:suse-toolbox-image-1.0.0-4.50 updated From sle-container-updates at lists.suse.com Thu Jul 10 07:20:43 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 09:20:43 +0200 (CEST) Subject: SUSE-CU-2025:5139-1: Security update of suse/hpc/warewulf4-x86_64/sle-hpc-node Message-ID: <20250710072043.5FB37F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/hpc/warewulf4-x86_64/sle-hpc-node ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5139-1 Container Tags : suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6 , suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6.17.8.72 , suse/hpc/warewulf4-x86_64/sle-hpc-node:latest Container Release : 17.8.72 Severity : low Type : security References : 1236931 1239119 1239817 CVE-2025-30258 ----------------------------------------------------------------- The container suse/hpc/warewulf4-x86_64/sle-hpc-node was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2259-1 Released: Wed Jul 9 17:18:02 2025 Summary: Recommended update for gpg2 Type: security Severity: low References: 1236931,1239119,1239817,CVE-2025-30258 This update for gpg2 fixes the following issues: - CVE-2025-30258: Fixed DoS due to a malicious subkey in the keyring (bsc#1239119). Other bugfixes: - Do not install expired sks certificate (bsc#1243069). - gpg hangs when importing a key (bsc#1236931). The following package changes have been done: - gpg2-2.4.4-150600.3.9.1 updated From sle-container-updates at lists.suse.com Thu Jul 10 07:27:08 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 09:27:08 +0200 (CEST) Subject: SUSE-CU-2025:5146-1: Security update of suse/sle15 Message-ID: <20250710072708.8BBFBF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5146-1 Container Tags : bci/bci-base:15.6 , bci/bci-base:15.6.47.23.10 , suse/sle15:15.6 , suse/sle15:15.6.47.23.10 Container Release : 47.23.10 Severity : low Type : security References : 1236931 1239119 1239817 CVE-2025-30258 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2259-1 Released: Wed Jul 9 17:18:02 2025 Summary: Recommended update for gpg2 Type: security Severity: low References: 1236931,1239119,1239817,CVE-2025-30258 This update for gpg2 fixes the following issues: - CVE-2025-30258: Fixed DoS due to a malicious subkey in the keyring (bsc#1239119). Other bugfixes: - Do not install expired sks certificate (bsc#1243069). - gpg hangs when importing a key (bsc#1236931). 
The following package changes have been done: - gpg2-2.4.4-150600.3.9.1 updated From sle-container-updates at lists.suse.com Thu Jul 10 07:28:09 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 09:28:09 +0200 (CEST) Subject: SUSE-CU-2025:5147-1: Security update of bci/spack Message-ID: <20250710072809.499A2F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/spack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5147-1 Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-11.16 Container Release : 11.16 Severity : low Type : security References : 1236931 1239119 1239817 CVE-2025-30258 ----------------------------------------------------------------- The container bci/spack was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2259-1 Released: Wed Jul 9 17:18:02 2025 Summary: Recommended update for gpg2 Type: security Severity: low References: 1236931,1239119,1239817,CVE-2025-30258 This update for gpg2 fixes the following issues: - CVE-2025-30258: Fixed DoS due to a malicious subkey in the keyring (bsc#1239119). Other bugfixes: - Do not install expired sks certificate (bsc#1243069). - gpg hangs when importing a key (bsc#1236931). 
The following package changes have been done: - gpg2-2.4.4-150600.3.9.1 updated - container:registry.suse.com-bci-bci-base-15.6-c1c42c1525decb5b65e08df368b6579fc6b164f8c3d906605353bce7c3fd6694-0 updated From sle-container-updates at lists.suse.com Thu Jul 10 07:28:42 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 09:28:42 +0200 (CEST) Subject: SUSE-CU-2025:5155-1: Security update of suse/bind Message-ID: <20250710072842.BD09BF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/bind ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5155-1 Container Tags : suse/bind:9 , suse/bind:9.20 , suse/bind:9.20.9 , suse/bind:9.20.9-62.2 , suse/bind:latest Container Release : 62.2 Severity : important Type : security References : 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/bind was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2260-1 Released: Wed Jul 9 19:04:24 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. 
(bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) The following package changes have been done: - libxml2-2-2.12.10-150700.4.3.1 updated From sle-container-updates at lists.suse.com Thu Jul 10 07:28:45 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 09:28:45 +0200 (CEST) Subject: SUSE-CU-2025:5156-1: Security update of suse/cosign Message-ID: <20250710072845.05F4EF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/cosign ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5156-1 Container Tags : suse/cosign:2 , suse/cosign:2.5 , suse/cosign:2.5.0 , suse/cosign:2.5.0-11.15 , suse/cosign:latest Container Release : 11.15 Severity : low Type : security References : 1236931 1239119 1239817 CVE-2025-30258 ----------------------------------------------------------------- The container suse/cosign was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2259-1 Released: Wed Jul 9 17:18:02 2025 Summary: Recommended update for gpg2 Type: security Severity: low References: 1236931,1239119,1239817,CVE-2025-30258 This update for gpg2 fixes the following issues: - CVE-2025-30258: Fixed DoS due to a malicious subkey in the keyring (bsc#1239119). Other bugfixes: - Do not install expired sks certificate (bsc#1243069). - gpg hangs when importing a key (bsc#1236931). 
The following package changes have been done: - gpg2-2.4.4-150600.3.9.1 updated - container:registry.suse.com-bci-bci-micro-15.7-41cc47eee6293a3d0e22a28860735271035596a7640eabad0930777dce1a528d-0 updated From sle-container-updates at lists.suse.com Thu Jul 10 07:29:57 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 09:29:57 +0200 (CEST) Subject: SUSE-CU-2025:5169-1: Security update of suse/kiosk/firefox-esr Message-ID: <20250710072957.3CDB2F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/firefox-esr ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5169-1 Container Tags : suse/kiosk/firefox-esr:128.12 , suse/kiosk/firefox-esr:128.12-62.9 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest Container Release : 62.9 Severity : important Type : security References : 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/kiosk/firefox-esr was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2260-1 Released: Wed Jul 9 19:04:24 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. 
(bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) The following package changes have been done: - libxml2-2-2.12.10-150700.4.3.1 updated - container:suse-sle15-15.7-5796b2ea9eb033483ca60e09f9a5a6445df5299e288d32559b320afb2adb50ae-0 updated - container:registry.suse.com-bci-bci-micro-15.7-41cc47eee6293a3d0e22a28860735271035596a7640eabad0930777dce1a528d-0 updated From sle-container-updates at lists.suse.com Thu Jul 10 07:30:04 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 09:30:04 +0200 (CEST) Subject: SUSE-CU-2025:5170-1: Security update of bci/kiwi Message-ID: <20250710073004.D66E6F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/kiwi ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5170-1 Container Tags : bci/kiwi:9 , bci/kiwi:9.24 , bci/kiwi:9.24.43 , bci/kiwi:9.24.43-16.25 , bci/kiwi:latest Container Release : 16.25 Severity : important Type : security References : 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container bci/kiwi was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2260-1 Released: Wed Jul 9 19:04:24 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. 
(bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) The following package changes have been done: - libxml2-tools-2.12.10-150700.4.3.1 updated - libxml2-devel-2.12.10-150700.4.3.1 updated From sle-container-updates at lists.suse.com Thu Jul 10 07:30:07 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 09:30:07 +0200 (CEST) Subject: SUSE-CU-2025:5171-1: Security update of bci/kiwi Message-ID: <20250710073007.4A375F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/kiwi ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5171-1 Container Tags : bci/kiwi:9 , bci/kiwi:9.24 , bci/kiwi:9.24.43 , bci/kiwi:9.24.43-16.27 , bci/kiwi:latest Container Release : 16.27 Severity : low Type : security References : 1236931 1239119 1239817 CVE-2025-30258 ----------------------------------------------------------------- The container bci/kiwi was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2259-1 Released: Wed Jul 9 17:18:02 2025 Summary: Recommended update for gpg2 Type: security Severity: low References: 1236931,1239119,1239817,CVE-2025-30258 This update for gpg2 fixes the following issues: - CVE-2025-30258: Fixed DoS due to a malicious subkey in the keyring (bsc#1239119). Other bugfixes: - Do not install expired sks certificate (bsc#1243069). - gpg hangs when importing a key (bsc#1236931). 
The following package changes have been done: - libxml2-2-2.12.10-150700.4.3.1 updated - gpg2-2.4.4-150600.3.9.1 updated - container:registry.suse.com-bci-bci-base-15.7-cfc2f2fd66efaa6058f3f88b16760a1de5ba1364b9bd73c61bea37a37a6fc8e6-0 updated From sle-container-updates at lists.suse.com Thu Jul 10 11:21:10 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 13:21:10 +0200 (CEST) Subject: SUSE-CU-2025:5171-1: Security update of bci/kiwi Message-ID: <20250710112110.69FFFFCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/kiwi ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5171-1 Container Tags : bci/kiwi:9 , bci/kiwi:9.24 , bci/kiwi:9.24.43 , bci/kiwi:9.24.43-16.27 , bci/kiwi:latest Container Release : 16.27 Severity : low Type : security References : 1236931 1239119 1239817 CVE-2025-30258 ----------------------------------------------------------------- The container bci/kiwi was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2259-1 Released: Wed Jul 9 17:18:02 2025 Summary: Recommended update for gpg2 Type: security Severity: low References: 1236931,1239119,1239817,CVE-2025-30258 This update for gpg2 fixes the following issues: - CVE-2025-30258: Fixed DoS due to a malicious subkey in the keyring (bsc#1239119). Other bugfixes: - Do not install expired sks certificate (bsc#1243069). - gpg hangs when importing a key (bsc#1236931). 
The following package changes have been done: - libxml2-2-2.12.10-150700.4.3.1 updated - gpg2-2.4.4-150600.3.9.1 updated - container:registry.suse.com-bci-bci-base-15.7-cfc2f2fd66efaa6058f3f88b16760a1de5ba1364b9bd73c61bea37a37a6fc8e6-0 updated From sle-container-updates at lists.suse.com Thu Jul 10 11:21:19 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 13:21:19 +0200 (CEST) Subject: SUSE-CU-2025:5172-1: Security update of suse/nginx Message-ID: <20250710112119.5F5D1FCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/nginx ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5172-1 Container Tags : suse/nginx:1.21 , suse/nginx:1.21-61.17 , suse/nginx:latest Container Release : 61.17 Severity : important Type : security References : 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/nginx was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2260-1 Released: Wed Jul 9 19:04:24 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. 
(bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) The following package changes have been done: - libxml2-2-2.12.10-150700.4.3.1 updated - container:registry.suse.com-bci-bci-base-15.7-cfc2f2fd66efaa6058f3f88b16760a1de5ba1364b9bd73c61bea37a37a6fc8e6-0 updated From sle-container-updates at lists.suse.com Thu Jul 10 11:22:01 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 13:22:01 +0200 (CEST) Subject: SUSE-CU-2025:5178-1: Security update of suse/pcp Message-ID: <20250710112201.59300FCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/pcp ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5178-1 Container Tags : suse/pcp:6 , suse/pcp:6.2 , suse/pcp:6.2.0 , suse/pcp:6.2.0-61.29 , suse/pcp:latest Container Release : 61.29 Severity : important Type : security References : 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/pcp was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2260-1 Released: Wed Jul 9 19:04:24 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. 
(bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) The following package changes have been done: - libxml2-2-2.12.10-150700.4.3.1 updated - container:bci-bci-init-15.7-65011d4b1debadb7814168b3a6c6e2e74f145b72381b09f031c7aa5f6a45356c-0 updated From sle-container-updates at lists.suse.com Thu Jul 10 11:22:06 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 13:22:06 +0200 (CEST) Subject: SUSE-CU-2025:5179-1: Security update of bci/php-apache Message-ID: <20250710112206.D0330FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/php-apache ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5179-1 Container Tags : bci/php-apache:8 , bci/php-apache:8.3.19 , bci/php-apache:8.3.19-10.20 , bci/php-apache:latest Container Release : 10.20 Severity : important Type : security References : 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container bci/php-apache was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2260-1 Released: Wed Jul 9 19:04:24 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. 
(bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) The following package changes have been done: - libxml2-2-2.12.10-150700.4.3.1 updated - container:registry.suse.com-bci-bci-base-15.7-cfc2f2fd66efaa6058f3f88b16760a1de5ba1364b9bd73c61bea37a37a6fc8e6-0 updated From sle-container-updates at lists.suse.com Thu Jul 10 11:22:12 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 13:22:12 +0200 (CEST) Subject: SUSE-CU-2025:5180-1: Security update of bci/php-fpm Message-ID: <20250710112212.7542BFCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/php-fpm ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5180-1 Container Tags : bci/php-fpm:8 , bci/php-fpm:8.3.19 , bci/php-fpm:8.3.19-10.20 , bci/php-fpm:latest Container Release : 10.20 Severity : important Type : security References : 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container bci/php-fpm was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2260-1 Released: Wed Jul 9 19:04:24 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. 
(bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) The following package changes have been done: - libxml2-2-2.12.10-150700.4.3.1 updated - container:registry.suse.com-bci-bci-base-15.7-cfc2f2fd66efaa6058f3f88b16760a1de5ba1364b9bd73c61bea37a37a6fc8e6-0 updated From sle-container-updates at lists.suse.com Thu Jul 10 11:22:17 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 13:22:17 +0200 (CEST) Subject: SUSE-CU-2025:5181-1: Security update of bci/php Message-ID: <20250710112217.EEC90FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/php ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5181-1 Container Tags : bci/php:8 , bci/php:8.3.19 , bci/php:8.3.19-10.19 , bci/php:latest Container Release : 10.19 Severity : important Type : security References : 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container bci/php was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2260-1 Released: Wed Jul 9 19:04:24 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. 
(bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) The following package changes have been done: - libxml2-2-2.12.10-150700.4.3.1 updated - container:registry.suse.com-bci-bci-base-15.7-cfc2f2fd66efaa6058f3f88b16760a1de5ba1364b9bd73c61bea37a37a6fc8e6-0 updated From sle-container-updates at lists.suse.com Thu Jul 10 11:22:23 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 13:22:23 +0200 (CEST) Subject: SUSE-CU-2025:5182-1: Security update of suse/postgres Message-ID: <20250710112223.3AE34FCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/postgres ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5182-1 Container Tags : suse/postgres:16 , suse/postgres:16.9 , suse/postgres:16.9 , suse/postgres:16.9-71.10 Container Release : 71.10 Severity : important Type : security References : 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/postgres was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2260-1 Released: Wed Jul 9 19:04:24 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) The following package changes have been done: - libxml2-2-2.12.10-150700.4.3.1 updated - container:suse-sle15-15.7-5796b2ea9eb033483ca60e09f9a5a6445df5299e288d32559b320afb2adb50ae-0 updated - container:registry.suse.com-bci-bci-micro-15.7-41cc47eee6293a3d0e22a28860735271035596a7640eabad0930777dce1a528d-0 updated From sle-container-updates at lists.suse.com Thu Jul 10 11:22:27 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 13:22:27 +0200 (CEST) Subject: SUSE-CU-2025:5183-1: Security update of suse/postgres Message-ID: <20250710112227.B8C0DFCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/postgres ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5183-1 Container Tags : suse/postgres:17 , suse/postgres:17.5 , suse/postgres:17.5 , suse/postgres:17.5-61.18 , suse/postgres:latest Container Release : 61.18 Severity : important Type : security References : 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 
CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/postgres was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2260-1 Released: Wed Jul 9 19:04:24 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. 
(bsc#1244590) The following package changes have been done: - libxml2-2-2.12.10-150700.4.3.1 updated - container:suse-sle15-15.7-5796b2ea9eb033483ca60e09f9a5a6445df5299e288d32559b320afb2adb50ae-0 updated - container:registry.suse.com-bci-bci-micro-15.7-41cc47eee6293a3d0e22a28860735271035596a7640eabad0930777dce1a528d-0 updated From sle-container-updates at lists.suse.com Thu Jul 10 11:22:32 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 13:22:32 +0200 (CEST) Subject: SUSE-CU-2025:5184-1: Security update of suse/kiosk/pulseaudio Message-ID: <20250710112232.6C93CFCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/pulseaudio ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5184-1 Container Tags : suse/kiosk/pulseaudio:17 , suse/kiosk/pulseaudio:17.0 , suse/kiosk/pulseaudio:17.0-61.18 , suse/kiosk/pulseaudio:latest Container Release : 61.18 Severity : important Type : security References : 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/kiosk/pulseaudio was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2260-1 Released: Wed Jul 9 19:04:24 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. 
(bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) The following package changes have been done: - libxml2-2-2.12.10-150700.4.3.1 updated - container:registry.suse.com-bci-bci-base-15.7-cfc2f2fd66efaa6058f3f88b16760a1de5ba1364b9bd73c61bea37a37a6fc8e6-0 updated From sle-container-updates at lists.suse.com Thu Jul 10 11:22:58 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 13:22:58 +0200 (CEST) Subject: SUSE-CU-2025:5188-1: Security update of suse/mariadb Message-ID: <20250710112258.19615FCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/mariadb ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5188-1 Container Tags : suse/mariadb:11.4 , suse/mariadb:11.4.5 , suse/mariadb:11.4.5-61.18 , suse/mariadb:latest Container Release : 61.18 Severity : important Type : security References : 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/mariadb was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2260-1 Released: Wed Jul 9 19:04:24 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. 
(bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) The following package changes have been done: - libxml2-2-2.12.10-150700.4.3.1 updated - container:suse-sle15-15.7-5796b2ea9eb033483ca60e09f9a5a6445df5299e288d32559b320afb2adb50ae-0 updated - container:registry.suse.com-bci-bci-micro-15.7-41cc47eee6293a3d0e22a28860735271035596a7640eabad0930777dce1a528d-0 updated From sle-container-updates at lists.suse.com Thu Jul 10 11:23:23 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 13:23:23 +0200 (CEST) Subject: SUSE-CU-2025:5193-1: Security update of suse/samba-client Message-ID: <20250710112323.38DB8FCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/samba-client ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5193-1 Container Tags : suse/samba-client:4.21 , suse/samba-client:4.21 , suse/samba-client:4.21-62.12 , suse/samba-client:latest Container Release : 62.12 Severity : important Type : security References : 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/samba-client was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2260-1 Released: Wed Jul 9 19:04:24 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) The following package changes have been done: - libxml2-2-2.12.10-150700.4.3.1 updated - container:suse-sle15-15.7-5796b2ea9eb033483ca60e09f9a5a6445df5299e288d32559b320afb2adb50ae-0 updated - container:registry.suse.com-bci-bci-micro-15.7-41cc47eee6293a3d0e22a28860735271035596a7640eabad0930777dce1a528d-0 updated From sle-container-updates at lists.suse.com Thu Jul 10 11:23:26 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 13:23:26 +0200 (CEST) Subject: SUSE-CU-2025:5194-1: Security update of suse/samba-server Message-ID: <20250710112326.B976BFCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/samba-server ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5194-1 Container Tags : suse/samba-server:4.21 , suse/samba-server:4.21 , suse/samba-server:4.21-62.12 , suse/samba-server:latest Container Release : 62.12 Severity : important Type : security References : 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 
CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/samba-server was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2260-1 Released: Wed Jul 9 19:04:24 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. 
(bsc#1244590) The following package changes have been done: - libxml2-2-2.12.10-150700.4.3.1 updated - container:registry.suse.com-bci-bci-micro-15.7-41cc47eee6293a3d0e22a28860735271035596a7640eabad0930777dce1a528d-0 updated From sle-container-updates at lists.suse.com Thu Jul 10 11:23:30 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 13:23:30 +0200 (CEST) Subject: SUSE-CU-2025:5195-1: Security update of suse/samba-toolbox Message-ID: <20250710112330.64D8AFCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/samba-toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5195-1 Container Tags : suse/samba-toolbox:4.21 , suse/samba-toolbox:4.21 , suse/samba-toolbox:4.21-62.12 , suse/samba-toolbox:latest Container Release : 62.12 Severity : important Type : security References : 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/samba-toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2260-1 Released: Wed Jul 9 19:04:24 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. 
(bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) The following package changes have been done: - libxml2-2-2.12.10-150700.4.3.1 updated - container:suse-sle15-15.7-5796b2ea9eb033483ca60e09f9a5a6445df5299e288d32559b320afb2adb50ae-0 updated - container:registry.suse.com-bci-bci-micro-15.7-41cc47eee6293a3d0e22a28860735271035596a7640eabad0930777dce1a528d-0 updated From sle-container-updates at lists.suse.com Thu Jul 10 11:23:37 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 13:23:37 +0200 (CEST) Subject: SUSE-CU-2025:5196-1: Security update of bci/bci-sle15-kernel-module-devel Message-ID: <20250710112337.4D86EFCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5196-1 Container Tags : bci/bci-sle15-kernel-module-devel:15.7 , bci/bci-sle15-kernel-module-devel:15.7-41.19 , bci/bci-sle15-kernel-module-devel:latest Container Release : 41.19 Severity : important Type : security References : 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container bci/bci-sle15-kernel-module-devel was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2260-1 Released: Wed Jul 9 19:04:24 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. 
(bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) The following package changes have been done: - libxml2-2-2.12.10-150700.4.3.1 updated - container:registry.suse.com-bci-bci-base-15.7-cfc2f2fd66efaa6058f3f88b16760a1de5ba1364b9bd73c61bea37a37a6fc8e6-0 updated From sle-container-updates at lists.suse.com Thu Jul 10 11:23:43 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 13:23:43 +0200 (CEST) Subject: SUSE-CU-2025:5197-1: Security update of suse/sle15 Message-ID: <20250710112343.91EB5FCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5197-1 Container Tags : bci/bci-base:15.7 , bci/bci-base:15.7-5.8.12 , bci/bci-base:latest , suse/sle15:15.7 , suse/sle15:15.7-5.8.12 , suse/sle15:latest Container Release : 5.8.12 Severity : important Type : security References : 1236931 1239119 1239817 1244554 1244555 1244557 1244590 1244700 CVE-2025-30258 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/sle15 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2259-1 Released: Wed Jul 9 17:18:02 2025 Summary: Recommended update for gpg2 Type: security Severity: low References: 1236931,1239119,1239817,CVE-2025-30258 This update for gpg2 fixes the following issues: - CVE-2025-30258: Fixed DoS due to a malicious subkey in the keyring (bsc#1239119). Other bugfixes: - Do not install expired sks certificate (bsc#1243069). - gpg hangs when importing a key (bsc#1236931). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2260-1 Released: Wed Jul 9 19:04:24 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. 
(bsc#1244590) The following package changes have been done: - gpg2-2.4.4-150600.3.9.1 updated - libxml2-2-2.12.10-150700.4.3.1 updated From sle-container-updates at lists.suse.com Thu Jul 10 11:23:52 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 13:23:52 +0200 (CEST) Subject: SUSE-CU-2025:5198-1: Security update of bci/spack Message-ID: <20250710112352.02916FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/spack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5198-1 Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-13.20 , bci/spack:latest Container Release : 13.20 Severity : important Type : security References : 1236931 1239119 1239817 1244554 1244555 1244557 1244590 1244700 CVE-2025-30258 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container bci/spack was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2259-1 Released: Wed Jul 9 17:18:02 2025 Summary: Recommended update for gpg2 Type: security Severity: low References: 1236931,1239119,1239817,CVE-2025-30258 This update for gpg2 fixes the following issues: - CVE-2025-30258: Fixed DoS due to a malicious subkey in the keyring (bsc#1239119). Other bugfixes: - Do not install expired sks certificate (bsc#1243069). - gpg hangs when importing a key (bsc#1236931). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2260-1 Released: Wed Jul 9 19:04:24 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) The following package changes have been done: - libxml2-2-2.12.10-150700.4.3.1 updated - gpg2-2.4.4-150600.3.9.1 updated - container:registry.suse.com-bci-bci-base-15.7-cfc2f2fd66efaa6058f3f88b16760a1de5ba1364b9bd73c61bea37a37a6fc8e6-0 updated From sle-container-updates at lists.suse.com Thu Jul 10 11:23:55 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 10 Jul 2025 13:23:55 +0200 (CEST) Subject: SUSE-CU-2025:5199-1: Security update of suse/kiosk/xorg Message-ID: <20250710112355.2E841FCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/xorg ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5199-1 Container Tags : suse/kiosk/xorg:21 , suse/kiosk/xorg:21.1 , suse/kiosk/xorg:21.1-63.8 , suse/kiosk/xorg:latest , suse/kiosk/xorg:notaskbar Container Release : 63.8 Severity : important Type : security References : 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 
----------------------------------------------------------------- The container suse/kiosk/xorg was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2260-1 Released: Wed Jul 9 19:04:24 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. 
(bsc#1244590) The following package changes have been done: - libxml2-2-2.12.10-150700.4.3.1 updated - container:suse-sle15-15.7-5796b2ea9eb033483ca60e09f9a5a6445df5299e288d32559b320afb2adb50ae-0 updated - container:registry.suse.com-bci-bci-micro-15.7-41cc47eee6293a3d0e22a28860735271035596a7640eabad0930777dce1a528d-0 updated From sle-container-updates at lists.suse.com Fri Jul 11 07:04:09 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 11 Jul 2025 09:04:09 +0200 (CEST) Subject: SUSE-IU-2025:1849-1: Security update of suse/sle-micro/base-5.5 Message-ID: <20250711070409.A87D5FCF8@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/base-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1849-1 Image Tags : suse/sle-micro/base-5.5:2.0.4 , suse/sle-micro/base-5.5:2.0.4-5.8.183 , suse/sle-micro/base-5.5:latest Image Release : 5.8.183 Severity : important Type : security
----------------------------------------------------------------- The container suse/sle-micro/base-5.5 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2264-1
Released: Thu Jul 10 10:25:37 2025
Summary: Security update for the Linux Kernel
Type: security
Severity: important

The SUSE Linux Enterprise 15 SP5 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

- CVE-2021-47557: net/sched: sch_ets: do not peek at classes beyond 'nbands' (bsc#1207361 bsc#1225468).
- CVE-2021-47595: net/sched: sch_ets: do not remove idle classes from the round-robin list (bsc#1207361 bsc#1226552).
- CVE-2023-52924: netfilter: nf_tables: do not skip expired elements during walk (bsc#1236821).
- CVE-2023-52925: netfilter: nf_tables: do not fail inserts if duplicate has expired (bsc#1236822).
- CVE-2024-26808: netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain (bsc#1222634).
- CVE-2024-26924: scsi: lpfc: Release hbalock before calling lpfc_worker_wake_up() (bsc#1225820).
- CVE-2024-27397: kabi: place tstamp needed for nftables set in a hole (bsc#1224095).
- CVE-2024-36978: net: sched: sch_multiq: fix possible OOB write in multiq_tune() (bsc#1226514).
- CVE-2024-46800: sch/netem: fix use after free in netem_dequeue (bsc#1230827).
- CVE-2024-53125: bpf: sync_linked_regs() must preserve subreg_def (bsc#1234156).
- CVE-2024-53141: netfilter: ipset: add missing range check in bitmap_ip_uadt (bsc#1234381).
- CVE-2024-53197: ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices (bsc#1235464).
- CVE-2024-56770: sch/netem: fix use after free in netem_dequeue (bsc#1235637).
- CVE-2025-21700: net: sched: Disallow replacing of child qdisc from one parent to another (bsc#1237159).
- CVE-2025-21702: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (bsc#1237312).
- CVE-2025-21703: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() (bsc#1237313).
- CVE-2025-21756: vsock: Orphan socket after transport release (bsc#1238876).
- CVE-2025-23141: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses (bsc#1242782).
- CVE-2025-37752: net_sched: sch_sfq: move the limit validation (bsc#1242504).
- CVE-2025-37823: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too (bsc#1242924).
- CVE-2025-37890: net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc (bsc#1243330).
- CVE-2025-37997: netfilter: ipset: fix region locking in hash types (bsc#1243832).
- CVE-2025-38000: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (bsc#1244277).
- CVE-2025-38001: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice (bsc#1244234).
- CVE-2025-38014: dmaengine: idxd: Refactor remove call with idxd_cleanup() helper (bsc#1244732).
- CVE-2025-38060: bpf: abort verification if env->cur_state->loop_entry != NULL (bsc#1245155).
- CVE-2025-38083: net_sched: prio: fix a race in prio_tune() (bsc#1245183).

The following non-security bugs were fixed:

- ALSA: usb-audio: Fix a DMA to stack memory bug (git-fixes).
- Fix reference in 'net_sched: sch_sfq: use a temporary work area for validating configuration' (bsc#1242504)
- MyBS: Correctly generate build flags for non-multibuild package limit (bsc#1244241)
  Fixes: 0999112774fc ('MyBS: Use buildflags to set which package to build')
- MyBS: Do not build kernel-obs-qa with limit_packages
  Fixes: 58e3f8c34b2b ('bs-upload-kernel: Pass limit_packages also on multibuild')
- MyBS: Simplify qa_expr generation
  Start with a 0 which makes the expression valid even if there are no QA repositories (currently does not happen). Then separator is always needed.
- bs-upload-kernel: Pass limit_packages also on multibuild
  Fixes: 0999112774fc ('MyBS: Use buildflags to set which package to build')
  Fixes: 747f601d4156 ('bs-upload-kernel, MyBS, Buildresults: Support multibuild (JSC-SLE#5501, boo#1211226, bsc#1218184)')
- hugetlb: unshare some PMDs when splitting VMAs (bsc#1245431).
- kernel-source: Do not use multiple -r in sed parameters
- kernel-source: Remove log.sh from sources
- mkspec: Exclude rt flavor from kernel-syms dependencies (bsc#1244337).
- mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race (bsc#1245431).
- mm/hugetlb: unshare page tables during VMA split, not before (bsc#1245431).
- net_sched: sch_fifo: implement lockless __fifo_dump() (bsc#1237312)
- net_sched: sch_sfq: use a temporary work area for validating configuration (bsc#1232504)
- ovl: fix use inode directly in rcu-walk mode (bsc#1241900).
- powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap (bsc#1244309 ltc#213790).
- powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() (bsc#1244309 ltc#213790).
- scsi: storvsc: Do not report the host packet status as the hv status (git-fixes).
- scsi: storvsc: Increase the timeouts to storvsc_timeout (bsc#1245455).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2274-1
Released: Thu Jul 10 14:35:40 2025
Summary: Recommended update for mozilla-nspr, mozilla-nss
Type: recommended
Severity: moderate
References: 1081723,1224113

This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to NSS 3.112:

* Fix alias for mac workers on try
* ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault
* ABI/API break in ssl certificate processing
* remove unnecessary assertion in sec_asn1d_init_state_based_on_template
* bmo#1965754 Update taskgraph to v14.2.1
* Workflow for automation of the release on GitHub when pushing a tag
* fix faulty assertions in SEC_ASN1DecoderUpdate
* Renegotiations should use a fresh ECH GREASE buffer
* bmo#1951396 Update taskgraph to v14.1.1
* Partial fix for ACVP build CI job
* Initialize find in sftk_searchDatabase
* Add clang-18 to extra builds
* Fault tolerant git fetch for fuzzing
* Tolerate intermittent failures in ssl_policy_pkix_ocsp
* fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set
* fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls
* Remove Cryptofuzz CI version check

Update to NSS 3.111:

* FIPS changes need to be upstreamed: force ems policy
* Turn off Websites Trust Bit from CAs
* Update nssckbi version following April 2025 Batch of Changes
* Disable SMIME "trust bit" for GoDaddy CAs
* Replaced deprecated sprintf function with snprintf in dbtool.c
* Need to update NSS for PKCS 3.1
* avoid leaking localCert if it is already set in ssl3_FillInCachedSID
* Decrease ASAN quarantine size for Cryptofuzz in CI
* selfserv: Add support for zlib certificate compression

Update to NSS 3.110:

* FIPS changes need to be upstreamed: force ems policy
* Prevent excess allocations in sslBuffer_Grow
* Remove Crl templates from ASN1 fuzz target
* Remove CERT_CrlTemplate from ASN1 fuzz target
* Fix memory leak in NSS_CMSMessage_IsSigned
* NSS policy updates
* Improve locking in nssPKIObject_GetInstances
* Fix race in sdb_GetMetaData
* Fix member access within null pointer
* Increase smime fuzzer memory limit
* Enable resumption when using custom extensions
* change CN of server12 test certificate
* Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle
* Part 1: Fix smime UBSan errors
* FIPS changes need to be upstreamed: updated key checks
* Don't build libpkix in static builds
* handle `-p all` in try syntax
* fix opt-make builds to actually be opt
* fix opt-static builds to actually be opt
* Remove extraneous assert

Update to NSS 3.109:

* Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available
* NSS policy updates - fix inaccurate key policy issues
* SMIME fuzz target
* ASN1 decoder fuzz target
* Part 2: Revert "Extract testcases from ssl gtests for fuzzing"
* Add fuzz/README.md
* Part 4: Fix tstclnt arguments script
* Extend pkcs7 fuzz target
* Extend certDN fuzz target
* revert changes to HACL* files from bug 1866841
* Part 3: Package frida corpus script

Update to NSS 3.108:

* libclang-16 -> libclang-19
* Turn off Secure Email Trust Bit for Security Communication ECC RootCA1
* Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2
* Remove SwissSign Silver CA - G2
* Add D-Trust 2023 TLS Roots to NSS
* fix fips test failure on windows
* change default sensitivity of KEM keys
* Part 1: Introduce frida hooks and script
* add missing arm_neon.h include to gcm.c
* ci: update windows workers to win2022
* strip trailing carriage returns in tools tests
* work around unix/windows path translation issues in cert test script
* ci: let the windows setup script work without $m
* detect msys
* add a specialized CTR_Update variant for AES-GCM
* NSS policy updates
* FIPS changes need to be upstreamed: FIPS 140-3 RNG
* FIPS changes need to be upstreamed: Add SafeZero
* FIPS changes need to be upstreamed Updated POST
* Segmentation fault in SECITEM_Hash during pkcs12 processing
* Extending NSS with LoadModuleFromFunction functionality
* Ensure zero-initialization of collectArgs.cert
* pkcs7 fuzz target use CERT_DestroyCertificate
* Fix actual underlying ODR violations issue
* mozilla::pkix: allow reference ID labels to begin and/or end with hyphens
* don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set
* Fix memory leak in pkcs7 fuzz target
* Set -O2 for ASan builds in CI
* Change branch of tlsfuzzer dependency
* Run tests in CI for ASan builds with detect_odr_violation=1
* Fix coverage failure in CI
* Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch
* Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround
* Part 3: Restructure fuzz/
* Extract testcases from ssl gtests for fuzzing
* Force Cryptofuzz to use NSS in CI
* Fix Cryptofuzz on 32 bit in CI
* Update Cryptofuzz repository link
* fix build error from 9505f79d
* simplify error handling in get_token_objects_for_cache
* nss doc: fix a warning
* pkcs12 fixes from RHEL need to be picked up

Update to NSS 3.107:

* Remove MPI fuzz targets.
* Remove globals `lockStatus` and `locksEverDisabled`.
* Enable PKCS8 fuzz target.
* Integrate Cryptofuzz in CI.
* Part 2: Set tls server target socket options in config class
* Part 1: Set tls client target socket options in config class
* Support building with thread sanitizer.
* set nssckbi version number to 2.72.
* remove Websites Trust Bit from Entrust Root Certification Authority - G4.
* remove Security Communication RootCA3 root cert.
* remove SecureSign RootCA11 root cert.
* Add distrust-after for TLS to Entrust Roots.
* bmo#1927096 Update expected error code in pk12util pbmac1 tests.
* Use random tstclnt args with handshake collection script
* Remove extraneous assert in ssl3gthr.c.
* Adding missing release notes for NSS_3_105.
* Enable the disabled mlkem tests for dtls.
* NSS gtests filter cleans up the constructed buffer before the use.
* Make ssl_SetDefaultsFromEnvironment thread-safe.
* Remove short circuit test from ssl_Init.

Update to NSS 3.106:

* NSS 3.106 should be distributed with NSPR 4.36.
* pk12util: improve error handling in p12U_ReadPKCS12File.
* Correctly destroy bulkkey in error scenario.
* PKCS7 fuzz target, r=djackson,nss-reviewers.
* Extract certificates with handshake collection script.
* Specify len_control for fuzz targets.
* Fix memory leak in dumpCertificatePEM.
* Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo.
* add new error codes to mozilla::pkix for Firefox to use.
* allow null phKey in NSC_DeriveKey.
* Only create seed corpus zip from existing corpus.
* Use explicit allowlist for KDF PRFS.
* Increase optimization level for fuzz builds.
* Remove incorrect assert.
* Use libFuzzer options from fuzz/options/\*.options in CI.
* Polish corpus collection for automation.
* Detect new and unfuzzed SSL options.
* PKCS12 fuzzing target.

Update to NSS 3.105:

* Allow importing PKCS#8 private EC keys missing public key
* UBSAN fix: applying zero offset to null pointer in sslsnce.c
* set KRML_MUSTINLINE=inline in makefile builds
* Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys
* override default definition of KRML_MUSTINLINE
* libssl support for mlkem768x25519
* support for ML-KEM-768 in softoken and pk11wrap
* Add Libcrux implementation of ML-KEM 768 to FreeBL
* Avoid misuse of ctype(3) functions
* part 2: run clang-format
* part 1: upgrade to clang-format 13
* clang-format fuzz
* DTLS client message buffer may not be empty on retransmit
* Optionally print config for TLS client and server fuzz target
* Fix some simple documentation issues in NSS.
* improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr
* define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN

Update to NSS 3.104:

* Copy original corpus to heap-allocated buffer
* Fix min ssl version for DTLS client fuzzer
* Remove OS2 support just like we did on NSPR
* clang-format NSS improvements
* Adding basicutil.h to use HexString2SECItem function
* removing dirent.c from build
* Allow handing in keymaterial to shlibsign to make the output reproducible
* remove nec4.3, sunos4, riscos and SNI references
* remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix)
* remove mentions of WIN95
* remove mentions of WIN16
* More explicit directory naming
* Add more options to TLS server fuzz target
* Add more options to TLS client fuzz target
* Use OSS-Fuzz corpus in NSS CI
* set nssckbi version number to 2.70.
* Remove Email Trust bit from ACCVRAIZ1 root cert.
* Remove Email Trust bit from certSIGN ROOT CA.
* Add Cybertrust Japan Roots to NSS.
* Add Taiwan CA Roots to NSS.
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber
* Fix tstclnt CI build failure
* vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow
* Enable all supported protocol versions for UDP
* Actually use random PSK hash type
* Initialize NSS DB once
* Additional ECH cipher suites and PSK hash types
* Automate corpus file generation for TLS client Fuzzer
* Fix crash with UNSAFE_FUZZER_MODE
* clang-format shlibsign.c

Update to NSS 3.103:

* move list size check after lock acquisition in sftk_PutObjectToList.
* Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH,
* Adjust libFuzzer size limits
* Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk
* Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION

- Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files)
- FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).

Update to NSS 3.102.1:

* ChaChaXor to return after the function

Update to NSS 3.102:

* Add Valgrind annotations to freebl Chacha20-Poly1305.
* missing sqlite header.
* GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
* improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling.
* correct length of raw SPKI data before printing in pp utility.

- Make NSS-build reproducible. Use key from openssl (bsc#1081723)
- Exclude the SHA-1 hash from SLI approval.

mozilla-nspr was updated to version 4.36:

* renamed the prwin16.h header to prwin.h
* various build, test and automation script fixes
* major parts of the source code were reformatted

The following package changes have been done:

- kernel-default-5.14.21-150500.55.113.1 updated
- mozilla-nspr-4.36-150000.3.32.1 updated

From sle-container-updates at lists.suse.com Fri Jul 11 07:04:10 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 11 Jul 2025 09:04:10 +0200 (CEST)
Subject: SUSE-IU-2025:1850-1: Security update of suse/sle-micro/base-5.5
Message-ID: <20250711070410.5F2BAFCF8@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/base-5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1850-1
Image Tags : suse/sle-micro/base-5.5:2.0.4 , suse/sle-micro/base-5.5:2.0.4-5.8.184 , suse/sle-micro/base-5.5:latest
Image Release : 5.8.184
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container suse/sle-micro/base-5.5 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2278-1
Released: Thu Jul 10 18:02:28 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-5372: Fixed ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150400.3.9.1 updated
- libssh4-0.9.8-150400.3.9.1 updated

From sle-container-updates at lists.suse.com Fri Jul 11 07:04:52 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 11 Jul 2025 09:04:52 +0200 (CEST)
Subject: SUSE-IU-2025:1851-1: Security update of suse/sle-micro/kvm-5.5
Message-ID: <20250711070452.3728CFCF8@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/kvm-5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1851-1
Image Tags : suse/sle-micro/kvm-5.5:2.0.4 , suse/sle-micro/kvm-5.5:2.0.4-3.5.350 , suse/sle-micro/kvm-5.5:latest
Image Release : 3.5.350
Severity : important
Type : security
-----------------------------------------------------------------

The container suse/sle-micro/kvm-5.5 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2264-1
Released: Thu Jul 10 10:25:37 2025
Summary: Security update for the Linux Kernel
Type: security
Severity: important

The SUSE Linux Enterprise 15 SP5 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

- CVE-2021-47557: net/sched: sch_ets: do not peek at classes beyond 'nbands' (bsc#1207361 bsc#1225468).
- CVE-2021-47595: net/sched: sch_ets: do not remove idle classes from the round-robin list (bsc#1207361 bsc#1226552).
- CVE-2023-52924: netfilter: nf_tables: do not skip expired elements during walk (bsc#1236821).
- CVE-2023-52925: netfilter: nf_tables: do not fail inserts if duplicate has expired (bsc#1236822).
- CVE-2024-26808: netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain (bsc#1222634).
- CVE-2024-26924: scsi: lpfc: Release hbalock before calling lpfc_worker_wake_up() (bsc#1225820).
- CVE-2024-27397: kabi: place tstamp needed for nftables set in a hole (bsc#1224095).
- CVE-2024-36978: net: sched: sch_multiq: fix possible OOB write in multiq_tune() (bsc#1226514).
- CVE-2024-46800: sch/netem: fix use after free in netem_dequeue (bsc#1230827).
- CVE-2024-53125: bpf: sync_linked_regs() must preserve subreg_def (bsc#1234156).
- CVE-2024-53141: netfilter: ipset: add missing range check in bitmap_ip_uadt (bsc#1234381).
- CVE-2024-53197: ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices (bsc#1235464).
- CVE-2024-56770: sch/netem: fix use after free in netem_dequeue (bsc#1235637).
- CVE-2025-21700: net: sched: Disallow replacing of child qdisc from one parent to another (bsc#1237159).
- CVE-2025-21702: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (bsc#1237312).
- CVE-2025-21703: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() (bsc#1237313).
- CVE-2025-21756: vsock: Orphan socket after transport release (bsc#1238876).
- CVE-2025-23141: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses (bsc#1242782).
- CVE-2025-37752: net_sched: sch_sfq: move the limit validation (bsc#1242504).
- CVE-2025-37823: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too (bsc#1242924).
- CVE-2025-37890: net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc (bsc#1243330).
- CVE-2025-37997: netfilter: ipset: fix region locking in hash types (bsc#1243832).
- CVE-2025-38000: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (bsc#1244277).
- CVE-2025-38001: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice (bsc#1244234).
- CVE-2025-38014: dmaengine: idxd: Refactor remove call with idxd_cleanup() helper (bsc#1244732).
- CVE-2025-38060: bpf: abort verification if env->cur_state->loop_entry != NULL (bsc#1245155).
- CVE-2025-38083: net_sched: prio: fix a race in prio_tune() (bsc#1245183).
The following non-security bugs were fixed:

- ALSA: usb-audio: Fix a DMA to stack memory bug (git-fixes).
- Fix reference in 'net_sched: sch_sfq: use a temporary work area for validating configuration' (bsc#1242504)
- MyBS: Correctly generate build flags for non-multibuild package limit (bsc#1244241)
  Fixes: 0999112774fc ('MyBS: Use buildflags to set which package to build')
- MyBS: Do not build kernel-obs-qa with limit_packages
  Fixes: 58e3f8c34b2b ('bs-upload-kernel: Pass limit_packages also on multibuild')
- MyBS: Simplify qa_expr generation
  Start with a 0 which makes the expression valid even if there are no QA repositories (currently does not happen). Then separator is always needed.
- bs-upload-kernel: Pass limit_packages also on multibuild
  Fixes: 0999112774fc ('MyBS: Use buildflags to set which package to build')
  Fixes: 747f601d4156 ('bs-upload-kernel, MyBS, Buildresults: Support multibuild (JSC-SLE#5501, boo#1211226, bsc#1218184)')
- hugetlb: unshare some PMDs when splitting VMAs (bsc#1245431).
- kernel-source: Do not use multiple -r in sed parameters
- kernel-source: Remove log.sh from sources
- mkspec: Exclude rt flavor from kernel-syms dependencies (bsc#1244337).
- mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race (bsc#1245431).
- mm/hugetlb: unshare page tables during VMA split, not before (bsc#1245431).
- net_sched: sch_fifo: implement lockless __fifo_dump() (bsc#1237312)
- net_sched: sch_sfq: use a temporary work area for validating configuration (bsc#1232504)
- ovl: fix use inode directly in rcu-walk mode (bsc#1241900).
- powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap (bsc#1244309 ltc#213790).
- powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() (bsc#1244309 ltc#213790).
- scsi: storvsc: Do not report the host packet status as the hv status (git-fixes).
- scsi: storvsc: Increase the timeouts to storvsc_timeout (bsc#1245455).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2274-1
Released: Thu Jul 10 14:35:40 2025
Summary: Recommended update for mozilla-nspr, mozilla-nss
Type: recommended
Severity: moderate
References: 1081723,1224113

This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to NSS 3.112:

* Fix alias for mac workers on try
* ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault
* ABI/API break in ssl certificate processing
* remove unnecessary assertion in sec_asn1d_init_state_based_on_template
* bmo#1965754 Update taskgraph to v14.2.1
* Workflow for automation of the release on GitHub when pushing a tag
* fix faulty assertions in SEC_ASN1DecoderUpdate
* Renegotiations should use a fresh ECH GREASE buffer
* bmo#1951396 Update taskgraph to v14.1.1
* Partial fix for ACVP build CI job
* Initialize find in sftk_searchDatabase
* Add clang-18 to extra builds
* Fault tolerant git fetch for fuzzing
* Tolerate intermittent failures in ssl_policy_pkix_ocsp
* fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set
* fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls
* Remove Cryptofuzz CI version check

Update to NSS 3.111:

* FIPS changes need to be upstreamed: force ems policy
* Turn off Websites Trust Bit from CAs
* Update nssckbi version following April 2025 Batch of Changes
* Disable SMIME 'trust bit' for GoDaddy CAs
* Replaced deprecated sprintf function with snprintf in dbtool.c
* Need up update NSS for PKCS 3.1
* avoid leaking localCert if it is already set in ssl3_FillInCachedSID
* Decrease ASAN quarantine size for Cryptofuzz in CI
* selfserv: Add support for zlib certificate compression

Update to NSS 3.110:

* FIPS changes need to be upstreamed: force ems policy
* Prevent excess allocations in sslBuffer_Grow
* Remove Crl templates from ASN1 fuzz target
* Remove CERT_CrlTemplate from ASN1 fuzz target
* Fix memory leak in NSS_CMSMessage_IsSigned
* NSS policy updates
* Improve locking in nssPKIObject_GetInstances
* Fix race in sdb_GetMetaData
* Fix member access within null pointer
* Increase smime fuzzer memory limit
* Enable resumption when using custom extensions
* change CN of server12 test certificate
* Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle
* Part 1: Fix smime UBSan errors
* FIPS changes need to be upstreamed: updated key checks
* Don't build libpkix in static builds
* handle `-p all` in try syntax
* fix opt-make builds to actually be opt
* fix opt-static builds to actually be opt
* Remove extraneous assert

Update to NSS 3.109:

* Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available
* NSS policy updates - fix inaccurate key policy issues
* SMIME fuzz target
* ASN1 decoder fuzz target
* Part 2: Revert "Extract testcases from ssl gtests for fuzzing"
* Add fuzz/README.md
* Part 4: Fix tstclnt arguments script
* Extend pkcs7 fuzz target
* Extend certDN fuzz target
* revert changes to HACL* files from bug 1866841
* Part 3: Package frida corpus script

Update to NSS 3.108:

* libclang-16 -> libclang-19
* Turn off Secure Email Trust Bit for Security Communication ECC RootCA1
* Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2
* Remove SwissSign Silver CA - G2
* Add D-Trust 2023 TLS Roots to NSS
* fix fips test failure on windows
* change default sensitivity of KEM keys
* Part 1: Introduce frida hooks and script
* add missing arm_neon.h include to gcm.c
* ci: update windows workers to win2022
* strip trailing carriage returns in tools tests
* work around unix/windows path translation issues in cert test script
* ci: let the windows setup script work without $m
* detect msys
* add a specialized CTR_Update variant for AES-GCM
* NSS policy updates
* FIPS changes need to be upstreamed: FIPS 140-3 RNG
* FIPS changes need to be upstreamed: Add SafeZero
* FIPS changes need to be upstreamed Updated POST
* Segmentation fault in SECITEM_Hash during pkcs12 processing
* Extending NSS with LoadModuleFromFunction functionality
* Ensure zero-initialization of collectArgs.cert
* pkcs7 fuzz target use CERT_DestroyCertificate
* Fix actual underlying ODR violations issue
* mozilla::pkix: allow reference ID labels to begin and/or end with hyphens
* don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set
* Fix memory leak in pkcs7 fuzz target
* Set -O2 for ASan builds in CI
* Change branch of tlsfuzzer dependency
* Run tests in CI for ASan builds with detect_odr_violation=1
* Fix coverage failure in CI
* Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch
* Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround
* Part 3: Restructure fuzz/
* Extract testcases from ssl gtests for fuzzing
* Force Cryptofuzz to use NSS in CI
* Fix Cryptofuzz on 32 bit in CI
* Update Cryptofuzz repository link
* fix build error from 9505f79d
* simplify error handling in get_token_objects_for_cache
* nss doc: fix a warning
* pkcs12 fixes from RHEL need to be picked up

Update to NSS 3.107:

* Remove MPI fuzz targets.
* Remove globals `lockStatus` and `locksEverDisabled`.
* Enable PKCS8 fuzz target.
* Integrate Cryptofuzz in CI.
* Part 2: Set tls server target socket options in config class
* Part 1: Set tls client target socket options in config class
* Support building with thread sanitizer.
* set nssckbi version number to 2.72.
* remove Websites Trust Bit from Entrust Root Certification Authority - G4.
* remove Security Communication RootCA3 root cert.
* remove SecureSign RootCA11 root cert.
* Add distrust-after for TLS to Entrust Roots.
* bmo#1927096 Update expected error code in pk12util pbmac1 tests.
* Use random tstclnt args with handshake collection script
* Remove extraneous assert in ssl3gthr.c.
* Adding missing release notes for NSS_3_105.
* Enable the disabled mlkem tests for dtls.
* NSS gtests filter cleans up the constucted buffer before the use.
* Make ssl_SetDefaultsFromEnvironment thread-safe.
* Remove short circuit test from ssl_Init.

Update to NSS 3.106:

* NSS 3.106 should be distributed with NSPR 4.36.
* pk12util: improve error handling in p12U_ReadPKCS12File.
* Correctly destroy bulkkey in error scenario.
* PKCS7 fuzz target, r=djackson,nss-reviewers.
* Extract certificates with handshake collection script.
* Specify len_control for fuzz targets.
* Fix memory leak in dumpCertificatePEM.
* Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo.
* add new error codes to mozilla::pkix for Firefox to use.
* allow null phKey in NSC_DeriveKey.
* Only create seed corpus zip from existing corpus.
* Use explicit allowlist for for KDF PRFS.
* Increase optimization level for fuzz builds.
* Remove incorrect assert.
* Use libFuzzer options from fuzz/options/\*.options in CI.
* Polish corpus collection for automation.
* Detect new and unfuzzed SSL options.
* PKCS12 fuzzing target.

Update to NSS 3.105:

* Allow importing PKCS#8 private EC keys missing public key
* UBSAN fix: applying zero offset to null pointer in sslsnce.c
* set KRML_MUSTINLINE=inline in makefile builds
* Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys
* override default definition of KRML_MUSTINLINE
* libssl support for mlkem768x25519
* support for ML-KEM-768 in softoken and pk11wrap
* Add Libcrux implementation of ML-KEM 768 to FreeBL
* Avoid misuse of ctype(3) functions
* part 2: run clang-format
* part 1: upgrade to clang-format 13
* clang-format fuzz
* DTLS client message buffer may not empty be on retransmit
* Optionally print config for TLS client and server fuzz target
* Fix some simple documentation issues in NSS.
* improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr
* define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN

Update to NSS 3.104:

* Copy original corpus to heap-allocated buffer
* Fix min ssl version for DTLS client fuzzer
* Remove OS2 support just like we did on NSPR
* clang-format NSS improvements
* Adding basicutil.h to use HexString2SECItem function
* removing dirent.c from build
* Allow handing in keymaterial to shlibsign to make the output reproducible
* remove nec4.3, sunos4, riscos and SNI references
* remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix
* remove mentions of WIN95
* remove mentions of WIN16
* More explicit directory naming
* Add more options to TLS server fuzz target
* Add more options to TLS client fuzz target
* Use OSS-Fuzz corpus in NSS CI
* set nssckbi version number to 2.70.
* Remove Email Trust bit from ACCVRAIZ1 root cert.
* Remove Email Trust bit from certSIGN ROOT CA.
* Add Cybertrust Japan Roots to NSS.
* Add Taiwan CA Roots to NSS.
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber
* Fix tstclnt CI build failure
* vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow
* Enable all supported protocol versions for UDP
* Actually use random PSK hash type
* Initialize NSS DB once
* Additional ECH cipher suites and PSK hash types
* Automate corpus file generation for TLS client Fuzzer
* Fix crash with UNSAFE_FUZZER_MODE
* clang-format shlibsign.c

Update to NSS 3.103:

* move list size check after lock acquisition in sftk_PutObjectToList.
* Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH,
* Adjust libFuzzer size limits
* Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk
* Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION

- Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files)
- FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).

Update to NSS 3.102.1:

* ChaChaXor to return after the function

Update to NSS 3.102:

* Add Valgrind annotations to freebl Chacha20-Poly1305.
* missing sqlite header.
* GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
* improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling.
* correct length of raw SPKI data before printing in pp utility.

- Make NSS-build reproducible. Use key from openssl (bsc#1081723)
- Exclude the SHA-1 hash from SLI approval.
mozilla-nspr was updated to version 4.36:

* renamed the prwin16.h header to prwin.h
* various build, test and automation script fixes
* major parts of the source code were reformatted

The following package changes have been done:

- kernel-default-base-5.14.21-150500.55.113.1.150500.6.53.1 updated
- mozilla-nspr-4.36-150000.3.32.1 updated
- container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.183 updated

From sle-container-updates at lists.suse.com Fri Jul 11 07:04:52 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 11 Jul 2025 09:04:52 +0200 (CEST)
Subject: SUSE-IU-2025:1852-1: Security update of suse/sle-micro/kvm-5.5
Message-ID: <20250711070452.EF0C4FCF8@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/kvm-5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1852-1
Image Tags : suse/sle-micro/kvm-5.5:2.0.4 , suse/sle-micro/kvm-5.5:2.0.4-3.5.352 , suse/sle-micro/kvm-5.5:latest
Image Release : 3.5.352
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container suse/sle-micro/kvm-5.5 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2278-1
Released: Thu Jul 10 18:02:28 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-5372: Fixed ssh_kdf() returns a success code on certain failures (bsc#1245314).

The following package changes have been done:

- libssh-config-0.9.8-150400.3.9.1 updated
- libssh4-0.9.8-150400.3.9.1 updated
- container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.184 updated

From sle-container-updates at lists.suse.com Fri Jul 11 07:06:07 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 11 Jul 2025 09:06:07 +0200 (CEST)
Subject: SUSE-IU-2025:1853-1: Recommended update of suse/sle-micro/rt-5.5
Message-ID: <20250711070607.D1D9CFCF8@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/rt-5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1853-1
Image Tags : suse/sle-micro/rt-5.5:2.0.4 , suse/sle-micro/rt-5.5:2.0.4-4.5.424 , suse/sle-micro/rt-5.5:latest
Image Release : 4.5.424
Severity : moderate
Type : recommended
References : 1081723 1224113
-----------------------------------------------------------------

The container suse/sle-micro/rt-5.5 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2274-1
Released: Thu Jul 10 14:35:40 2025
Summary: Recommended update for mozilla-nspr, mozilla-nss
Type: recommended
Severity: moderate
References: 1081723,1224113

This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to NSS 3.112:

* Fix alias for mac workers on try
* ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault
* ABI/API break in ssl certificate processing
* remove unnecessary assertion in sec_asn1d_init_state_based_on_template
* bmo#1965754 Update taskgraph to v14.2.1
* Workflow for automation of the release on GitHub when pushing a tag
* fix faulty assertions in SEC_ASN1DecoderUpdate
* Renegotiations should use a fresh ECH GREASE buffer
* bmo#1951396 Update taskgraph to v14.1.1
* Partial fix for ACVP build CI job
* Initialize find in sftk_searchDatabase
* Add clang-18 to extra builds
* Fault tolerant git fetch for fuzzing
* Tolerate intermittent failures in ssl_policy_pkix_ocsp
* fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set
* fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls
* Remove Cryptofuzz CI version check

Update to NSS 3.111:

* FIPS changes need to be upstreamed: force ems policy
* Turn off Websites Trust Bit from CAs
* Update nssckbi version following April 2025 Batch of Changes
* Disable SMIME 'trust bit' for GoDaddy CAs
* Replaced deprecated sprintf function with snprintf in dbtool.c
* Need up update NSS for PKCS 3.1
* avoid leaking localCert if it is already set in ssl3_FillInCachedSID
* Decrease ASAN quarantine size for Cryptofuzz in CI
* selfserv: Add support for zlib certificate compression

Update to NSS 3.110:

* FIPS changes need to be upstreamed: force ems policy
* Prevent excess allocations in sslBuffer_Grow
* Remove Crl templates from ASN1 fuzz target
* Remove CERT_CrlTemplate from ASN1 fuzz target
* Fix memory leak in NSS_CMSMessage_IsSigned
* NSS policy updates
* Improve locking in nssPKIObject_GetInstances
* Fix race in sdb_GetMetaData
* Fix member access within null pointer
* Increase smime fuzzer memory limit
* Enable resumption when using custom extensions
* change CN of server12 test certificate
* Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle
* Part 1: Fix smime UBSan errors
* FIPS changes need to be upstreamed: updated key checks
* Don't build libpkix in static builds
* handle `-p all` in try syntax
* fix opt-make builds to actually be opt
* fix opt-static builds to actually be opt
* Remove extraneous assert

Update to NSS 3.109:

* Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available
* NSS policy updates - fix inaccurate key policy issues
* SMIME fuzz target
* ASN1 decoder fuzz target
* Part 2: Revert "Extract testcases from ssl gtests for fuzzing"
* Add fuzz/README.md
* Part 4: Fix tstclnt arguments script
* Extend pkcs7 fuzz target
* Extend certDN fuzz target
* revert changes to HACL* files from bug 1866841
* Part 3: Package frida corpus script

Update to NSS 3.108:

* libclang-16 -> libclang-19
* Turn off Secure Email Trust Bit for Security Communication ECC RootCA1
* Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2
* Remove SwissSign Silver CA - G2
* Add D-Trust 2023 TLS Roots to NSS
* fix fips test failure on windows
* change default sensitivity of KEM keys
* Part 1: Introduce frida hooks and script
* add missing arm_neon.h include to gcm.c
* ci: update windows workers to win2022
* strip trailing carriage returns in tools tests
* work around unix/windows path translation issues in cert test script
* ci: let the windows setup script work without $m
* detect msys
* add a specialized CTR_Update variant for AES-GCM
* NSS policy updates
* FIPS changes need to be upstreamed: FIPS 140-3 RNG
* FIPS changes need to be upstreamed: Add SafeZero
* FIPS changes need to be upstreamed Updated POST
* Segmentation fault in SECITEM_Hash during pkcs12 processing
* Extending NSS with LoadModuleFromFunction functionality
* Ensure zero-initialization of collectArgs.cert
* pkcs7 fuzz target use CERT_DestroyCertificate
* Fix actual underlying ODR violations issue
* mozilla::pkix: allow reference ID labels to begin and/or end with hyphens
* don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set
* Fix memory leak in pkcs7 fuzz target
* Set -O2 for ASan builds in CI
* Change branch of tlsfuzzer dependency
* Run tests in CI for ASan builds with detect_odr_violation=1
* Fix coverage failure in CI
* Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch
* Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround
* Part 3: Restructure fuzz/
* Extract testcases from ssl gtests for fuzzing
* Force Cryptofuzz to use NSS in CI
* Fix Cryptofuzz on 32 bit in CI
* Update Cryptofuzz repository link
* fix build error from 9505f79d
* simplify error handling in get_token_objects_for_cache
* nss doc: fix a warning
* pkcs12 fixes from RHEL need to be picked up

Update to NSS 3.107:

* Remove MPI fuzz targets.
* Remove globals `lockStatus` and `locksEverDisabled`.
* Enable PKCS8 fuzz target.
* Integrate Cryptofuzz in CI.
* Part 2: Set tls server target socket options in config class
* Part 1: Set tls client target socket options in config class
* Support building with thread sanitizer.
* set nssckbi version number to 2.72.
* remove Websites Trust Bit from Entrust Root Certification Authority - G4.
* remove Security Communication RootCA3 root cert.
* remove SecureSign RootCA11 root cert.
* Add distrust-after for TLS to Entrust Roots.
* bmo#1927096 Update expected error code in pk12util pbmac1 tests.
* Use random tstclnt args with handshake collection script
* Remove extraneous assert in ssl3gthr.c.
* Adding missing release notes for NSS_3_105.
* Enable the disabled mlkem tests for dtls.
* NSS gtests filter cleans up the constucted buffer before the use.
* Make ssl_SetDefaultsFromEnvironment thread-safe.
* Remove short circuit test from ssl_Init.

Update to NSS 3.106:

* NSS 3.106 should be distributed with NSPR 4.36.
* pk12util: improve error handling in p12U_ReadPKCS12File.
* Correctly destroy bulkkey in error scenario.
* PKCS7 fuzz target, r=djackson,nss-reviewers.
* Extract certificates with handshake collection script.
* Specify len_control for fuzz targets.
* Fix memory leak in dumpCertificatePEM.
* Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo.
* add new error codes to mozilla::pkix for Firefox to use.
* allow null phKey in NSC_DeriveKey.
* Only create seed corpus zip from existing corpus.
* Use explicit allowlist for for KDF PRFS.
* Increase optimization level for fuzz builds.
* Remove incorrect assert.
* Use libFuzzer options from fuzz/options/\*.options in CI.
* Polish corpus collection for automation.
* Detect new and unfuzzed SSL options.
* PKCS12 fuzzing target.

Update to NSS 3.105:

* Allow importing PKCS#8 private EC keys missing public key
* UBSAN fix: applying zero offset to null pointer in sslsnce.c
* set KRML_MUSTINLINE=inline in makefile builds
* Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys
* override default definition of KRML_MUSTINLINE
* libssl support for mlkem768x25519
* support for ML-KEM-768 in softoken and pk11wrap
* Add Libcrux implementation of ML-KEM 768 to FreeBL
* Avoid misuse of ctype(3) functions
* part 2: run clang-format
* part 1: upgrade to clang-format 13
* clang-format fuzz
* DTLS client message buffer may not empty be on retransmit
* Optionally print config for TLS client and server fuzz target
* Fix some simple documentation issues in NSS.
* improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr
* define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN

Update to NSS 3.104:

* Copy original corpus to heap-allocated buffer
* Fix min ssl version for DTLS client fuzzer
* Remove OS2 support just like we did on NSPR
* clang-format NSS improvements
* Adding basicutil.h to use HexString2SECItem function
* removing dirent.c from build
* Allow handing in keymaterial to shlibsign to make the output reproducible
* remove nec4.3, sunos4, riscos and SNI references
* remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix
* remove mentions of WIN95
* remove mentions of WIN16
* More explicit directory naming
* Add more options to TLS server fuzz target
* Add more options to TLS client fuzz target
* Use OSS-Fuzz corpus in NSS CI
* set nssckbi version number to 2.70.
* Remove Email Trust bit from ACCVRAIZ1 root cert.
* Remove Email Trust bit from certSIGN ROOT CA.
* Add Cybertrust Japan Roots to NSS.
* Add Taiwan CA Roots to NSS.
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber
* Fix tstclnt CI build failure
* vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow
* Enable all supported protocol versions for UDP
* Actually use random PSK hash type
* Initialize NSS DB once
* Additional ECH cipher suites and PSK hash types
* Automate corpus file generation for TLS client Fuzzer
* Fix crash with UNSAFE_FUZZER_MODE
* clang-format shlibsign.c

Update to NSS 3.103:

* move list size check after lock acquisition in sftk_PutObjectToList.
* Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH,
* Adjust libFuzzer size limits
* Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk
* Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION

- Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files)
- FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).

Update to NSS 3.102.1:

* ChaChaXor to return after the function

Update to NSS 3.102:

* Add Valgrind annotations to freebl Chacha20-Poly1305.
* missing sqlite header.
* GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
* improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling.
* correct length of raw SPKI data before printing in pp utility.

- Make NSS-build reproducible. Use key from openssl (bsc#1081723)
- Exclude the SHA-1 hash from SLI approval.
mozilla-nspr was updated to version 4.36:

* renamed the prwin16.h header to prwin.h
* various build, test and automation script fixes
* major parts of the source code were reformatted

The following package changes have been done:

- mozilla-nspr-4.36-150000.3.32.1 updated
- container:suse-sle-micro-5.5-latest-2.0.4-5.5.323 updated

From sle-container-updates at lists.suse.com Fri Jul 11 07:06:08 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 11 Jul 2025 09:06:08 +0200 (CEST)
Subject: SUSE-IU-2025:1854-1: Security update of suse/sle-micro/rt-5.5
Message-ID: <20250711070608.99B65FCF8@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/rt-5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1854-1
Image Tags : suse/sle-micro/rt-5.5:2.0.4 , suse/sle-micro/rt-5.5:2.0.4-4.5.427 , suse/sle-micro/rt-5.5:latest
Image Release : 4.5.427
Severity : important
Type : security
References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372
-----------------------------------------------------------------

The container suse/sle-micro/rt-5.5 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2278-1
Released: Thu Jul 10 18:02:28 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-5372: Fixed ssh_kdf() returns a success code on certain failures (bsc#1245314). The following package changes have been done: - libssh-config-0.9.8-150400.3.9.1 updated - libssh4-0.9.8-150400.3.9.1 updated - container:suse-sle-micro-5.5-latest-2.0.4-5.5.325 updated From sle-container-updates at lists.suse.com Fri Jul 11 07:07:21 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 11 Jul 2025 09:07:21 +0200 (CEST) Subject: SUSE-IU-2025:1855-1: Recommended update of suse/sle-micro/5.5 Message-ID: <20250711070721.373B5FCF8@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1855-1 Image Tags : suse/sle-micro/5.5:2.0.4 , suse/sle-micro/5.5:2.0.4-5.5.323 , suse/sle-micro/5.5:latest Image Release : 5.5.323 Severity : moderate Type : recommended References : 1081723 1224113 ----------------------------------------------------------------- The container suse/sle-micro/5.5 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2274-1 Released: Thu Jul 10 14:35:40 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * bmo#1965754 Update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * bmo#1951396 Update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME 'trust bit'
for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need to update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert 'Extract testcases from ssl gtests for fuzzing' * Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA -
G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed Updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz on 32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. 
* Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * bmo#1927096 Update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constructed buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI. * Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target.
Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not be empty on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix) * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS.
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible. Use key from openssl (bsc#1081723) - Exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * various build, test and automation script fixes * major parts of the source code were reformatted The following package changes have been done: - mozilla-nspr-4.36-150000.3.32.1 updated - container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.183 updated From sle-container-updates at lists.suse.com Fri Jul 11 07:07:21 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 11 Jul 2025 09:07:21 +0200 (CEST) Subject: SUSE-IU-2025:1856-1: Security update of suse/sle-micro/5.5 Message-ID: <20250711070721.E9DB0FCF8@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1856-1 Image Tags : suse/sle-micro/5.5:2.0.4 , suse/sle-micro/5.5:2.0.4-5.5.325 , suse/sle-micro/5.5:latest Image Release : 5.5.325 Severity : important Type : security References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372 ----------------------------------------------------------------- The container suse/sle-micro/5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2278-1 Released: Thu Jul 10 18:02:28 2025 Summary: Security update for libssh Type: security Severity: important References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372 This update for libssh fixes the following issues: - CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309). - CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310). - CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311). - CVE-2025-5372: Fixed ssh_kdf() returns a success code on certain failures (bsc#1245314). 
The following package changes have been done: - libssh-config-0.9.8-150400.3.9.1 updated - libssh4-0.9.8-150400.3.9.1 updated - container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.184 updated From sle-container-updates at lists.suse.com Fri Jul 11 07:13:40 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 11 Jul 2025 09:13:40 +0200 (CEST) Subject: SUSE-CU-2025:5206-1: Security update of suse/sle-micro/5.3/toolbox Message-ID: <20250711071340.B2C14F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.3/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5206-1 Container Tags : suse/sle-micro/5.3/toolbox:14.2 , suse/sle-micro/5.3/toolbox:14.2-6.11.153 , suse/sle-micro/5.3/toolbox:latest Container Release : 6.11.153 Severity : important Type : security References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372 ----------------------------------------------------------------- The container suse/sle-micro/5.3/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2278-1 Released: Thu Jul 10 18:02:28 2025 Summary: Security update for libssh Type: security Severity: important References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372 This update for libssh fixes the following issues: - CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309). - CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310). - CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311). - CVE-2025-5372: Fixed ssh_kdf() returns a success code on certain failures (bsc#1245314). 
The following package changes have been done: - libssh-config-0.9.8-150400.3.9.1 updated - libssh4-0.9.8-150400.3.9.1 updated From sle-container-updates at lists.suse.com Fri Jul 11 07:15:58 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 11 Jul 2025 09:15:58 +0200 (CEST) Subject: SUSE-CU-2025:5207-1: Recommended update of suse/sle-micro-rancher/5.4 Message-ID: <20250711071558.1A416F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro-rancher/5.4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5207-1 Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.17 , suse/sle-micro-rancher/5.4:latest Container Release : 4.5.17 Severity : moderate Type : recommended References : 1081723 1224113 ----------------------------------------------------------------- The container suse/sle-micro-rancher/5.4 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2274-1 Released: Thu Jul 10 14:35:40 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * bmo#1965754 Update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * bmo#1951396 Update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault tolerant git fetch for 
fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME 'trust bit' for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need to update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert 'Extract testcases from ssl gtests for fuzzing'
* Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA - G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed Updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz on
32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. * Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * bmo#1927096 Update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constructed buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI.
* Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target. Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not be empty on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix) * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS.
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible. Use key from openssl (bsc#1081723) - Exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * various build, test and automation script fixes * major parts of the source code were reformatted The following package changes have been done: - mozilla-nspr-4.36-150000.3.32.1 updated From sle-container-updates at lists.suse.com Fri Jul 11 07:15:58 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 11 Jul 2025 09:15:58 +0200 (CEST) Subject: SUSE-CU-2025:5208-1: Security update of suse/sle-micro-rancher/5.4 Message-ID: <20250711071558.F08C9F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro-rancher/5.4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5208-1 Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.18 , suse/sle-micro-rancher/5.4:latest Container Release : 4.5.18 Severity : important Type : security References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372 ----------------------------------------------------------------- The container suse/sle-micro-rancher/5.4 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2278-1 Released: Thu Jul 10 18:02:28 2025 Summary: Security update for libssh Type: security Severity: important References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372 This update for libssh fixes the following issues: - CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309). - CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310). - CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311). - CVE-2025-5372: Fixed ssh_kdf() returns a success code on certain failures (bsc#1245314). 
The following package changes have been done: - libssh-config-0.9.8-150400.3.9.1 updated - libssh4-0.9.8-150400.3.9.1 updated From sle-container-updates at lists.suse.com Fri Jul 11 07:17:29 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 11 Jul 2025 09:17:29 +0200 (CEST) Subject: SUSE-CU-2025:5209-1: Security update of suse/sle-micro/5.4/toolbox Message-ID: <20250711071729.369C8F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.4/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5209-1 Container Tags : suse/sle-micro/5.4/toolbox:14.2 , suse/sle-micro/5.4/toolbox:14.2-5.19.153 , suse/sle-micro/5.4/toolbox:latest Container Release : 5.19.153 Severity : important Type : security References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372 ----------------------------------------------------------------- The container suse/sle-micro/5.4/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2278-1 Released: Thu Jul 10 18:02:28 2025 Summary: Security update for libssh Type: security Severity: important References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372 This update for libssh fixes the following issues: - CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309). - CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310). - CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311). - CVE-2025-5372: Fixed ssh_kdf() returns a success code on certain failures (bsc#1245314). 
The following package changes have been done: - libssh-config-0.9.8-150400.3.9.1 updated - libssh4-0.9.8-150400.3.9.1 updated From sle-container-updates at lists.suse.com Fri Jul 11 07:18:38 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 11 Jul 2025 09:18:38 +0200 (CEST) Subject: SUSE-CU-2025:5210-1: Security update of suse/sle-micro/5.5/toolbox Message-ID: <20250711071838.98A5DF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.5/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5210-1 Container Tags : suse/sle-micro/5.5/toolbox:14.2 , suse/sle-micro/5.5/toolbox:14.2-3.12.57 , suse/sle-micro/5.5/toolbox:latest Container Release : 3.12.57 Severity : important Type : security References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372 ----------------------------------------------------------------- The container suse/sle-micro/5.5/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2278-1 Released: Thu Jul 10 18:02:28 2025 Summary: Security update for libssh Type: security Severity: important References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372 This update for libssh fixes the following issues: - CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309). - CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310). - CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311). - CVE-2025-5372: Fixed ssh_kdf() returns a success code on certain failures (bsc#1245314). 
The following package changes have been done: - libssh-config-0.9.8-150400.3.9.1 updated - libssh4-0.9.8-150400.3.9.1 updated From sle-container-updates at lists.suse.com Fri Jul 11 07:19:16 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 11 Jul 2025 09:19:16 +0200 (CEST) Subject: SUSE-IU-2025:1857-1: Security update of suse/sl-micro/6.0/baremetal-os-container Message-ID: <20250711071916.AB542F78C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/baremetal-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1857-1 Image Tags : suse/sl-micro/6.0/baremetal-os-container:2.1.3 , suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.53 , suse/sl-micro/6.0/baremetal-os-container:latest Image Release : 6.53 Severity : important Type : security References : 1245274 1245275 CVE-2025-32462 CVE-2025-32463 ----------------------------------------------------------------- The container suse/sl-micro/6.0/baremetal-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 378 Released: Thu Jul 10 14:49:58 2025 Summary: Security update for sudo Type: security Severity: important References: 1245274,1245275,CVE-2025-32462,CVE-2025-32463 This update for sudo fixes the following issues: - CVE-2025-32462: Fix a possible local privilege escalation via the --host option (bsc#1245274) - CVE-2025-32463: Fix a possible local privilege Escalation via chroot option (bsc#1245275) The following package changes have been done: - sudo-1.9.15p5-2.1 updated - container:SL-Micro-base-container-2.1.3-7.21 updated From sle-container-updates at lists.suse.com Fri Jul 11 07:20:06 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 11 Jul 2025 09:20:06 +0200 (CEST) Subject: SUSE-CU-2025:5211-1: Security update of suse/sl-micro/6.0/toolbox Message-ID: <20250711072006.33140F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sl-micro/6.0/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5211-1 Container Tags : suse/sl-micro/6.0/toolbox:13.2 , suse/sl-micro/6.0/toolbox:13.2-9.12 , suse/sl-micro/6.0/toolbox:latest Container Release : 9.12 Severity : important Type : security References : 1245274 1245275 CVE-2025-32462 CVE-2025-32463 ----------------------------------------------------------------- The container suse/sl-micro/6.0/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 378 Released: Thu Jul 10 14:49:58 2025 Summary: Security update for sudo Type: security Severity: important References: 1245274,1245275,CVE-2025-32462,CVE-2025-32463 This update for sudo fixes the following issues: - CVE-2025-32462: Fix a possible local privilege escalation via the --host option (bsc#1245274) - CVE-2025-32463: Fix a possible local privilege Escalation via chroot option (bsc#1245275) The following package changes have been done: - sudo-1.9.15p5-2.1 updated From sle-container-updates at lists.suse.com Fri Jul 11 07:21:19 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 11 Jul 2025 09:21:19 +0200 (CEST) Subject: SUSE-CU-2025:5213-1: Security update of suse/ltss/sle15.3/sle15 Message-ID: <20250711072119.9D204F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle15.3/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5213-1 Container Tags : suse/ltss/sle15.3/bci-base:15.3 , suse/ltss/sle15.3/bci-base:15.3.2.103 , suse/ltss/sle15.3/bci-base:latest , suse/ltss/sle15.3/sle15:15.3 , suse/ltss/sle15.3/sle15:15.3.2.103 , suse/ltss/sle15.3/sle15:latest Container Release : 2.103 Severity : important Type : security References : 1244554 1244557 1244590 1244700 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-49794 CVE-2025-49796 CVE-2025-5318 CVE-2025-5372 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/ltss/sle15.3/sle15 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2275-1 Released: Thu Jul 10 16:34:02 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2279-1 Released: Thu Jul 10 18:03:13 2025 Summary: Security update for libssh Type: security Severity: important References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372 This update for libssh fixes the following issues: - CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309). - CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310). - CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311). - CVE-2025-5372: Fixed ssh_kdf() returns a success code on certain failures (bsc#1245314). 
The following package changes have been done: - libssh-config-0.9.8-150200.13.9.1 updated - libssh4-0.9.8-150200.13.9.1 updated - libxml2-2-2.9.7-150000.3.82.1 updated From sle-container-updates at lists.suse.com Fri Jul 11 07:22:33 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 11 Jul 2025 09:22:33 +0200 (CEST) Subject: SUSE-CU-2025:5215-1: Security update of suse/ltss/sle15.4/sle15 Message-ID: <20250711072233.3FA57F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle15.4/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5215-1 Container Tags : suse/ltss/sle15.4/bci-base:15.4 , suse/ltss/sle15.4/bci-base:15.4.2.51 , suse/ltss/sle15.4/bci-base:latest , suse/ltss/sle15.4/sle15:15.4 , suse/ltss/sle15.4/sle15:15.4.2.51 , suse/ltss/sle15.4/sle15:latest Container Release : 2.51 Severity : important Type : security References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372 ----------------------------------------------------------------- The container suse/ltss/sle15.4/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2278-1 Released: Thu Jul 10 18:02:28 2025 Summary: Security update for libssh Type: security Severity: important References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372 This update for libssh fixes the following issues: - CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309). - CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310). - CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311). - CVE-2025-5372: Fixed ssh_kdf() returns a success code on certain failures (bsc#1245314). 
The following package changes have been done: - libssh-config-0.9.8-150400.3.9.1 updated - libssh4-0.9.8-150400.3.9.1 updated From sle-container-updates at lists.suse.com Fri Jul 11 07:25:00 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 11 Jul 2025 09:25:00 +0200 (CEST) Subject: SUSE-CU-2025:5216-1: Security update of suse/ltss/sle15.5/sle15 Message-ID: <20250711072500.5D877F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle15.5/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5216-1 Container Tags : suse/ltss/sle15.5/bci-base:15.5 , suse/ltss/sle15.5/bci-base:15.5-5.8 , suse/ltss/sle15.5/sle15:15.5 , suse/ltss/sle15.5/sle15:15.5-5.8 , suse/ltss/sle15.5/sle15:latest Container Release : 5.8 Severity : important Type : security References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372 ----------------------------------------------------------------- The container suse/ltss/sle15.5/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2278-1 Released: Thu Jul 10 18:02:28 2025 Summary: Security update for libssh Type: security Severity: important References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372 This update for libssh fixes the following issues: - CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309). - CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310). - CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311). - CVE-2025-5372: Fixed ssh_kdf() returns a success code on certain failures (bsc#1245314). 
The following package changes have been done: - libssh-config-0.9.8-150400.3.9.1 updated - libssh4-0.9.8-150400.3.9.1 updated From sle-container-updates at lists.suse.com Fri Jul 11 07:25:56 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 11 Jul 2025 09:25:56 +0200 (CEST) Subject: SUSE-CU-2025:5217-1: Recommended update of suse/hpc/warewulf4-x86_64/sle-hpc-node Message-ID: <20250711072556.2F333F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/hpc/warewulf4-x86_64/sle-hpc-node ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5217-1 Container Tags : suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6 , suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6.17.8.73 , suse/hpc/warewulf4-x86_64/sle-hpc-node:latest Container Release : 17.8.73 Severity : moderate Type : recommended References : 1081723 1224113 ----------------------------------------------------------------- The container suse/hpc/warewulf4-x86_64/sle-hpc-node was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2274-1 Released: Thu Jul 10 14:35:40 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * bmo#1965754 Update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * bmo#1951396 Update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME 'trust bit'
for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need up update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert "Extract testcases from ssl gtests for fuzzing" * Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA -
G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed Updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz on 32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. 
* Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * bmo#1927096 Update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constucted buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI. * Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target. 
Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not empty be on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS. 
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible. Use key from openssl (bsc#1081723) - Exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * various build, test and automation script fixes * major parts of the source code were reformatted The following package changes have been done: - mozilla-nspr-4.36-150000.3.32.1 updated From sle-container-updates at lists.suse.com Fri Jul 11 07:27:56 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 11 Jul 2025 09:27:56 +0200 (CEST) Subject: SUSE-CU-2025:5218-1: Recommended update of bci/bci-sle15-kernel-module-devel Message-ID: <20250711072756.DE700F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5218-1 Container Tags : bci/bci-sle15-kernel-module-devel:15.6 , bci/bci-sle15-kernel-module-devel:15.6.44.18 Container Release : 44.18 Severity : moderate Type : recommended References : 1081723 1224113 ----------------------------------------------------------------- The container bci/bci-sle15-kernel-module-devel was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2274-1 Released: Thu Jul 10 14:35:40 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * bmo#1965754 Update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * bmo#1951396 Update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME 'trust bit'
for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need up update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert "Extract testcases from ssl gtests for fuzzing" * Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA -
G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed Updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz on 32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. 
* Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * bmo#1927096 Update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constucted buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI. * Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target. 
Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not empty be on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS. 
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible. Use key from openssl (bsc#1081723) - Exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * various build, test and automation script fixes * major parts of the source code were reformatted The following package changes have been done: - mozilla-nspr-4.36-150000.3.32.1 updated From sle-container-updates at lists.suse.com Fri Jul 11 07:28:03 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 11 Jul 2025 09:28:03 +0200 (CEST) Subject: SUSE-CU-2025:5219-1: Recommended update of suse/389-ds Message-ID: <20250711072803.61B1DF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/389-ds ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5219-1 Container Tags : suse/389-ds:2.5 , suse/389-ds:2.5.3 , suse/389-ds:2.5.3-61.19 , suse/389-ds:latest Container Release : 61.19 Severity : moderate Type : recommended References : 1081723 1224113 ----------------------------------------------------------------- The container suse/389-ds was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2274-1 Released: Thu Jul 10 14:35:40 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * bmo#1965754 Update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * bmo#1951396 Update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME 'trust bit'
for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need up update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert 'Extract testcases from ssl gtests for fuzzing' * Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA -
G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed Updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz on 32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. 
* Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * bmo#1927096 Update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constucted buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI. * Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target. 
Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not empty be on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS. 
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible. Use key from openssl (bsc#1081723) - Exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * various build, test and automation script fixes * major parts of the source code were reformatted The following package changes have been done: - mozilla-nspr-4.36-150000.3.32.1 updated From sle-container-updates at lists.suse.com Sat Jul 12 07:06:40 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 12 Jul 2025 09:06:40 +0200 (CEST) Subject: SUSE-IU-2025:1859-1: Security update of suse/sl-micro/6.0/baremetal-os-container Message-ID: <20250712070640.A22BAFCF8@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/baremetal-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1859-1 Image Tags : suse/sl-micro/6.0/baremetal-os-container:2.1.3 , suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.56 , suse/sl-micro/6.0/baremetal-os-container:latest Image Release : 6.56 Severity : moderate Type : security References : 1221107 CVE-2024-2236 ----------------------------------------------------------------- The container suse/sl-micro/6.0/baremetal-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 381 Released: Fri Jul 11 11:20:30 2025 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1221107,CVE-2024-2236 This update for libgcrypt fixes the following issues: - CVE-2024-2236: Fixed timing based side-channel in RSA implementation (bsc#1221107) The following package changes have been done: - libgcrypt20-1.10.3-2.1 updated - SL-Micro-release-6.0-25.35 updated - container:SL-Micro-base-container-2.1.3-7.25 updated From sle-container-updates at lists.suse.com Sat Jul 12 07:07:19 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 12 Jul 2025 09:07:19 +0200 (CEST) Subject: SUSE-IU-2025:1860-1: Security update of suse/sl-micro/6.0/base-os-container Message-ID: <20250712070719.8A99FFCF8@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1860-1 Image Tags : suse/sl-micro/6.0/base-os-container:2.1.3 , suse/sl-micro/6.0/base-os-container:2.1.3-7.24 , suse/sl-micro/6.0/base-os-container:latest Image Release : 7.24 Severity : moderate Type : security References : 1221107 CVE-2024-2236 ----------------------------------------------------------------- The container suse/sl-micro/6.0/base-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 381 Released: Fri Jul 11 11:20:30 2025 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1221107,CVE-2024-2236 This update for libgcrypt fixes the following issues: - CVE-2024-2236: Fixed timing based side-channel in RSA implementation (bsc#1221107) The following package changes have been done: - libgcrypt20-1.10.3-2.1 updated - SL-Micro-release-6.0-25.35 updated - container:suse-toolbox-image-1.0.0-9.13 updated From sle-container-updates at lists.suse.com Sat Jul 12 07:07:20 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 12 Jul 2025 09:07:20 +0200 (CEST) Subject: SUSE-IU-2025:1861-1: Security update of suse/sl-micro/6.0/base-os-container Message-ID: <20250712070720.81F41FCF8@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1861-1 Image Tags : suse/sl-micro/6.0/base-os-container:2.1.3 , suse/sl-micro/6.0/base-os-container:2.1.3-7.25 , suse/sl-micro/6.0/base-os-container:latest Image Release : 7.25 Severity : important Type : security References : 1210025 1211226 1215199 1218184 1223008 1235490 1236208 1237312 1237913 1238859 1238982 1240577 1240610 1240686 1240814 1241166 1241278 1241414 1241544 1241572 1241592 1242504 1242515 1242521 1242556 1242725 1242907 1243051 1243060 1243342 1243467 1243480 1243506 1243523 1243538 1243544 1243551 1243620 1243698 1243774 1243823 1243827 1243832 1243847 1244100 1244145 1244172 1244176 1244229 1244234 1244241 1244274 1244275 1244277 1244309 1244313 1244337 1244626 1244725 1244727 1244729 1244731 1244732 1244736 1244737 1244738 1244739 1244743 1244746 1244759 1244789 1244862 1244906 1244938 1244995 1244996 1244999 1245001 1245003 1245004 1245025 1245042 1245046 1245078 
1245081 1245082 1245083 1245155 1245183 1245193 1245210 1245217 1245225 1245226 1245228 1245431 1245455 CVE-2024-26831 CVE-2024-56613 CVE-2024-56699 CVE-2024-57982 CVE-2024-58053 CVE-2025-21658 CVE-2025-21720 CVE-2025-21898 CVE-2025-21899 CVE-2025-21920 CVE-2025-21959 CVE-2025-22035 CVE-2025-22083 CVE-2025-22111 CVE-2025-22120 CVE-2025-37756 CVE-2025-37757 CVE-2025-37786 CVE-2025-37811 CVE-2025-37859 CVE-2025-37884 CVE-2025-37909 CVE-2025-37921 CVE-2025-37923 CVE-2025-37927 CVE-2025-37938 CVE-2025-37945 CVE-2025-37946 CVE-2025-37961 CVE-2025-37973 CVE-2025-37992 CVE-2025-37994 CVE-2025-37995 CVE-2025-37997 CVE-2025-38000 CVE-2025-38001 CVE-2025-38003 CVE-2025-38004 CVE-2025-38005 CVE-2025-38007 CVE-2025-38009 CVE-2025-38010 CVE-2025-38011 CVE-2025-38013 CVE-2025-38014 CVE-2025-38015 CVE-2025-38018 CVE-2025-38020 CVE-2025-38022 CVE-2025-38023 CVE-2025-38024 CVE-2025-38027 CVE-2025-38031 CVE-2025-38040 CVE-2025-38043 CVE-2025-38044 CVE-2025-38045 CVE-2025-38053 CVE-2025-38057 CVE-2025-38059 CVE-2025-38060 CVE-2025-38065 CVE-2025-38068 CVE-2025-38072 CVE-2025-38077 CVE-2025-38078 CVE-2025-38079 CVE-2025-38080 CVE-2025-38081 CVE-2025-38083 ----------------------------------------------------------------- The container suse/sl-micro/6.0/base-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: kernel-50 Released: Fri Jul 11 17:14:18 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1210025,1211226,1215199,1218184,1223008,1235490,1236208,1237312,1237913,1238859,1238982,1240577,1240610,1240686,1240814,1241166,1241278,1241414,1241544,1241572,1241592,1242504,1242515,1242521,1242556,1242725,1242907,1243051,1243060,1243342,1243467,1243480,1243506,1243523,1243538,1243544,1243551,1243620,1243698,1243774,1243823,1243827,1243832,1243847,1244100,1244145,1244172,1244176,1244229,1244234,1244241,1244274,1244275,1244277,1244309,1244313,1244337,1244626,1244725,1244727,1244729,1244731,1244732,1244736,1244737,1244738,1244739,1244743,1244746,1244759,1244789,1244862,1244906,1244938,1244995,1244996,1244999,1245001,1245003,1245004,1245025,1245042,1245046,1245078,1245081,1245082,1245083,1245155,1245183,1245193,1245210,1245217,1245225,1245226,1245228,1245431,1245455,CVE-2024-26831,CVE-2024-56613,CVE-2024-56699,CVE-2024-57982,CVE-2024-58053,CVE-2025-21658,CVE-2025-21720,CVE-2025-21898,CVE-2025-21899,CVE-2025-21920,CVE-2025-21959,CVE-2025-22035,CVE-2025-22083,CVE-2025-22111 
,CVE-2025-22120,CVE-2025-37756,CVE-2025-37757,CVE-2025-37786,CVE-2025-37811,CVE-2025-37859,CVE-2025-37884,CVE-2025-37909,CVE-2025-37921,CVE-2025-37923,CVE-2025-37927,CVE-2025-37938,CVE-2025-37945,CVE-2025-37946,CVE-2025-37961,CVE-2025-37973,CVE-2025-37992,CVE-2025-37994,CVE-2025-37995,CVE-2025-37997,CVE-2025-38000,CVE-2025-38001,CVE-2025-38003,CVE-2025-38004,CVE-2025-38005,CVE-2025-38007,CVE-2025-38009,CVE-2025-38010,CVE-2025-38011,CVE-2025-38013,CVE-2025-38014,CVE-2025-38015,CVE-2025-38018,CVE-2025-38020,CVE-2025-38022,CVE-2025-38023,CVE-2025-38024,CVE-2025-38027,CVE-2025-38031,CVE-2025-38040,CVE-2025-38043,CVE-2025-38044,CVE-2025-38045,CVE-2025-38053,CVE-2025-38057,CVE-2025-38059,CVE-2025-38060,CVE-2025-38065,CVE-2025-38068,CVE-2025-38072,CVE-2025-38077,CVE-2025-38078,CVE-2025-38079,CVE-2025-38080,CVE-2025-38081,CVE-2025-38083 The SUSE Linux Enterprise Micro 6.0 and 6.1 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2024-57982: xfrm: state: fix out-of-bounds read during lookup (bsc#1237913). - CVE-2024-58053: rxrpc: Fix handling of received connection abort (bsc#1238982). - CVE-2025-21720: xfrm: delete intermediate secpath entry in packet offload mode (bsc#1238859). - CVE-2025-21898: ftrace: Avoid potential division by zero in function_stat_show() (bsc#1240610). - CVE-2025-21899: tracing: Fix bad hist from corrupting named_triggers list (bsc#1240577). - CVE-2025-21920: vlan: enforce underlying device type (bsc#1240686). - CVE-2025-21959: netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() (bsc#1240814). - CVE-2025-22035: tracing: Fix use-after-free in print_graph_function_flags during tracer switching (bsc#1241544). - CVE-2025-22111: net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF (bsc#1241572). - CVE-2025-37756: net: tls: explicitly disallow disconnect (bsc#1242515). - CVE-2025-37757: tipc: fix memory leak in tipc_link_xmit (bsc#1242521). 
- CVE-2025-37786: net: dsa: free routing table on probe failure (bsc#1242725). - CVE-2025-37811: usb: chipidea: ci_hdrc_imx: fix usbmisc handling (bsc#1242907). - CVE-2025-37859: page_pool: avoid infinite loop to schedule delayed worker (bsc#1243051). - CVE-2025-37884: bpf: Fix deadlock between rcu_tasks_trace and event_mutex (bsc#1243060). - CVE-2025-37909: net: lan743x: Fix memleak issue when GSO enabled (bsc#1243467). - CVE-2025-37921: vxlan: vnifilter: Fix unlocked deletion of default FDB entry (bsc#1243480). - CVE-2025-37923: tracing: Fix oob write in trace_seq_to_buffer() (bsc#1243551). - CVE-2025-37927: iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid (bsc#1243620). - CVE-2025-37938: tracing: Verify event formats that have '%*p..' (bsc#1243544). - CVE-2025-37945: net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY (bsc#1243538). - CVE-2025-37961: ipvs: fix uninit-value for saddr in do_output_route4 (bsc#1243523). - CVE-2025-37992: net_sched: Flush gso_skb list too during ->change() (bsc#1243698). - CVE-2025-37995: module: ensure that kobject_put() is safe for module type kobjects (bsc#1243827). - CVE-2025-37997: netfilter: ipset: fix region locking in hash types (bsc#1243832). - CVE-2025-38000: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (bsc#1244277). - CVE-2025-38001: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice (bsc#1244234). - CVE-2025-38011: drm/amdgpu: csa unmap use uninterruptible lock (bsc#1244729). - CVE-2025-38018: net/tls: fix kernel panic when alloc_page failed (bsc#1244999). - CVE-2025-38053: idpf: fix null-ptr-deref in idpf_features_check (bsc#1244746). - CVE-2025-38057: espintcp: fix skb leaks (bsc#1244862). - CVE-2025-38060: bpf: abort verification if env->cur_state->loop_entry != NULL (bsc#1245155). - CVE-2025-38072: libnvdimm/labels: Fix divide error in nd_label_data_init() (bsc#1244743). 
The following non-security bugs were fixed: - ACPI: CPPC: Fix NULL pointer dereference when nosmp is used (git-fixes). - ACPI: battery: negate current when discharging (stable-fixes). - ACPI: bus: Bail out if acpi_kobj registration fails (stable-fixes). - ACPICA: Avoid sequence overread in call to strncmp() (stable-fixes). - ACPICA: fix acpi operand cache leak in dswstate.c (stable-fixes). - ACPICA: fix acpi parse and parseext cache leaks (stable-fixes). - ACPICA: utilities: Fix overflow check in vsnprintf() (stable-fixes). - ALSA: hda/intel: Add Thinkpad E15 to PM deny list (stable-fixes). - ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X507UAR (git-fixes). - ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X513EA (git-fixes). - ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged (stable-fixes). - ALSA: usb-audio: Accept multiple protocols in GTBs (stable-fixes). - ALSA: usb-audio: Add Pioneer DJ DJM-V10 support (stable-fixes). - ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock (stable-fixes). - ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1 (stable-fixes). - ALSA: usb-audio: Add name for HP Engage Go dock (stable-fixes). - ALSA: usb-audio: Check shutdown at endpoint_set_interface() (stable-fixes). - ALSA: usb-audio: Fix NULL pointer deref in snd_usb_power_domain_set() (git-fixes). - ALSA: usb-audio: Fix duplicated name in MIDI substream names (stable-fixes). - ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() (git-fixes). - ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound card (stable-fixes). - ALSA: usb-audio: Rename Pioneer mixer channel controls (git-fixes). - ALSA: usb-audio: Set MIDI1 flag appropriately for GTB MIDI 1.0 entry (stable-fixes). - ALSA: usb-audio: Skip setting clock selector for single connections (stable-fixes). - ALSA: usb-audio: Support multiple control interfaces (stable-fixes). 
- ALSA: usb-audio: Support read-only clock selector control (stable-fixes). - ALSA: usb-audio: enable support for Presonus Studio 1824c within 1810c file (stable-fixes). - ALSA: usb-audio: mixer: Remove temporary string use in parse_clock_source_unit (stable-fixes). - ASoC: amd: yc: Add quirk for Lenovo Yoga Pro 7 14ASP9 (stable-fixes). - ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change (stable-fixes). - ASoC: tegra210_ahub: Add check to of_device_get_match_data() (stable-fixes). - Bluetooth: Fix NULL pointer deference on eir_get_service_data (git-fixes). - Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete (git-fixes). - Bluetooth: MGMT: Fix sparse errors (git-fixes). - Bluetooth: MGMT: Remove unused mgmt_pending_find_data (stable-fixes). - Bluetooth: Remove pending ACL connection attempts (stable-fixes). - Bluetooth: hci_conn: Fix UAF Write in __hci_acl_create_connection_sync (git-fixes). - Bluetooth: hci_conn: Only do ACL connections sequentially (stable-fixes). - Bluetooth: hci_core: fix list_for_each_entry_rcu usage (git-fixes). - Bluetooth: hci_event: Fix not using key encryption size when its known (git-fixes). - Bluetooth: hci_sync: Fix UAF in hci_acl_create_conn_sync (git-fixes). - Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync (git-fixes). - Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance (git-fixes). - HID: lenovo: Restrict F7/9/11 mode to compact keyboards only (git-fixes). - HID: wacom: fix kobject reference count leak (git-fixes). - HID: wacom: fix memory leak on kobject creation failure (git-fixes). - HID: wacom: fix memory leak on sysfs attribute creation failure (git-fixes). - Input: sparcspkr - avoid unannotated fall-through (stable-fixes). - KVM: s390: rename PROT_NONE to PROT_TYPE_DUMMY (git-fixes bsc#1245225). - NFC: nci: uart: Set tty->disc_data only in success path (git-fixes). - PCI/DPC: Log Error Source ID only when valid (git-fixes). - PCI/DPC: Use defines with DPC reason fields (git-fixes). 
- PCI/MSI: Size device MSI domain with the maximum number of vectors (git-fixes). - PCI/PM: Set up runtime PM even for devices without PCI PM (git-fixes). - PCI: apple: Set only available ports up (git-fixes). - PCI: dw-rockchip: Remove PCIE_L0S_ENTRY check from rockchip_pcie_link_up() (git-fixes). - PCI: dwc: ep: Correct PBA offset in .set_msix() callback (git-fixes). - PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes). - PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn() (stable-fixes). - RDMA/core: Fix best page size finding when it can cross SG entries (git-fixes) - RDMA/uverbs: Propagate errors from rdma_lookup_get_uobject() (git-fixes) - Revert 'ALSA: usb-audio: Skip setting clock selector for single connections' (stable-fixes). - Revert 'arm64: dts: allwinner: h6: Use RSB for AXP805 PMIC (git-fixes) - Revert 'ipv6: save dontfrag in cork (git-fixes).' - Revert 'kABI: ipv6: save dontfrag in cork (git-fixes).' - USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB (stable-fixes). - add bug reference to existing hv_storvsc change (bsc#1245455). - arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs (git-fixes) - ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode (stable-fixes). - ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 (stable-fixes). - ath10k: snoc: fix unbalanced IRQ enable in crash recovery (git-fixes). - bnxt: properly flush XDP redirect lists (git-fixes). - bpf: Force uprobe bpf program to always return 0 (git-fixes). - btrfs: fix fsync of files with no hard links not persisting deletion (git-fixes). - btrfs: fix invalid data space release when truncating block in NOCOW mode (git-fixes). - btrfs: fix qgroup reservation leak on failure to allocate ordered extent (git-fixes). - btrfs: fix wrong start offset for delalloc space release during mmap write (git-fixes). - btrfs: remove end_no_trans label from btrfs_log_inode_parent() (git-fixes). 
- btrfs: simplify condition for logging new dentries at btrfs_log_inode_parent() (git-fixes). - bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value (stable-fixes). - calipso: Fix null-ptr-deref in calipso_req_{set,del}attr() (git-fixes). - can: tcan4x5x: fix power regulator retrieval during probe (git-fixes). - ceph: Fix incorrect flush end position calculation (git-fixes). - ceph: allocate sparse_ext map only for sparse reads (git-fixes). - ceph: fix memory leaks in __ceph_sync_read() (git-fixes). - cgroup/cpuset: Fix race between newly created partition and dying one (bsc#1241166). - clocksource: Fix brown-bag boolean thinko in (git-fixes) - clocksource: Make watchdog and suspend-timing multiplication (git-fixes) - devlink: Fix referring to hw_addr attribute during state validation (git-fixes). - devlink: fix port dump cmd type (git-fixes). - drivers/rapidio/rio_cm.c: prevent possible heap overwrite (stable-fixes). - drm/amdgpu: switch job hw_fence to amdgpu_fence (git-fixes). - drm/etnaviv: Protect the scheduler's pending list with its lock (git-fixes). - drm/i915/pmu: Fix build error with GCOV and AutoFDO enabled (git-fixes). - drm/i915: fix build error some more (git-fixes). - drm/msm/disp: Correct porch timing for SDM845 (git-fixes). - drm/msm/dsi/dsi_phy_10nm: Fix missing initial VCO rate (git-fixes). - drm/nouveau/bl: increase buffer size to avoid truncate warning (git-fixes). - drm/ssd130x: fix ssd132x_clear_screen() columns (git-fixes). - e1000e: set fixed clock frequency indication for Nahum 11 and Nahum 13 (git-fixes). - fbcon: Make sure modelist not set on unregistered console (stable-fixes). - fgraph: Still initialize idle shadow stacks when starting (git-fixes). - firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES (git-fixes). - gpio: mlxbf3: only get IRQ for device instance 0 (git-fixes). - gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt (git-fixes). 
- gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO (git-fixes). - hwmon: (ftsteutates) Fix TOCTOU race in fts_read() (git-fixes). - hwmon: (nct6775): Actually make use of the HWMON_NCT6775 symbol namespace (git-fixes). - hwmon: (occ) Rework attribute registration for stack usage (git-fixes). - hwmon: (occ) fix unaligned accesses (git-fixes). - hwmon: (peci/dimmtemp) Do not provide fake thresholds data (git-fixes). - hwmon: corsair-psu: add USB id of HX1200i Series 2023 psu (git-fixes). - i2c: designware: Invoke runtime suspend on quick slave re-registration (stable-fixes). - i2c: npcm: Add clock toggle recovery (stable-fixes). - i2c: robotfuzz-osif: disable zero-length read messages (git-fixes). - i2c: tiny-usb: disable zero-length read messages (git-fixes). - i40e: retry VFLR handling if there is ongoing VF reset (git-fixes). - i40e: return false from i40e_reset_vf if reset is in progress (git-fixes). - ice: Fix LACP bonds without SRIOV environment (git-fixes). - ice: create new Tx scheduler nodes for new queues only (git-fixes). - ice: fix Tx scheduler error handling in XDP callback (git-fixes). - ice: fix rebuilding the Tx scheduler tree for large queue counts (git-fixes). - ice: fix vf->num_mac count with port representors (git-fixes). - ima: Suspend PCR extends and log appends when rebooting (bsc#1210025 ltc#196650). - iommu: Skip PASID validation for devices without PASID capability (bsc#1244100) - iommu: Validate the PASID in iommu_attach_device_pasid() (bsc#1244100) - isolcpus: fix bug in returning number of allocated cpumask (bsc#1243774). - kABI: PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes). - kABI: serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes). - kabi: restore layout of struct cgroup_subsys (bsc#1241166). - kabi: restore layout of struct mem_control (jsc#PED-12551). - kabi: restore layout of struct page_counter (jsc#PED-12551). 
- loop: add file_start_write() and file_end_write() (git-fixes). - md/raid1,raid10: do not handle IO error for REQ_RAHEAD and REQ_NOWAIT (git-fixes). - mkspec: Exclude rt flavor from kernel-syms dependencies (bsc#1244337). - mm, memcg: cg2 memory{.swap,}.peak write handlers (jsc#PED-12551). - mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race (bsc#1245431). - mm/hugetlb: unshare page tables during VMA split, not before (bsc#1245431). - mm/memcontrol: export memcg.swap watermark via sysfs for v2 memcg (jsc#PED-12551). - mmc: Add quirk to disable DDR50 tuning (stable-fixes). - net/mdiobus: Fix potential out-of-bounds clause 45 read/write access (git-fixes). - net/mdiobus: Fix potential out-of-bounds read/write access (git-fixes). - net/mlx4_en: Prevent potential integer overflow calculating Hz (git-fixes). - net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid() (git-fixes). - net/mlx5: Ensure fw pages are always allocated on same NUMA (git-fixes). - net/mlx5: Fix ECVF vports unload on shutdown flow (git-fixes). - net/mlx5: Fix return value when searching for existing flow group (git-fixes). - net/mlx5_core: Add error handling inmlx5_query_nic_vport_qkey_viol_cntr() (git-fixes). - net/mlx5e: Fix leak of Geneve TLV option object (git-fixes). - net/sched: fix use-after-free in taprio_dev_notifier (git-fixes). - net: Fix TOCTOU issue in sk_is_readable() (git-fixes). - net: ice: Perform accurate aRFS flow match (git-fixes). - net: mana: Add support for Multi Vports on Bare metal (bsc#1244229). - net: mana: Record doorbell physical address in PF mode (bsc#1244229). - net: phy: move phy_link_change() prior to mdio_bus_phy_may_suspend() (bsc#1243538) - net_sched: ets: fix a race in ets_qdisc_change() (git-fixes). - net_sched: prio: fix a race in prio_tune() (git-fixes). - net_sched: red: fix a race in __red_change() (git-fixes). - net_sched: sch_fifo: implement lockless __fifo_dump() (bsc#1237312) - net_sched: sch_sfq: reject invalid perturb period (git-fixes). 
- net_sched: tbf: fix a race in tbf_change() (git-fixes). - netlink: fix potential sleeping issue in mqueue_flush_file (git-fixes). - netlink: specs: dpll: replace underscores with dashes in names (git-fixes). - nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request (git-fixes). - ntp: Clamp maxerror and esterror to operating range (git-fixes) - ntp: Remove invalid cast in time offset math (git-fixes) - ntp: Safeguard against time_constant overflow (git-fixes) - nvme-fc: do not reference lsrsp after failure (bsc#1245193). - nvme-pci: add NVME_QUIRK_NO_DEEPEST_PS quirk for SOLIDIGM P44 Pro (git-fixes). - nvme-pci: add quirks for WDC Blue SN550 15b7:5009 (git-fixes). - nvme-pci: add quirks for device 126f:1001 (git-fixes). - nvme: always punt polled uring_cmd end_io work to task_work (git-fixes). - nvme: fix command limits status code (git-fixes). - nvme: fix implicit bool to flags conversion (git-fixes). - nvmet-fc: free pending reqs on tgtport unregister (bsc#1245193). - nvmet-fc: take tgtport refs for portentry (bsc#1245193). - nvmet-fcloop: access fcpreq only when holding reqlock (bsc#1245193). - nvmet-fcloop: add missing fcloop_callback_host_done (bsc#1245193). - nvmet-fcloop: allocate/free fcloop_lsreq directly (bsc#1245193). - nvmet-fcloop: do not wait for lport cleanup (bsc#1245193). - nvmet-fcloop: drop response if targetport is gone (bsc#1245193). - nvmet-fcloop: prevent double port deletion (bsc#1245193). - nvmet-fcloop: refactor fcloop_delete_local_port (bsc#1245193). - nvmet-fcloop: refactor fcloop_nport_alloc and track lport (bsc#1245193). - nvmet-fcloop: remove nport from list on last user (bsc#1245193). - nvmet-fcloop: track ref counts for nports (bsc#1245193). - nvmet-fcloop: update refs on tfcp_req (bsc#1245193). - pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() (stable-fixes). 
- pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() (stable-fixes). - pinctrl: mcp23s08: Reset all pins to input at probe (stable-fixes). - pinctrl: qcom: pinctrl-qcm2290: Add missing pins (git-fixes). - pinctrl: st: Drop unused st_gpio_bank() function (git-fixes). - platform/x86/amd: pmc: Clear metrics table at start of cycle (git-fixes). - platform/x86/intel-uncore-freq: Fail module load when plat_info is NULL (git-fixes). - platform/x86: dell_rbu: Fix list usage (git-fixes). - platform/x86: dell_rbu: Stop overwriting data buffer (git-fixes). - platform/x86: ideapad-laptop: use usleep_range() for EC polling (git-fixes). - power: supply: bq27xxx: Retrieve again when busy (stable-fixes). - power: supply: collie: Fix wakeup source leaks on device unbind (stable-fixes). - powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery (bsc#1215199). - powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap (bsc#1244309 ltc#213790). - powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() (bsc#1244309 ltc#213790). - ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() (git-fixes). - r8152: add vendor/device ID pair for Dell Alienware AW1022z (git-fixes). - regulator: max20086: Fix refcount leak in max20086_parse_regulators_dt() (git-fixes). - rpm/kernel-source.changes.old: Drop bogus bugzilla reference (bsc#1244725) - rtc: Make rtc_time64_to_tm() support dates before 1970 (stable-fixes). - rtc: cmos: use spin_lock_irqsave in cmos_interrupt (git-fixes). - s390/pci: Fix __pcilg_mio_inuser() inline assembly (git-fixes bsc#1245226). - s390/tty: Fix a potential memory leak bug (git-fixes bsc#1245228). - scsi: dc395x: Remove DEBUG conditional compilation (git-fixes). - scsi: dc395x: Remove leftover if statement in reselect() (git-fixes). - scsi: elx: efct: Fix memory leak in efct_hw_parse_filter() (git-fixes). 
- scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk (git-fixes). - scsi: iscsi: Fix incorrect error path labels for flashnode operations (git-fixes). - scsi: mpi3mr: Add level check to control event logging (git-fixes). - scsi: mpt3sas: Send a diag reset if target reset fails (git-fixes). - scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops (git-fixes). - scsi: sd_zbc: block: Respect bio vector limits for REPORT ZONES buffer (git-fixes). - scsi: st: ERASE does not change tape location (git-fixes). - scsi: st: Restore some drive settings after reset (git-fixes). - scsi: st: Tighten the page format heuristics with MODE SELECT (git-fixes). - scsi: storvsc: Do not report the host packet status as the hv status (git-fixes). - scsi: storvsc: Increase the timeouts to storvsc_timeout (git-fixes). - serial: imx: Restore original RXTL for console to fix data loss (git-fixes). - serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes). - serial: sh-sci: Move runtime PM enable to sci_probe_single() (stable-fixes). - software node: Correct a OOB check in software_node_get_reference_args() (stable-fixes). - staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() (git-fixes). - struct usci: hide additional member (git-fixes). - sunrpc: handle SVC_GARBAGE during svc auth processing as auth error (git-fixes). - thunderbolt: Do not double dequeue a configuration request (stable-fixes). - timekeeping: Fix bogus clock_was_set() invocation in (git-fixes) - timekeeping: Fix cross-timestamp interpolation corner case (git-fixes) - timekeeping: Fix cross-timestamp interpolation for non-x86 (git-fixes) - timekeeping: Fix cross-timestamp interpolation on counter (git-fixes) - trace/trace_event_perf: remove duplicate samples on the first tracepoint event (git-fixes). - tracing/eprobe: Fix to release eprobe when failed to add dyn_event (git-fixes). - tracing: Add __print_dynamic_array() helper (bsc#1243544). 
- tracing: Add __string_len() example (bsc#1243544). - tracing: Fix cmp_entries_dup() to respect sort() comparison rules (git-fixes). - tracing: Fix compilation warning on arm32 (bsc#1243551). - tracing: Use atomic64_inc_return() in trace_clock_counter() (git-fixes). - truct dwc3 hide new member wakeup_pending_funcs (git-fixes). - ucsi_debugfs_entry: hide signedness change (git-fixes). - uprobes: Use kzalloc to allocate xol area (git-fixes). - usb: dwc3: gadget: Make gadget_wakeup asynchronous (git-fixes). - usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE (stable-fixes). - usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device (stable-fixes). - usb: typec: ucsi: Only enable supported notifications (git-fixes). - usb: typec: ucsi: allow non-partner GET_PDOS for Qualcomm devices (git-fixes). - usb: typec: ucsi: fix Clang -Wsign-conversion warning (git-fixes). - usb: typec: ucsi: fix UCSI on buggy Qualcomm devices (git-fixes). - usb: typec: ucsi: limit the UCSI_NO_PARTNER_PDOS even further (git-fixes). - usbnet: asix AX88772: leave the carrier control to phylink (stable-fixes). - vmxnet3: correctly report gso type for UDP tunnels (bsc#1244626). - vmxnet3: support higher link speeds from vmxnet3 v9 (bsc#1244626). - vmxnet3: update MTU after device quiesce (bsc#1244626). - watchdog: da9052_wdt: respect TWDMIN (stable-fixes). - watchdog: fix watchdog may detect false positive of softlockup (stable-fixes). - watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04 (git-fixes). - watchdog: mediatek: Add support for MT6735 TOPRGU/WDT (git-fixes). - wifi: ath11k: Fix QMI memory reuse logic (stable-fixes). - wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request() (git-fixes). - wifi: ath11k: convert timeouts to secs_to_jiffies() (stable-fixes). - wifi: ath11k: do not use static variables in ath11k_debugfs_fw_stats_process() (git-fixes). - wifi: ath11k: do not wait when there is no vdev started (git-fixes). 
- wifi: ath11k: fix soc_dp_stats debugfs file permission (stable-fixes). - wifi: ath11k: move some firmware stats related functions outside of debugfs (git-fixes). - wifi: ath11k: update channel list in worker when wait flag is set (bsc#1243847). - wifi: ath11k: validate ath11k_crypto_mode on top of ath11k_core_qmi_firmware_ready (git-fixes). - wifi: ath12k: Pass correct values of center freq1 and center freq2 for 160 MHz (stable-fixes). - wifi: ath12k: fix a possible dead lock caused by ab->base_lock (stable-fixes). - wifi: ath12k: fix failed to set mhi state error during reboot with hardware grouping (stable-fixes). - wifi: ath12k: fix incorrect CE addresses (stable-fixes). - wifi: ath12k: fix link valid field initialization in the monitor Rx (stable-fixes). - wifi: ath12k: fix macro definition HAL_RX_MSDU_PKT_LENGTH_GET (stable-fixes). - wifi: carl9170: do not ping device which has failed to load firmware (git-fixes). - wifi: iwlwifi: Add missing MODULE_FIRMWARE for Qu-c0-jf-b0 (stable-fixes). - wifi: iwlwifi: pcie: make sure to lock rxq->read (stable-fixes). - wifi: mac80211: VLAN traffic in multicast path (stable-fixes). - wifi: mac80211: do not offer a mesh path if forwarding is disabled (stable-fixes). - wifi: mac80211: fix beacon interval calculation overflow (git-fixes). - wifi: mac80211_hwsim: Prevent tsf from setting if beacon is disabled (stable-fixes). - wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R (stable-fixes). - wifi: mt76: mt7921: add 160 MHz AP for mt7922 device (stable-fixes). - wifi: mt76: mt7996: drop fragments with multicast or broadcast RA (stable-fixes). - wifi: rtw89: leave idle mode when setting WEP encryption for AP mode (stable-fixes). - x86/kaslr: Reduce KASLR entropy on most x86 systems (git-fixes). - x86/microcode/AMD: Add get_patch_level() (git-fixes). - x86/microcode/AMD: Get rid of the _load_microcode_amd() forward declaration (git-fixes). 
- x86/microcode/AMD: Merge early_apply_microcode() into its single callsite (git-fixes).
- x86/microcode/AMD: Remove ugly linebreak in __verify_patch_section() signature (git-fixes).
- x86/microcode: Consolidate the loader enablement checking (git-fixes).
- x86/mm/init: Handle the special case of device private pages in add_pages(), to not increase max_pfn and trigger dma_addressing_limited() bounce buffers (git-fixes).
- x86/xen: fix balloon target initialization for PVH dom0 (git-fixes).
- xen/arm: call uaccess_ttbr0_enable for dm_op hypercall (git-fixes)
- xen/x86: fix initial memory balloon target (git-fixes).

The following package changes have been done:

- kernel-default-6.4.0-31.1 updated

From sle-container-updates at lists.suse.com Sat Jul 12 07:08:01 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 12 Jul 2025 09:08:01 +0200 (CEST)
Subject: SUSE-IU-2025:1862-1: Security update of suse/sl-micro/6.0/kvm-os-container
Message-ID: <20250712070801.10269FCF8@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.0/kvm-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1862-1
Image Tags : suse/sl-micro/6.0/kvm-os-container:2.1.3 , suse/sl-micro/6.0/kvm-os-container:2.1.3-6.49 , suse/sl-micro/6.0/kvm-os-container:latest
Image Release : 6.49
Severity : moderate
Type : security
References : 1221107 CVE-2024-2236
-----------------------------------------------------------------

The container suse/sl-micro/6.0/kvm-os-container was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 381
Released: Fri Jul 11 11:20:30 2025
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1221107,CVE-2024-2236

This update for libgcrypt fixes the following issues:

- CVE-2024-2236: Fixed timing based side-channel in RSA implementation (bsc#1221107)

The following package changes have been done:

- libgcrypt20-1.10.3-2.1 updated
- SL-Micro-release-6.0-25.35 updated
- container:SL-Micro-base-container-2.1.3-7.24 updated

From sle-container-updates at lists.suse.com Sat Jul 12 07:08:01 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 12 Jul 2025 09:08:01 +0200 (CEST)
Subject: SUSE-IU-2025:1863-1: Security update of suse/sl-micro/6.0/kvm-os-container
Message-ID: <20250712070801.E3D4BFCF8@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.0/kvm-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1863-1
Image Tags : suse/sl-micro/6.0/kvm-os-container:2.1.3 , suse/sl-micro/6.0/kvm-os-container:2.1.3-6.50 , suse/sl-micro/6.0/kvm-os-container:latest
Image Release : 6.50
Severity : important
Type : security
References : 1210025 1211226 1215199 1218184 1223008 1235490 1236208 1237312 1237913 1238859
 1238982 1240577 1240610 1240686 1240814 1241166 1241278 1241414 1241544 1241572
 1241592 1242504 1242515 1242521 1242556 1242725 1242907 1243051 1243060 1243342
 1243467 1243480 1243506 1243523 1243538 1243544 1243551 1243620 1243698 1243774
 1243823 1243827 1243832 1243847 1244100 1244145 1244172 1244176 1244229 1244234
 1244241 1244274 1244275 1244277 1244309 1244313 1244337 1244626 1244725 1244727
 1244729 1244731 1244732 1244736 1244737 1244738 1244739 1244743 1244746 1244759
 1244789 1244862 1244906 1244938 1244995 1244996 1244999 1245001 1245003 1245004
 1245025 1245042 1245046 1245078 1245081 1245082 1245083 1245155 1245183 1245193
 1245210 1245217 1245225 1245226 1245228 1245431 1245455
 CVE-2024-26831 CVE-2024-56613 CVE-2024-56699 CVE-2024-57982 CVE-2024-58053
 CVE-2025-21658 CVE-2025-21720 CVE-2025-21898 CVE-2025-21899 CVE-2025-21920
 CVE-2025-21959 CVE-2025-22035 CVE-2025-22083 CVE-2025-22111 CVE-2025-22120
 CVE-2025-37756 CVE-2025-37757 CVE-2025-37786 CVE-2025-37811 CVE-2025-37859
 CVE-2025-37884 CVE-2025-37909 CVE-2025-37921 CVE-2025-37923 CVE-2025-37927
 CVE-2025-37938 CVE-2025-37945 CVE-2025-37946 CVE-2025-37961 CVE-2025-37973
 CVE-2025-37992 CVE-2025-37994 CVE-2025-37995 CVE-2025-37997 CVE-2025-38000
 CVE-2025-38001 CVE-2025-38003 CVE-2025-38004 CVE-2025-38005 CVE-2025-38007
 CVE-2025-38009 CVE-2025-38010 CVE-2025-38011 CVE-2025-38013 CVE-2025-38014
 CVE-2025-38015 CVE-2025-38018 CVE-2025-38020 CVE-2025-38022 CVE-2025-38023
 CVE-2025-38024 CVE-2025-38027 CVE-2025-38031 CVE-2025-38040 CVE-2025-38043
 CVE-2025-38044 CVE-2025-38045 CVE-2025-38053 CVE-2025-38057 CVE-2025-38059
 CVE-2025-38060 CVE-2025-38065 CVE-2025-38068 CVE-2025-38072 CVE-2025-38077
 CVE-2025-38078 CVE-2025-38079 CVE-2025-38080 CVE-2025-38081 CVE-2025-38083
-----------------------------------------------------------------

The container suse/sl-micro/6.0/kvm-os-container was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: kernel-50
Released: Fri Jul 11 17:14:18 2025
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1210025,1211226,1215199,1218184,1223008,1235490,1236208,1237312,1237913,1238859,1238982,1240577,1240610,1240686,1240814,1241166,1241278,1241414,1241544,1241572,1241592,1242504,1242515,1242521,1242556,1242725,1242907,1243051,1243060,1243342,1243467,1243480,1243506,1243523,1243538,1243544,1243551,1243620,1243698,1243774,1243823,1243827,1243832,1243847,1244100,1244145,1244172,1244176,1244229,1244234,1244241,1244274,1244275,1244277,1244309,1244313,1244337,1244626,1244725,1244727,1244729,1244731,1244732,1244736,1244737,1244738,1244739,1244743,1244746,1244759,1244789,1244862,1244906,1244938,1244995,1244996,1244999,1245001,1245003,1245004,1245025,1245042,1245046,1245078,1245081,1245082,1245083,1245155,1245183,1245193,1245210,1245217,1245225,1245226,1245228,1245431,1245455,CVE-2024-26831,CVE-2024-56613,CVE-2024-56699,CVE-2024-57982,CVE-2024-58053,CVE-2025-21658,CVE-2025-21720,CVE-2025-21898,CVE-2025-21899,CVE-2025-21920,CVE-2025-21959,CVE-2025-22035,CVE-2025-22083,CVE-2025-22111,CVE-2025-22120,CVE-2025-37756,CVE-2025-37757,CVE-2025-37786,CVE-2025-37811,CVE-2025-37859,CVE-2025-37884,CVE-2025-37909,CVE-2025-37921,CVE-2025-37923,CVE-2025-37927,CVE-2025-37938,CVE-2025-37945,CVE-2025-37946,CVE-2025-37961,CVE-2025-37973,CVE-2025-37992,CVE-2025-37994,CVE-2025-37995,CVE-2025-37997,CVE-2025-38000,CVE-2025-38001,CVE-2025-38003,CVE-2025-38004,CVE-2025-38005,CVE-2025-38007,CVE-2025-38009,CVE-2025-38010,CVE-2025-38011,CVE-2025-38013,CVE-2025-38014,CVE-2025-38015,CVE-2025-38018,CVE-2025-38020,CVE-2025-38022,CVE-2025-38023,CVE-2025-38024,CVE-2025-38027,CVE-2025-38031,CVE-2025-38040,CVE-2025-38043,CVE-2025-38044,CVE-2025-38045,CVE-2025-38053,CVE-2025-38057,CVE-2025-38059,CVE-2025-38060,CVE-2025-38065,CVE-2025-38068,CVE-2025-38072,CVE-2025-38077,CVE-2025-38078,CVE-2025-38079,CVE-2025-38080,CVE-2025-38081,CVE-2025-38083

The SUSE Linux Enterprise Micro 6.0 and 6.1 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

- CVE-2024-57982: xfrm: state: fix out-of-bounds read during lookup (bsc#1237913).
- CVE-2024-58053: rxrpc: Fix handling of received connection abort (bsc#1238982).
- CVE-2025-21720: xfrm: delete intermediate secpath entry in packet offload mode (bsc#1238859).
- CVE-2025-21898: ftrace: Avoid potential division by zero in function_stat_show() (bsc#1240610).
- CVE-2025-21899: tracing: Fix bad hist from corrupting named_triggers list (bsc#1240577).
- CVE-2025-21920: vlan: enforce underlying device type (bsc#1240686).
- CVE-2025-21959: netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() (bsc#1240814).
- CVE-2025-22035: tracing: Fix use-after-free in print_graph_function_flags during tracer switching (bsc#1241544).
- CVE-2025-22111: net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF (bsc#1241572).
- CVE-2025-37756: net: tls: explicitly disallow disconnect (bsc#1242515).
- CVE-2025-37757: tipc: fix memory leak in tipc_link_xmit (bsc#1242521).
- CVE-2025-37786: net: dsa: free routing table on probe failure (bsc#1242725).
- CVE-2025-37811: usb: chipidea: ci_hdrc_imx: fix usbmisc handling (bsc#1242907).
- CVE-2025-37859: page_pool: avoid infinite loop to schedule delayed worker (bsc#1243051).
- CVE-2025-37884: bpf: Fix deadlock between rcu_tasks_trace and event_mutex (bsc#1243060).
- CVE-2025-37909: net: lan743x: Fix memleak issue when GSO enabled (bsc#1243467).
- CVE-2025-37921: vxlan: vnifilter: Fix unlocked deletion of default FDB entry (bsc#1243480).
- CVE-2025-37923: tracing: Fix oob write in trace_seq_to_buffer() (bsc#1243551).
- CVE-2025-37927: iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid (bsc#1243620).
- CVE-2025-37938: tracing: Verify event formats that have '%*p..' (bsc#1243544).
- CVE-2025-37945: net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY (bsc#1243538).
- CVE-2025-37961: ipvs: fix uninit-value for saddr in do_output_route4 (bsc#1243523).
- CVE-2025-37992: net_sched: Flush gso_skb list too during ->change() (bsc#1243698).
- CVE-2025-37995: module: ensure that kobject_put() is safe for module type kobjects (bsc#1243827).
- CVE-2025-37997: netfilter: ipset: fix region locking in hash types (bsc#1243832).
- CVE-2025-38000: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (bsc#1244277).
- CVE-2025-38001: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice (bsc#1244234).
- CVE-2025-38011: drm/amdgpu: csa unmap use uninterruptible lock (bsc#1244729).
- CVE-2025-38018: net/tls: fix kernel panic when alloc_page failed (bsc#1244999).
- CVE-2025-38053: idpf: fix null-ptr-deref in idpf_features_check (bsc#1244746).
- CVE-2025-38057: espintcp: fix skb leaks (bsc#1244862).
- CVE-2025-38060: bpf: abort verification if env->cur_state->loop_entry != NULL (bsc#1245155).
- CVE-2025-38072: libnvdimm/labels: Fix divide error in nd_label_data_init() (bsc#1244743).

The following non-security bugs were fixed: - ACPI: CPPC: Fix NULL pointer dereference when nosmp is used (git-fixes). - ACPI: battery: negate current when discharging (stable-fixes). - ACPI: bus: Bail out if acpi_kobj registration fails (stable-fixes). - ACPICA: Avoid sequence overread in call to strncmp() (stable-fixes). - ACPICA: fix acpi operand cache leak in dswstate.c (stable-fixes). - ACPICA: fix acpi parse and parseext cache leaks (stable-fixes). - ACPICA: utilities: Fix overflow check in vsnprintf() (stable-fixes). - ALSA: hda/intel: Add Thinkpad E15 to PM deny list (stable-fixes). - ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X507UAR (git-fixes). - ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X513EA (git-fixes). - ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged (stable-fixes). - ALSA: usb-audio: Accept multiple protocols in GTBs (stable-fixes). - ALSA: usb-audio: Add Pioneer DJ DJM-V10 support (stable-fixes). - ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock (stable-fixes). - ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1 (stable-fixes). - ALSA: usb-audio: Add name for HP Engage Go dock (stable-fixes). - ALSA: usb-audio: Check shutdown at endpoint_set_interface() (stable-fixes). - ALSA: usb-audio: Fix NULL pointer deref in snd_usb_power_domain_set() (git-fixes). - ALSA: usb-audio: Fix duplicated name in MIDI substream names (stable-fixes). - ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() (git-fixes). - ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound card (stable-fixes). - ALSA: usb-audio: Rename Pioneer mixer channel controls (git-fixes). - ALSA: usb-audio: Set MIDI1 flag appropriately for GTB MIDI 1.0 entry (stable-fixes). - ALSA: usb-audio: Skip setting clock selector for single connections (stable-fixes). - ALSA: usb-audio: Support multiple control interfaces (stable-fixes). 
- ALSA: usb-audio: Support read-only clock selector control (stable-fixes). - ALSA: usb-audio: enable support for Presonus Studio 1824c within 1810c file (stable-fixes). - ALSA: usb-audio: mixer: Remove temporary string use in parse_clock_source_unit (stable-fixes). - ASoC: amd: yc: Add quirk for Lenovo Yoga Pro 7 14ASP9 (stable-fixes). - ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change (stable-fixes). - ASoC: tegra210_ahub: Add check to of_device_get_match_data() (stable-fixes). - Bluetooth: Fix NULL pointer deference on eir_get_service_data (git-fixes). - Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete (git-fixes). - Bluetooth: MGMT: Fix sparse errors (git-fixes). - Bluetooth: MGMT: Remove unused mgmt_pending_find_data (stable-fixes). - Bluetooth: Remove pending ACL connection attempts (stable-fixes). - Bluetooth: hci_conn: Fix UAF Write in __hci_acl_create_connection_sync (git-fixes). - Bluetooth: hci_conn: Only do ACL connections sequentially (stable-fixes). - Bluetooth: hci_core: fix list_for_each_entry_rcu usage (git-fixes). - Bluetooth: hci_event: Fix not using key encryption size when its known (git-fixes). - Bluetooth: hci_sync: Fix UAF in hci_acl_create_conn_sync (git-fixes). - Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync (git-fixes). - Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance (git-fixes). - HID: lenovo: Restrict F7/9/11 mode to compact keyboards only (git-fixes). - HID: wacom: fix kobject reference count leak (git-fixes). - HID: wacom: fix memory leak on kobject creation failure (git-fixes). - HID: wacom: fix memory leak on sysfs attribute creation failure (git-fixes). - Input: sparcspkr - avoid unannotated fall-through (stable-fixes). - KVM: s390: rename PROT_NONE to PROT_TYPE_DUMMY (git-fixes bsc#1245225). - NFC: nci: uart: Set tty->disc_data only in success path (git-fixes). - PCI/DPC: Log Error Source ID only when valid (git-fixes). - PCI/DPC: Use defines with DPC reason fields (git-fixes). 
- PCI/MSI: Size device MSI domain with the maximum number of vectors (git-fixes). - PCI/PM: Set up runtime PM even for devices without PCI PM (git-fixes). - PCI: apple: Set only available ports up (git-fixes). - PCI: dw-rockchip: Remove PCIE_L0S_ENTRY check from rockchip_pcie_link_up() (git-fixes). - PCI: dwc: ep: Correct PBA offset in .set_msix() callback (git-fixes). - PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes). - PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn() (stable-fixes). - RDMA/core: Fix best page size finding when it can cross SG entries (git-fixes) - RDMA/uverbs: Propagate errors from rdma_lookup_get_uobject() (git-fixes) - Revert 'ALSA: usb-audio: Skip setting clock selector for single connections' (stable-fixes). - Revert 'arm64: dts: allwinner: h6: Use RSB for AXP805 PMIC (git-fixes) - Revert 'ipv6: save dontfrag in cork (git-fixes).' - Revert 'kABI: ipv6: save dontfrag in cork (git-fixes).' - USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB (stable-fixes). - add bug reference to existing hv_storvsc change (bsc#1245455). - arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs (git-fixes) - ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode (stable-fixes). - ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 (stable-fixes). - ath10k: snoc: fix unbalanced IRQ enable in crash recovery (git-fixes). - bnxt: properly flush XDP redirect lists (git-fixes). - bpf: Force uprobe bpf program to always return 0 (git-fixes). - btrfs: fix fsync of files with no hard links not persisting deletion (git-fixes). - btrfs: fix invalid data space release when truncating block in NOCOW mode (git-fixes). - btrfs: fix qgroup reservation leak on failure to allocate ordered extent (git-fixes). - btrfs: fix wrong start offset for delalloc space release during mmap write (git-fixes). - btrfs: remove end_no_trans label from btrfs_log_inode_parent() (git-fixes). 
- btrfs: simplify condition for logging new dentries at btrfs_log_inode_parent() (git-fixes). - bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value (stable-fixes). - calipso: Fix null-ptr-deref in calipso_req_{set,del}attr() (git-fixes). - can: tcan4x5x: fix power regulator retrieval during probe (git-fixes). - ceph: Fix incorrect flush end position calculation (git-fixes). - ceph: allocate sparse_ext map only for sparse reads (git-fixes). - ceph: fix memory leaks in __ceph_sync_read() (git-fixes). - cgroup/cpuset: Fix race between newly created partition and dying one (bsc#1241166). - clocksource: Fix brown-bag boolean thinko in (git-fixes) - clocksource: Make watchdog and suspend-timing multiplication (git-fixes) - devlink: Fix referring to hw_addr attribute during state validation (git-fixes). - devlink: fix port dump cmd type (git-fixes). - drivers/rapidio/rio_cm.c: prevent possible heap overwrite (stable-fixes). - drm/amdgpu: switch job hw_fence to amdgpu_fence (git-fixes). - drm/etnaviv: Protect the scheduler's pending list with its lock (git-fixes). - drm/i915/pmu: Fix build error with GCOV and AutoFDO enabled (git-fixes). - drm/i915: fix build error some more (git-fixes). - drm/msm/disp: Correct porch timing for SDM845 (git-fixes). - drm/msm/dsi/dsi_phy_10nm: Fix missing initial VCO rate (git-fixes). - drm/nouveau/bl: increase buffer size to avoid truncate warning (git-fixes). - drm/ssd130x: fix ssd132x_clear_screen() columns (git-fixes). - e1000e: set fixed clock frequency indication for Nahum 11 and Nahum 13 (git-fixes). - fbcon: Make sure modelist not set on unregistered console (stable-fixes). - fgraph: Still initialize idle shadow stacks when starting (git-fixes). - firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES (git-fixes). - gpio: mlxbf3: only get IRQ for device instance 0 (git-fixes). - gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt (git-fixes). 
- gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO (git-fixes). - hwmon: (ftsteutates) Fix TOCTOU race in fts_read() (git-fixes). - hwmon: (nct6775): Actually make use of the HWMON_NCT6775 symbol namespace (git-fixes). - hwmon: (occ) Rework attribute registration for stack usage (git-fixes). - hwmon: (occ) fix unaligned accesses (git-fixes). - hwmon: (peci/dimmtemp) Do not provide fake thresholds data (git-fixes). - hwmon: corsair-psu: add USB id of HX1200i Series 2023 psu (git-fixes). - i2c: designware: Invoke runtime suspend on quick slave re-registration (stable-fixes). - i2c: npcm: Add clock toggle recovery (stable-fixes). - i2c: robotfuzz-osif: disable zero-length read messages (git-fixes). - i2c: tiny-usb: disable zero-length read messages (git-fixes). - i40e: retry VFLR handling if there is ongoing VF reset (git-fixes). - i40e: return false from i40e_reset_vf if reset is in progress (git-fixes). - ice: Fix LACP bonds without SRIOV environment (git-fixes). - ice: create new Tx scheduler nodes for new queues only (git-fixes). - ice: fix Tx scheduler error handling in XDP callback (git-fixes). - ice: fix rebuilding the Tx scheduler tree for large queue counts (git-fixes). - ice: fix vf->num_mac count with port representors (git-fixes). - ima: Suspend PCR extends and log appends when rebooting (bsc#1210025 ltc#196650). - iommu: Skip PASID validation for devices without PASID capability (bsc#1244100) - iommu: Validate the PASID in iommu_attach_device_pasid() (bsc#1244100) - isolcpus: fix bug in returning number of allocated cpumask (bsc#1243774). - kABI: PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes). - kABI: serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes). - kabi: restore layout of struct cgroup_subsys (bsc#1241166). - kabi: restore layout of struct mem_control (jsc#PED-12551). - kabi: restore layout of struct page_counter (jsc#PED-12551). 
- loop: add file_start_write() and file_end_write() (git-fixes). - md/raid1,raid10: do not handle IO error for REQ_RAHEAD and REQ_NOWAIT (git-fixes). - mkspec: Exclude rt flavor from kernel-syms dependencies (bsc#1244337). - mm, memcg: cg2 memory{.swap,}.peak write handlers (jsc#PED-12551). - mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race (bsc#1245431). - mm/hugetlb: unshare page tables during VMA split, not before (bsc#1245431). - mm/memcontrol: export memcg.swap watermark via sysfs for v2 memcg (jsc#PED-12551). - mmc: Add quirk to disable DDR50 tuning (stable-fixes). - net/mdiobus: Fix potential out-of-bounds clause 45 read/write access (git-fixes). - net/mdiobus: Fix potential out-of-bounds read/write access (git-fixes). - net/mlx4_en: Prevent potential integer overflow calculating Hz (git-fixes). - net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid() (git-fixes). - net/mlx5: Ensure fw pages are always allocated on same NUMA (git-fixes). - net/mlx5: Fix ECVF vports unload on shutdown flow (git-fixes). - net/mlx5: Fix return value when searching for existing flow group (git-fixes). - net/mlx5_core: Add error handling inmlx5_query_nic_vport_qkey_viol_cntr() (git-fixes). - net/mlx5e: Fix leak of Geneve TLV option object (git-fixes). - net/sched: fix use-after-free in taprio_dev_notifier (git-fixes). - net: Fix TOCTOU issue in sk_is_readable() (git-fixes). - net: ice: Perform accurate aRFS flow match (git-fixes). - net: mana: Add support for Multi Vports on Bare metal (bsc#1244229). - net: mana: Record doorbell physical address in PF mode (bsc#1244229). - net: phy: move phy_link_change() prior to mdio_bus_phy_may_suspend() (bsc#1243538) - net_sched: ets: fix a race in ets_qdisc_change() (git-fixes). - net_sched: prio: fix a race in prio_tune() (git-fixes). - net_sched: red: fix a race in __red_change() (git-fixes). - net_sched: sch_fifo: implement lockless __fifo_dump() (bsc#1237312) - net_sched: sch_sfq: reject invalid perturb period (git-fixes). 
- net_sched: tbf: fix a race in tbf_change() (git-fixes). - netlink: fix potential sleeping issue in mqueue_flush_file (git-fixes). - netlink: specs: dpll: replace underscores with dashes in names (git-fixes). - nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request (git-fixes). - ntp: Clamp maxerror and esterror to operating range (git-fixes) - ntp: Remove invalid cast in time offset math (git-fixes) - ntp: Safeguard against time_constant overflow (git-fixes) - nvme-fc: do not reference lsrsp after failure (bsc#1245193). - nvme-pci: add NVME_QUIRK_NO_DEEPEST_PS quirk for SOLIDIGM P44 Pro (git-fixes). - nvme-pci: add quirks for WDC Blue SN550 15b7:5009 (git-fixes). - nvme-pci: add quirks for device 126f:1001 (git-fixes). - nvme: always punt polled uring_cmd end_io work to task_work (git-fixes). - nvme: fix command limits status code (git-fixes). - nvme: fix implicit bool to flags conversion (git-fixes). - nvmet-fc: free pending reqs on tgtport unregister (bsc#1245193). - nvmet-fc: take tgtport refs for portentry (bsc#1245193). - nvmet-fcloop: access fcpreq only when holding reqlock (bsc#1245193). - nvmet-fcloop: add missing fcloop_callback_host_done (bsc#1245193). - nvmet-fcloop: allocate/free fcloop_lsreq directly (bsc#1245193). - nvmet-fcloop: do not wait for lport cleanup (bsc#1245193). - nvmet-fcloop: drop response if targetport is gone (bsc#1245193). - nvmet-fcloop: prevent double port deletion (bsc#1245193). - nvmet-fcloop: refactor fcloop_delete_local_port (bsc#1245193). - nvmet-fcloop: refactor fcloop_nport_alloc and track lport (bsc#1245193). - nvmet-fcloop: remove nport from list on last user (bsc#1245193). - nvmet-fcloop: track ref counts for nports (bsc#1245193). - nvmet-fcloop: update refs on tfcp_req (bsc#1245193). - pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() (stable-fixes). 
- pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() (stable-fixes). - pinctrl: mcp23s08: Reset all pins to input at probe (stable-fixes). - pinctrl: qcom: pinctrl-qcm2290: Add missing pins (git-fixes). - pinctrl: st: Drop unused st_gpio_bank() function (git-fixes). - platform/x86/amd: pmc: Clear metrics table at start of cycle (git-fixes). - platform/x86/intel-uncore-freq: Fail module load when plat_info is NULL (git-fixes). - platform/x86: dell_rbu: Fix list usage (git-fixes). - platform/x86: dell_rbu: Stop overwriting data buffer (git-fixes). - platform/x86: ideapad-laptop: use usleep_range() for EC polling (git-fixes). - power: supply: bq27xxx: Retrieve again when busy (stable-fixes). - power: supply: collie: Fix wakeup source leaks on device unbind (stable-fixes). - powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery (bsc#1215199). - powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap (bsc#1244309 ltc#213790). - powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() (bsc#1244309 ltc#213790). - ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() (git-fixes). - r8152: add vendor/device ID pair for Dell Alienware AW1022z (git-fixes). - regulator: max20086: Fix refcount leak in max20086_parse_regulators_dt() (git-fixes). - rpm/kernel-source.changes.old: Drop bogus bugzilla reference (bsc#1244725) - rtc: Make rtc_time64_to_tm() support dates before 1970 (stable-fixes). - rtc: cmos: use spin_lock_irqsave in cmos_interrupt (git-fixes). - s390/pci: Fix __pcilg_mio_inuser() inline assembly (git-fixes bsc#1245226). - s390/tty: Fix a potential memory leak bug (git-fixes bsc#1245228). - scsi: dc395x: Remove DEBUG conditional compilation (git-fixes). - scsi: dc395x: Remove leftover if statement in reselect() (git-fixes). - scsi: elx: efct: Fix memory leak in efct_hw_parse_filter() (git-fixes). 
- scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk (git-fixes). - scsi: iscsi: Fix incorrect error path labels for flashnode operations (git-fixes). - scsi: mpi3mr: Add level check to control event logging (git-fixes). - scsi: mpt3sas: Send a diag reset if target reset fails (git-fixes). - scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops (git-fixes). - scsi: sd_zbc: block: Respect bio vector limits for REPORT ZONES buffer (git-fixes). - scsi: st: ERASE does not change tape location (git-fixes). - scsi: st: Restore some drive settings after reset (git-fixes). - scsi: st: Tighten the page format heuristics with MODE SELECT (git-fixes). - scsi: storvsc: Do not report the host packet status as the hv status (git-fixes). - scsi: storvsc: Increase the timeouts to storvsc_timeout (git-fixes). - serial: imx: Restore original RXTL for console to fix data loss (git-fixes). - serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes). - serial: sh-sci: Move runtime PM enable to sci_probe_single() (stable-fixes). - software node: Correct a OOB check in software_node_get_reference_args() (stable-fixes). - staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() (git-fixes). - struct usci: hide additional member (git-fixes). - sunrpc: handle SVC_GARBAGE during svc auth processing as auth error (git-fixes). - thunderbolt: Do not double dequeue a configuration request (stable-fixes). - timekeeping: Fix bogus clock_was_set() invocation in (git-fixes) - timekeeping: Fix cross-timestamp interpolation corner case (git-fixes) - timekeeping: Fix cross-timestamp interpolation for non-x86 (git-fixes) - timekeeping: Fix cross-timestamp interpolation on counter (git-fixes) - trace/trace_event_perf: remove duplicate samples on the first tracepoint event (git-fixes). - tracing/eprobe: Fix to release eprobe when failed to add dyn_event (git-fixes). - tracing: Add __print_dynamic_array() helper (bsc#1243544). 
- tracing: Add __string_len() example (bsc#1243544). - tracing: Fix cmp_entries_dup() to respect sort() comparison rules (git-fixes). - tracing: Fix compilation warning on arm32 (bsc#1243551). - tracing: Use atomic64_inc_return() in trace_clock_counter() (git-fixes). - truct dwc3 hide new member wakeup_pending_funcs (git-fixes). - ucsi_debugfs_entry: hide signedness change (git-fixes). - uprobes: Use kzalloc to allocate xol area (git-fixes). - usb: dwc3: gadget: Make gadget_wakeup asynchronous (git-fixes). - usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE (stable-fixes). - usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device (stable-fixes). - usb: typec: ucsi: Only enable supported notifications (git-fixes). - usb: typec: ucsi: allow non-partner GET_PDOS for Qualcomm devices (git-fixes). - usb: typec: ucsi: fix Clang -Wsign-conversion warning (git-fixes). - usb: typec: ucsi: fix UCSI on buggy Qualcomm devices (git-fixes). - usb: typec: ucsi: limit the UCSI_NO_PARTNER_PDOS even further (git-fixes). - usbnet: asix AX88772: leave the carrier control to phylink (stable-fixes). - vmxnet3: correctly report gso type for UDP tunnels (bsc#1244626). - vmxnet3: support higher link speeds from vmxnet3 v9 (bsc#1244626). - vmxnet3: update MTU after device quiesce (bsc#1244626). - watchdog: da9052_wdt: respect TWDMIN (stable-fixes). - watchdog: fix watchdog may detect false positive of softlockup (stable-fixes). - watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04 (git-fixes). - watchdog: mediatek: Add support for MT6735 TOPRGU/WDT (git-fixes). - wifi: ath11k: Fix QMI memory reuse logic (stable-fixes). - wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request() (git-fixes). - wifi: ath11k: convert timeouts to secs_to_jiffies() (stable-fixes). - wifi: ath11k: do not use static variables in ath11k_debugfs_fw_stats_process() (git-fixes). - wifi: ath11k: do not wait when there is no vdev started (git-fixes). 
- wifi: ath11k: fix soc_dp_stats debugfs file permission (stable-fixes). - wifi: ath11k: move some firmware stats related functions outside of debugfs (git-fixes). - wifi: ath11k: update channel list in worker when wait flag is set (bsc#1243847). - wifi: ath11k: validate ath11k_crypto_mode on top of ath11k_core_qmi_firmware_ready (git-fixes). - wifi: ath12k: Pass correct values of center freq1 and center freq2 for 160 MHz (stable-fixes). - wifi: ath12k: fix a possible dead lock caused by ab->base_lock (stable-fixes). - wifi: ath12k: fix failed to set mhi state error during reboot with hardware grouping (stable-fixes). - wifi: ath12k: fix incorrect CE addresses (stable-fixes). - wifi: ath12k: fix link valid field initialization in the monitor Rx (stable-fixes). - wifi: ath12k: fix macro definition HAL_RX_MSDU_PKT_LENGTH_GET (stable-fixes). - wifi: carl9170: do not ping device which has failed to load firmware (git-fixes). - wifi: iwlwifi: Add missing MODULE_FIRMWARE for Qu-c0-jf-b0 (stable-fixes). - wifi: iwlwifi: pcie: make sure to lock rxq->read (stable-fixes). - wifi: mac80211: VLAN traffic in multicast path (stable-fixes). - wifi: mac80211: do not offer a mesh path if forwarding is disabled (stable-fixes). - wifi: mac80211: fix beacon interval calculation overflow (git-fixes). - wifi: mac80211_hwsim: Prevent tsf from setting if beacon is disabled (stable-fixes). - wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R (stable-fixes). - wifi: mt76: mt7921: add 160 MHz AP for mt7922 device (stable-fixes). - wifi: mt76: mt7996: drop fragments with multicast or broadcast RA (stable-fixes). - wifi: rtw89: leave idle mode when setting WEP encryption for AP mode (stable-fixes). - x86/kaslr: Reduce KASLR entropy on most x86 systems (git-fixes). - x86/microcode/AMD: Add get_patch_level() (git-fixes). - x86/microcode/AMD: Get rid of the _load_microcode_amd() forward declaration (git-fixes). 
- x86/microcode/AMD: Merge early_apply_microcode() into its single callsite (git-fixes).
- x86/microcode/AMD: Remove ugly linebreak in __verify_patch_section() signature (git-fixes).
- x86/microcode: Consolidate the loader enablement checking (git-fixes).
- x86/mm/init: Handle the special case of device private pages in add_pages(), to not increase max_pfn and trigger dma_addressing_limited() bounce buffers (git-fixes).
- x86/xen: fix balloon target initialization for PVH dom0 (git-fixes).
- xen/arm: call uaccess_ttbr0_enable for dm_op hypercall (git-fixes)
- xen/x86: fix initial memory balloon target (git-fixes).

The following package changes have been done:

- kernel-default-base-6.4.0-31.1.21.9 updated
- container:SL-Micro-base-container-2.1.3-7.25 updated

From sle-container-updates at lists.suse.com Sat Jul 12 07:08:48 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 12 Jul 2025 09:08:48 +0200 (CEST)
Subject: SUSE-IU-2025:1864-1: Security update of suse/sl-micro/6.0/rt-os-container
Message-ID: <20250712070848.4DD4DFCF8@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.0/rt-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1864-1
Image Tags : suse/sl-micro/6.0/rt-os-container:2.1.3 , suse/sl-micro/6.0/rt-os-container:2.1.3-7.58 , suse/sl-micro/6.0/rt-os-container:latest
Image Release : 7.58
Severity : moderate
Type : security
References : 1221107 CVE-2024-2236
-----------------------------------------------------------------

The container suse/sl-micro/6.0/rt-os-container was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 381
Released: Fri Jul 11 11:20:30 2025
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1221107,CVE-2024-2236

This update for libgcrypt fixes the following issues:

- CVE-2024-2236: Fixed timing based side-channel in RSA implementation (bsc#1221107)

The following package changes have been done:

- libgcrypt20-1.10.3-2.1 updated
- SL-Micro-release-6.0-25.35 updated
- container:SL-Micro-container-2.1.3-6.56 updated

From sle-container-updates at lists.suse.com Sat Jul 12 07:09:22 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 12 Jul 2025 09:09:22 +0200 (CEST)
Subject: SUSE-IU-2025:1865-1: Security update of suse/sl-micro/6.1/base-os-container
Message-ID: <20250712070922.B6BE6FCF8@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1865-1
Image Tags : suse/sl-micro/6.1/base-os-container:2.2.1 , suse/sl-micro/6.1/base-os-container:2.2.1-5.7 , suse/sl-micro/6.1/base-os-container:latest
Image Release : 5.7
Severity : important
Type : security
References : 1210025 1211226 1215199 1218184 1223008 1235490 1236208 1237312 1237913 1238859
             1238982 1240577 1240610 1240686 1240814 1241166 1241278 1241414 1241544 1241572
             1241592 1242504 1242515 1242521 1242556 1242725 1242907 1243051 1243060 1243342
             1243467 1243480 1243506 1243523 1243538 1243544 1243551 1243620 1243698 1243774
             1243823 1243827 1243832 1243847 1244100 1244145 1244172 1244176 1244229 1244234
             1244241 1244274 1244275 1244277 1244309 1244313 1244337 1244626 1244725 1244727
             1244729 1244731 1244732 1244736 1244737 1244738 1244739 1244743 1244746 1244759
             1244789 1244862 1244906 1244938 1244995 1244996 1244999 1245001 1245003 1245004
             1245025 1245042 1245046 1245078 1245081 1245082 1245083 1245155 1245183 1245193
             1245210 1245217 1245225 1245226 1245228 1245431 1245455
             CVE-2024-26831 CVE-2024-56613 CVE-2024-56699 CVE-2024-57982 CVE-2024-58053
             CVE-2025-21658 CVE-2025-21720 CVE-2025-21898 CVE-2025-21899 CVE-2025-21920
             CVE-2025-21959 CVE-2025-22035 CVE-2025-22083 CVE-2025-22111 CVE-2025-22120
             CVE-2025-37756 CVE-2025-37757 CVE-2025-37786 CVE-2025-37811 CVE-2025-37859
             CVE-2025-37884 CVE-2025-37909 CVE-2025-37921 CVE-2025-37923 CVE-2025-37927
             CVE-2025-37938 CVE-2025-37945 CVE-2025-37946 CVE-2025-37961 CVE-2025-37973
             CVE-2025-37992 CVE-2025-37994 CVE-2025-37995 CVE-2025-37997 CVE-2025-38000
             CVE-2025-38001 CVE-2025-38003 CVE-2025-38004 CVE-2025-38005 CVE-2025-38007
             CVE-2025-38009 CVE-2025-38010 CVE-2025-38011 CVE-2025-38013 CVE-2025-38014
             CVE-2025-38015 CVE-2025-38018 CVE-2025-38020 CVE-2025-38022 CVE-2025-38023
             CVE-2025-38024 CVE-2025-38027 CVE-2025-38031 CVE-2025-38040 CVE-2025-38043
             CVE-2025-38044 CVE-2025-38045 CVE-2025-38053 CVE-2025-38057 CVE-2025-38059
             CVE-2025-38060 CVE-2025-38065 CVE-2025-38068 CVE-2025-38072 CVE-2025-38077
             CVE-2025-38078 CVE-2025-38079 CVE-2025-38080 CVE-2025-38081 CVE-2025-38083
-----------------------------------------------------------------

The container suse/sl-micro/6.1/base-os-container was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: kernel-50
Released: Fri Jul 11 17:14:18 2025
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1210025,1211226,1215199,1218184,1223008,1235490,1236208,1237312,1237913,1238859,1238982,1240577,1240610,1240686,1240814,1241166,1241278,1241414,1241544,1241572,1241592,1242504,1242515,1242521,1242556,1242725,1242907,1243051,1243060,1243342,1243467,1243480,1243506,1243523,1243538,1243544,1243551,1243620,1243698,1243774,1243823,1243827,1243832,1243847,1244100,1244145,1244172,1244176,1244229,1244234,1244241,1244274,1244275,1244277,1244309,1244313,1244337,1244626,1244725,1244727,1244729,1244731,1244732,1244736,1244737,1244738,1244739,1244743,1244746,1244759,1244789,1244862,1244906,1244938,1244995,1244996,1244999,1245001,1245003,1245004,1245025,1245042,1245046,1245078,1245081,1245082,1245083,1245155,1245183,1245193,1245210,1245217,1245225,1245226,1245228,1245431,1245455,CVE-2024-26831,CVE-2024-56613,CVE-2024-56699,CVE-2024-57982,CVE-2024-58053,CVE-2025-21658,CVE-2025-21720,CVE-2025-21898,CVE-2025-21899,CVE-2025-21920,CVE-2025-21959,CVE-2025-22035,CVE-2025-22083,CVE-2025-22111,CVE-2025-22120,CVE-2025-37756,CVE-2025-37757,CVE-2025-37786,CVE-2025-37811,CVE-2025-37859,CVE-2025-37884,CVE-2025-37909,CVE-2025-37921,CVE-2025-37923,CVE-2025-37927,CVE-2025-37938,CVE-2025-37945,CVE-2025-37946,CVE-2025-37961,CVE-2025-37973,CVE-2025-37992,CVE-2025-37994,CVE-2025-37995,CVE-2025-37997,CVE-2025-38000,CVE-2025-38001,CVE-2025-38003,CVE-2025-38004,CVE-2025-38005,CVE-2025-38007,CVE-2025-38009,CVE-2025-38010,CVE-2025-38011,CVE-2025-38013,CVE-2025-38014,CVE-2025-38015,CVE-2025-38018,CVE-2025-38020,CVE-2025-38022,CVE-2025-38023,CVE-2025-38024,CVE-2025-38027,CVE-2025-38031,CVE-2025-38040,CVE-2025-38043,CVE-2025-38044,CVE-2025-38045,CVE-2025-38053,CVE-2025-38057,CVE-2025-38059,CVE-2025-38060,CVE-2025-38065,CVE-2025-38068,CVE-2025-38072,CVE-2025-38077,CVE-2025-38078,CVE-2025-38079,CVE-2025-38080,CVE-2025-38081,CVE-2025-38083

The SUSE Linux Enterprise Micro 6.0 and 6.1 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

- CVE-2024-57982: xfrm: state: fix out-of-bounds read during lookup (bsc#1237913).
- CVE-2024-58053: rxrpc: Fix handling of received connection abort (bsc#1238982).
- CVE-2025-21720: xfrm: delete intermediate secpath entry in packet offload mode (bsc#1238859).
- CVE-2025-21898: ftrace: Avoid potential division by zero in function_stat_show() (bsc#1240610).
- CVE-2025-21899: tracing: Fix bad hist from corrupting named_triggers list (bsc#1240577).
- CVE-2025-21920: vlan: enforce underlying device type (bsc#1240686).
- CVE-2025-21959: netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() (bsc#1240814).
- CVE-2025-22035: tracing: Fix use-after-free in print_graph_function_flags during tracer switching (bsc#1241544).
- CVE-2025-22111: net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF (bsc#1241572).
- CVE-2025-37756: net: tls: explicitly disallow disconnect (bsc#1242515).
- CVE-2025-37757: tipc: fix memory leak in tipc_link_xmit (bsc#1242521).
- CVE-2025-37786: net: dsa: free routing table on probe failure (bsc#1242725).
- CVE-2025-37811: usb: chipidea: ci_hdrc_imx: fix usbmisc handling (bsc#1242907).
- CVE-2025-37859: page_pool: avoid infinite loop to schedule delayed worker (bsc#1243051).
- CVE-2025-37884: bpf: Fix deadlock between rcu_tasks_trace and event_mutex (bsc#1243060).
- CVE-2025-37909: net: lan743x: Fix memleak issue when GSO enabled (bsc#1243467).
- CVE-2025-37921: vxlan: vnifilter: Fix unlocked deletion of default FDB entry (bsc#1243480).
- CVE-2025-37923: tracing: Fix oob write in trace_seq_to_buffer() (bsc#1243551).
- CVE-2025-37927: iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid (bsc#1243620).
- CVE-2025-37938: tracing: Verify event formats that have '%*p..' (bsc#1243544).
- CVE-2025-37945: net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY (bsc#1243538).
- CVE-2025-37961: ipvs: fix uninit-value for saddr in do_output_route4 (bsc#1243523).
- CVE-2025-37992: net_sched: Flush gso_skb list too during ->change() (bsc#1243698).
- CVE-2025-37995: module: ensure that kobject_put() is safe for module type kobjects (bsc#1243827).
- CVE-2025-37997: netfilter: ipset: fix region locking in hash types (bsc#1243832).
- CVE-2025-38000: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (bsc#1244277).
- CVE-2025-38001: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice (bsc#1244234).
- CVE-2025-38011: drm/amdgpu: csa unmap use uninterruptible lock (bsc#1244729).
- CVE-2025-38018: net/tls: fix kernel panic when alloc_page failed (bsc#1244999).
- CVE-2025-38053: idpf: fix null-ptr-deref in idpf_features_check (bsc#1244746).
- CVE-2025-38057: espintcp: fix skb leaks (bsc#1244862).
- CVE-2025-38060: bpf: abort verification if env->cur_state->loop_entry != NULL (bsc#1245155).
- CVE-2025-38072: libnvdimm/labels: Fix divide error in nd_label_data_init() (bsc#1244743).

The following non-security bugs were fixed: - ACPI: CPPC: Fix NULL pointer dereference when nosmp is used (git-fixes). - ACPI: battery: negate current when discharging (stable-fixes). - ACPI: bus: Bail out if acpi_kobj registration fails (stable-fixes). - ACPICA: Avoid sequence overread in call to strncmp() (stable-fixes). - ACPICA: fix acpi operand cache leak in dswstate.c (stable-fixes). - ACPICA: fix acpi parse and parseext cache leaks (stable-fixes). - ACPICA: utilities: Fix overflow check in vsnprintf() (stable-fixes). - ALSA: hda/intel: Add Thinkpad E15 to PM deny list (stable-fixes). - ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X507UAR (git-fixes). - ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X513EA (git-fixes). - ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged (stable-fixes). - ALSA: usb-audio: Accept multiple protocols in GTBs (stable-fixes). - ALSA: usb-audio: Add Pioneer DJ DJM-V10 support (stable-fixes). - ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock (stable-fixes). - ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1 (stable-fixes). - ALSA: usb-audio: Add name for HP Engage Go dock (stable-fixes). - ALSA: usb-audio: Check shutdown at endpoint_set_interface() (stable-fixes). - ALSA: usb-audio: Fix NULL pointer deref in snd_usb_power_domain_set() (git-fixes). - ALSA: usb-audio: Fix duplicated name in MIDI substream names (stable-fixes). - ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() (git-fixes). - ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound card (stable-fixes). - ALSA: usb-audio: Rename Pioneer mixer channel controls (git-fixes). - ALSA: usb-audio: Set MIDI1 flag appropriately for GTB MIDI 1.0 entry (stable-fixes). - ALSA: usb-audio: Skip setting clock selector for single connections (stable-fixes). - ALSA: usb-audio: Support multiple control interfaces (stable-fixes). 
- ALSA: usb-audio: Support read-only clock selector control (stable-fixes). - ALSA: usb-audio: enable support for Presonus Studio 1824c within 1810c file (stable-fixes). - ALSA: usb-audio: mixer: Remove temporary string use in parse_clock_source_unit (stable-fixes). - ASoC: amd: yc: Add quirk for Lenovo Yoga Pro 7 14ASP9 (stable-fixes). - ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change (stable-fixes). - ASoC: tegra210_ahub: Add check to of_device_get_match_data() (stable-fixes). - Bluetooth: Fix NULL pointer deference on eir_get_service_data (git-fixes). - Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete (git-fixes). - Bluetooth: MGMT: Fix sparse errors (git-fixes). - Bluetooth: MGMT: Remove unused mgmt_pending_find_data (stable-fixes). - Bluetooth: Remove pending ACL connection attempts (stable-fixes). - Bluetooth: hci_conn: Fix UAF Write in __hci_acl_create_connection_sync (git-fixes). - Bluetooth: hci_conn: Only do ACL connections sequentially (stable-fixes). - Bluetooth: hci_core: fix list_for_each_entry_rcu usage (git-fixes). - Bluetooth: hci_event: Fix not using key encryption size when its known (git-fixes). - Bluetooth: hci_sync: Fix UAF in hci_acl_create_conn_sync (git-fixes). - Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync (git-fixes). - Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance (git-fixes). - HID: lenovo: Restrict F7/9/11 mode to compact keyboards only (git-fixes). - HID: wacom: fix kobject reference count leak (git-fixes). - HID: wacom: fix memory leak on kobject creation failure (git-fixes). - HID: wacom: fix memory leak on sysfs attribute creation failure (git-fixes). - Input: sparcspkr - avoid unannotated fall-through (stable-fixes). - KVM: s390: rename PROT_NONE to PROT_TYPE_DUMMY (git-fixes bsc#1245225). - NFC: nci: uart: Set tty->disc_data only in success path (git-fixes). - PCI/DPC: Log Error Source ID only when valid (git-fixes). - PCI/DPC: Use defines with DPC reason fields (git-fixes). 
- PCI/MSI: Size device MSI domain with the maximum number of vectors (git-fixes). - PCI/PM: Set up runtime PM even for devices without PCI PM (git-fixes). - PCI: apple: Set only available ports up (git-fixes). - PCI: dw-rockchip: Remove PCIE_L0S_ENTRY check from rockchip_pcie_link_up() (git-fixes). - PCI: dwc: ep: Correct PBA offset in .set_msix() callback (git-fixes). - PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes). - PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn() (stable-fixes). - RDMA/core: Fix best page size finding when it can cross SG entries (git-fixes) - RDMA/uverbs: Propagate errors from rdma_lookup_get_uobject() (git-fixes) - Revert 'ALSA: usb-audio: Skip setting clock selector for single connections' (stable-fixes). - Revert 'arm64: dts: allwinner: h6: Use RSB for AXP805 PMIC (git-fixes) - Revert 'ipv6: save dontfrag in cork (git-fixes).' - Revert 'kABI: ipv6: save dontfrag in cork (git-fixes).' - USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB (stable-fixes). - add bug reference to existing hv_storvsc change (bsc#1245455). - arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs (git-fixes) - ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode (stable-fixes). - ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 (stable-fixes). - ath10k: snoc: fix unbalanced IRQ enable in crash recovery (git-fixes). - bnxt: properly flush XDP redirect lists (git-fixes). - bpf: Force uprobe bpf program to always return 0 (git-fixes). - btrfs: fix fsync of files with no hard links not persisting deletion (git-fixes). - btrfs: fix invalid data space release when truncating block in NOCOW mode (git-fixes). - btrfs: fix qgroup reservation leak on failure to allocate ordered extent (git-fixes). - btrfs: fix wrong start offset for delalloc space release during mmap write (git-fixes). - btrfs: remove end_no_trans label from btrfs_log_inode_parent() (git-fixes). 
- btrfs: simplify condition for logging new dentries at btrfs_log_inode_parent() (git-fixes). - bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value (stable-fixes). - calipso: Fix null-ptr-deref in calipso_req_{set,del}attr() (git-fixes). - can: tcan4x5x: fix power regulator retrieval during probe (git-fixes). - ceph: Fix incorrect flush end position calculation (git-fixes). - ceph: allocate sparse_ext map only for sparse reads (git-fixes). - ceph: fix memory leaks in __ceph_sync_read() (git-fixes). - cgroup/cpuset: Fix race between newly created partition and dying one (bsc#1241166). - clocksource: Fix brown-bag boolean thinko in (git-fixes) - clocksource: Make watchdog and suspend-timing multiplication (git-fixes) - devlink: Fix referring to hw_addr attribute during state validation (git-fixes). - devlink: fix port dump cmd type (git-fixes). - drivers/rapidio/rio_cm.c: prevent possible heap overwrite (stable-fixes). - drm/amdgpu: switch job hw_fence to amdgpu_fence (git-fixes). - drm/etnaviv: Protect the scheduler's pending list with its lock (git-fixes). - drm/i915/pmu: Fix build error with GCOV and AutoFDO enabled (git-fixes). - drm/i915: fix build error some more (git-fixes). - drm/msm/disp: Correct porch timing for SDM845 (git-fixes). - drm/msm/dsi/dsi_phy_10nm: Fix missing initial VCO rate (git-fixes). - drm/nouveau/bl: increase buffer size to avoid truncate warning (git-fixes). - drm/ssd130x: fix ssd132x_clear_screen() columns (git-fixes). - e1000e: set fixed clock frequency indication for Nahum 11 and Nahum 13 (git-fixes). - fbcon: Make sure modelist not set on unregistered console (stable-fixes). - fgraph: Still initialize idle shadow stacks when starting (git-fixes). - firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES (git-fixes). - gpio: mlxbf3: only get IRQ for device instance 0 (git-fixes). - gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt (git-fixes). 
- gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO (git-fixes). - hwmon: (ftsteutates) Fix TOCTOU race in fts_read() (git-fixes). - hwmon: (nct6775): Actually make use of the HWMON_NCT6775 symbol namespace (git-fixes). - hwmon: (occ) Rework attribute registration for stack usage (git-fixes). - hwmon: (occ) fix unaligned accesses (git-fixes). - hwmon: (peci/dimmtemp) Do not provide fake thresholds data (git-fixes). - hwmon: corsair-psu: add USB id of HX1200i Series 2023 psu (git-fixes). - i2c: designware: Invoke runtime suspend on quick slave re-registration (stable-fixes). - i2c: npcm: Add clock toggle recovery (stable-fixes). - i2c: robotfuzz-osif: disable zero-length read messages (git-fixes). - i2c: tiny-usb: disable zero-length read messages (git-fixes). - i40e: retry VFLR handling if there is ongoing VF reset (git-fixes). - i40e: return false from i40e_reset_vf if reset is in progress (git-fixes). - ice: Fix LACP bonds without SRIOV environment (git-fixes). - ice: create new Tx scheduler nodes for new queues only (git-fixes). - ice: fix Tx scheduler error handling in XDP callback (git-fixes). - ice: fix rebuilding the Tx scheduler tree for large queue counts (git-fixes). - ice: fix vf->num_mac count with port representors (git-fixes). - ima: Suspend PCR extends and log appends when rebooting (bsc#1210025 ltc#196650). - iommu: Skip PASID validation for devices without PASID capability (bsc#1244100) - iommu: Validate the PASID in iommu_attach_device_pasid() (bsc#1244100) - isolcpus: fix bug in returning number of allocated cpumask (bsc#1243774). - kABI: PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes). - kABI: serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes). - kabi: restore layout of struct cgroup_subsys (bsc#1241166). - kabi: restore layout of struct mem_control (jsc#PED-12551). - kabi: restore layout of struct page_counter (jsc#PED-12551). 
- loop: add file_start_write() and file_end_write() (git-fixes). - md/raid1,raid10: do not handle IO error for REQ_RAHEAD and REQ_NOWAIT (git-fixes). - mkspec: Exclude rt flavor from kernel-syms dependencies (bsc#1244337). - mm, memcg: cg2 memory{.swap,}.peak write handlers (jsc#PED-12551). - mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race (bsc#1245431). - mm/hugetlb: unshare page tables during VMA split, not before (bsc#1245431). - mm/memcontrol: export memcg.swap watermark via sysfs for v2 memcg (jsc#PED-12551). - mmc: Add quirk to disable DDR50 tuning (stable-fixes). - net/mdiobus: Fix potential out-of-bounds clause 45 read/write access (git-fixes). - net/mdiobus: Fix potential out-of-bounds read/write access (git-fixes). - net/mlx4_en: Prevent potential integer overflow calculating Hz (git-fixes). - net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid() (git-fixes). - net/mlx5: Ensure fw pages are always allocated on same NUMA (git-fixes). - net/mlx5: Fix ECVF vports unload on shutdown flow (git-fixes). - net/mlx5: Fix return value when searching for existing flow group (git-fixes). - net/mlx5_core: Add error handling inmlx5_query_nic_vport_qkey_viol_cntr() (git-fixes). - net/mlx5e: Fix leak of Geneve TLV option object (git-fixes). - net/sched: fix use-after-free in taprio_dev_notifier (git-fixes). - net: Fix TOCTOU issue in sk_is_readable() (git-fixes). - net: ice: Perform accurate aRFS flow match (git-fixes). - net: mana: Add support for Multi Vports on Bare metal (bsc#1244229). - net: mana: Record doorbell physical address in PF mode (bsc#1244229). - net: phy: move phy_link_change() prior to mdio_bus_phy_may_suspend() (bsc#1243538) - net_sched: ets: fix a race in ets_qdisc_change() (git-fixes). - net_sched: prio: fix a race in prio_tune() (git-fixes). - net_sched: red: fix a race in __red_change() (git-fixes). - net_sched: sch_fifo: implement lockless __fifo_dump() (bsc#1237312) - net_sched: sch_sfq: reject invalid perturb period (git-fixes). 
- net_sched: tbf: fix a race in tbf_change() (git-fixes). - netlink: fix potential sleeping issue in mqueue_flush_file (git-fixes). - netlink: specs: dpll: replace underscores with dashes in names (git-fixes). - nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request (git-fixes). - ntp: Clamp maxerror and esterror to operating range (git-fixes) - ntp: Remove invalid cast in time offset math (git-fixes) - ntp: Safeguard against time_constant overflow (git-fixes) - nvme-fc: do not reference lsrsp after failure (bsc#1245193). - nvme-pci: add NVME_QUIRK_NO_DEEPEST_PS quirk for SOLIDIGM P44 Pro (git-fixes). - nvme-pci: add quirks for WDC Blue SN550 15b7:5009 (git-fixes). - nvme-pci: add quirks for device 126f:1001 (git-fixes). - nvme: always punt polled uring_cmd end_io work to task_work (git-fixes). - nvme: fix command limits status code (git-fixes). - nvme: fix implicit bool to flags conversion (git-fixes). - nvmet-fc: free pending reqs on tgtport unregister (bsc#1245193). - nvmet-fc: take tgtport refs for portentry (bsc#1245193). - nvmet-fcloop: access fcpreq only when holding reqlock (bsc#1245193). - nvmet-fcloop: add missing fcloop_callback_host_done (bsc#1245193). - nvmet-fcloop: allocate/free fcloop_lsreq directly (bsc#1245193). - nvmet-fcloop: do not wait for lport cleanup (bsc#1245193). - nvmet-fcloop: drop response if targetport is gone (bsc#1245193). - nvmet-fcloop: prevent double port deletion (bsc#1245193). - nvmet-fcloop: refactor fcloop_delete_local_port (bsc#1245193). - nvmet-fcloop: refactor fcloop_nport_alloc and track lport (bsc#1245193). - nvmet-fcloop: remove nport from list on last user (bsc#1245193). - nvmet-fcloop: track ref counts for nports (bsc#1245193). - nvmet-fcloop: update refs on tfcp_req (bsc#1245193). - pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() (stable-fixes). 
- pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() (stable-fixes). - pinctrl: mcp23s08: Reset all pins to input at probe (stable-fixes). - pinctrl: qcom: pinctrl-qcm2290: Add missing pins (git-fixes). - pinctrl: st: Drop unused st_gpio_bank() function (git-fixes). - platform/x86/amd: pmc: Clear metrics table at start of cycle (git-fixes). - platform/x86/intel-uncore-freq: Fail module load when plat_info is NULL (git-fixes). - platform/x86: dell_rbu: Fix list usage (git-fixes). - platform/x86: dell_rbu: Stop overwriting data buffer (git-fixes). - platform/x86: ideapad-laptop: use usleep_range() for EC polling (git-fixes). - power: supply: bq27xxx: Retrieve again when busy (stable-fixes). - power: supply: collie: Fix wakeup source leaks on device unbind (stable-fixes). - powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery (bsc#1215199). - powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap (bsc#1244309 ltc#213790). - powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() (bsc#1244309 ltc#213790). - ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() (git-fixes). - r8152: add vendor/device ID pair for Dell Alienware AW1022z (git-fixes). - regulator: max20086: Fix refcount leak in max20086_parse_regulators_dt() (git-fixes). - rpm/kernel-source.changes.old: Drop bogus bugzilla reference (bsc#1244725) - rtc: Make rtc_time64_to_tm() support dates before 1970 (stable-fixes). - rtc: cmos: use spin_lock_irqsave in cmos_interrupt (git-fixes). - s390/pci: Fix __pcilg_mio_inuser() inline assembly (git-fixes bsc#1245226). - s390/tty: Fix a potential memory leak bug (git-fixes bsc#1245228). - scsi: dc395x: Remove DEBUG conditional compilation (git-fixes). - scsi: dc395x: Remove leftover if statement in reselect() (git-fixes). - scsi: elx: efct: Fix memory leak in efct_hw_parse_filter() (git-fixes). 
- scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk (git-fixes). - scsi: iscsi: Fix incorrect error path labels for flashnode operations (git-fixes). - scsi: mpi3mr: Add level check to control event logging (git-fixes). - scsi: mpt3sas: Send a diag reset if target reset fails (git-fixes). - scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops (git-fixes). - scsi: sd_zbc: block: Respect bio vector limits for REPORT ZONES buffer (git-fixes). - scsi: st: ERASE does not change tape location (git-fixes). - scsi: st: Restore some drive settings after reset (git-fixes). - scsi: st: Tighten the page format heuristics with MODE SELECT (git-fixes). - scsi: storvsc: Do not report the host packet status as the hv status (git-fixes). - scsi: storvsc: Increase the timeouts to storvsc_timeout (git-fixes). - serial: imx: Restore original RXTL for console to fix data loss (git-fixes). - serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes). - serial: sh-sci: Move runtime PM enable to sci_probe_single() (stable-fixes). - software node: Correct a OOB check in software_node_get_reference_args() (stable-fixes). - staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() (git-fixes). - struct usci: hide additional member (git-fixes). - sunrpc: handle SVC_GARBAGE during svc auth processing as auth error (git-fixes). - thunderbolt: Do not double dequeue a configuration request (stable-fixes). - timekeeping: Fix bogus clock_was_set() invocation in (git-fixes) - timekeeping: Fix cross-timestamp interpolation corner case (git-fixes) - timekeeping: Fix cross-timestamp interpolation for non-x86 (git-fixes) - timekeeping: Fix cross-timestamp interpolation on counter (git-fixes) - trace/trace_event_perf: remove duplicate samples on the first tracepoint event (git-fixes). - tracing/eprobe: Fix to release eprobe when failed to add dyn_event (git-fixes). - tracing: Add __print_dynamic_array() helper (bsc#1243544). 
- tracing: Add __string_len() example (bsc#1243544). - tracing: Fix cmp_entries_dup() to respect sort() comparison rules (git-fixes). - tracing: Fix compilation warning on arm32 (bsc#1243551). - tracing: Use atomic64_inc_return() in trace_clock_counter() (git-fixes). - truct dwc3 hide new member wakeup_pending_funcs (git-fixes). - ucsi_debugfs_entry: hide signedness change (git-fixes). - uprobes: Use kzalloc to allocate xol area (git-fixes). - usb: dwc3: gadget: Make gadget_wakeup asynchronous (git-fixes). - usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE (stable-fixes). - usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device (stable-fixes). - usb: typec: ucsi: Only enable supported notifications (git-fixes). - usb: typec: ucsi: allow non-partner GET_PDOS for Qualcomm devices (git-fixes). - usb: typec: ucsi: fix Clang -Wsign-conversion warning (git-fixes). - usb: typec: ucsi: fix UCSI on buggy Qualcomm devices (git-fixes). - usb: typec: ucsi: limit the UCSI_NO_PARTNER_PDOS even further (git-fixes). - usbnet: asix AX88772: leave the carrier control to phylink (stable-fixes). - vmxnet3: correctly report gso type for UDP tunnels (bsc#1244626). - vmxnet3: support higher link speeds from vmxnet3 v9 (bsc#1244626). - vmxnet3: update MTU after device quiesce (bsc#1244626). - watchdog: da9052_wdt: respect TWDMIN (stable-fixes). - watchdog: fix watchdog may detect false positive of softlockup (stable-fixes). - watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04 (git-fixes). - watchdog: mediatek: Add support for MT6735 TOPRGU/WDT (git-fixes). - wifi: ath11k: Fix QMI memory reuse logic (stable-fixes). - wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request() (git-fixes). - wifi: ath11k: convert timeouts to secs_to_jiffies() (stable-fixes). - wifi: ath11k: do not use static variables in ath11k_debugfs_fw_stats_process() (git-fixes). - wifi: ath11k: do not wait when there is no vdev started (git-fixes). 
- wifi: ath11k: fix soc_dp_stats debugfs file permission (stable-fixes). - wifi: ath11k: move some firmware stats related functions outside of debugfs (git-fixes). - wifi: ath11k: update channel list in worker when wait flag is set (bsc#1243847). - wifi: ath11k: validate ath11k_crypto_mode on top of ath11k_core_qmi_firmware_ready (git-fixes). - wifi: ath12k: Pass correct values of center freq1 and center freq2 for 160 MHz (stable-fixes). - wifi: ath12k: fix a possible dead lock caused by ab->base_lock (stable-fixes). - wifi: ath12k: fix failed to set mhi state error during reboot with hardware grouping (stable-fixes). - wifi: ath12k: fix incorrect CE addresses (stable-fixes). - wifi: ath12k: fix link valid field initialization in the monitor Rx (stable-fixes). - wifi: ath12k: fix macro definition HAL_RX_MSDU_PKT_LENGTH_GET (stable-fixes). - wifi: carl9170: do not ping device which has failed to load firmware (git-fixes). - wifi: iwlwifi: Add missing MODULE_FIRMWARE for Qu-c0-jf-b0 (stable-fixes). - wifi: iwlwifi: pcie: make sure to lock rxq->read (stable-fixes). - wifi: mac80211: VLAN traffic in multicast path (stable-fixes). - wifi: mac80211: do not offer a mesh path if forwarding is disabled (stable-fixes). - wifi: mac80211: fix beacon interval calculation overflow (git-fixes). - wifi: mac80211_hwsim: Prevent tsf from setting if beacon is disabled (stable-fixes). - wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R (stable-fixes). - wifi: mt76: mt7921: add 160 MHz AP for mt7922 device (stable-fixes). - wifi: mt76: mt7996: drop fragments with multicast or broadcast RA (stable-fixes). - wifi: rtw89: leave idle mode when setting WEP encryption for AP mode (stable-fixes). - x86/kaslr: Reduce KASLR entropy on most x86 systems (git-fixes). - x86/microcode/AMD: Add get_patch_level() (git-fixes). - x86/microcode/AMD: Get rid of the _load_microcode_amd() forward declaration (git-fixes). 
- x86/microcode/AMD: Merge early_apply_microcode() into its single callsite (git-fixes). - x86/microcode/AMD: Remove ugly linebreak in __verify_patch_section() signature (git-fixes). - x86/microcode: Consolidate the loader enablement checking (git-fixes). - x86/mm/init: Handle the special case of device private pages in add_pages(), to not increase max_pfn and trigger dma_addressing_limited() bounce buffers (git-fixes). - x86/xen: fix balloon target initialization for PVH dom0 (git-fixes). - xen/arm: call uaccess_ttbr0_enable for dm_op hypercall (git-fixes) - xen/x86: fix initial memory balloon target (git-fixes).

The following package changes have been done: - kernel-default-6.4.0-31.1 updated

From sle-container-updates at lists.suse.com Sat Jul 12 07:09:58 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 12 Jul 2025 09:09:58 +0200 (CEST)
Subject: SUSE-IU-2025:1866-1: Security update of suse/sl-micro/6.1/kvm-os-container
Message-ID: <20250712070958.9AE43FCF8@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/kvm-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1866-1
Image Tags : suse/sl-micro/6.1/kvm-os-container:2.2.1 , suse/sl-micro/6.1/kvm-os-container:2.2.1-5.7 , suse/sl-micro/6.1/kvm-os-container:latest
Image Release : 5.7
Severity : important
Type : security
References : 1210025 1211226 1215199 1218184 1223008 1235490 1236208 1237312 1237913 1238859 1238982 1240577 1240610 1240686 1240814 1241166 1241278 1241414 1241544 1241572 1241592 1242504 1242515 1242521 1242556 1242725 1242907 1243051 1243060 1243342 1243467 1243480 1243506 1243523 1243538 1243544 1243551 1243620 1243698 1243774 1243823 1243827 1243832 1243847 1244100 1244145 1244172 1244176 1244229 1244234 1244241 1244274 1244275 1244277 1244309 1244313 1244337 1244626 1244725 1244727 1244729 1244731 1244732 1244736 1244737 1244738 1244739 1244743 1244746 1244759 1244789 1244862 1244906 1244938 1244995 1244996 1244999 1245001 1245003 1245004 1245025 1245042 1245046 1245078 1245081 1245082 1245083 1245155 1245183 1245193 1245210 1245217 1245225 1245226 1245228 1245431 1245455 CVE-2024-26831 CVE-2024-56613 CVE-2024-56699 CVE-2024-57982 CVE-2024-58053 CVE-2025-21658 CVE-2025-21720 CVE-2025-21898 CVE-2025-21899 CVE-2025-21920 CVE-2025-21959 CVE-2025-22035 CVE-2025-22083 CVE-2025-22111 CVE-2025-22120 CVE-2025-37756 CVE-2025-37757 CVE-2025-37786 CVE-2025-37811 CVE-2025-37859 CVE-2025-37884 CVE-2025-37909 CVE-2025-37921 CVE-2025-37923 CVE-2025-37927 CVE-2025-37938 CVE-2025-37945 CVE-2025-37946 CVE-2025-37961 CVE-2025-37973 CVE-2025-37992 CVE-2025-37994 CVE-2025-37995 CVE-2025-37997 CVE-2025-38000 CVE-2025-38001 CVE-2025-38003 CVE-2025-38004 CVE-2025-38005 CVE-2025-38007 CVE-2025-38009 CVE-2025-38010 CVE-2025-38011 CVE-2025-38013 CVE-2025-38014 CVE-2025-38015 CVE-2025-38018 CVE-2025-38020 CVE-2025-38022 CVE-2025-38023 CVE-2025-38024 CVE-2025-38027 CVE-2025-38031 CVE-2025-38040 CVE-2025-38043 CVE-2025-38044 CVE-2025-38045 CVE-2025-38053 CVE-2025-38057 CVE-2025-38059 CVE-2025-38060 CVE-2025-38065 CVE-2025-38068 CVE-2025-38072 CVE-2025-38077 CVE-2025-38078 CVE-2025-38079 CVE-2025-38080 CVE-2025-38081 CVE-2025-38083
-----------------------------------------------------------------

The container suse/sl-micro/6.1/kvm-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: kernel-50
Released: Fri Jul 11 17:14:18 2025
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1210025,1211226,1215199,1218184,1223008,1235490,1236208,1237312,1237913,1238859,1238982,1240577,1240610,1240686,1240814,1241166,1241278,1241414,1241544,1241572,1241592,1242504,1242515,1242521,1242556,1242725,1242907,1243051,1243060,1243342,1243467,1243480,1243506,1243523,1243538,1243544,1243551,1243620,1243698,1243774,1243823,1243827,1243832,1243847,1244100,1244145,1244172,1244176,1244229,1244234,1244241,1244274,1244275,1244277,1244309,1244313,1244337,1244626,1244725,1244727,1244729,1244731,1244732,1244736,1244737,1244738,1244739,1244743,1244746,1244759,1244789,1244862,1244906,1244938,1244995,1244996,1244999,1245001,1245003,1245004,1245025,1245042,1245046,1245078,1245081,1245082,1245083,1245155,1245183,1245193,1245210,1245217,1245225,1245226,1245228,1245431,1245455,CVE-2024-26831,CVE-2024-56613,CVE-2024-56699,CVE-2024-57982,CVE-2024-58053,CVE-2025-21658,CVE-2025-21720,CVE-2025-21898,CVE-2025-21899,CVE-2025-21920,CVE-2025-21959,CVE-2025-22035,CVE-2025-22083,CVE-2025-22111,CVE-2025-22120,CVE-2025-37756,CVE-2025-37757,CVE-2025-37786,CVE-2025-37811,CVE-2025-37859,CVE-2025-37884,CVE-2025-37909,CVE-2025-37921,CVE-2025-37923,CVE-2025-37927,CVE-2025-37938,CVE-2025-37945,CVE-2025-37946,CVE-2025-37961,CVE-2025-37973,CVE-2025-37992,CVE-2025-37994,CVE-2025-37995,CVE-2025-37997,CVE-2025-38000,CVE-2025-38001,CVE-2025-38003,CVE-2025-38004,CVE-2025-38005,CVE-2025-38007,CVE-2025-38009,CVE-2025-38010,CVE-2025-38011,CVE-2025-38013,CVE-2025-38014,CVE-2025-38015,CVE-2025-38018,CVE-2025-38020,CVE-2025-38022,CVE-2025-38023,CVE-2025-38024,CVE-2025-38027,CVE-2025-38031,CVE-2025-38040,CVE-2025-38043,CVE-2025-38044,CVE-2025-38045,CVE-2025-38053,CVE-2025-38057,CVE-2025-38059,CVE-2025-38060,CVE-2025-38065,CVE-2025-38068,CVE-2025-38072,CVE-2025-38077,CVE-2025-38078,CVE-2025-38079,CVE-2025-38080,CVE-2025-38081,CVE-2025-38083

The SUSE Linux Enterprise Micro 6.0 and 6.1 kernel was updated to receive various security bugfixes.

The following security bugs were fixed: - CVE-2024-57982: xfrm: state: fix out-of-bounds read during lookup (bsc#1237913). - CVE-2024-58053: rxrpc: Fix handling of received connection abort (bsc#1238982). - CVE-2025-21720: xfrm: delete intermediate secpath entry in packet offload mode (bsc#1238859). - CVE-2025-21898: ftrace: Avoid potential division by zero in function_stat_show() (bsc#1240610). - CVE-2025-21899: tracing: Fix bad hist from corrupting named_triggers list (bsc#1240577). - CVE-2025-21920: vlan: enforce underlying device type (bsc#1240686). - CVE-2025-21959: netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() (bsc#1240814). - CVE-2025-22035: tracing: Fix use-after-free in print_graph_function_flags during tracer switching (bsc#1241544). - CVE-2025-22111: net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF (bsc#1241572). - CVE-2025-37756: net: tls: explicitly disallow disconnect (bsc#1242515). - CVE-2025-37757: tipc: fix memory leak in tipc_link_xmit (bsc#1242521).
- CVE-2025-37786: net: dsa: free routing table on probe failure (bsc#1242725). - CVE-2025-37811: usb: chipidea: ci_hdrc_imx: fix usbmisc handling (bsc#1242907). - CVE-2025-37859: page_pool: avoid infinite loop to schedule delayed worker (bsc#1243051). - CVE-2025-37884: bpf: Fix deadlock between rcu_tasks_trace and event_mutex (bsc#1243060). - CVE-2025-37909: net: lan743x: Fix memleak issue when GSO enabled (bsc#1243467). - CVE-2025-37921: vxlan: vnifilter: Fix unlocked deletion of default FDB entry (bsc#1243480). - CVE-2025-37923: tracing: Fix oob write in trace_seq_to_buffer() (bsc#1243551). - CVE-2025-37927: iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid (bsc#1243620). - CVE-2025-37938: tracing: Verify event formats that have '%*p..' (bsc#1243544). - CVE-2025-37945: net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY (bsc#1243538). - CVE-2025-37961: ipvs: fix uninit-value for saddr in do_output_route4 (bsc#1243523). - CVE-2025-37992: net_sched: Flush gso_skb list too during ->change() (bsc#1243698). - CVE-2025-37995: module: ensure that kobject_put() is safe for module type kobjects (bsc#1243827). - CVE-2025-37997: netfilter: ipset: fix region locking in hash types (bsc#1243832). - CVE-2025-38000: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (bsc#1244277). - CVE-2025-38001: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice (bsc#1244234). - CVE-2025-38011: drm/amdgpu: csa unmap use uninterruptible lock (bsc#1244729). - CVE-2025-38018: net/tls: fix kernel panic when alloc_page failed (bsc#1244999). - CVE-2025-38053: idpf: fix null-ptr-deref in idpf_features_check (bsc#1244746). - CVE-2025-38057: espintcp: fix skb leaks (bsc#1244862). - CVE-2025-38060: bpf: abort verification if env->cur_state->loop_entry != NULL (bsc#1245155). - CVE-2025-38072: libnvdimm/labels: Fix divide error in nd_label_data_init() (bsc#1244743). 
The following non-security bugs were fixed: - ACPI: CPPC: Fix NULL pointer dereference when nosmp is used (git-fixes). - ACPI: battery: negate current when discharging (stable-fixes). - ACPI: bus: Bail out if acpi_kobj registration fails (stable-fixes). - ACPICA: Avoid sequence overread in call to strncmp() (stable-fixes). - ACPICA: fix acpi operand cache leak in dswstate.c (stable-fixes). - ACPICA: fix acpi parse and parseext cache leaks (stable-fixes). - ACPICA: utilities: Fix overflow check in vsnprintf() (stable-fixes). - ALSA: hda/intel: Add Thinkpad E15 to PM deny list (stable-fixes). - ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X507UAR (git-fixes). - ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X513EA (git-fixes). - ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged (stable-fixes). - ALSA: usb-audio: Accept multiple protocols in GTBs (stable-fixes). - ALSA: usb-audio: Add Pioneer DJ DJM-V10 support (stable-fixes). - ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock (stable-fixes). - ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1 (stable-fixes). - ALSA: usb-audio: Add name for HP Engage Go dock (stable-fixes). - ALSA: usb-audio: Check shutdown at endpoint_set_interface() (stable-fixes). - ALSA: usb-audio: Fix NULL pointer deref in snd_usb_power_domain_set() (git-fixes). - ALSA: usb-audio: Fix duplicated name in MIDI substream names (stable-fixes). - ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() (git-fixes). - ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound card (stable-fixes). - ALSA: usb-audio: Rename Pioneer mixer channel controls (git-fixes). - ALSA: usb-audio: Set MIDI1 flag appropriately for GTB MIDI 1.0 entry (stable-fixes). - ALSA: usb-audio: Skip setting clock selector for single connections (stable-fixes). - ALSA: usb-audio: Support multiple control interfaces (stable-fixes). 
- ALSA: usb-audio: Support read-only clock selector control (stable-fixes). - ALSA: usb-audio: enable support for Presonus Studio 1824c within 1810c file (stable-fixes). - ALSA: usb-audio: mixer: Remove temporary string use in parse_clock_source_unit (stable-fixes). - ASoC: amd: yc: Add quirk for Lenovo Yoga Pro 7 14ASP9 (stable-fixes). - ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change (stable-fixes). - ASoC: tegra210_ahub: Add check to of_device_get_match_data() (stable-fixes). - Bluetooth: Fix NULL pointer deference on eir_get_service_data (git-fixes). - Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete (git-fixes). - Bluetooth: MGMT: Fix sparse errors (git-fixes). - Bluetooth: MGMT: Remove unused mgmt_pending_find_data (stable-fixes). - Bluetooth: Remove pending ACL connection attempts (stable-fixes). - Bluetooth: hci_conn: Fix UAF Write in __hci_acl_create_connection_sync (git-fixes). - Bluetooth: hci_conn: Only do ACL connections sequentially (stable-fixes). - Bluetooth: hci_core: fix list_for_each_entry_rcu usage (git-fixes). - Bluetooth: hci_event: Fix not using key encryption size when its known (git-fixes). - Bluetooth: hci_sync: Fix UAF in hci_acl_create_conn_sync (git-fixes). - Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync (git-fixes). - Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance (git-fixes). - HID: lenovo: Restrict F7/9/11 mode to compact keyboards only (git-fixes). - HID: wacom: fix kobject reference count leak (git-fixes). - HID: wacom: fix memory leak on kobject creation failure (git-fixes). - HID: wacom: fix memory leak on sysfs attribute creation failure (git-fixes). - Input: sparcspkr - avoid unannotated fall-through (stable-fixes). - KVM: s390: rename PROT_NONE to PROT_TYPE_DUMMY (git-fixes bsc#1245225). - NFC: nci: uart: Set tty->disc_data only in success path (git-fixes). - PCI/DPC: Log Error Source ID only when valid (git-fixes). - PCI/DPC: Use defines with DPC reason fields (git-fixes). 
- PCI/MSI: Size device MSI domain with the maximum number of vectors (git-fixes). - PCI/PM: Set up runtime PM even for devices without PCI PM (git-fixes). - PCI: apple: Set only available ports up (git-fixes). - PCI: dw-rockchip: Remove PCIE_L0S_ENTRY check from rockchip_pcie_link_up() (git-fixes). - PCI: dwc: ep: Correct PBA offset in .set_msix() callback (git-fixes). - PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes). - PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn() (stable-fixes). - RDMA/core: Fix best page size finding when it can cross SG entries (git-fixes) - RDMA/uverbs: Propagate errors from rdma_lookup_get_uobject() (git-fixes) - Revert 'ALSA: usb-audio: Skip setting clock selector for single connections' (stable-fixes). - Revert 'arm64: dts: allwinner: h6: Use RSB for AXP805 PMIC (git-fixes) - Revert 'ipv6: save dontfrag in cork (git-fixes).' - Revert 'kABI: ipv6: save dontfrag in cork (git-fixes).' - USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB (stable-fixes). - add bug reference to existing hv_storvsc change (bsc#1245455). - arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs (git-fixes) - ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode (stable-fixes). - ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 (stable-fixes). - ath10k: snoc: fix unbalanced IRQ enable in crash recovery (git-fixes). - bnxt: properly flush XDP redirect lists (git-fixes). - bpf: Force uprobe bpf program to always return 0 (git-fixes). - btrfs: fix fsync of files with no hard links not persisting deletion (git-fixes). - btrfs: fix invalid data space release when truncating block in NOCOW mode (git-fixes). - btrfs: fix qgroup reservation leak on failure to allocate ordered extent (git-fixes). - btrfs: fix wrong start offset for delalloc space release during mmap write (git-fixes). - btrfs: remove end_no_trans label from btrfs_log_inode_parent() (git-fixes). 
- btrfs: simplify condition for logging new dentries at btrfs_log_inode_parent() (git-fixes). - bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value (stable-fixes). - calipso: Fix null-ptr-deref in calipso_req_{set,del}attr() (git-fixes). - can: tcan4x5x: fix power regulator retrieval during probe (git-fixes). - ceph: Fix incorrect flush end position calculation (git-fixes). - ceph: allocate sparse_ext map only for sparse reads (git-fixes). - ceph: fix memory leaks in __ceph_sync_read() (git-fixes). - cgroup/cpuset: Fix race between newly created partition and dying one (bsc#1241166). - clocksource: Fix brown-bag boolean thinko in (git-fixes) - clocksource: Make watchdog and suspend-timing multiplication (git-fixes) - devlink: Fix referring to hw_addr attribute during state validation (git-fixes). - devlink: fix port dump cmd type (git-fixes). - drivers/rapidio/rio_cm.c: prevent possible heap overwrite (stable-fixes). - drm/amdgpu: switch job hw_fence to amdgpu_fence (git-fixes). - drm/etnaviv: Protect the scheduler's pending list with its lock (git-fixes). - drm/i915/pmu: Fix build error with GCOV and AutoFDO enabled (git-fixes). - drm/i915: fix build error some more (git-fixes). - drm/msm/disp: Correct porch timing for SDM845 (git-fixes). - drm/msm/dsi/dsi_phy_10nm: Fix missing initial VCO rate (git-fixes). - drm/nouveau/bl: increase buffer size to avoid truncate warning (git-fixes). - drm/ssd130x: fix ssd132x_clear_screen() columns (git-fixes). - e1000e: set fixed clock frequency indication for Nahum 11 and Nahum 13 (git-fixes). - fbcon: Make sure modelist not set on unregistered console (stable-fixes). - fgraph: Still initialize idle shadow stacks when starting (git-fixes). - firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES (git-fixes). - gpio: mlxbf3: only get IRQ for device instance 0 (git-fixes). - gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt (git-fixes). 
- gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO (git-fixes). - hwmon: (ftsteutates) Fix TOCTOU race in fts_read() (git-fixes). - hwmon: (nct6775): Actually make use of the HWMON_NCT6775 symbol namespace (git-fixes). - hwmon: (occ) Rework attribute registration for stack usage (git-fixes). - hwmon: (occ) fix unaligned accesses (git-fixes). - hwmon: (peci/dimmtemp) Do not provide fake thresholds data (git-fixes). - hwmon: corsair-psu: add USB id of HX1200i Series 2023 psu (git-fixes). - i2c: designware: Invoke runtime suspend on quick slave re-registration (stable-fixes). - i2c: npcm: Add clock toggle recovery (stable-fixes). - i2c: robotfuzz-osif: disable zero-length read messages (git-fixes). - i2c: tiny-usb: disable zero-length read messages (git-fixes). - i40e: retry VFLR handling if there is ongoing VF reset (git-fixes). - i40e: return false from i40e_reset_vf if reset is in progress (git-fixes). - ice: Fix LACP bonds without SRIOV environment (git-fixes). - ice: create new Tx scheduler nodes for new queues only (git-fixes). - ice: fix Tx scheduler error handling in XDP callback (git-fixes). - ice: fix rebuilding the Tx scheduler tree for large queue counts (git-fixes). - ice: fix vf->num_mac count with port representors (git-fixes). - ima: Suspend PCR extends and log appends when rebooting (bsc#1210025 ltc#196650). - iommu: Skip PASID validation for devices without PASID capability (bsc#1244100) - iommu: Validate the PASID in iommu_attach_device_pasid() (bsc#1244100) - isolcpus: fix bug in returning number of allocated cpumask (bsc#1243774). - kABI: PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes). - kABI: serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes). - kabi: restore layout of struct cgroup_subsys (bsc#1241166). - kabi: restore layout of struct mem_control (jsc#PED-12551). - kabi: restore layout of struct page_counter (jsc#PED-12551). 
- loop: add file_start_write() and file_end_write() (git-fixes). - md/raid1,raid10: do not handle IO error for REQ_RAHEAD and REQ_NOWAIT (git-fixes). - mkspec: Exclude rt flavor from kernel-syms dependencies (bsc#1244337). - mm, memcg: cg2 memory{.swap,}.peak write handlers (jsc#PED-12551). - mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race (bsc#1245431). - mm/hugetlb: unshare page tables during VMA split, not before (bsc#1245431). - mm/memcontrol: export memcg.swap watermark via sysfs for v2 memcg (jsc#PED-12551). - mmc: Add quirk to disable DDR50 tuning (stable-fixes). - net/mdiobus: Fix potential out-of-bounds clause 45 read/write access (git-fixes). - net/mdiobus: Fix potential out-of-bounds read/write access (git-fixes). - net/mlx4_en: Prevent potential integer overflow calculating Hz (git-fixes). - net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid() (git-fixes). - net/mlx5: Ensure fw pages are always allocated on same NUMA (git-fixes). - net/mlx5: Fix ECVF vports unload on shutdown flow (git-fixes). - net/mlx5: Fix return value when searching for existing flow group (git-fixes). - net/mlx5_core: Add error handling inmlx5_query_nic_vport_qkey_viol_cntr() (git-fixes). - net/mlx5e: Fix leak of Geneve TLV option object (git-fixes). - net/sched: fix use-after-free in taprio_dev_notifier (git-fixes). - net: Fix TOCTOU issue in sk_is_readable() (git-fixes). - net: ice: Perform accurate aRFS flow match (git-fixes). - net: mana: Add support for Multi Vports on Bare metal (bsc#1244229). - net: mana: Record doorbell physical address in PF mode (bsc#1244229). - net: phy: move phy_link_change() prior to mdio_bus_phy_may_suspend() (bsc#1243538) - net_sched: ets: fix a race in ets_qdisc_change() (git-fixes). - net_sched: prio: fix a race in prio_tune() (git-fixes). - net_sched: red: fix a race in __red_change() (git-fixes). - net_sched: sch_fifo: implement lockless __fifo_dump() (bsc#1237312) - net_sched: sch_sfq: reject invalid perturb period (git-fixes). 
- net_sched: tbf: fix a race in tbf_change() (git-fixes). - netlink: fix potential sleeping issue in mqueue_flush_file (git-fixes). - netlink: specs: dpll: replace underscores with dashes in names (git-fixes). - nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request (git-fixes). - ntp: Clamp maxerror and esterror to operating range (git-fixes) - ntp: Remove invalid cast in time offset math (git-fixes) - ntp: Safeguard against time_constant overflow (git-fixes) - nvme-fc: do not reference lsrsp after failure (bsc#1245193). - nvme-pci: add NVME_QUIRK_NO_DEEPEST_PS quirk for SOLIDIGM P44 Pro (git-fixes). - nvme-pci: add quirks for WDC Blue SN550 15b7:5009 (git-fixes). - nvme-pci: add quirks for device 126f:1001 (git-fixes). - nvme: always punt polled uring_cmd end_io work to task_work (git-fixes). - nvme: fix command limits status code (git-fixes). - nvme: fix implicit bool to flags conversion (git-fixes). - nvmet-fc: free pending reqs on tgtport unregister (bsc#1245193). - nvmet-fc: take tgtport refs for portentry (bsc#1245193). - nvmet-fcloop: access fcpreq only when holding reqlock (bsc#1245193). - nvmet-fcloop: add missing fcloop_callback_host_done (bsc#1245193). - nvmet-fcloop: allocate/free fcloop_lsreq directly (bsc#1245193). - nvmet-fcloop: do not wait for lport cleanup (bsc#1245193). - nvmet-fcloop: drop response if targetport is gone (bsc#1245193). - nvmet-fcloop: prevent double port deletion (bsc#1245193). - nvmet-fcloop: refactor fcloop_delete_local_port (bsc#1245193). - nvmet-fcloop: refactor fcloop_nport_alloc and track lport (bsc#1245193). - nvmet-fcloop: remove nport from list on last user (bsc#1245193). - nvmet-fcloop: track ref counts for nports (bsc#1245193). - nvmet-fcloop: update refs on tfcp_req (bsc#1245193). - pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() (stable-fixes). 
- pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() (stable-fixes). - pinctrl: mcp23s08: Reset all pins to input at probe (stable-fixes). - pinctrl: qcom: pinctrl-qcm2290: Add missing pins (git-fixes). - pinctrl: st: Drop unused st_gpio_bank() function (git-fixes). - platform/x86/amd: pmc: Clear metrics table at start of cycle (git-fixes). - platform/x86/intel-uncore-freq: Fail module load when plat_info is NULL (git-fixes). - platform/x86: dell_rbu: Fix list usage (git-fixes). - platform/x86: dell_rbu: Stop overwriting data buffer (git-fixes). - platform/x86: ideapad-laptop: use usleep_range() for EC polling (git-fixes). - power: supply: bq27xxx: Retrieve again when busy (stable-fixes). - power: supply: collie: Fix wakeup source leaks on device unbind (stable-fixes). - powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery (bsc#1215199). - powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap (bsc#1244309 ltc#213790). - powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() (bsc#1244309 ltc#213790). - ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() (git-fixes). - r8152: add vendor/device ID pair for Dell Alienware AW1022z (git-fixes). - regulator: max20086: Fix refcount leak in max20086_parse_regulators_dt() (git-fixes). - rpm/kernel-source.changes.old: Drop bogus bugzilla reference (bsc#1244725) - rtc: Make rtc_time64_to_tm() support dates before 1970 (stable-fixes). - rtc: cmos: use spin_lock_irqsave in cmos_interrupt (git-fixes). - s390/pci: Fix __pcilg_mio_inuser() inline assembly (git-fixes bsc#1245226). - s390/tty: Fix a potential memory leak bug (git-fixes bsc#1245228). - scsi: dc395x: Remove DEBUG conditional compilation (git-fixes). - scsi: dc395x: Remove leftover if statement in reselect() (git-fixes). - scsi: elx: efct: Fix memory leak in efct_hw_parse_filter() (git-fixes). 
- scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk (git-fixes). - scsi: iscsi: Fix incorrect error path labels for flashnode operations (git-fixes). - scsi: mpi3mr: Add level check to control event logging (git-fixes). - scsi: mpt3sas: Send a diag reset if target reset fails (git-fixes). - scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops (git-fixes). - scsi: sd_zbc: block: Respect bio vector limits for REPORT ZONES buffer (git-fixes). - scsi: st: ERASE does not change tape location (git-fixes). - scsi: st: Restore some drive settings after reset (git-fixes). - scsi: st: Tighten the page format heuristics with MODE SELECT (git-fixes). - scsi: storvsc: Do not report the host packet status as the hv status (git-fixes). - scsi: storvsc: Increase the timeouts to storvsc_timeout (git-fixes). - serial: imx: Restore original RXTL for console to fix data loss (git-fixes). - serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes). - serial: sh-sci: Move runtime PM enable to sci_probe_single() (stable-fixes). - software node: Correct a OOB check in software_node_get_reference_args() (stable-fixes). - staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() (git-fixes). - struct usci: hide additional member (git-fixes). - sunrpc: handle SVC_GARBAGE during svc auth processing as auth error (git-fixes). - thunderbolt: Do not double dequeue a configuration request (stable-fixes). - timekeeping: Fix bogus clock_was_set() invocation in (git-fixes) - timekeeping: Fix cross-timestamp interpolation corner case (git-fixes) - timekeeping: Fix cross-timestamp interpolation for non-x86 (git-fixes) - timekeeping: Fix cross-timestamp interpolation on counter (git-fixes) - trace/trace_event_perf: remove duplicate samples on the first tracepoint event (git-fixes). - tracing/eprobe: Fix to release eprobe when failed to add dyn_event (git-fixes). - tracing: Add __print_dynamic_array() helper (bsc#1243544). 
- tracing: Add __string_len() example (bsc#1243544). - tracing: Fix cmp_entries_dup() to respect sort() comparison rules (git-fixes). - tracing: Fix compilation warning on arm32 (bsc#1243551). - tracing: Use atomic64_inc_return() in trace_clock_counter() (git-fixes). - truct dwc3 hide new member wakeup_pending_funcs (git-fixes). - ucsi_debugfs_entry: hide signedness change (git-fixes). - uprobes: Use kzalloc to allocate xol area (git-fixes). - usb: dwc3: gadget: Make gadget_wakeup asynchronous (git-fixes). - usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE (stable-fixes). - usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device (stable-fixes). - usb: typec: ucsi: Only enable supported notifications (git-fixes). - usb: typec: ucsi: allow non-partner GET_PDOS for Qualcomm devices (git-fixes). - usb: typec: ucsi: fix Clang -Wsign-conversion warning (git-fixes). - usb: typec: ucsi: fix UCSI on buggy Qualcomm devices (git-fixes). - usb: typec: ucsi: limit the UCSI_NO_PARTNER_PDOS even further (git-fixes). - usbnet: asix AX88772: leave the carrier control to phylink (stable-fixes). - vmxnet3: correctly report gso type for UDP tunnels (bsc#1244626). - vmxnet3: support higher link speeds from vmxnet3 v9 (bsc#1244626). - vmxnet3: update MTU after device quiesce (bsc#1244626). - watchdog: da9052_wdt: respect TWDMIN (stable-fixes). - watchdog: fix watchdog may detect false positive of softlockup (stable-fixes). - watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04 (git-fixes). - watchdog: mediatek: Add support for MT6735 TOPRGU/WDT (git-fixes). - wifi: ath11k: Fix QMI memory reuse logic (stable-fixes). - wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request() (git-fixes). - wifi: ath11k: convert timeouts to secs_to_jiffies() (stable-fixes). - wifi: ath11k: do not use static variables in ath11k_debugfs_fw_stats_process() (git-fixes). - wifi: ath11k: do not wait when there is no vdev started (git-fixes). 
- wifi: ath11k: fix soc_dp_stats debugfs file permission (stable-fixes). - wifi: ath11k: move some firmware stats related functions outside of debugfs (git-fixes). - wifi: ath11k: update channel list in worker when wait flag is set (bsc#1243847). - wifi: ath11k: validate ath11k_crypto_mode on top of ath11k_core_qmi_firmware_ready (git-fixes). - wifi: ath12k: Pass correct values of center freq1 and center freq2 for 160 MHz (stable-fixes). - wifi: ath12k: fix a possible dead lock caused by ab->base_lock (stable-fixes). - wifi: ath12k: fix failed to set mhi state error during reboot with hardware grouping (stable-fixes). - wifi: ath12k: fix incorrect CE addresses (stable-fixes). - wifi: ath12k: fix link valid field initialization in the monitor Rx (stable-fixes). - wifi: ath12k: fix macro definition HAL_RX_MSDU_PKT_LENGTH_GET (stable-fixes). - wifi: carl9170: do not ping device which has failed to load firmware (git-fixes). - wifi: iwlwifi: Add missing MODULE_FIRMWARE for Qu-c0-jf-b0 (stable-fixes). - wifi: iwlwifi: pcie: make sure to lock rxq->read (stable-fixes). - wifi: mac80211: VLAN traffic in multicast path (stable-fixes). - wifi: mac80211: do not offer a mesh path if forwarding is disabled (stable-fixes). - wifi: mac80211: fix beacon interval calculation overflow (git-fixes). - wifi: mac80211_hwsim: Prevent tsf from setting if beacon is disabled (stable-fixes). - wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R (stable-fixes). - wifi: mt76: mt7921: add 160 MHz AP for mt7922 device (stable-fixes). - wifi: mt76: mt7996: drop fragments with multicast or broadcast RA (stable-fixes). - wifi: rtw89: leave idle mode when setting WEP encryption for AP mode (stable-fixes). - x86/kaslr: Reduce KASLR entropy on most x86 systems (git-fixes). - x86/microcode/AMD: Add get_patch_level() (git-fixes). - x86/microcode/AMD: Get rid of the _load_microcode_amd() forward declaration (git-fixes). 
- x86/microcode/AMD: Merge early_apply_microcode() into its single callsite (git-fixes). - x86/microcode/AMD: Remove ugly linebreak in __verify_patch_section() signature (git-fixes). - x86/microcode: Consolidate the loader enablement checking (git-fixes). - x86/mm/init: Handle the special case of device private pages in add_pages(), to not increase max_pfn and trigger dma_addressing_limited() bounce buffers (git-fixes). - x86/xen: fix balloon target initialization for PVH dom0 (git-fixes). - xen/arm: call uaccess_ttbr0_enable for dm_op hypercall (git-fixes) - xen/x86: fix initial memory balloon target (git-fixes). The following package changes have been done: - kernel-default-base-6.4.0-31.1.21.9 updated - container:SL-Micro-base-container-2.2.1-5.7 updated From sle-container-updates at lists.suse.com Sat Jul 12 07:10:35 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 12 Jul 2025 09:10:35 +0200 (CEST) Subject: SUSE-IU-2025:1867-1: Security update of suse/sl-micro/6.1/rt-os-container Message-ID: <20250712071035.440DCFCF8@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/rt-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1867-1 Image Tags : suse/sl-micro/6.1/rt-os-container:2.2.1 , suse/sl-micro/6.1/rt-os-container:2.2.1-5.7 , suse/sl-micro/6.1/rt-os-container:latest Image Release : 5.7 Severity : important Type : security References : 1231463 1240897 1242844 1242987 CVE-2025-3360 CVE-2025-4373 ----------------------------------------------------------------- The container suse/sl-micro/6.1/rt-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 168 Released: Fri Jul 4 10:41:41 2025 Summary: Recommended update for elemental-operator Type: recommended Severity: moderate References: This update for elemental-operator fixes the following issues: - [v1.7.x] Label Templates: improve Random family processing - Dockerfile: bump golang container to 1.24 - operator: update RBAC for upgrade plans ----------------------------------------------------------------- Advisory ID: 170 Released: Fri Jul 4 16:31:25 2025 Summary: Recommended update for gptfdisk Type: recommended Severity: important References: 1242987 This update for gptfdisk fixes the following issues: - Fix boot failure with qcow and vmdk images (bsc#1242987) ----------------------------------------------------------------- Advisory ID: 172 Released: Mon Jul 7 13:11:11 2025 Summary: Security update for glib2 Type: security Severity: moderate References: 1231463,1240897,1242844,CVE-2025-3360,CVE-2025-4373 This update for glib2 fixes the following issues: Security issues: - CVE-2025-4373: Fixed handling gssize parameters (bsc#1242844). - CVE-2025-3360: Fixed integer overflow and buffer underread when parsing a very long and invalid ISO 8601 timestamp with g_date_time_new_from_iso8601 (bsc#1240897) Non security issues: - Trigger glib2-tools postun trigger exit normally if glib2-compile-schemas can't be run. Fixes error when uninstalling if libgio is uninstalled first (bsc#1231463). 
The following package changes have been done: - SL-Micro-release-6.1-slfo.1.11.42 updated - libglib-2_0-0-2.78.6-slfo.1.1_3.1 updated - libgobject-2_0-0-2.78.6-slfo.1.1_3.1 updated - libgmodule-2_0-0-2.78.6-slfo.1.1_3.1 updated - libgio-2_0-0-2.78.6-slfo.1.1_3.1 updated - glib2-tools-2.78.6-slfo.1.1_3.1 updated - elemental-register-1.7.3-slfo.1.1_1.1 updated - elemental-support-1.7.3-slfo.1.1_1.1 updated - gptfdisk-1.0.9-slfo.1.1_2.1 updated - container:SL-Micro-container-2.2.1-6.7 updated From sle-container-updates at lists.suse.com Sat Jul 12 07:14:50 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 12 Jul 2025 09:14:50 +0200 (CEST) Subject: SUSE-CU-2025:5219-1: Recommended update of suse/389-ds Message-ID: <20250712071450.631CEF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/389-ds ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5219-1 Container Tags : suse/389-ds:2.5 , suse/389-ds:2.5.3 , suse/389-ds:2.5.3-61.19 , suse/389-ds:latest Container Release : 61.19 Severity : moderate Type : recommended References : 1081723 1224113 ----------------------------------------------------------------- The container suse/389-ds was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2274-1 Released: Thu Jul 10 14:35:40 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * bmo#1965754 Update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * bmo#1951396 Update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME "trust bit"
for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need up update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert "Extract testcases from ssl gtests for fuzzing" * Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA -
G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed Updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz on 32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. 
* Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * bmo#1927096 Update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constucted buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI. * Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target. 
Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not empty be on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS. 
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible. Use key from openssl (bsc#1081723) - Exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * various build, test and automation script fixes * major parts of the source code were reformatted The following package changes have been done: - mozilla-nspr-4.36-150000.3.32.1 updated From sle-container-updates at lists.suse.com Sat Jul 12 07:15:21 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 12 Jul 2025 09:15:21 +0200 (CEST) Subject: SUSE-CU-2025:5228-1: Security update of bci/golang Message-ID: <20250712071521.C27C4F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5228-1 Container Tags : bci/golang:1.23 , bci/golang:1.23.11 , bci/golang:1.23.11-2.71.19 , bci/golang:oldstable , bci/golang:oldstable-2.71.19 Container Release : 71.19 Severity : important Type : security References : 1229122 1246118 CVE-2025-4674 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2296-1 Released: Fri Jul 11 17:20:02 2025 Summary: Security update for go1.23 Type: security Severity: important References: 1229122,1246118,CVE-2025-4674 This update for go1.23 fixes the following issues: - Update to version go1.23.11 - CVE-2025-4674: Fixed potential command execution in untrusted VCS repositories. 
(bsc#1246118) The following package changes have been done: - go1.23-doc-1.23.11-150000.1.37.1 updated - go1.23-1.23.11-150000.1.37.1 updated - go1.23-race-1.23.11-150000.1.37.1 updated From sle-container-updates at lists.suse.com Sat Jul 12 07:15:27 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 12 Jul 2025 09:15:27 +0200 (CEST) Subject: SUSE-CU-2025:5229-1: Security update of bci/golang Message-ID: <20250712071527.ED358F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5229-1 Container Tags : bci/golang:1.24 , bci/golang:1.24.5 , bci/golang:1.24.5-1.71.19 , bci/golang:latest , bci/golang:stable , bci/golang:stable-1.71.19 Container Release : 71.19 Severity : important Type : security References : 1236217 1246118 CVE-2025-4674 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2295-1 Released: Fri Jul 11 17:18:47 2025 Summary: Security update for go1.24 Type: security Severity: important References: 1236217,1246118,CVE-2025-4674 This update for go1.24 fixes the following issues: - Update to version go1.24.5 - CVE-2025-4674: Fixed potential command execution in untrusted VCS repositories. 
(bsc#1246118) The following package changes have been done: - go1.24-doc-1.24.5-150000.1.29.1 updated - go1.24-1.24.5-150000.1.29.1 updated - go1.24-race-1.24.5-150000.1.29.1 updated From sle-container-updates at lists.suse.com Sat Jul 12 07:15:29 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 12 Jul 2025 09:15:29 +0200 (CEST) Subject: SUSE-CU-2025:5230-1: Security update of suse/kea Message-ID: <20250712071529.A56CAF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/kea ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5230-1 Container Tags : suse/kea:2.6 , suse/kea:2.6-61.17 , suse/kea:latest Container Release : 61.17 Severity : moderate Type : security References : 1240366 CVE-2025-27587 ----------------------------------------------------------------- The container suse/kea was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2236-1 Released: Mon Jul 7 14:58:53 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1240366,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366). 
- Backport mdless cms signing support [jsc#PED-12895] The following package changes have been done: - libopenssl3-3.2.3-150700.5.10.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.10.1 updated - container:registry.suse.com-bci-bci-base-15.7-cfc2f2fd66efaa6058f3f88b16760a1de5ba1364b9bd73c61bea37a37a6fc8e6-0 updated From sle-container-updates at lists.suse.com Sat Jul 12 07:15:38 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 12 Jul 2025 09:15:38 +0200 (CEST) Subject: SUSE-CU-2025:5231-1: Recommended update of bci/kiwi Message-ID: <20250712071538.04826F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/kiwi ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5231-1 Container Tags : bci/kiwi:9 , bci/kiwi:9.24 , bci/kiwi:9.24.43 , bci/kiwi:9.24.43-16.28 , bci/kiwi:latest Container Release : 16.28 Severity : moderate Type : recommended References : 1081723 1224113 ----------------------------------------------------------------- The container bci/kiwi was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2274-1 Released: Thu Jul 10 14:35:40 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * bmo#1965754 Update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * bmo#1951396 Update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME "trust bit"
for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need up update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert "Extract testcases from ssl gtests for fuzzing" * Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA -
G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed Updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz on 32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. 
* Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * bmo#1927096 Update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constucted buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI. * Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target. 
Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not empty be on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS. 
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible. Use key from openssl (bsc#1081723) - Exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * various build, test and automation script fixes * major parts of the source code were reformatted The following package changes have been done: - mozilla-nspr-4.36-150000.3.32.1 updated From sle-container-updates at lists.suse.com Sat Jul 12 07:15:43 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 12 Jul 2025 09:15:43 +0200 (CEST) Subject: SUSE-CU-2025:5232-1: Recommended update of bci/openjdk-devel Message-ID: <20250712071543.65F32F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5232-1 Container Tags : bci/openjdk-devel:17 , bci/openjdk-devel:17.0.15.0 , bci/openjdk-devel:17.0.15.0-7.26 Container Release : 7.26 Severity : moderate Type : recommended References : 1081723 1224113 ----------------------------------------------------------------- The container bci/openjdk-devel was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2274-1 Released: Thu Jul 10 14:35:40 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * bmo#1965754 Update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * bmo#1951396 Update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME "trust bit" 
for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need up update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert "Extract testcases from ssl gtests for fuzzing" * Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA - 
G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed Updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz on 32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. 
* Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * bmo#1927096 Update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constructed buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI. * Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target. 
Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not empty be on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS. 
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible. Use key from openssl (bsc#1081723) - Exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * various build, test and automation script fixes * major parts of the source code were reformatted The following package changes have been done: - mozilla-nspr-4.36-150000.3.32.1 updated - container:bci-openjdk-17-15.7.17-7.25 updated From sle-container-updates at lists.suse.com Sat Jul 12 07:15:49 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 12 Jul 2025 09:15:49 +0200 (CEST) Subject: SUSE-CU-2025:5233-1: Recommended update of bci/openjdk Message-ID: <20250712071549.03ABDF78C@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5233-1 Container Tags : bci/openjdk:17 , bci/openjdk:17.0.15.0 , bci/openjdk:17.0.15.0-7.25 Container Release : 7.25 Severity : moderate Type : recommended References : 1081723 1224113 ----------------------------------------------------------------- The container bci/openjdk was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2274-1 Released: Thu Jul 10 14:35:40 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * bmo#1965754 Update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * bmo#1951396 Update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME "trust bit" 
for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need up update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert "Extract testcases from ssl gtests for fuzzing" * Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA - 
G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed Updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz on 32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. 
* Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * bmo#1927096 Update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constructed buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI. * Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target. 
Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not empty be on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS. 
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible. Use key from openssl (bsc#1081723) - Exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * various build, test and automation script fixes * major parts of the source code were reformatted The following package changes have been done: - mozilla-nspr-4.36-150000.3.32.1 updated From sle-container-updates at lists.suse.com Sat Jul 12 07:15:55 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 12 Jul 2025 09:15:55 +0200 (CEST) Subject: SUSE-CU-2025:5234-1: Recommended update of bci/openjdk-devel Message-ID: <20250712071555.043C2F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5234-1 Container Tags : bci/openjdk-devel:21 , bci/openjdk-devel:21.0.7.0 , bci/openjdk-devel:21.0.7.0-10.25 , bci/openjdk-devel:latest Container Release : 10.25 Severity : moderate Type : recommended References : 1081723 1224113 ----------------------------------------------------------------- The container bci/openjdk-devel was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2274-1 Released: Thu Jul 10 14:35:40 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * bmo#1965754 Update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * bmo#1951396 Update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME "trust bit" 
for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need up update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert "Extract testcases from ssl gtests for fuzzing" * Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA - 
G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed Updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz on 32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. 
* Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * bmo#1927096 Update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constructed buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI. * Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target.
Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not empty be on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS. 
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible. Use key from openssl (bsc#1081723) - Exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * various build, test and automation script fixes * major parts of the source code were reformatted The following package changes have been done: - mozilla-nspr-4.36-150000.3.32.1 updated - container:bci-openjdk-21-15.7.21-10.24 updated From sle-container-updates at lists.suse.com Sat Jul 12 07:16:00 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 12 Jul 2025 09:16:00 +0200 (CEST) Subject: SUSE-CU-2025:5235-1: Recommended update of bci/openjdk Message-ID: <20250712071600.92AD5F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5235-1 Container Tags : bci/openjdk:21 , bci/openjdk:21.0.7.0 , bci/openjdk:21.0.7.0-10.24 , bci/openjdk:latest Container Release : 10.24 Severity : moderate Type : recommended References : 1081723 1224113 ----------------------------------------------------------------- The container bci/openjdk was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2274-1 Released: Thu Jul 10 14:35:40 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * bmo#1965754 Update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * bmo#1951396 Update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME 'trust bit'
for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need to update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert "Extract testcases from ssl gtests for fuzzing" * Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA -
G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed Updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz on 32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. 
* Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * bmo#1927096 Update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constructed buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI. * Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target.
Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not empty be on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS. 
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible. Use key from openssl (bsc#1081723) - Exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * various build, test and automation script fixes * major parts of the source code were reformatted The following package changes have been done: - mozilla-nspr-4.36-150000.3.32.1 updated From sle-container-updates at lists.suse.com Sat Jul 12 07:16:30 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 12 Jul 2025 09:16:30 +0200 (CEST) Subject: SUSE-CU-2025:5241-1: Recommended update of suse/kiosk/pulseaudio Message-ID: <20250712071630.95355F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/pulseaudio ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5241-1 Container Tags : suse/kiosk/pulseaudio:17 , suse/kiosk/pulseaudio:17.0 , suse/kiosk/pulseaudio:17.0-61.19 , suse/kiosk/pulseaudio:latest Container Release : 61.19 Severity : important Type : recommended References : 1241701 1245034 ----------------------------------------------------------------- The container suse/kiosk/pulseaudio was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2287-1 Released: Fri Jul 11 11:26:25 2025 Summary: Recommended update for Mesa Type: recommended Severity: important References: 1241701,1245034 This update for Mesa fixes the following issues: - Fixes Wayland session when using SP7 as vmware guest (bsc#1245034) - Fixes crash in libgallium on virtualbox (bsc#1241701) The following package changes have been done: - Mesa-libglapi0-24.3.3-150700.93.5.1 updated - libgbm1-24.3.3-150700.93.5.1 updated - Mesa-dri-24.3.3-150700.93.5.1 updated - Mesa-libEGL1-24.3.3-150700.93.5.1 updated - Mesa-gallium-24.3.3-150700.93.5.1 updated - Mesa-24.3.3-150700.93.5.1 updated - Mesa-libGL1-24.3.3-150700.93.5.1 updated From sle-container-updates at lists.suse.com Sat Jul 12 07:16:56 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 12 Jul 2025 09:16:56 +0200 (CEST) Subject: SUSE-CU-2025:5245-1: Security update of suse/rmt-server Message-ID: <20250712071656.E5DFCF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/rmt-server ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5245-1 Container Tags : suse/rmt-server:2 , suse/rmt-server:2.22 , suse/rmt-server:2.22-72.1 , suse/rmt-server:latest Container Release : 72.1 Severity : important Type : security References : 1236931 1239119 1239817 1244554 1244555 1244557 1244590 1244700 CVE-2025-30258 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/rmt-server was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2259-1 Released: Wed Jul 9 17:18:02 2025 Summary: Recommended update for gpg2 Type: security Severity: low References: 1236931,1239119,1239817,CVE-2025-30258 This update for gpg2 fixes the following issues: - CVE-2025-30258: Fixed DoS due to a malicious subkey in the keyring (bsc#1239119). Other bugfixes: - Do not install expired sks certificate (bsc#1243069). - gpg hangs when importing a key (bsc#1236931). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2260-1 Released: Wed Jul 9 19:04:24 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. 
(bsc#1244590) The following package changes have been done: - libxml2-2-2.12.10-150700.4.3.1 updated - gpg2-2.4.4-150600.3.9.1 updated - container:registry.suse.com-bci-bci-base-15.7-cfc2f2fd66efaa6058f3f88b16760a1de5ba1364b9bd73c61bea37a37a6fc8e6-0 updated From sle-container-updates at lists.suse.com Sat Jul 12 07:17:20 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 12 Jul 2025 09:17:20 +0200 (CEST) Subject: SUSE-CU-2025:5249-1: Recommended update of bci/bci-sle15-kernel-module-devel Message-ID: <20250712071720.5DDF6F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5249-1 Container Tags : bci/bci-sle15-kernel-module-devel:15.7 , bci/bci-sle15-kernel-module-devel:15.7-41.20 , bci/bci-sle15-kernel-module-devel:latest Container Release : 41.20 Severity : moderate Type : recommended References : 1081723 1224113 ----------------------------------------------------------------- The container bci/bci-sle15-kernel-module-devel was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2274-1 Released: Thu Jul 10 14:35:40 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * bmo#1965754 Update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * bmo#1951396 Update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME 'trust bit'
for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need to update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert "Extract testcases from ssl gtests for fuzzing" * Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA -
G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed Updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz on 32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. 
* Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * bmo#1927096 Update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constructed buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI. * Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target.
Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not empty be on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS. 
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible. Use key from openssl (bsc#1081723) - Exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * various build, test and automation script fixes * major parts of the source code were reformatted The following package changes have been done: - mozilla-nspr-4.36-150000.3.32.1 updated From sle-container-updates at lists.suse.com Sat Jul 12 09:28:00 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 12 Jul 2025 11:28:00 +0200 (CEST) Subject: SUSE-CU-2025:5249-1: Recommended update of bci/bci-sle15-kernel-module-devel Message-ID: <20250712092800.525ECFCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5249-1 Container Tags : bci/bci-sle15-kernel-module-devel:15.7 , bci/bci-sle15-kernel-module-devel:15.7-41.20 , bci/bci-sle15-kernel-module-devel:latest Container Release : 41.20 Severity : moderate Type : recommended References : 1081723 1224113 ----------------------------------------------------------------- The container bci/bci-sle15-kernel-module-devel was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2274-1 Released: Thu Jul 10 14:35:40 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * bmo#1965754 Update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * bmo#1951396 Update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME "trust bit"
for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need to update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert "Extract testcases from ssl gtests for fuzzing" * Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA -
G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed Updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz on 32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. 
* Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * bmo#1927096 Update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constructed buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI. * Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target.
Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not empty be on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS. 
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible. Use key from openssl (bsc#1081723) - Exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * various build, test and automation script fixes * major parts of the source code were reformatted The following package changes have been done: - mozilla-nspr-4.36-150000.3.32.1 updated From sle-container-updates at lists.suse.com Sat Jul 12 09:28:11 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 12 Jul 2025 11:28:11 +0200 (CEST) Subject: SUSE-CU-2025:5251-1: Recommended update of suse/kiosk/xorg Message-ID: <20250712092811.C716FFCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/xorg ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5251-1 Container Tags : suse/kiosk/xorg:21 , suse/kiosk/xorg:21.1 , suse/kiosk/xorg:21.1-63.10 , suse/kiosk/xorg:latest , suse/kiosk/xorg:notaskbar Container Release : 63.10 Severity : important Type : recommended References : 1241701 1245034 ----------------------------------------------------------------- The container suse/kiosk/xorg was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2287-1 Released: Fri Jul 11 11:26:25 2025 Summary: Recommended update for Mesa Type: recommended Severity: important References: 1241701,1245034 This update for Mesa fixes the following issues: - Fixes Wayland session when using SP7 as vmware guest (bsc#1245034) - Fixes crash in libgallium on virtualbox (bsc#1241701) The following package changes have been done: - Mesa-libglapi0-24.3.3-150700.93.5.1 updated - libgbm1-24.3.3-150700.93.5.1 updated - Mesa-dri-24.3.3-150700.93.5.1 updated - Mesa-libEGL1-24.3.3-150700.93.5.1 updated - Mesa-gallium-24.3.3-150700.93.5.1 updated - Mesa-24.3.3-150700.93.5.1 updated - Mesa-libGL1-24.3.3-150700.93.5.1 updated - container:suse-sle15-15.7-cfc2f2fd66efaa6058f3f88b16760a1de5ba1364b9bd73c61bea37a37a6fc8e6-0 updated From sle-container-updates at lists.suse.com Sat Jul 12 09:30:20 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 12 Jul 2025 11:30:20 +0200 (CEST) Subject: SUSE-CU-2025:5258-1: Security update of suse/manager/4.3/proxy-httpd Message-ID: <20250712093020.EAEE1FCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5258-1 Container Tags : suse/manager/4.3/proxy-httpd:4.3.15 , suse/manager/4.3/proxy-httpd:4.3.15.9.63.42 , suse/manager/4.3/proxy-httpd:latest Container Release : 9.63.42 Severity : important Type : security References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-httpd was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2278-1 Released: Thu Jul 10 18:02:28 2025 Summary: Security update for libssh Type: security Severity: important References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372 This update for libssh fixes the following issues: - CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309). - CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310). - CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311). - CVE-2025-5372: Fixed ssh_kdf() returns a success code on certain failures (bsc#1245314). The following package changes have been done: - libssh-config-0.9.8-150400.3.9.1 updated - libssh4-0.9.8-150400.3.9.1 updated - container:sles15-ltss-image-15.4.0-2.51 updated From sle-container-updates at lists.suse.com Sat Jul 12 09:31:06 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 12 Jul 2025 11:31:06 +0200 (CEST) Subject: SUSE-CU-2025:5259-1: Security update of suse/manager/4.3/proxy-salt-broker Message-ID: <20250712093106.F1439FCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-salt-broker ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5259-1 Container Tags : suse/manager/4.3/proxy-salt-broker:4.3.15 , suse/manager/4.3/proxy-salt-broker:4.3.15.9.53.52 , suse/manager/4.3/proxy-salt-broker:latest Container Release : 9.53.52 Severity : important Type : security References : 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-salt-broker was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2278-1 Released: Thu Jul 10 18:02:28 2025 Summary: Security update for libssh Type: security Severity: important References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372 This update for libssh fixes the following issues: - CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309). - CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310). - CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311). - CVE-2025-5372: Fixed ssh_kdf() returns a success code on certain failures (bsc#1245314). The following package changes have been done: - libssh-config-0.9.8-150400.3.9.1 updated - libssh4-0.9.8-150400.3.9.1 updated - container:sles15-ltss-image-15.4.0-2.51 updated From sle-container-updates at lists.suse.com Sat Jul 12 09:35:27 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 12 Jul 2025 11:35:27 +0200 (CEST) Subject: SUSE-CU-2025:5263-1: Security update of suse/sle-micro/5.1/toolbox Message-ID: <20250712093527.E5C3EFCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.1/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5263-1 Container Tags : suse/sle-micro/5.1/toolbox:14.2 , suse/sle-micro/5.1/toolbox:14.2-3.13.147 , suse/sle-micro/5.1/toolbox:latest Container Release : 3.13.147 Severity : important Type : security References : 1244554 1244557 1244590 1244700 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-49794 CVE-2025-49796 CVE-2025-5318 CVE-2025-5372 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/sle-micro/5.1/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2275-1 Released: Thu Jul 10 16:34:02 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2279-1 Released: Thu Jul 10 18:03:13 2025 Summary: Security update for libssh Type: security Severity: important References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372 This update for libssh fixes the following issues: - CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309). - CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310). - CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311). - CVE-2025-5372: Fixed ssh_kdf() returns a success code on certain failures (bsc#1245314). 
The following package changes have been done: - libssh-config-0.9.8-150200.13.9.1 updated - libssh4-0.9.8-150200.13.9.1 updated - libxml2-2-2.9.7-150000.3.82.1 updated From sle-container-updates at lists.suse.com Sat Jul 12 09:40:01 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 12 Jul 2025 11:40:01 +0200 (CEST) Subject: SUSE-CU-2025:5266-1: Security update of suse/sle-micro/5.2/toolbox Message-ID: <20250712094001.35485FCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5266-1 Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.149 , suse/sle-micro/5.2/toolbox:latest Container Release : 7.11.149 Severity : important Type : security References : 1244554 1244557 1244590 1244700 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-49794 CVE-2025-49796 CVE-2025-5318 CVE-2025-5372 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/sle-micro/5.2/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2275-1 Released: Thu Jul 10 16:34:02 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. 
(bsc#1244590) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2279-1 Released: Thu Jul 10 18:03:13 2025 Summary: Security update for libssh Type: security Severity: important References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372 This update for libssh fixes the following issues: - CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309). - CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310). - CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311). - CVE-2025-5372: Fixed ssh_kdf() returns a success code on certain failures (bsc#1245314). The following package changes have been done: - libssh-config-0.9.8-150200.13.9.1 updated - libssh4-0.9.8-150200.13.9.1 updated - libxml2-2-2.9.7-150000.3.82.1 updated From sle-container-updates at lists.suse.com Mon Jul 14 13:33:24 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 14 Jul 2025 15:33:24 +0200 (CEST) Subject: SUSE-CU-2025:5267-1: Recommended update of suse/sle15 Message-ID: <20250714133324.84522F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5267-1 Container Tags : bci/bci-base:15.6 , bci/bci-base:15.6.47.23.11 , suse/sle15:15.6 , suse/sle15:15.6.47.23.11 Container Release : 47.23.11 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container suse/sle15 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated From sle-container-updates at lists.suse.com Mon Jul 14 13:33:33 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 14 Jul 2025 15:33:33 +0200 (CEST) Subject: SUSE-CU-2025:5268-1: Recommended update of suse/389-ds Message-ID: <20250714133333.15CC4F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/389-ds ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5268-1 Container Tags : suse/389-ds:2.5 , suse/389-ds:2.5.3 , suse/389-ds:2.5.3-61.20 , suse/389-ds:latest Container Release : 61.20 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container suse/389-ds was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - cyrus-sasl-2.1.28-150600.7.6.2 updated - cyrus-sasl-plain-2.1.28-150600.7.6.2 updated From sle-container-updates at lists.suse.com Mon Jul 14 13:33:41 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 14 Jul 2025 15:33:41 +0200 (CEST) Subject: SUSE-CU-2025:5270-1: Recommended update of suse/kiosk/firefox-esr Message-ID: <20250714133341.98DD3FD12@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/firefox-esr ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5270-1 Container Tags : suse/kiosk/firefox-esr:128.12 , suse/kiosk/firefox-esr:128.12-62.11 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest Container Release : 62.11 Severity : moderate Type : recommended References : 1081723 1224113 ----------------------------------------------------------------- The container suse/kiosk/firefox-esr was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2274-1 Released: Thu Jul 10 14:35:40 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * bmo#1965754 Update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * bmo#1951396 Update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 
to extra builds * Fault tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME "trust bit" for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need to update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert "Extract testcases from ssl gtests for fuzzing"
* Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA - G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed Updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz on
32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. * Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * bmo#1927096 Update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constructed buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI.
* Polish corpus collection for automation.
* Detect new and unfuzzed SSL options.
* PKCS12 fuzzing target.

Update to NSS 3.105:
* Allow importing PKCS#8 private EC keys missing public key
* UBSAN fix: applying zero offset to null pointer in sslsnce.c
* set KRML_MUSTINLINE=inline in makefile builds
* Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys
* override default definition of KRML_MUSTINLINE
* libssl support for mlkem768x25519
* support for ML-KEM-768 in softoken and pk11wrap
* Add Libcrux implementation of ML-KEM 768 to FreeBL
* Avoid misuse of ctype(3) functions
* part 2: run clang-format
* part 1: upgrade to clang-format 13
* clang-format fuzz
* DTLS client message buffer may not be empty on retransmit
* Optionally print config for TLS client and server fuzz target
* Fix some simple documentation issues in NSS.
* improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr
* define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN

Update to NSS 3.104:
* Copy original corpus to heap-allocated buffer
* Fix min ssl version for DTLS client fuzzer
* Remove OS2 support just like we did on NSPR
* clang-format NSS improvements
* Adding basicutil.h to use HexString2SECItem function
* removing dirent.c from build
* Allow handing in keymaterial to shlibsign to make the output reproducible
* remove nec4.3, sunos4, riscos and SNI references
* remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix
* remove mentions of WIN95
* remove mentions of WIN16
* More explicit directory naming
* Add more options to TLS server fuzz target
* Add more options to TLS client fuzz target
* Use OSS-Fuzz corpus in NSS CI
* set nssckbi version number to 2.70.
* Remove Email Trust bit from ACCVRAIZ1 root cert.
* Remove Email Trust bit from certSIGN ROOT CA.
* Add Cybertrust Japan Roots to NSS.
* Add Taiwan CA Roots to NSS.
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber
* Fix tstclnt CI build failure
* vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow
* Enable all supported protocol versions for UDP
* Actually use random PSK hash type
* Initialize NSS DB once
* Additional ECH cipher suites and PSK hash types
* Automate corpus file generation for TLS client Fuzzer
* Fix crash with UNSAFE_FUZZER_MODE
* clang-format shlibsign.c

Update to NSS 3.103:
* move list size check after lock acquisition in sftk_PutObjectToList.
* Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH,
* Adjust libFuzzer size limits
* Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk
* Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION

- Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files)
- FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).

Update to NSS 3.102.1:
* ChaChaXor to return after the function

Update to NSS 3.102:
* Add Valgrind annotations to freebl Chacha20-Poly1305.
* missing sqlite header.
* GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
* improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling.
* correct length of raw SPKI data before printing in pp utility.

- Make NSS-build reproducible. Use key from openssl (bsc#1081723)
- Exclude the SHA-1 hash from SLI approval.
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * various build, test and automation script fixes * major parts of the source code were reformatted The following package changes have been done: - mozilla-nspr-4.36-150000.3.32.1 updated - container:suse-sle15-15.7-cfc2f2fd66efaa6058f3f88b16760a1de5ba1364b9bd73c61bea37a37a6fc8e6-0 updated From sle-container-updates at lists.suse.com Mon Jul 14 13:33:44 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 14 Jul 2025 15:33:44 +0200 (CEST) Subject: SUSE-CU-2025:5271-1: Recommended update of suse/kiosk/firefox-esr Message-ID: <20250714133344.92790FD12@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/firefox-esr ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5271-1 Container Tags : suse/kiosk/firefox-esr:128.12 , suse/kiosk/firefox-esr:128.12-62.12 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest Container Release : 62.12 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container suse/kiosk/firefox-esr was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated From sle-container-updates at lists.suse.com Mon Jul 14 13:33:53 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 14 Jul 2025 15:33:53 +0200 (CEST) Subject: SUSE-CU-2025:5272-1: Recommended update of suse/pcp Message-ID: <20250714133353.36895FD12@maintenance.suse.de> SUSE Container Update Advisory: suse/pcp ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5272-1 Container Tags : suse/pcp:6 , suse/pcp:6.2 , suse/pcp:6.2.0 , suse/pcp:6.2.0-61.30 , suse/pcp:latest Container Release : 61.30 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container suse/pcp was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - cyrus-sasl-2.1.28-150600.7.6.2 updated From sle-container-updates at lists.suse.com Mon Jul 14 13:34:06 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 14 Jul 2025 15:34:06 +0200 (CEST) Subject: SUSE-CU-2025:5274-1: Recommended update of suse/postgres Message-ID: <20250714133406.B93E5FD1A@maintenance.suse.de> SUSE Container Update Advisory: suse/postgres ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5274-1 Container Tags : suse/postgres:17 , suse/postgres:17.5 , suse/postgres:17.5 , suse/postgres:17.5-62.2 , suse/postgres:latest Container Release : 62.2 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container suse/postgres was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated From sle-container-updates at lists.suse.com Mon Jul 14 13:34:18 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 14 Jul 2025 15:34:18 +0200 (CEST) Subject: SUSE-CU-2025:5276-1: Recommended update of suse/samba-client Message-ID: <20250714133418.99474FD1A@maintenance.suse.de> SUSE Container Update Advisory: suse/samba-client ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5276-1 Container Tags : suse/samba-client:4.21 , suse/samba-client:4.21 , suse/samba-client:4.21-62.15 , suse/samba-client:latest Container Release : 62.15 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container suse/samba-client was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:suse-sle15-15.7-cfc2f2fd66efaa6058f3f88b16760a1de5ba1364b9bd73c61bea37a37a6fc8e6-0 updated From sle-container-updates at lists.suse.com Mon Jul 14 13:34:23 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 14 Jul 2025 15:34:23 +0200 (CEST) Subject: SUSE-CU-2025:5277-1: Recommended update of suse/samba-server Message-ID: <20250714133423.25FA2FD1A@maintenance.suse.de> SUSE Container Update Advisory: suse/samba-server ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5277-1 Container Tags : suse/samba-server:4.21 , suse/samba-server:4.21 , suse/samba-server:4.21-62.15 , suse/samba-server:latest Container Release : 62.15 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container suse/samba-server was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:suse-sle15-15.7-cfc2f2fd66efaa6058f3f88b16760a1de5ba1364b9bd73c61bea37a37a6fc8e6-0 updated From sle-container-updates at lists.suse.com Mon Jul 14 13:34:27 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 14 Jul 2025 15:34:27 +0200 (CEST) Subject: SUSE-CU-2025:5278-1: Recommended update of suse/samba-toolbox Message-ID: <20250714133427.A9AAFFD1A@maintenance.suse.de> SUSE Container Update Advisory: suse/samba-toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5278-1 Container Tags : suse/samba-toolbox:4.21 , suse/samba-toolbox:4.21 , suse/samba-toolbox:4.21-62.15 , suse/samba-toolbox:latest Container Release : 62.15 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container suse/samba-toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:suse-sle15-15.7-cfc2f2fd66efaa6058f3f88b16760a1de5ba1364b9bd73c61bea37a37a6fc8e6-0 updated From sle-container-updates at lists.suse.com Mon Jul 14 13:34:37 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 14 Jul 2025 15:34:37 +0200 (CEST) Subject: SUSE-CU-2025:5279-1: Recommended update of suse/sle15 Message-ID: <20250714133437.60EC1FD1A@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5279-1 Container Tags : bci/bci-base:15.7 , bci/bci-base:15.7-5.8.13 , bci/bci-base:latest , suse/sle15:15.7 , suse/sle15:15.7-5.8.13 , suse/sle15:latest Container Release : 5.8.13 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated From sle-container-updates at lists.suse.com Mon Jul 14 13:34:42 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 14 Jul 2025 15:34:42 +0200 (CEST) Subject: SUSE-CU-2025:5280-1: Recommended update of suse/kiosk/xorg Message-ID: <20250714133442.E4AB8FD1A@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/xorg ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5280-1 Container Tags : suse/kiosk/xorg:21 , suse/kiosk/xorg:21.1 , suse/kiosk/xorg:21.1-63.11 , suse/kiosk/xorg:latest , suse/kiosk/xorg:notaskbar Container Release : 63.11 Severity : important Type : recommended References : 1243695 ----------------------------------------------------------------- The container suse/kiosk/xorg was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2300-1 Released: Mon Jul 14 07:54:54 2025 Summary: Recommended update for alsa-ucm-conf Type: recommended Severity: important References: 1243695 This update for alsa-ucm-conf fixes the following issues: - Correct / update the previous backported patches - Improved HD-audio Mic LED handling (bsc#1243695): The following package changes have been done: - alsa-ucm-conf-1.2.10-150600.3.5.1 updated From sle-container-updates at lists.suse.com Mon Jul 14 13:33:36 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 14 Jul 2025 15:33:36 +0200 (CEST) Subject: SUSE-CU-2025:5269-1: Recommended update of suse/registry Message-ID: <20250714133336.32220F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/registry ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5269-1 Container Tags : suse/registry:2.8 , 
suse/registry:2.8-5.10 , suse/registry:latest Container Release : 5.10 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container suse/registry was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:bci-bci-micro-15.7-41cc47eee6293a3d0e22a28860735271035596a7640eabad0930777dce1a528d-0 updated From sle-container-updates at lists.suse.com Mon Jul 14 13:34:00 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 14 Jul 2025 15:34:00 +0200 (CEST) Subject: SUSE-CU-2025:5273-1: Recommended update of suse/postgres Message-ID: <20250714133400.6DB95FD12@maintenance.suse.de> SUSE Container Update Advisory: suse/postgres ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5273-1 Container Tags : suse/postgres:16 , suse/postgres:16.9 , suse/postgres:16.9 , suse/postgres:16.9-72.2 Container Release : 72.2 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container suse/postgres was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated From sle-container-updates at lists.suse.com Tue Jul 15 07:03:25 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 15 Jul 2025 09:03:25 +0200 (CEST) Subject: SUSE-CU-2025:5284-1: Recommended update of containers/milvus Message-ID: <20250715070325.37F9CFCF8@maintenance.suse.de> SUSE Container Update Advisory: containers/milvus ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5284-1 Container Tags : containers/milvus:2.4 , containers/milvus:2.4.6 , containers/milvus:2.4.6-7.147 Container Release : 7.147 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container containers/milvus was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:registry.suse.com-bci-bci-base-15.6-8eeeceaa5112b1ed4a1366daca1c5c30b0fb89b0ea28b2a90b41e1aa01aeef21-0 updated From sle-container-updates at lists.suse.com Tue Jul 15 07:04:58 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 15 Jul 2025 09:04:58 +0200 (CEST) Subject: SUSE-CU-2025:5285-1: Security update of containers/open-webui Message-ID: <20250715070458.490CEFCF8@maintenance.suse.de> SUSE Container Update Advisory: containers/open-webui ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5285-1 Container Tags : containers/open-webui:0 , containers/open-webui:0.6.9 , containers/open-webui:0.6.9-10.33 Container Release : 10.33 Severity : moderate Type : security References : 1229655 1244403 1244404 1244407 CVE-2025-47806 CVE-2025-47807 CVE-2025-47808 ----------------------------------------------------------------- The container containers/open-webui was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2302-1 Released: Mon Jul 14 12:50:21 2025 Summary: Security update for gstreamer-plugins-base Type: security Severity: moderate References: 1244403,1244404,1244407,CVE-2025-47806,CVE-2025-47807,CVE-2025-47808 This update for gstreamer-plugins-base fixes the following issues: - CVE-2025-47808: Fixed NULL-pointer dereference in TMPlayer subtitle parser (bsc#1244404). - CVE-2025-47807: Fixed NULL-pointer dereference in SubRip subtitle parser (bsc#1244403). - CVE-2025-47806: Fixed stack buffer overflow in SubRip subtitle parser (bsc#1244407). The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - python311-pandas-2.2.3-150600.1.52 updated - gstreamer-plugins-base-1.24.0-150600.3.11.1 updated - libgstvideo-1_0-0-1.24.0-150600.3.11.1 updated - libgsttag-1_0-0-1.24.0-150600.3.11.1 updated - libgstaudio-1_0-0-1.24.0-150600.3.11.1 updated - libgstapp-1_0-0-1.24.0-150600.3.11.1 updated - libgstpbutils-1_0-0-1.24.0-150600.3.11.1 updated - libgstallocators-1_0-0-1.24.0-150600.3.11.1 updated - libgstgl-1_0-0-1.24.0-150600.3.11.1 updated - libgstriff-1_0-0-1.24.0-150600.3.11.1 updated - python311-open-webui-0.6.9-150600.2.10 updated - container:registry.suse.com-bci-bci-base-15.6-8eeeceaa5112b1ed4a1366daca1c5c30b0fb89b0ea28b2a90b41e1aa01aeef21-0 updated From sle-container-updates at lists.suse.com Tue Jul 15 07:05:03 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 15 Jul 2025 09:05:03 +0200 (CEST) Subject: SUSE-CU-2025:5286-1: Recommended update of containers/open-webui-pipelines Message-ID: <20250715070503.C3644FCF8@maintenance.suse.de> SUSE Container Update Advisory: containers/open-webui-pipelines ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5286-1 Container Tags : containers/open-webui-pipelines:0 , 
containers/open-webui-pipelines:0.20250329.151219 , containers/open-webui-pipelines:0.20250329.151219-5.16 Container Release : 5.16 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container containers/open-webui-pipelines was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - python-open-webui-pipelines-0.20250329.151219-150600.3.11 updated - container:registry.suse.com-bci-bci-micro-15.6-9d07d1df486b233daea750f258d1e2674468ae6260c5a168546bc421f8045708-0 updated From sle-container-updates at lists.suse.com Tue Jul 15 07:05:15 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 15 Jul 2025 09:05:15 +0200 (CEST) Subject: SUSE-CU-2025:5287-1: Recommended update of containers/pytorch Message-ID: <20250715070515.9EB55FCF8@maintenance.suse.de> SUSE Container Update Advisory: containers/pytorch ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5287-1 Container Tags : containers/pytorch:2-nvidia , containers/pytorch:2.7.0-nvidia , containers/pytorch:2.7.0-nvidia-2.31 Container Release : 2.31 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container containers/pytorch was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - python311-torch-cuda-2.7.0-150600.2.16 updated From sle-container-updates at lists.suse.com Tue Jul 15 07:06:51 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 15 Jul 2025 09:06:51 +0200 (CEST) Subject: SUSE-CU-2025:5288-1: Security update of suse/ltss/sle12.5/sles12sp5 Message-ID: <20250715070651.7E445FCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle12.5/sles12sp5 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5288-1 Container Tags : suse/ltss/sle12.5/sles12sp5:8.5.107 , suse/ltss/sle12.5/sles12sp5:latest Container Release : 8.5.107 Severity : important Type : security References : 1244554 1244557 1244590 1244700 1245309 1245310 1245311 1245314 CVE-2025-4877 CVE-2025-4878 CVE-2025-49794 CVE-2025-49796 CVE-2025-5318 CVE-2025-5372 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/ltss/sle12.5/sles12sp5 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2281-1 Released: Thu Jul 10 18:05:32 2025 Summary: Security update for libssh Type: security Severity: important References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372 This update for libssh fixes the following issues: - CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309). - CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310). - CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311). - CVE-2025-5372: Fixed ssh_kdf() returns a success code on certain failures (bsc#1245314). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2294-1 Released: Fri Jul 11 16:47:42 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. 
(bsc#1244590) The following package changes have been done: - libssh-config-0.9.8-3.15.1 updated - libssh4-0.9.8-3.15.1 updated - libxml2-2-2.9.4-46.87.1 updated From sle-container-updates at lists.suse.com Tue Jul 15 07:10:28 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 15 Jul 2025 09:10:28 +0200 (CEST) Subject: SUSE-CU-2025:5289-1: Recommended update of bci/nodejs Message-ID: <20250715071028.03E49FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/nodejs ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5289-1 Container Tags : bci/node:20 , bci/node:20.19.2 , bci/node:20.19.2-54.17 , bci/nodejs:20 , bci/nodejs:20.19.2 , bci/nodejs:20.19.2-54.17 Container Release : 54.17 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container bci/nodejs was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:registry.suse.com-bci-bci-base-15.6-8eeeceaa5112b1ed4a1366daca1c5c30b0fb89b0ea28b2a90b41e1aa01aeef21-0 updated From sle-container-updates at lists.suse.com Tue Jul 15 07:11:25 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 15 Jul 2025 09:11:25 +0200 (CEST) Subject: SUSE-CU-2025:5290-1: Recommended update of bci/python Message-ID: <20250715071125.BFBFCFCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5290-1 Container Tags : bci/python:3 , bci/python:3.12 , bci/python:3.12.11 , bci/python:3.12.11-69.18 Container Release : 69.18 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container bci/python was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:registry.suse.com-bci-bci-base-15.6-8eeeceaa5112b1ed4a1366daca1c5c30b0fb89b0ea28b2a90b41e1aa01aeef21-0 updated From sle-container-updates at lists.suse.com Tue Jul 15 07:12:57 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 15 Jul 2025 09:12:57 +0200 (CEST) Subject: SUSE-CU-2025:5292-1: Recommended update of suse/git Message-ID: <20250715071257.409D3F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/git ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5292-1 Container Tags : suse/git:2 , suse/git:2.43 , suse/git:2.43.0 , suse/git:2.43.0-61.23 , suse/git:latest Container Release : 61.23 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container suse/git was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:suse-sle15-15.7-cfc2f2fd66efaa6058f3f88b16760a1de5ba1364b9bd73c61bea37a37a6fc8e6-0 updated - container:registry.suse.com-bci-bci-micro-15.7-41cc47eee6293a3d0e22a28860735271035596a7640eabad0930777dce1a528d-0 updated From sle-container-updates at lists.suse.com Tue Jul 15 07:12:59 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 15 Jul 2025 09:12:59 +0200 (CEST) Subject: SUSE-CU-2025:5293-1: Recommended update of suse/kea Message-ID: <20250715071259.A648BF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/kea ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5293-1 Container Tags : suse/kea:2.6 , suse/kea:2.6-61.19 , suse/kea:latest Container Release : 61.19 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container suse/kea was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:registry.suse.com-bci-bci-base-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Tue Jul 15 07:13:06 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 15 Jul 2025 09:13:06 +0200 (CEST) Subject: SUSE-CU-2025:5294-1: Recommended update of suse/nginx Message-ID: <20250715071306.A9AB0F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/nginx ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5294-1 Container Tags : suse/nginx:1.21 , suse/nginx:1.21-61.18 , suse/nginx:latest Container Release : 61.18 Severity : moderate Type : recommended References : 1243502 ----------------------------------------------------------------- The container suse/nginx was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2305-1 Released: Mon Jul 14 13:04:21 2025 Summary: Recommended update for nginx Type: recommended Severity: moderate References: 1243502 This update for nginx fixes the following issues: - Changed service to prevent 'timed out. 
Killing' messages on service stopping (bsc#1243502) The following package changes have been done: - nginx-1.21.5-150600.10.6.1 updated From sle-container-updates at lists.suse.com Tue Jul 15 07:13:13 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 15 Jul 2025 09:13:13 +0200 (CEST) Subject: SUSE-CU-2025:5296-1: Recommended update of bci/openjdk Message-ID: <20250715071313.CB32BF78C@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5296-1 Container Tags : bci/openjdk:17 , bci/openjdk:17.0.15.0 , bci/openjdk:17.0.15.0-7.27 Container Release : 7.27 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container bci/openjdk was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:registry.suse.com-bci-bci-base-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Tue Jul 15 07:13:19 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 15 Jul 2025 09:13:19 +0200 (CEST) Subject: SUSE-CU-2025:5297-1: Security update of suse/kiosk/pulseaudio Message-ID: <20250715071319.68F16F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/pulseaudio ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5297-1 Container Tags : suse/kiosk/pulseaudio:17 , suse/kiosk/pulseaudio:17.0 , suse/kiosk/pulseaudio:17.0-61.20 , suse/kiosk/pulseaudio:latest Container Release : 61.20 Severity : moderate Type : security References : 1244403 1244404 1244407 CVE-2025-47806 CVE-2025-47807 CVE-2025-47808 ----------------------------------------------------------------- The container suse/kiosk/pulseaudio was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2302-1 Released: Mon Jul 14 12:50:21 2025 Summary: Security update for gstreamer-plugins-base Type: security Severity: moderate References: 1244403,1244404,1244407,CVE-2025-47806,CVE-2025-47807,CVE-2025-47808 This update for gstreamer-plugins-base fixes the following issues: - CVE-2025-47808: Fixed NULL-pointer dereference in TMPlayer subtitle parser (bsc#1244404). - CVE-2025-47807: Fixed NULL-pointer dereference in SubRip subtitle parser (bsc#1244403). - CVE-2025-47806: Fixed stack buffer overflow in SubRip subtitle parser (bsc#1244407). 
The following package changes have been done: - gstreamer-plugins-base-1.24.0-150600.3.11.1 updated - libgsttag-1_0-0-1.24.0-150600.3.11.1 updated - libgstaudio-1_0-0-1.24.0-150600.3.11.1 updated - libgstvideo-1_0-0-1.24.0-150600.3.11.1 updated - libgstallocators-1_0-0-1.24.0-150600.3.11.1 updated - libgstgl-1_0-0-1.24.0-150600.3.11.1 updated - libgstapp-1_0-0-1.24.0-150600.3.11.1 updated - libgstpbutils-1_0-0-1.24.0-150600.3.11.1 updated - libgstriff-1_0-0-1.24.0-150600.3.11.1 updated From sle-container-updates at lists.suse.com Wed Jul 16 07:03:31 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 09:03:31 +0200 (CEST) Subject: SUSE-CU-2025:5300-1: Security update of containers/milvus Message-ID: <20250716070331.710EEFCF8@maintenance.suse.de> SUSE Container Update Advisory: containers/milvus ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5300-1 Container Tags : containers/milvus:2.4 , containers/milvus:2.4.6 , containers/milvus:2.4.6-7.148 Container Release : 7.148 Severity : moderate Type : security References : 1244663 CVE-2025-4565 ----------------------------------------------------------------- The container containers/milvus was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2311-1 Released: Tue Jul 15 11:15:48 2025 Summary: Security update for protobuf Type: security Severity: moderate References: 1244663,CVE-2025-4565 This update for protobuf fixes the following issues: - CVE-2025-4565: Fix parsing of untrusted Protocol Buffers data containing an arbitrary number of recursive groups or messages that can lead to crash due to RecursionError (bsc#1244663). 
The following package changes have been done: - libprotobuf25_1_0-25.1-150600.16.13.1 updated From sle-container-updates at lists.suse.com Wed Jul 16 07:05:18 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 09:05:18 +0200 (CEST) Subject: SUSE-CU-2025:5301-1: Security update of containers/open-webui Message-ID: <20250716070518.4AF16FCF8@maintenance.suse.de> SUSE Container Update Advisory: containers/open-webui ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5301-1 Container Tags : containers/open-webui:0 , containers/open-webui:0.6.9 , containers/open-webui:0.6.9-10.34 Container Release : 10.34 Severity : moderate Type : security References : 1244663 CVE-2025-4565 ----------------------------------------------------------------- The container containers/open-webui was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2311-1 Released: Tue Jul 15 11:15:48 2025 Summary: Security update for protobuf Type: security Severity: moderate References: 1244663,CVE-2025-4565 This update for protobuf fixes the following issues: - CVE-2025-4565: Fix parsing of untrusted Protocol Buffers data containing an arbitrary number of recursive groups or messages that can lead to crash due to RecursionError (bsc#1244663). 
The following package changes have been done: - libprotobuf25_1_0-25.1-150600.16.13.1 updated - python311-open-webui-0.6.9-150600.2.11 updated From sle-container-updates at lists.suse.com Wed Jul 16 07:05:19 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 09:05:19 +0200 (CEST) Subject: SUSE-CU-2025:5302-1: Security update of containers/open-webui Message-ID: <20250716070519.3F587FD12@maintenance.suse.de> SUSE Container Update Advisory: containers/open-webui ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5302-1 Container Tags : containers/open-webui:0 , containers/open-webui:0.6.9 , containers/open-webui:0.6.9-10.36 Container Release : 10.36 Severity : important Type : security References : 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container containers/open-webui was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2314-1 Released: Tue Jul 15 14:34:08 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. 
(bsc#1244590) The following package changes have been done: - libxml2-2-2.10.3-150500.5.29.1 updated - python311-open-webui-0.6.9-150600.2.12 updated - container:registry.suse.com-bci-bci-base-15.6-f74bb08cb3cd67848838c173455a95de3e95dff460de317fd4bee839a5e05618-0 updated From sle-container-updates at lists.suse.com Wed Jul 16 07:05:33 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 09:05:33 +0200 (CEST) Subject: SUSE-CU-2025:5304-1: Security update of containers/pytorch Message-ID: <20250716070533.871B0FCF8@maintenance.suse.de> SUSE Container Update Advisory: containers/pytorch ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5304-1 Container Tags : containers/pytorch:2-nvidia , containers/pytorch:2.7.0-nvidia , containers/pytorch:2.7.0-nvidia-2.33 Container Release : 2.33 Severity : important Type : security References : 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container containers/pytorch was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2314-1 Released: Tue Jul 15 14:34:08 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. 
(bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) The following package changes have been done: - libxml2-2-2.10.3-150500.5.29.1 updated - python311-torch-cuda-2.7.0-150600.2.18 updated From sle-container-updates at lists.suse.com Wed Jul 16 07:07:22 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 09:07:22 +0200 (CEST) Subject: SUSE-IU-2025:1949-1: Security update of suse/sle-micro/base-5.5 Message-ID: <20250716070722.C4DB5FCF8@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/base-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1949-1 Image Tags : suse/sle-micro/base-5.5:2.0.4 , suse/sle-micro/base-5.5:2.0.4-5.8.185 , suse/sle-micro/base-5.5:latest Image Release : 5.8.185 Severity : important Type : security References : 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/sle-micro/base-5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2314-1 Released: Tue Jul 15 14:34:08 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. 
(bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) The following package changes have been done: - libxml2-2-2.10.3-150500.5.29.1 updated From sle-container-updates at lists.suse.com Wed Jul 16 07:08:20 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 09:08:20 +0200 (CEST) Subject: SUSE-IU-2025:1950-1: Security update of suse/sle-micro/kvm-5.5 Message-ID: <20250716070820.7674AFCF8@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/kvm-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1950-1 Image Tags : suse/sle-micro/kvm-5.5:2.0.4 , suse/sle-micro/kvm-5.5:2.0.4-3.5.354 , suse/sle-micro/kvm-5.5:latest Image Release : 3.5.354 Severity : important Type : security References : 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/sle-micro/kvm-5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2314-1 Released: Tue Jul 15 14:34:08 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. 
(bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) The following package changes have been done: - libxml2-2-2.10.3-150500.5.29.1 updated - container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.185 updated From sle-container-updates at lists.suse.com Wed Jul 16 07:09:46 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 09:09:46 +0200 (CEST) Subject: SUSE-IU-2025:1951-1: Security update of suse/sle-micro/rt-5.5 Message-ID: <20250716070946.E3491FCF8@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/rt-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1951-1 Image Tags : suse/sle-micro/rt-5.5:2.0.4 , suse/sle-micro/rt-5.5:2.0.4-4.5.430 , suse/sle-micro/rt-5.5:latest Image Release : 4.5.430 Severity : important Type : security References : 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/sle-micro/rt-5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2314-1 Released: Tue Jul 15 14:34:08 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. 
(bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) The following package changes have been done: - libxml2-2-2.10.3-150500.5.29.1 updated - container:suse-sle-micro-5.5-latest-2.0.4-5.5.327 updated From sle-container-updates at lists.suse.com Wed Jul 16 07:09:48 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 09:09:48 +0200 (CEST) Subject: SUSE-IU-2025:1952-1: Security update of suse/sle-micro/rt-5.5 Message-ID: <20250716070948.143A8FCF8@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/rt-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1952-1 Image Tags : suse/sle-micro/rt-5.5:2.0.4 , suse/sle-micro/rt-5.5:2.0.4-4.5.431 , suse/sle-micro/rt-5.5:latest Image Release : 4.5.431 Severity : important Type : security References : 1065729 1156395 1193629 1194869 1198410 1199356 1199487 1201160 1201956 1202094 1202095 1202564 1202716 1202823 1202860 1203197 1203361 1205220 1205514 1205701 1206451 1206664 1206878 1206880 1207361 1207638 1211226 1212051 1213090 1218184 1218234 1218470 1222634 1223675 1224095 1224597 1225468 1225820 1226514 1226552 1228659 1230827 1231293 1232504 1234156 1234381 1234454 1235464 1235637 1236821 1236822 1237159 1237312 1237313 1238303 1238526 1238570 1238876 1239986 1240785 1241038 1241640 1241900 1242006 1242221 1242414 1242504 1242596 1242778 1242782 1242924 1243330 1243543 1243627 1243649 1243660 1243832 1244114 1244179 1244180 1244234 1244241 1244277 1244309 1244337 1244732 1244764 1244765 1244767 1244770 1244771 1244772 1244773 1244774 1244776 1244779 1244780 1244781 1244782 1244783 1244784 1244786 1244787 1244788 1244790 1244791 1244793 1244794 1244796 1244797 1244798 1244800 1244802 1244804 1244805 1244806 1244807 1244808 1244811 1244813 1244814 1244815 1244816 1244819 1244820 1244823 1244824 1244825 1244826 1244827 
1244830 1244831 1244832 1244834 1244836 1244838 1244839 1244840 1244841 1244842 1244843 1244845 1244846 1244848 1244849 1244851 1244853 1244854 1244856 1244858 1244860 1244861 1244866 1244867 1244868 1244869 1244870 1244871 1244872 1244873 1244875 1244876 1244878 1244879 1244881 1244883 1244884 1244886 1244887 1244888 1244890 1244892 1244893 1244895 1244898 1244899 1244900 1244901 1244902 1244903 1244904 1244905 1244908 1244911 1244912 1244914 1244915 1244928 1244936 1244940 1244941 1244942 1244943 1244944 1244945 1244948 1244949 1244950 1244953 1244955 1244956 1244957 1244958 1244959 1244960 1244961 1244965 1244966 1244967 1244968 1244969 1244970 1244973 1244974 1244976 1244977 1244978 1244979 1244983 1244984 1244985 1244986 1244987 1244991 1244992 1244993 1245006 1245007 1245009 1245011 1245012 1245015 1245018 1245019 1245023 1245024 1245028 1245031 1245032 1245033 1245038 1245039 1245040 1245041 1245047 1245048 1245051 1245052 1245057 1245058 1245060 1245062 1245063 1245064 1245069 1245070 1245072 1245073 1245088 1245089 1245092 1245093 1245094 1245098 1245103 1245116 1245117 1245118 1245119 1245121 1245122 1245125 1245129 1245131 1245133 1245134 1245135 1245136 1245138 1245139 1245140 1245142 1245146 1245147 1245149 1245152 1245154 1245155 1245180 1245183 1245189 1245191 1245195 1245197 1245265 1245340 1245348 1245431 1245455 CVE-2021-47557 CVE-2021-47595 CVE-2022-1679 CVE-2022-2585 CVE-2022-2586 CVE-2022-2905 CVE-2022-3903 CVE-2022-4095 CVE-2022-4662 CVE-2022-49934 CVE-2022-49935 CVE-2022-49936 CVE-2022-49937 CVE-2022-49938 CVE-2022-49940 CVE-2022-49942 CVE-2022-49943 CVE-2022-49944 CVE-2022-49945 CVE-2022-49946 CVE-2022-49948 CVE-2022-49949 CVE-2022-49950 CVE-2022-49951 CVE-2022-49952 CVE-2022-49954 CVE-2022-49956 CVE-2022-49957 CVE-2022-49958 CVE-2022-49960 CVE-2022-49962 CVE-2022-49963 CVE-2022-49964 CVE-2022-49965 CVE-2022-49966 CVE-2022-49968 CVE-2022-49969 CVE-2022-49971 CVE-2022-49972 CVE-2022-49977 CVE-2022-49978 CVE-2022-49980 CVE-2022-49981 
CVE-2022-49982 CVE-2022-49983 CVE-2022-49984 CVE-2022-49985 CVE-2022-49986 CVE-2022-49987 CVE-2022-49989 CVE-2022-49990 CVE-2022-49993 CVE-2022-49995 CVE-2022-49999 CVE-2022-50002 CVE-2022-50003 CVE-2022-50005 CVE-2022-50006 CVE-2022-50008 CVE-2022-50010 CVE-2022-50011 CVE-2022-50012 CVE-2022-50015 CVE-2022-50016 CVE-2022-50019 CVE-2022-50020 CVE-2022-50021 CVE-2022-50022 CVE-2022-50023 CVE-2022-50024 CVE-2022-50026 CVE-2022-50027 CVE-2022-50028 CVE-2022-50029 CVE-2022-50030 CVE-2022-50031 CVE-2022-50032 CVE-2022-50033 CVE-2022-50034 CVE-2022-50035 CVE-2022-50036 CVE-2022-50037 CVE-2022-50038 CVE-2022-50039 CVE-2022-50040 CVE-2022-50041 CVE-2022-50044 CVE-2022-50045 CVE-2022-50046 CVE-2022-50047 CVE-2022-50049 CVE-2022-50050 CVE-2022-50051 CVE-2022-50052 CVE-2022-50053 CVE-2022-50054 CVE-2022-50055 CVE-2022-50059 CVE-2022-50060 CVE-2022-50061 CVE-2022-50062 CVE-2022-50065 CVE-2022-50066 CVE-2022-50067 CVE-2022-50068 CVE-2022-50072 CVE-2022-50073 CVE-2022-50074 CVE-2022-50076 CVE-2022-50077 CVE-2022-50079 CVE-2022-50083 CVE-2022-50084 CVE-2022-50085 CVE-2022-50086 CVE-2022-50087 CVE-2022-50092 CVE-2022-50093 CVE-2022-50094 CVE-2022-50095 CVE-2022-50097 CVE-2022-50098 CVE-2022-50099 CVE-2022-50100 CVE-2022-50101 CVE-2022-50102 CVE-2022-50103 CVE-2022-50104 CVE-2022-50108 CVE-2022-50109 CVE-2022-50110 CVE-2022-50111 CVE-2022-50112 CVE-2022-50115 CVE-2022-50116 CVE-2022-50117 CVE-2022-50118 CVE-2022-50120 CVE-2022-50121 CVE-2022-50124 CVE-2022-50125 CVE-2022-50126 CVE-2022-50127 CVE-2022-50129 CVE-2022-50131 CVE-2022-50132 CVE-2022-50133 CVE-2022-50134 CVE-2022-50135 CVE-2022-50136 CVE-2022-50137 CVE-2022-50138 CVE-2022-50139 CVE-2022-50140 CVE-2022-50141 CVE-2022-50142 CVE-2022-50143 CVE-2022-50144 CVE-2022-50145 CVE-2022-50146 CVE-2022-50149 CVE-2022-50151 CVE-2022-50152 CVE-2022-50153 CVE-2022-50154 CVE-2022-50155 CVE-2022-50156 CVE-2022-50157 CVE-2022-50158 CVE-2022-50160 CVE-2022-50161 CVE-2022-50162 CVE-2022-50164 CVE-2022-50165 CVE-2022-50166 CVE-2022-50169 
CVE-2022-50171 CVE-2022-50172 CVE-2022-50173 CVE-2022-50175 CVE-2022-50176 CVE-2022-50178 CVE-2022-50179 CVE-2022-50181 CVE-2022-50183 CVE-2022-50184 CVE-2022-50185 CVE-2022-50186 CVE-2022-50187 CVE-2022-50188 CVE-2022-50190 CVE-2022-50191 CVE-2022-50192 CVE-2022-50194 CVE-2022-50196 CVE-2022-50197 CVE-2022-50198 CVE-2022-50199 CVE-2022-50200 CVE-2022-50201 CVE-2022-50202 CVE-2022-50203 CVE-2022-50204 CVE-2022-50206 CVE-2022-50207 CVE-2022-50208 CVE-2022-50209 CVE-2022-50211 CVE-2022-50212 CVE-2022-50213 CVE-2022-50215 CVE-2022-50218 CVE-2022-50220 CVE-2022-50221 CVE-2022-50222 CVE-2022-50226 CVE-2022-50228 CVE-2022-50229 CVE-2022-50231 CVE-2023-3111 CVE-2023-52924 CVE-2023-52925 CVE-2023-53046 CVE-2023-53048 CVE-2023-53076 CVE-2023-53097 CVE-2024-26808 CVE-2024-26924 CVE-2024-26935 CVE-2024-27397 CVE-2024-28956 CVE-2024-35840 CVE-2024-36978 CVE-2024-46800 CVE-2024-53125 CVE-2024-53141 CVE-2024-53197 CVE-2024-56770 CVE-2024-57999 CVE-2025-21700 CVE-2025-21702 CVE-2025-21703 CVE-2025-21756 CVE-2025-23141 CVE-2025-23145 CVE-2025-37752 CVE-2025-37785 CVE-2025-37798 CVE-2025-37823 CVE-2025-37890 CVE-2025-37932 CVE-2025-37948 CVE-2025-37953 CVE-2025-37963 CVE-2025-37997 CVE-2025-38000 CVE-2025-38001 CVE-2025-38014 CVE-2025-38060 CVE-2025-38083 ----------------------------------------------------------------- The container suse/sle-micro/rt-5.5 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2321-1 Released: Tue Jul 15 16:31:34 2025 Summary: Security update for the Linux Kernel Type: security Severity: important The SUSE Linux Enterprise 15 SP5 RT kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2021-47557: net/sched: sch_ets: do not peek at classes beyond 'nbands' (bsc#1207361 bsc#1225468). - CVE-2021-47595: net/sched: sch_ets: do not remove idle classes from the round-robin list (bsc#1207361 bsc#1226552). - CVE-2023-52924: netfilter: nf_tables: do not skip expired elements during walk (bsc#1236821). - CVE-2023-52925: netfilter: nf_tables: do not fail inserts if duplicate has expired (bsc#1236822). - CVE-2024-26808: netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain (bsc#1222634).
- CVE-2024-26924: scsi: lpfc: Release hbalock before calling lpfc_worker_wake_up() (bsc#1225820). - CVE-2024-27397: kabi: place tstamp needed for nftables set in a hole (bsc#1224095). - CVE-2024-28956: x86/its: Add support for ITS-safe indirect thunk (bsc#1242006). - CVE-2024-36978: net: sched: sch_multiq: fix possible OOB write in multiq_tune() (bsc#1226514). - CVE-2024-46800: sch/netem: fix use after free in netem_dequeue (bsc#1230827). - CVE-2024-53125: bpf: sync_linked_regs() must preserve subreg_def (bsc#1234156). - CVE-2024-53141: netfilter: ipset: add missing range check in bitmap_ip_uadt (bsc#1234381). - CVE-2024-53197: ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices (bsc#1235464). - CVE-2024-56770: sch/netem: fix use after free in netem_dequeue (bsc#1235637). - CVE-2025-21700: net: sched: Disallow replacing of child qdisc from one parent to another (bsc#1237159). - CVE-2025-21702: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (bsc#1237312). - CVE-2025-21703: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() (bsc#1237313). - CVE-2025-21756: vsock: Orphan socket after transport release (bsc#1238876). - CVE-2025-23141: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses (bsc#1242782). - CVE-2025-37752: net_sched: sch_sfq: move the limit validation (bsc#1242504). - CVE-2025-37785: ext4: fix OOB read when checking dotdot dir (bsc#1241640). - CVE-2025-37823: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too (bsc#1242924). - CVE-2025-37890: net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc (bsc#1243330). - CVE-2025-37997: netfilter: ipset: fix region locking in hash types (bsc#1243832). - CVE-2025-38000: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (bsc#1244277). - CVE-2025-38001: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice (bsc#1244234). 
- CVE-2025-38014: dmaengine: idxd: Refactor remove call with idxd_cleanup() helper (bsc#1244732). - CVE-2025-38060: bpf: abort verification if env->cur_state->loop_entry != NULL (bsc#1245155). - CVE-2025-38083: net_sched: prio: fix a race in prio_tune() (bsc#1245183). The following non-security bugs were fixed: - ALSA: usb-audio: Fix a DMA to stack memory bug (git-fixes). - Fix conditional for selecting gcc-13 Fixes: 51dacec21eb1 ('Use gcc-13 for build on SLE16 (jsc#PED-10028).') - Fix reference in 'net_sched: sch_sfq: use a temporary work area for validating configuration' (bsc#1242504) - MyBS: Correctly generate build flags for non-multibuild package limit (bsc# 1244241) Fixes: 0999112774fc ('MyBS: Use buildflags to set which package to build') - MyBS: Do not build kernel-obs-qa with limit_packages Fixes: 58e3f8c34b2b ('bs-upload-kernel: Pass limit_packages also on multibuild') - MyBS: Simplify qa_expr generation Start with a 0 which makes the expression valid even if there are no QA repositories (currently does not happen). Then separator is always needed. - Require zstd in kernel-default-devel when module compression is zstd To use ksym-provides tool modules need to be uncompressed. Without zstd at least kernel-default-base does not have provides. Link: https://github.com/openSUSE/rpm-config-SUSE/pull/82 - Use gcc-13 for build on SLE16 (jsc#PED-10028). - add nf_tables for iptables non-legacy network handling This is needed for example by docker on the Alpine Linux distribution, but can also be used on openSUSE. - bs-upload-kernel: Pass limit_packages also on multibuild Fixes: 0999112774fc ('MyBS: Use buildflags to set which package to build') Fixes: 747f601d4156 ('bs-upload-kernel, MyBS, Buildresults: Support multibuild (JSC-SLE#5501, boo#1211226, bsc#1218184)') - check-for-config-changes: Fix flag name typo - doc/README.SUSE: Point to the updated version of LKMPG - hugetlb: unshare some PMDs when splitting VMAs (bsc#1245431). 
- kernel-obs-qa: Use srchash for dependency as well - kernel-source: Also replace bin/env - kernel-source: Also update the search to match bin/env Fixes: dc2037cd8f94 ('kernel-source: Also replace bin/env' - kernel-source: Remove log.sh from sources - mkspec: Exclude rt flavor from kernel-syms dependencies (bsc#1244337). - mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race (bsc#1245431). - mm/hugetlb: unshare page tables during VMA split, not before (bsc#1245431). - net_sched: sch_fifo: implement lockless __fifo_dump() (bsc#1237312) - net_sched: sch_sfq: use a temporary work area for validating configuration (bsc#1232504) - ovl: fix use inode directly in rcu-walk mode (bsc#1241900). - packaging: Turn gcc version into config.sh variable Fixes: 51dacec21eb1 ('Use gcc-13 for build on SLE16 (jsc#PED-10028).') - powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap (bsc#1244309 ltc#213790). - powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() (bsc#1244309 ltc#213790). - rpm/check-for-config-changes: Add GCC_ASM_FLAG_OUTPUT_BROKEN - rpm/check-for-config-changes: Add GCC_ASM_FLAG_OUTPUT_BROKEN Both spellings are actually used - rpm/check-for-config-changes: add LD_CAN_ to IGNORED_CONFIGS_RE - rpm/check-for-config-changes: add more to IGNORED_CONFIGS_RE Useful when someone tries (needs) to build the kernel with clang. - rpm/check-for-config-changes: ignore DRM_MSM_VALIDATE_XML This option is dynamically enabled to build-test different configurations. This makes run_oldconfig.sh complain sporadically for arm64. - rpm/kernel-binary.spec.in: Also order against update-bootloader (boo#1228659, boo#1240785, boo#1241038). - rpm/kernel-binary.spec.in: Fix missing 20-kernel-default-extra.conf (bsc#1239986) sle_version was obsoleted for SLE16. It has to be combined with suse_version check. - rpm/kernel-binary.spec.in: Use OrderWithRequires (boo#1228659 boo#1241038). OrderWithRequires was introduced in rpm 4.9 (ie. 
SLE12+) to allow a package to inform the order of installation of other package without hard requiring that package. This means our kernel-binary packages no longer need to hard require perl-Bootloader or dracut, resolving the long-commented issue there. This is also needed for udev & systemd-boot to ensure those packages are installed before being called by dracut (boo#1228659) - rpm/kernel-binary.spec.in: fix KMPs build on 6.13+ (bsc#1234454) - rpm/kernel-docs.spec.in: Workaround for reproducible builds (bsc#1238303) - rpm/package-descriptions: Add rt and rt_debug descriptions - rpm/release-projects: Update the ALP projects again (bsc#1231293). - rpm/split-modules: Fix optional splitting with usrmerge (bsc#1238570) - rpm: Stop using is_kotd_qa macro - scsi: storvsc: Do not report the host packet status as the hv status (git-fixes). - scsi: storvsc: Increase the timeouts to storvsc_timeout (bsc#1245455). The following package changes have been done: - kernel-rt-5.14.21-150500.13.100.2 updated - dracut-055+suse.396.g701c6212-150500.3.29.2 removed - elfutils-0.185-150400.5.3.1 removed - file-5.32-7.14.1 removed - libasm1-0.185-150400.5.3.1 removed - perl-Bootloader-0.947-150400.3.12.1 removed - pigz-2.3.3-1.28 removed - systemd-sysvinit-249.17-150400.8.46.1 removed - zstd-1.5.0-150400.3.3.1 removed From sle-container-updates at lists.suse.com Wed Jul 16 07:11:45 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 09:11:45 +0200 (CEST) Subject: SUSE-CU-2025:5305-1: Security update of suse/sle-micro/5.5/toolbox Message-ID: <20250716071145.9847AFCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.5/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5305-1 Container Tags : suse/sle-micro/5.5/toolbox:14.2 , suse/sle-micro/5.5/toolbox:14.2-3.12.59 , suse/sle-micro/5.5/toolbox:latest Container Release : 3.12.59 Severity : 
important Type : security References : 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/sle-micro/5.5/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2314-1 Released: Tue Jul 15 14:34:08 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. 
(bsc#1244590) The following package changes have been done: - libxml2-2-2.10.3-150500.5.29.1 updated From sle-container-updates at lists.suse.com Wed Jul 16 07:15:47 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 09:15:47 +0200 (CEST) Subject: SUSE-CU-2025:5306-1: Security update of suse/ltss/sle15.5/sle15 Message-ID: <20250716071547.BD822F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle15.5/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5306-1 Container Tags : suse/ltss/sle15.5/bci-base:15.5 , suse/ltss/sle15.5/bci-base:15.5-5.9 , suse/ltss/sle15.5/sle15:15.5 , suse/ltss/sle15.5/sle15:15.5-5.9 , suse/ltss/sle15.5/sle15:latest Container Release : 5.9 Severity : important Type : security References : 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/ltss/sle15.5/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2314-1 Released: Tue Jul 15 14:34:08 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. 
(bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) The following package changes have been done: - libxml2-2-2.10.3-150500.5.29.1 updated From sle-container-updates at lists.suse.com Wed Jul 16 07:18:02 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 09:18:02 +0200 (CEST) Subject: SUSE-CU-2025:5309-1: Security update of suse/hpc/warewulf4-x86_64/sle-hpc-node Message-ID: <20250716071802.4B866F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/hpc/warewulf4-x86_64/sle-hpc-node ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5309-1 Container Tags : suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6 , suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6.17.8.76 , suse/hpc/warewulf4-x86_64/sle-hpc-node:latest Container Release : 17.8.76 Severity : important Type : security References : 1081723 1224113 1229655 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/hpc/warewulf4-x86_64/sle-hpc-node was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2314-1 Released: Tue Jul 15 14:34:08 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2323-1 Released: Wed Jul 16 04:07:18 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix 
content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME 'trust bit' for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need to update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert "Extract testcases from ssl gtests for fuzzing" 
* Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA - G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed - updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz 
on 32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. * Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constructed buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/*.options in CI. 
* Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target. Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not be empty on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix) * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS. 
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Follow-up to fix test for presence of file nspr.patch. * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible Use key from openssl (bsc#1081723) - FIPS: exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * configure was updated from 2.69 to 2.71 * various build, test and automation script fixes * major parts of the source code were reformatted The following package changes have been done: - libfreebl3-3.112-150400.3.57.1 updated - libsasl2-3-2.1.28-150600.7.6.2 updated - libsoftokn3-3.112-150400.3.57.1 updated - libxml2-2-2.10.3-150500.5.29.1 updated - mozilla-nss-certs-3.112-150400.3.57.1 updated - mozilla-nss-3.112-150400.3.57.1 updated From sle-container-updates at lists.suse.com Wed Jul 16 07:21:57 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 09:21:57 +0200 (CEST) Subject: SUSE-CU-2025:5315-1: Security update of suse/mariadb Message-ID: <20250716072157.4F9D7F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/mariadb ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5315-1 Container Tags : suse/mariadb:10.11 , suse/mariadb:10.11.11 , suse/mariadb:10.11.11-68.18 Container Release : 68.18 Severity : important Type : security References : 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/mariadb was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2314-1 Released: Tue Jul 15 14:34:08 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. 
(bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) The following package changes have been done: - libxml2-2-2.10.3-150500.5.29.1 updated - container:suse-sle15-15.6-8eeeceaa5112b1ed4a1366daca1c5c30b0fb89b0ea28b2a90b41e1aa01aeef21-0 updated - container:registry.suse.com-bci-bci-micro-15.6-9d07d1df486b233daea750f258d1e2674468ae6260c5a168546bc421f8045708-0 updated From sle-container-updates at lists.suse.com Wed Jul 16 07:24:43 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 09:24:43 +0200 (CEST) Subject: SUSE-CU-2025:5316-1: Recommended update of bci/bci-sle15-kernel-module-devel Message-ID: <20250716072443.CEFB8F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5316-1 Container Tags : bci/bci-sle15-kernel-module-devel:15.6 , bci/bci-sle15-kernel-module-devel:15.6.44.21 Container Release : 44.21 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container bci/bci-sle15-kernel-module-devel was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:registry.suse.com-bci-bci-base-15.6-8eeeceaa5112b1ed4a1366daca1c5c30b0fb89b0ea28b2a90b41e1aa01aeef21-0 updated From sle-container-updates at lists.suse.com Wed Jul 16 07:24:44 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 09:24:44 +0200 (CEST) Subject: SUSE-CU-2025:5317-1: Security update of bci/bci-sle15-kernel-module-devel Message-ID: <20250716072444.CEA3EF78C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5317-1 Container Tags : bci/bci-sle15-kernel-module-devel:15.6 , bci/bci-sle15-kernel-module-devel:15.6.44.23 Container Release : 44.23 Severity : important Type : security References : 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container bci/bci-sle15-kernel-module-devel was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2314-1 Released: Tue Jul 15 14:34:08 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) The following package changes have been done: - libxml2-2-2.10.3-150500.5.29.1 updated - container:registry.suse.com-bci-bci-base-15.6-f74bb08cb3cd67848838c173455a95de3e95dff460de317fd4bee839a5e05618-0 updated From sle-container-updates at lists.suse.com Wed Jul 16 07:24:47 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 09:24:47 +0200 (CEST) Subject: SUSE-CU-2025:5318-1: Recommended update of bci/bci-sle15-kernel-module-devel Message-ID: <20250716072447.58BD9F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5318-1 Container Tags : bci/bci-sle15-kernel-module-devel:15.6 , bci/bci-sle15-kernel-module-devel:15.6.44.24 Container Release : 44.24 Severity : moderate Type : recommended References : 1081723 1224113 ----------------------------------------------------------------- The container bci/bci-sle15-kernel-module-devel was 
updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2323-1 Released: Wed Jul 16 04:07:18 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME 'trust bit' 
for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need up update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert ???Extract testcases from ssl gtests for fuzzing??? * Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA ??? 
G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed - updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz on 32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. 
* Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constructed buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI. * Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target. 
Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not empty be on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS. 
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Follow-up to fix test for presence of file nspr.patch. * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible Use key from openssl (bsc#1081723) - FIPS: exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * configure was updated from 2.69 to 2.71 * various build, test and automation script fixes * major parts of the source code were reformatted The following package changes have been done: - libfreebl3-3.112-150400.3.57.1 updated - mozilla-nss-certs-3.112-150400.3.57.1 updated - mozilla-nss-3.112-150400.3.57.1 updated - libsoftokn3-3.112-150400.3.57.1 updated - mozilla-nss-tools-3.112-150400.3.57.1 updated From sle-container-updates at lists.suse.com Wed Jul 16 07:25:34 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 09:25:34 +0200 (CEST) Subject: SUSE-CU-2025:5319-1: Security update of suse/sle15 Message-ID: <20250716072534.64E26F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5319-1 Container Tags : bci/bci-base:15.6 , bci/bci-base:15.6.47.23.12 , suse/sle15:15.6 , suse/sle15:15.6.47.23.12 Container Release : 47.23.12 Severity : important Type : security References : 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2314-1 Released: Tue Jul 15 14:34:08 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. 
(bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) The following package changes have been done: - libxml2-2-2.10.3-150500.5.29.1 updated From sle-container-updates at lists.suse.com Wed Jul 16 07:26:39 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 09:26:39 +0200 (CEST) Subject: SUSE-CU-2025:5320-1: Recommended update of bci/spack Message-ID: <20250716072640.00D6AF78C@maintenance.suse.de> SUSE Container Update Advisory: bci/spack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5320-1 Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-11.18 Container Release : 11.18 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container bci/spack was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:registry.suse.com-bci-bci-base-15.6-8eeeceaa5112b1ed4a1366daca1c5c30b0fb89b0ea28b2a90b41e1aa01aeef21-0 updated From sle-container-updates at lists.suse.com Wed Jul 16 07:26:40 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 09:26:40 +0200 (CEST) Subject: SUSE-CU-2025:5321-1: Security update of bci/spack Message-ID: <20250716072640.E72AAFCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/spack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5321-1 Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-11.20 Container Release : 11.20 Severity : important Type : security References : 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container bci/spack was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2314-1 Released: Tue Jul 15 14:34:08 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. 
(bsc#1244590) The following package changes have been done: - libxml2-2-2.10.3-150500.5.29.1 updated - container:registry.suse.com-bci-bci-base-15.6-f74bb08cb3cd67848838c173455a95de3e95dff460de317fd4bee839a5e05618-0 updated From sle-container-updates at lists.suse.com Wed Jul 16 07:26:49 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 09:26:49 +0200 (CEST) Subject: SUSE-CU-2025:5322-1: Recommended update of suse/389-ds Message-ID: <20250716072649.EADB3F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/389-ds ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5322-1 Container Tags : suse/389-ds:2.5 , suse/389-ds:2.5.3 , suse/389-ds:2.5.3-61.22 , suse/389-ds:latest Container Release : 61.22 Severity : moderate Type : recommended References : 1081723 1224113 ----------------------------------------------------------------- The container suse/389-ds was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2323-1 Released: Wed Jul 16 04:07:18 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME "trust bit"
for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need to update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert "Extract testcases from ssl gtests for fuzzing" * Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA -
G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed - updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz on 32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. 
* Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constructed buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI. * Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target. 
Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not empty be on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS. 
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Follow-up to fix test for presence of file nspr.patch. * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible Use key from openssl (bsc#1081723) - FIPS: exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * configure was updated from 2.69 to 2.71 * various build, test and automation script fixes * major parts of the source code were reformatted The following package changes have been done: - libfreebl3-3.112-150400.3.57.1 updated - mozilla-nss-certs-3.112-150400.3.57.1 updated - mozilla-nss-3.112-150400.3.57.1 updated - libsoftokn3-3.112-150400.3.57.1 updated - mozilla-nss-tools-3.112-150400.3.57.1 updated From sle-container-updates at lists.suse.com Wed Jul 16 07:27:38 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 09:27:38 +0200 (CEST) Subject: SUSE-CU-2025:5330-1: Recommended update of bci/gcc Message-ID: <20250716072738.B5DEBF78C@maintenance.suse.de> SUSE Container Update Advisory: bci/gcc ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5330-1 Container Tags : bci/gcc:14 , bci/gcc:14.2 , bci/gcc:14.2-10.20 , bci/gcc:latest Container Release : 10.20 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container bci/gcc was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:registry.suse.com-bci-bci-base-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Wed Jul 16 07:27:46 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 09:27:46 +0200 (CEST) Subject: SUSE-CU-2025:5331-1: Recommended update of bci/golang Message-ID: <20250716072746.5F3C0F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5331-1 Container Tags : bci/golang:1.23 , bci/golang:1.23.11 , bci/golang:1.23.11-2.71.21 , bci/golang:oldstable , bci/golang:oldstable-2.71.21 Container Release : 71.21 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:registry.suse.com-bci-bci-base-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Wed Jul 16 08:25:30 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 10:25:30 +0200 (CEST) Subject: SUSE-IU-2025:1953-1: Recommended update of suse/sle-micro/base-5.5 Message-ID: <20250716082531.012CBF78C@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/base-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1953-1 Image Tags : suse/sle-micro/base-5.5:2.0.4 , suse/sle-micro/base-5.5:2.0.4-5.8.186 , suse/sle-micro/base-5.5:latest Image Release : 5.8.186 Severity : moderate Type : recommended References : 1081723 1224113 ----------------------------------------------------------------- The container suse/sle-micro/base-5.5 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2323-1 Released: Wed Jul 16 04:07:18 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME "trust bit"
for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need to update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert "Extract testcases from ssl gtests for fuzzing" * Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA -
G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed - updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz on 32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. 
* Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constucted buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI. * Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target. 
Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not empty be on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS. 
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Follow-up to fix test for presence of file nspr.patch. * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible Use key from openssl (bsc#1081723) - FIPS: exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * configure was updated from 2.69 to 2.71 * various build, test and automation script fixes * major parts of the source code were reformatted The following package changes have been done: - libfreebl3-3.112-150400.3.57.1 updated - mozilla-nss-certs-3.112-150400.3.57.1 updated - mozilla-nss-3.112-150400.3.57.1 updated - libsoftokn3-3.112-150400.3.57.1 updated From sle-container-updates at lists.suse.com Wed Jul 16 08:26:22 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 10:26:22 +0200 (CEST) Subject: SUSE-IU-2025:1954-1: Recommended update of suse/sle-micro/kvm-5.5 Message-ID: <20250716082622.DB89BF78C@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/kvm-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1954-1 Image Tags : suse/sle-micro/kvm-5.5:2.0.4 , suse/sle-micro/kvm-5.5:2.0.4-3.5.356 , suse/sle-micro/kvm-5.5:latest Image Release : 3.5.356 Severity : moderate Type : recommended References : 1081723 1209998 1209998 1224113 1233499 ----------------------------------------------------------------- The container suse/sle-micro/kvm-5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3577-1 Released: Mon Sep 11 15:04:01 2023 Summary: Recommended update for crypto-policies Type: recommended Severity: low References: 1209998 This update for crypto-policies fixes the following issues: - Update update-crypto-policies(8) man pages and README.SUSE to mention the supported back-end policies. 
(bsc#1209998) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4450-1 Released: Wed Nov 15 10:55:20 2023 Summary: Recommended update for crypto-policies Type: recommended Severity: moderate References: 1209998 This update for crypto-policies fixes the following issues: - Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041) - Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems - Ship the man pages for fips-mode-setup and fips-finish-install - Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:4065-1 Released: Tue Nov 26 11:10:58 2024 Summary: Recommended update for crypto-policies Type: recommended Severity: moderate References: 1233499 This update for crypto-policies ships the missing crypto-policies scripts to SUSE Linux Enterprise Micro, which allows configuration of the policies. 
(bsc#1233499) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2323-1 Released: Wed Jul 16 04:07:18 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME "trust bit"
for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need to update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert "Extract testcases from ssl gtests for fuzzing" * Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA -
G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed - updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz on 32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. 
* Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constucted buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI. * Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target. 
Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not empty be on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS. 
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Follow-up to fix test for presence of file nspr.patch. * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible Use key from openssl (bsc#1081723) - FIPS: exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * configure was updated from 2.69 to 2.71 * various build, test and automation script fixes * major parts of the source code were reformatted The following package changes have been done: - crypto-policies-20210917.c9d86d1-150400.3.8.1 added - libfreebl3-3.112-150400.3.57.1 updated - mozilla-nss-certs-3.112-150400.3.57.1 updated - mozilla-nss-3.112-150400.3.57.1 updated - libsoftokn3-3.112-150400.3.57.1 updated - container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.186 updated From sle-container-updates at lists.suse.com Wed Jul 16 08:27:41 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 10:27:41 +0200 (CEST) Subject: SUSE-IU-2025:1955-1: Recommended update of suse/sle-micro/rt-5.5 Message-ID: <20250716082741.13730F78C@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/rt-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1955-1 Image Tags : suse/sle-micro/rt-5.5:2.0.4 , suse/sle-micro/rt-5.5:2.0.4-4.5.434 , suse/sle-micro/rt-5.5:latest Image Release : 4.5.434 Severity : moderate Type : recommended References : 1081723 1209998 1209998 1224113 1233499 ----------------------------------------------------------------- The container suse/sle-micro/rt-5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3577-1 Released: Mon Sep 11 15:04:01 2023 Summary: Recommended update for crypto-policies Type: recommended Severity: low References: 1209998 This update for crypto-policies fixes the following issues: - Update update-crypto-policies(8) man pages and README.SUSE to mention the supported back-end policies. 
(bsc#1209998) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4450-1 Released: Wed Nov 15 10:55:20 2023 Summary: Recommended update for crypto-policies Type: recommended Severity: moderate References: 1209998 This update for crypto-policies fixes the following issues: - Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041) - Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems - Ship the man pages for fips-mode-setup and fips-finish-install - Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:4065-1 Released: Tue Nov 26 11:10:58 2024 Summary: Recommended update for crypto-policies Type: recommended Severity: moderate References: 1233499 This update for crypto-policies ships the missing crypto-policies scripts to SUSE Linux Enterprise Micro, which allows configuration of the policies. 
(bsc#1233499) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2323-1 Released: Wed Jul 16 04:07:18 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME "trust bit"
for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need to update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert "Extract testcases from ssl gtests for fuzzing" * Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA -
G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed - updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz on 32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. 
* Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constucted buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI. * Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target. 
Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not empty be on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS. 
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Follow-up to fix test for presence of file nspr.patch. * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible Use key from openssl (bsc#1081723) - FIPS: exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * configure was updated from 2.69 to 2.71 * various build, test and automation script fixes * major parts of the source code were reformatted The following package changes have been done: - crypto-policies-20210917.c9d86d1-150400.3.8.1 added - libfreebl3-3.112-150400.3.57.1 updated - mozilla-nss-certs-3.112-150400.3.57.1 updated - mozilla-nss-3.112-150400.3.57.1 updated - libsoftokn3-3.112-150400.3.57.1 updated - container:suse-sle-micro-5.5-latest-2.0.4-5.5.329 updated From sle-container-updates at lists.suse.com Wed Jul 16 08:28:59 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 10:28:59 +0200 (CEST) Subject: SUSE-IU-2025:1956-1: Security update of suse/sle-micro/5.5 Message-ID: <20250716082859.D0EB8F78C@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1956-1 Image Tags : suse/sle-micro/5.5:2.0.4 , suse/sle-micro/5.5:2.0.4-5.5.329 , suse/sle-micro/5.5:latest Image Release : 5.5.329 Severity : important Type : security References : 1081723 1224113 1244554 1244555 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/sle-micro/5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2314-1 Released: Tue Jul 15 14:34:08 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. 
(bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2323-1 Released: Wed Jul 16 04:07:18 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME 'trust bit'
for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need up update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert "Extract testcases from ssl gtests for fuzzing" * Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA -
G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed - updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz on 32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. 
* Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constructed buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI. * Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target. 
Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not empty be on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS. 
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Follow-up to fix test for presence of file nspr.patch. * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible Use key from openssl (bsc#1081723) - FIPS: exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * configure was updated from 2.69 to 2.71 * various build, test and automation script fixes * major parts of the source code were reformatted The following package changes have been done: - libxml2-2-2.10.3-150500.5.29.1 updated - libfreebl3-3.112-150400.3.57.1 updated - mozilla-nss-certs-3.112-150400.3.57.1 updated - mozilla-nss-3.112-150400.3.57.1 updated - libsoftokn3-3.112-150400.3.57.1 updated - container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.186 updated From sle-container-updates at lists.suse.com Wed Jul 16 08:35:29 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 10:35:29 +0200 (CEST) Subject: SUSE-CU-2025:5333-1: Recommended update of suse/sle-micro-rancher/5.4 Message-ID: <20250716083529.342BDFCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro-rancher/5.4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5333-1 Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.20 , suse/sle-micro-rancher/5.4:latest Container Release : 4.5.20 Severity : moderate Type : recommended References : 1081723 1224113 ----------------------------------------------------------------- The container suse/sle-micro-rancher/5.4 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2323-1 Released: Wed Jul 16 04:07:18 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME 'trust bit'
for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need up update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert "Extract testcases from ssl gtests for fuzzing" * Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA -
G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed - updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz on 32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. 
* Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constructed buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI. * Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target. 
Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not empty be on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS. 
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Follow-up to fix test for presence of file nspr.patch. * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible Use key from openssl (bsc#1081723) - FIPS: exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * configure was updated from 2.69 to 2.71 * various build, test and automation script fixes * major parts of the source code were reformatted The following package changes have been done: - libfreebl3-3.112-150400.3.57.1 updated - libsoftokn3-3.112-150400.3.57.1 updated - mozilla-nss-certs-3.112-150400.3.57.1 updated - mozilla-nss-3.112-150400.3.57.1 updated From sle-container-updates at lists.suse.com Wed Jul 16 08:39:40 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 10:39:40 +0200 (CEST) Subject: SUSE-CU-2025:5331-1: Recommended update of bci/golang Message-ID: <20250716083940.87544FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5331-1 Container Tags : bci/golang:1.23 , bci/golang:1.23.11 , bci/golang:1.23.11-2.71.21 , bci/golang:oldstable , bci/golang:oldstable-2.71.21 Container Release : 71.21 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:registry.suse.com-bci-bci-base-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Wed Jul 16 08:39:47 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 10:39:47 +0200 (CEST) Subject: SUSE-CU-2025:5334-1: Recommended update of bci/golang Message-ID: <20250716083947.29B87FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5334-1 Container Tags : bci/golang:1.23-openssl , bci/golang:1.23.2-openssl , bci/golang:1.23.2-openssl-71.20 , bci/golang:oldstable-openssl , bci/golang:oldstable-openssl-71.20 Container Release : 71.20 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:registry.suse.com-bci-bci-base-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Wed Jul 16 08:39:54 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 10:39:54 +0200 (CEST) Subject: SUSE-CU-2025:5335-1: Recommended update of bci/golang Message-ID: <20250716083954.50C4AFCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5335-1 Container Tags : bci/golang:1.24 , bci/golang:1.24.5 , bci/golang:1.24.5-1.71.21 , bci/golang:latest , bci/golang:stable , bci/golang:stable-1.71.21 Container Release : 71.21 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:registry.suse.com-bci-bci-base-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Wed Jul 16 08:40:01 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 10:40:01 +0200 (CEST) Subject: SUSE-CU-2025:5336-1: Recommended update of bci/golang Message-ID: <20250716084001.24AEFFCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5336-1 Container Tags : bci/golang:1.24-openssl , bci/golang:1.24.3-openssl , bci/golang:1.24.3-openssl-71.20 , bci/golang:latest , bci/golang:stable-openssl , bci/golang:stable-openssl-71.20 Container Release : 71.20 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:registry.suse.com-bci-bci-base-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Wed Jul 16 08:40:15 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 10:40:15 +0200 (CEST) Subject: SUSE-CU-2025:5338-1: Recommended update of suse/kiosk/firefox-esr Message-ID: <20250716084015.ECBD1FCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/firefox-esr ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5338-1 Container Tags : suse/kiosk/firefox-esr:128.12 , suse/kiosk/firefox-esr:128.12-62.14 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest Container Release : 62.14 Severity : moderate Type : recommended References : 1081723 1224113 ----------------------------------------------------------------- The container suse/kiosk/firefox-esr was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2323-1 Released: Wed Jul 16 04:07:18 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME 'trust bit'
for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need up update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert ???Extract testcases from ssl gtests for fuzzing??? * Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA ??? 
G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed - updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz on 32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. 
* Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constucted buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI. * Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target. 
Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not empty be on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS. 
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Follow-up to fix test for presence of file nspr.patch. * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible Use key from openssl (bsc#1081723) - FIPS: exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * configure was updated from 2.69 to 2.71 * various build, test and automation script fixes * major parts of the source code were reformatted The following package changes have been done: - libfreebl3-3.112-150400.3.57.1 updated - mozilla-nss-certs-3.112-150400.3.57.1 updated - mozilla-nss-3.112-150400.3.57.1 updated - libsoftokn3-3.112-150400.3.57.1 updated - container:suse-sle15-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Wed Jul 16 08:40:25 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 10:40:25 +0200 (CEST) Subject: SUSE-CU-2025:5339-1: Recommended update of bci/kiwi Message-ID: <20250716084025.C9014FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/kiwi ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5339-1 Container Tags : bci/kiwi:9 , bci/kiwi:9.24 , bci/kiwi:9.24.43 , bci/kiwi:9.24.43-16.30 , bci/kiwi:latest Container Release : 16.30 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container bci/kiwi was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:registry.suse.com-bci-bci-base-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Wed Jul 16 08:40:26 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 10:40:26 +0200 (CEST) Subject: SUSE-CU-2025:5340-1: Recommended update of bci/kiwi Message-ID: <20250716084026.B952CFCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/kiwi ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5340-1 Container Tags : bci/kiwi:9 , bci/kiwi:9.24 , bci/kiwi:9.24.43 , bci/kiwi:9.24.43-16.31 , bci/kiwi:latest Container Release : 16.31 Severity : moderate Type : recommended References : 1081723 1224113 ----------------------------------------------------------------- The container bci/kiwi was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2323-1 Released: Wed Jul 16 04:07:18 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault 
tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME 'trust bit' for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need up update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert "Extract testcases from ssl gtests for fuzzing"
* Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA - G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed - updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz
on 32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. * Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constucted buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI. 
* Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target. Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not empty be on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS. 
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Follow-up to fix test for presence of file nspr.patch. * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible Use key from openssl (bsc#1081723) - FIPS: exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * configure was updated from 2.69 to 2.71 * various build, test and automation script fixes * major parts of the source code were reformatted The following package changes have been done: - libfreebl3-3.112-150400.3.57.1 updated - mozilla-nss-certs-3.112-150400.3.57.1 updated - mozilla-nss-3.112-150400.3.57.1 updated - libsoftokn3-3.112-150400.3.57.1 updated From sle-container-updates at lists.suse.com Wed Jul 16 08:40:32 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 10:40:32 +0200 (CEST) Subject: SUSE-CU-2025:5341-1: Recommended update of bci/nodejs Message-ID: <20250716084032.C1B49FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/nodejs ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5341-1 Container Tags : bci/node:22 , bci/node:22.15.1 , bci/node:22.15.1-9.20 , bci/node:latest , bci/nodejs:22 , bci/nodejs:22.15.1 , bci/nodejs:22.15.1-9.20 , bci/nodejs:latest Container Release : 9.20 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container bci/nodejs was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:registry.suse.com-bci-bci-base-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Wed Jul 16 08:40:39 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 10:40:39 +0200 (CEST) Subject: SUSE-CU-2025:5343-1: Recommended update of bci/openjdk-devel Message-ID: <20250716084039.9217AFCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5343-1 Container Tags : bci/openjdk-devel:17 , bci/openjdk-devel:17.0.15.0 , bci/openjdk-devel:17.0.15.0-7.29 Container Release : 7.29 Severity : moderate Type : recommended References : 1081723 1224113 ----------------------------------------------------------------- The container bci/openjdk-devel was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2323-1 Released: Wed Jul 16 04:07:18 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME 'trust bit'
for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need up update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert "Extract testcases from ssl gtests for fuzzing" * Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA -
G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed - updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz on 32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. 
* Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constucted buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI. * Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target. 
Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not empty be on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS. 
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Follow-up to fix test for presence of file nspr.patch. * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible Use key from openssl (bsc#1081723) - FIPS: exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * configure was updated from 2.69 to 2.71 * various build, test and automation script fixes * major parts of the source code were reformatted The following package changes have been done: - libfreebl3-3.112-150400.3.57.1 updated - mozilla-nss-certs-3.112-150400.3.57.1 updated - mozilla-nss-3.112-150400.3.57.1 updated - libsoftokn3-3.112-150400.3.57.1 updated - container:bci-openjdk-17-15.7.17-7.28 updated From sle-container-updates at lists.suse.com Wed Jul 16 08:40:47 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 10:40:47 +0200 (CEST) Subject: SUSE-CU-2025:5345-1: Recommended update of bci/openjdk-devel Message-ID: <20250716084047.4C4FAFCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5345-1 Container Tags : bci/openjdk-devel:21 , bci/openjdk-devel:21.0.7.0 , bci/openjdk-devel:21.0.7.0-10.28 , bci/openjdk-devel:latest Container Release : 10.28 Severity : moderate Type : recommended References : 1081723 1224113 ----------------------------------------------------------------- The container bci/openjdk-devel was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2323-1 Released: Wed Jul 16 04:07:18 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME "trust bit"
for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need to update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert "Extract testcases from ssl gtests for fuzzing" * Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA -
G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed - updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz on 32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. 
* Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constructed buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI. * Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target.
Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not be empty on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix) * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS.
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Follow-up to fix test for presence of file nspr.patch. * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible Use key from openssl (bsc#1081723) - FIPS: exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * configure was updated from 2.69 to 2.71 * various build, test and automation script fixes * major parts of the source code were reformatted The following package changes have been done: - libfreebl3-3.112-150400.3.57.1 updated - mozilla-nss-certs-3.112-150400.3.57.1 updated - mozilla-nss-3.112-150400.3.57.1 updated - libsoftokn3-3.112-150400.3.57.1 updated - container:bci-openjdk-21-15.7.21-10.27 updated From sle-container-updates at lists.suse.com Wed Jul 16 08:40:53 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 10:40:53 +0200 (CEST) Subject: SUSE-CU-2025:5346-1: Recommended update of bci/openjdk Message-ID: <20250716084053.C1F4AFCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5346-1 Container Tags : bci/openjdk:21 , bci/openjdk:21.0.7.0 , bci/openjdk:21.0.7.0-10.26 , bci/openjdk:latest Container Release : 10.26 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container bci/openjdk was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:registry.suse.com-bci-bci-base-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Wed Jul 16 08:41:08 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 10:41:08 +0200 (CEST) Subject: SUSE-CU-2025:5348-1: Recommended update of bci/php-apache Message-ID: <20250716084108.9810BFCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/php-apache ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5348-1 Container Tags : bci/php-apache:8 , bci/php-apache:8.3.19 , bci/php-apache:8.3.19-11.3 , bci/php-apache:latest Container Release : 11.3 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container bci/php-apache was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:registry.suse.com-bci-bci-base-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Wed Jul 16 08:41:14 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 10:41:14 +0200 (CEST) Subject: SUSE-CU-2025:5349-1: Recommended update of bci/php-fpm Message-ID: <20250716084114.54C11FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/php-fpm ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5349-1 Container Tags : bci/php-fpm:8 , bci/php-fpm:8.3.19 , bci/php-fpm:8.3.19-11.3 , bci/php-fpm:latest Container Release : 11.3 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container bci/php-fpm was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:registry.suse.com-bci-bci-base-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Wed Jul 16 08:41:20 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 10:41:20 +0200 (CEST) Subject: SUSE-CU-2025:5350-1: Recommended update of bci/php Message-ID: <20250716084120.33B87FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/php ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5350-1 Container Tags : bci/php:8 , bci/php:8.3.19 , bci/php:8.3.19-11.3 , bci/php:latest Container Release : 11.3 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container bci/php was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:registry.suse.com-bci-bci-base-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Wed Jul 16 08:41:32 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 10:41:32 +0200 (CEST) Subject: SUSE-CU-2025:5352-1: Recommended update of bci/python Message-ID: <20250716084132.CDDE8FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5352-1 Container Tags : bci/python:3 , bci/python:3.11 , bci/python:3.11.13 , bci/python:3.11.13-72.3 Container Release : 72.3 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container bci/python was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:registry.suse.com-bci-bci-base-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Wed Jul 16 08:41:40 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 10:41:40 +0200 (CEST) Subject: SUSE-CU-2025:5353-1: Recommended update of bci/python Message-ID: <20250716084140.9807CFCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5353-1 Container Tags : bci/python:3.13 , bci/python:3.13.5 , bci/python:3.13.5-73.2 , bci/python:latest Container Release : 73.2 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container bci/python was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:registry.suse.com-bci-bci-base-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Wed Jul 16 09:05:52 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 11:05:52 +0200 (CEST) Subject: SUSE-CU-2025:5353-1: Recommended update of bci/python Message-ID: <20250716090552.6ED4BFCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5353-1 Container Tags : bci/python:3.13 , bci/python:3.13.5 , bci/python:3.13.5-73.2 , bci/python:latest Container Release : 73.2 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container bci/python was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:registry.suse.com-bci-bci-base-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Wed Jul 16 09:05:59 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 11:05:59 +0200 (CEST) Subject: SUSE-CU-2025:5354-1: Recommended update of bci/python Message-ID: <20250716090559.E0CC8FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5354-1 Container Tags : bci/python:3 , bci/python:3.6 , bci/python:3.6.15 , bci/python:3.6.15-72.3 Container Release : 72.3 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container bci/python was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:registry.suse.com-bci-bci-base-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Wed Jul 16 09:06:07 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 11:06:07 +0200 (CEST) Subject: SUSE-CU-2025:5355-1: Recommended update of bci/ruby Message-ID: <20250716090607.746AFFCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/ruby ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5355-1 Container Tags : bci/ruby:2 , bci/ruby:2.5 , bci/ruby:2.5-12.3 Container Release : 12.3 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container bci/ruby was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:registry.suse.com-bci-bci-base-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Wed Jul 16 09:06:14 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 11:06:14 +0200 (CEST) Subject: SUSE-CU-2025:5356-1: Recommended update of bci/ruby Message-ID: <20250716090614.DFC10FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/ruby ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5356-1 Container Tags : bci/ruby:3 , bci/ruby:3.4 , bci/ruby:3.4-11.3 , bci/ruby:latest Container Release : 11.3 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container bci/ruby was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:registry.suse.com-bci-bci-base-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Wed Jul 16 09:06:20 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 11:06:20 +0200 (CEST) Subject: SUSE-CU-2025:5357-1: Recommended update of bci/rust Message-ID: <20250716090620.91590FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/rust ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5357-1 Container Tags : bci/rust:1.86 , bci/rust:1.86.0 , bci/rust:1.86.0-2.3.3 , bci/rust:oldstable , bci/rust:oldstable-2.3.3 Container Release : 3.3 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container bci/rust was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:registry.suse.com-bci-bci-base-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Wed Jul 16 09:06:27 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 11:06:27 +0200 (CEST) Subject: SUSE-CU-2025:5358-1: Recommended update of bci/rust Message-ID: <20250716090627.2A4A8FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/rust ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5358-1 Container Tags : bci/rust:1.87 , bci/rust:1.87.0 , bci/rust:1.87.0-1.4.3 , bci/rust:latest , bci/rust:stable , bci/rust:stable-1.4.3 Container Release : 4.3 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container bci/rust was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:registry.suse.com-bci-bci-base-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Wed Jul 16 09:06:37 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 11:06:37 +0200 (CEST) Subject: SUSE-CU-2025:5360-1: Recommended update of bci/bci-sle15-kernel-module-devel Message-ID: <20250716090637.B82B7FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5360-1 Container Tags : bci/bci-sle15-kernel-module-devel:15.7 , bci/bci-sle15-kernel-module-devel:15.7-41.24 , bci/bci-sle15-kernel-module-devel:latest Container Release : 41.24 Severity : moderate Type : recommended References : 1081723 1224113 ----------------------------------------------------------------- The container bci/bci-sle15-kernel-module-devel was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2323-1 Released: Wed Jul 16 04:07:18 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME "trust bit"
for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need to update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert "Extract testcases from ssl gtests for fuzzing" * Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA -
G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed - updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz on 32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. 
* Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constructed buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI. * Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target.
Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not empty be on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS. 
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Follow-up to fix test for presence of file nspr.patch. * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible Use key from openssl (bsc#1081723) - FIPS: exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * configure was updated from 2.69 to 2.71 * various build, test and automation script fixes * major parts of the source code were reformatted The following package changes have been done: - libfreebl3-3.112-150400.3.57.1 updated - mozilla-nss-certs-3.112-150400.3.57.1 updated - mozilla-nss-3.112-150400.3.57.1 updated - libsoftokn3-3.112-150400.3.57.1 updated - mozilla-nss-tools-3.112-150400.3.57.1 updated From sle-container-updates at lists.suse.com Wed Jul 16 09:06:47 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 11:06:47 +0200 (CEST) Subject: SUSE-CU-2025:5361-1: Recommended update of bci/spack Message-ID: <20250716090647.A39C9FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/spack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5361-1 Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-14.3 , bci/spack:latest Container Release : 14.3 Severity : moderate Type : recommended References : 1229655 ----------------------------------------------------------------- The container bci/spack was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
The following package changes have been done: - libsasl2-3-2.1.28-150600.7.6.2 updated - container:registry.suse.com-bci-bci-base-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Wed Jul 16 11:49:39 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 13:49:39 +0200 (CEST) Subject: SUSE-IU-2025:1963-1: Recommended update of suse/sl-micro/6.0/baremetal-os-container Message-ID: <20250716114939.621D3FCF8@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/baremetal-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1963-1 Image Tags : suse/sl-micro/6.0/baremetal-os-container:2.1.3 , suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.57 , suse/sl-micro/6.0/baremetal-os-container:latest Image Release : 6.57 Severity : important Type : recommended References : 1239776 ----------------------------------------------------------------- The container suse/sl-micro/6.0/baremetal-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 382 Released: Tue Jul 15 10:04:16 2025 Summary: Recommended update for podman Type: recommended Severity: important References: 1239776 This update for podman fixes the following issues: - Added patch to remove using rw as a default mount option (bsc#1239776) The following package changes have been done: - podman-4.9.5-6.1 updated From sle-container-updates at lists.suse.com Wed Jul 16 11:57:12 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 13:57:12 +0200 (CEST) Subject: SUSE-CU-2025:5362-1: Recommended update of bci/openjdk Message-ID: <20250716115712.D369EFCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5362-1 Container Tags : bci/openjdk:17 , bci/openjdk:17.0.15.0 , bci/openjdk:17.0.15.0-7.28 Container Release : 7.28 Severity : moderate Type : recommended References : 1081723 1224113 ----------------------------------------------------------------- The container bci/openjdk was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2323-1 Released: Wed Jul 16 04:07:18 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME "trust bit"
for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need to update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert "Extract testcases from ssl gtests for fuzzing" * Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA -
G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed - updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz on 32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. 
* Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constructed buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI. * Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target.
Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not empty be on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS. 
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Follow-up to fix test for presence of file nspr.patch. * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible Use key from openssl (bsc#1081723) - FIPS: exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * configure was updated from 2.69 to 2.71 * various build, test and automation script fixes * major parts of the source code were reformatted The following package changes have been done: - libfreebl3-3.112-150400.3.57.1 updated - mozilla-nss-certs-3.112-150400.3.57.1 updated - mozilla-nss-3.112-150400.3.57.1 updated - libsoftokn3-3.112-150400.3.57.1 updated From sle-container-updates at lists.suse.com Wed Jul 16 11:57:20 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 13:57:20 +0200 (CEST) Subject: SUSE-CU-2025:5363-1: Recommended update of bci/openjdk Message-ID: <20250716115720.4185EFCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5363-1 Container Tags : bci/openjdk:21 , bci/openjdk:21.0.7.0 , bci/openjdk:21.0.7.0-10.27 , bci/openjdk:latest Container Release : 10.27 Severity : moderate Type : recommended References : 1081723 1224113 ----------------------------------------------------------------- The container bci/openjdk was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2323-1 Released: Wed Jul 16 04:07:18 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME "trust bit"
for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need to update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert "Extract testcases from ssl gtests for fuzzing" * Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA -
G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed - updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz on 32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. 
* Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constructed buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI. * Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target.
Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not be empty on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix) * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS. 
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Follow-up to fix test for presence of file nspr.patch. * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible Use key from openssl (bsc#1081723) - FIPS: exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * configure was updated from 2.69 to 2.71 * various build, test and automation script fixes * major parts of the source code were reformatted The following package changes have been done: - libfreebl3-3.112-150400.3.57.1 updated - mozilla-nss-certs-3.112-150400.3.57.1 updated - mozilla-nss-3.112-150400.3.57.1 updated - libsoftokn3-3.112-150400.3.57.1 updated From sle-container-updates at lists.suse.com Thu Jul 17 07:05:31 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 17 Jul 2025 09:05:31 +0200 (CEST) Subject: SUSE-IU-2025:1969-1: Recommended update of suse/sle-micro/5.5 Message-ID: <20250717070531.1D942FCF8@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1969-1 Image Tags : suse/sle-micro/5.5:2.0.4 , suse/sle-micro/5.5:2.0.4-5.5.330 , suse/sle-micro/5.5:latest Image Release : 5.5.330 Severity : important Type : recommended References : 1244553 ----------------------------------------------------------------- The container suse/sle-micro/5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2327-1 Released: Wed Jul 16 09:05:37 2025 Summary: Recommended update for sysstat Type: recommended Severity: important References: 1244553 This update for sysstat fixes the following issues: - Find command option -H added in /usr/lib64/sa/sa2. - Automatically enable systemd timers upon installation (bsc#1244553). - Determine whether the current readahead window tuning is appropriate for contemporary hardware(PED#12914). 
The following package changes have been done: - sysstat-12.0.2-150000.3.45.3 updated From sle-container-updates at lists.suse.com Thu Jul 17 07:11:17 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 17 Jul 2025 09:11:17 +0200 (CEST) Subject: SUSE-CU-2025:5365-1: Recommended update of suse/sle-micro-rancher/5.4 Message-ID: <20250717071118.01961FCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro-rancher/5.4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5365-1 Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.21 , suse/sle-micro-rancher/5.4:latest Container Release : 4.5.21 Severity : important Type : recommended References : 1244553 ----------------------------------------------------------------- The container suse/sle-micro-rancher/5.4 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2327-1 Released: Wed Jul 16 09:05:37 2025 Summary: Recommended update for sysstat Type: recommended Severity: important References: 1244553 This update for sysstat fixes the following issues: - Find command option -H added in /usr/lib64/sa/sa2. - Automatically enable systemd timers upon installation (bsc#1244553). - Determine whether the current readahead window tuning is appropriate for contemporary hardware(PED#12914). 
The following package changes have been done: - sysstat-12.0.2-150000.3.45.3 updated From sle-container-updates at lists.suse.com Thu Jul 17 07:14:54 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 17 Jul 2025 09:14:54 +0200 (CEST) Subject: SUSE-CU-2025:5366-1: Security update of suse/rmt-server Message-ID: <20250717071454.73914F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/rmt-server ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5366-1 Container Tags : suse/rmt-server:2 , suse/rmt-server:2.23 , suse/rmt-server:2.23-72.3 , suse/rmt-server:latest Container Release : 72.3 Severity : important Type : security References : 1242893 1242898 1244166 CVE-2025-32441 CVE-2025-46727 ----------------------------------------------------------------- The container suse/rmt-server was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2330-1 Released: Wed Jul 16 13:10:05 2025 Summary: Security update for rmt-server Type: security Severity: important References: 1242893,1242898,1244166,CVE-2025-32441,CVE-2025-46727 This update for rmt-server fixes the following issues: - Update to version 2.23 - CVE-2025-46727: Fixed Unbounded-Parameter DoS in Rack:QueryParser. (bsc#1242893) - CVE-2025-32441: Fixed a bug where simultaneous rack requests can restore a deleted rack session. 
(bsc#1242898) The following package changes have been done: - rmt-server-config-2.23-150700.3.6.1 updated - rmt-server-2.23-150700.3.6.1 updated From sle-container-updates at lists.suse.com Fri Jul 18 07:12:33 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 09:12:33 +0200 (CEST) Subject: SUSE-CU-2025:5379-1: Security update of suse/sle-micro/5.3/toolbox Message-ID: <20250718071233.59BC2F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.3/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5379-1 Container Tags : suse/sle-micro/5.3/toolbox:14.2 , suse/sle-micro/5.3/toolbox:14.2-6.11.155 , suse/sle-micro/5.3/toolbox:latest Container Release : 6.11.155 Severity : important Type : security References : 1244554 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/sle-micro/5.3/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2355-1 Released: Thu Jul 17 15:02:29 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. 
(bsc#1244590) The following package changes have been done: - libxml2-2-2.9.14-150400.5.44.1 updated From sle-container-updates at lists.suse.com Fri Jul 18 07:15:19 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 09:15:19 +0200 (CEST) Subject: SUSE-CU-2025:5380-1: Security update of suse/sle-micro-rancher/5.4 Message-ID: <20250718071519.ED246F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro-rancher/5.4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5380-1 Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.22 , suse/sle-micro-rancher/5.4:latest Container Release : 4.5.22 Severity : important Type : security References : 1244554 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/sle-micro-rancher/5.4 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2355-1 Released: Thu Jul 17 15:02:29 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. 
(bsc#1244590) The following package changes have been done: - libxml2-2-2.9.14-150400.5.44.1 updated From sle-container-updates at lists.suse.com Fri Jul 18 07:17:14 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 09:17:14 +0200 (CEST) Subject: SUSE-CU-2025:5381-1: Security update of suse/sle-micro/5.4/toolbox Message-ID: <20250718071714.5EAF6F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.4/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5381-1 Container Tags : suse/sle-micro/5.4/toolbox:14.2 , suse/sle-micro/5.4/toolbox:14.2-5.19.155 , suse/sle-micro/5.4/toolbox:latest Container Release : 5.19.155 Severity : important Type : security References : 1244554 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/sle-micro/5.4/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2355-1 Released: Thu Jul 17 15:02:29 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. 
(bsc#1244590) The following package changes have been done: - libxml2-2-2.9.14-150400.5.44.1 updated From sle-container-updates at lists.suse.com Fri Jul 18 07:19:06 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 09:19:06 +0200 (CEST) Subject: SUSE-CU-2025:5382-1: Security update of suse/ltss/sle12.5/sles12sp5 Message-ID: <20250718071906.B3DC4FCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle12.5/sles12sp5 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5382-1 Container Tags : suse/ltss/sle12.5/sles12sp5:8.5.108 , suse/ltss/sle12.5/sles12sp5:latest Container Release : 8.5.108 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container suse/ltss/sle12.5/sles12sp5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2353-1 Released: Thu Jul 17 14:35:44 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.25-13.19.1 updated From sle-container-updates at lists.suse.com Fri Jul 18 07:19:43 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 09:19:43 +0200 (CEST) Subject: SUSE-CU-2025:5383-1: Security update of suse/ltss/sle15.3/bci-base-fips Message-ID: <20250718071943.14372FCF8@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle15.3/bci-base-fips ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5383-1 Container Tags : 
suse/ltss/sle15.3/bci-base-fips:15.3 , suse/ltss/sle15.3/bci-base-fips:15.3-9.49 , suse/ltss/sle15.3/bci-base-fips:latest Container Release : 9.49 Severity : moderate Type : security References : 1219321 1221632 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container suse/ltss/sle15.3/bci-base-fips was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2354-1 Released: Thu Jul 17 14:36:03 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1219321,1221632,1243767,CVE-2025-5278 This update for coreutils fixes the following issues: Security fixes: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) Other fixes: - ls: avoid triggering automounts (bsc#1221632) - tail: fix tailing sysfs files where PAGE_SIZE > BUFSIZ (bsc#1219321) The following package changes have been done: - coreutils-8.32-150300.3.11.1 updated - container:sles15-ltss-image-15.3.0-2.105 updated From sle-container-updates at lists.suse.com Fri Jul 18 07:20:43 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 09:20:43 +0200 (CEST) Subject: SUSE-CU-2025:5384-1: Security update of suse/ltss/sle15.3/sle15 Message-ID: <20250718072043.CA4B8FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle15.3/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5384-1 Container Tags : suse/ltss/sle15.3/bci-base:15.3 , suse/ltss/sle15.3/bci-base:15.3.2.105 , suse/ltss/sle15.3/bci-base:latest , suse/ltss/sle15.3/sle15:15.3 , suse/ltss/sle15.3/sle15:15.3.2.105 , suse/ltss/sle15.3/sle15:latest Container Release : 2.105 Severity : moderate Type : security References : 1219321 1221632 1243767 CVE-2025-5278 
----------------------------------------------------------------- The container suse/ltss/sle15.3/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2354-1 Released: Thu Jul 17 14:36:03 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1219321,1221632,1243767,CVE-2025-5278 This update for coreutils fixes the following issues: Security fixes: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) Other fixes: - ls: avoid triggering automounts (bsc#1221632) - tail: fix tailing sysfs files where PAGE_SIZE > BUFSIZ (bsc#1219321) The following package changes have been done: - coreutils-8.32-150300.3.11.1 updated From sle-container-updates at lists.suse.com Fri Jul 18 07:22:28 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 09:22:28 +0200 (CEST) Subject: SUSE-CU-2025:5386-1: Security update of suse/ltss/sle15.4/sle15 Message-ID: <20250718072228.018D9FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle15.4/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5386-1 Container Tags : suse/ltss/sle15.4/bci-base:15.4 , suse/ltss/sle15.4/bci-base:15.4.2.52 , suse/ltss/sle15.4/bci-base:latest , suse/ltss/sle15.4/sle15:15.4 , suse/ltss/sle15.4/sle15:15.4.2.52 , suse/ltss/sle15.4/sle15:latest Container Release : 2.52 Severity : important Type : security References : 1244554 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/ltss/sle15.4/sle15 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2355-1 Released: Thu Jul 17 15:02:29 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) The following package changes have been done: - libxml2-2-2.9.14-150400.5.44.1 updated From sle-container-updates at lists.suse.com Fri Jul 18 07:17:57 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 09:17:57 +0200 (CEST) Subject: SUSE-IU-2025:1970-1: Recommended update of suse/sl-micro/6.1/base-os-container Message-ID: <20250718071757.5DDEBF78C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1970-1 Image Tags : suse/sl-micro/6.1/base-os-container:2.2.1 , suse/sl-micro/6.1/base-os-container:2.2.1-5.10 , suse/sl-micro/6.1/base-os-container:latest Image Release : 5.10 Severity : moderate Type : recommended References : 1245220 1246149 ----------------------------------------------------------------- The container suse/sl-micro/6.1/base-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 185 Released: Thu Jul 17 10:20:03 2025 Summary: Recommended update for libzypp Type: recommended Severity: moderate References: 1245220,1246149 This update for libzypp fixes the following issues: Updated to version 17.37.11: - Add runtime check for a broken rpm-4.18.0 --runpostrans (bsc#1246149) - Add regression test for bsc#1245220 and some other filesize related tests. The following package changes have been done: - libzypp-17.37.11-slfo.1.1_1.1 updated - container:suse-toolbox-image-1.0.0-4.53 updated From sle-container-updates at lists.suse.com Fri Jul 18 07:27:24 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 09:27:24 +0200 (CEST) Subject: SUSE-CU-2025:5387-1: Security update of suse/bind Message-ID: <20250718072724.1DCCDF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/bind ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5387-1 Container Tags : suse/bind:9 , suse/bind:9.20 , suse/bind:9.20.11 , suse/bind:9.20.11-63.3 , suse/bind:latest Container Release : 63.3 Severity : important Type : security References : 1246548 CVE-2025-40777 ----------------------------------------------------------------- The container suse/bind was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2349-1 Released: Thu Jul 17 13:47:16 2025 Summary: Security update for bind Type: security Severity: important References: 1246548,CVE-2025-40777 This update for bind fixes the following issues: - Upgrade to release 9.20.11 - CVE-2025-40777: Fixed a possible assertion failure when stale-answer-client-timeout is set to 0. 
(bsc#1246548) The following package changes have been done: - bind-utils-9.20.11-150700.3.6.1 updated - bind-9.20.11-150700.3.6.1 updated - container:suse-sle15-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated - libgcrypt20-1.11.0-150700.3.5 removed - libgpg-error0-1.50-150700.1.8 removed - liblz4-1-1.9.4-150600.1.4 removed - libsystemd0-254.25-150600.4.40.1 removed - libzstd1-1.5.7-150700.1.2 removed From sle-container-updates at lists.suse.com Fri Jul 18 07:27:28 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 09:27:28 +0200 (CEST) Subject: SUSE-CU-2025:5388-1: Recommended update of suse/samba-client Message-ID: <20250718072728.549BEF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/samba-client ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5388-1 Container Tags : suse/samba-client:4.21 , suse/samba-client:4.21 , suse/samba-client:4.21-62.17 , suse/samba-client:latest Container Release : 62.17 Severity : moderate Type : recommended References : 1246431 ----------------------------------------------------------------- The container suse/samba-client was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2343-1 Released: Thu Jul 17 13:07:58 2025 Summary: Recommended update for samba Type: recommended Severity: moderate References: 1246431 This update for samba fixes the following issues: - Windows security hardening locks out schannel'ed netlogon dc calls like netr_DsRGetDCName (bsc#1246431); - Trust domains are not created; - Startup messages of rpc daemons fill /var/log/messages; The following package changes have been done: - libldb2-4.21.6+git.493.f39e13aba14-150700.3.6.1 updated - samba-client-libs-4.21.6+git.493.f39e13aba14-150700.3.6.1 updated - samba-client-4.21.6+git.493.f39e13aba14-150700.3.6.1 updated - container:suse-sle15-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Fri Jul 18 07:27:33 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 09:27:33 +0200 (CEST) Subject: SUSE-CU-2025:5389-1: Recommended update of suse/samba-server Message-ID: <20250718072733.32C92F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/samba-server ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5389-1 Container Tags : suse/samba-server:4.21 , suse/samba-server:4.21 , suse/samba-server:4.21-62.17 , suse/samba-server:latest Container Release : 62.17 Severity : moderate Type : recommended References : 1246431 ----------------------------------------------------------------- The container suse/samba-server was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2343-1 Released: Thu Jul 17 13:07:58 2025 Summary: Recommended update for samba Type: recommended Severity: moderate References: 1246431 This update for samba fixes the following issues: - Windows security hardening locks out schannel'ed netlogon dc calls like netr_DsRGetDCName (bsc#1246431); - Trust domains are not created; - Startup messages of rpc daemons fill /var/log/messages; The following package changes have been done: - libldb2-4.21.6+git.493.f39e13aba14-150700.3.6.1 updated - samba-client-libs-4.21.6+git.493.f39e13aba14-150700.3.6.1 updated - samba-libs-4.21.6+git.493.f39e13aba14-150700.3.6.1 updated - samba-client-4.21.6+git.493.f39e13aba14-150700.3.6.1 updated - samba-dcerpc-4.21.6+git.493.f39e13aba14-150700.3.6.1 updated - samba-4.21.6+git.493.f39e13aba14-150700.3.6.1 updated - container:suse-sle15-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Fri Jul 18 07:27:38 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 09:27:38 +0200 (CEST) Subject: SUSE-CU-2025:5390-1: Recommended update of suse/samba-toolbox Message-ID: <20250718072738.0A00FF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/samba-toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5390-1 Container Tags : suse/samba-toolbox:4.21 , suse/samba-toolbox:4.21 , suse/samba-toolbox:4.21-62.17 , suse/samba-toolbox:latest Container Release : 62.17 Severity : moderate Type : recommended References : 1246431 ----------------------------------------------------------------- The container suse/samba-toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2343-1 Released: Thu Jul 17 13:07:58 2025 Summary: Recommended update for samba Type: recommended Severity: moderate References: 1246431 This update for samba fixes the following issues: - Windows security hardening locks out schannel'ed netlogon dc calls like netr_DsRGetDCName (bsc#1246431); - Trust domains are not created; - Startup messages of rpc daemons fill /var/log/messages; The following package changes have been done: - libldb2-4.21.6+git.493.f39e13aba14-150700.3.6.1 updated - samba-client-libs-4.21.6+git.493.f39e13aba14-150700.3.6.1 updated - samba-client-4.21.6+git.493.f39e13aba14-150700.3.6.1 updated - container:suse-sle15-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Fri Jul 18 07:30:37 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 09:30:37 +0200 (CEST) Subject: SUSE-CU-2025:5398-1: Security update of suse/manager/4.3/proxy-httpd Message-ID: <20250718073037.D9B60F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5398-1 Container Tags : suse/manager/4.3/proxy-httpd:4.3.15 , suse/manager/4.3/proxy-httpd:4.3.15.9.63.43 , suse/manager/4.3/proxy-httpd:latest Container Release : 9.63.43 Severity : important Type : security References : 1244554 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-httpd was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2355-1 Released: Thu Jul 17 15:02:29 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) The following package changes have been done: - python3-libxml2-2.9.14-150400.5.44.1 updated From sle-container-updates at lists.suse.com Fri Jul 18 07:31:55 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 09:31:55 +0200 (CEST) Subject: SUSE-CU-2025:5400-1: Security update of suse/manager/4.3/proxy-salt-broker Message-ID: <20250718073155.04141F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-salt-broker ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5400-1 Container Tags : suse/manager/4.3/proxy-salt-broker:4.3.15 , suse/manager/4.3/proxy-salt-broker:4.3.15.9.53.54 , suse/manager/4.3/proxy-salt-broker:latest Container Release : 9.53.54 Severity : important Type : security References : 1244554 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-salt-broker was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2355-1 Released: Thu Jul 17 15:02:29 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) The following package changes have been done: - libxml2-2-2.9.14-150400.5.44.1 updated - container:sles15-ltss-image-15.4.0-2.52 updated From sle-container-updates at lists.suse.com Fri Jul 18 07:33:04 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 09:33:04 +0200 (CEST) Subject: SUSE-CU-2025:5401-1: Security update of suse/manager/4.3/proxy-squid Message-ID: <20250718073304.1E01AF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-squid ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5401-1 Container Tags : suse/manager/4.3/proxy-squid:4.3.15 , suse/manager/4.3/proxy-squid:4.3.15.9.62.31 , suse/manager/4.3/proxy-squid:latest Container Release : 9.62.31 Severity : important Type : security References : 1244554 1244557 1244590 1244700 CVE-2025-49794 CVE-2025-49796 CVE-2025-6021 CVE-2025-6170 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-squid was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2355-1 Released: Thu Jul 17 15:02:29 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590) The following package changes have been done: - libxml2-2-2.9.14-150400.5.44.1 updated - container:sles15-ltss-image-15.4.0-2.52 updated From sle-container-updates at lists.suse.com Fri Jul 18 07:37:28 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 09:37:28 +0200 (CEST) Subject: SUSE-CU-2025:5404-1: Security update of suse/sle-micro/5.1/toolbox Message-ID: <20250718073728.41E37F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.1/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5404-1 Container Tags : suse/sle-micro/5.1/toolbox:14.2 , suse/sle-micro/5.1/toolbox:14.2-3.13.149 , suse/sle-micro/5.1/toolbox:latest Container Release : 3.13.149 Severity : moderate Type : security References : 1219321 1221632 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container suse/sle-micro/5.1/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2354-1 Released: Thu Jul 17 14:36:03 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1219321,1221632,1243767,CVE-2025-5278 This update for coreutils fixes the following issues: Security fixes: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) Other fixes: - ls: avoid triggering automounts (bsc#1221632) - tail: fix tailing sysfs files where PAGE_SIZE > BUFSIZ (bsc#1219321) The following package changes have been done: - coreutils-8.32-150300.3.11.1 updated From sle-container-updates at lists.suse.com Fri Jul 18 07:43:35 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 09:43:35 +0200 (CEST) Subject: SUSE-CU-2025:5406-1: Security update of suse/sle-micro/5.2/toolbox Message-ID: <20250718074335.2453AF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5406-1 Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.151 , suse/sle-micro/5.2/toolbox:latest Container Release : 7.11.151 Severity : moderate Type : security References : 1219321 1221632 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container suse/sle-micro/5.2/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2354-1 Released: Thu Jul 17 14:36:03 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1219321,1221632,1243767,CVE-2025-5278 This update for coreutils fixes the following issues: Security fixes: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) Other fixes: - ls: avoid triggering automounts (bsc#1221632) - tail: fix tailing sysfs files where PAGE_SIZE > BUFSIZ (bsc#1219321) The following package changes have been done: - coreutils-8.32-150300.3.11.1 updated From sle-container-updates at lists.suse.com Fri Jul 18 12:59:18 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 14:59:18 +0200 (CEST) Subject: SUSE-CU-2025:5408-1: Security update of bci/python Message-ID: <20250718125918.29145F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5408-1 Container Tags : bci/python:3 , bci/python:3.12 , bci/python:3.12.11 , bci/python:3.12.11-70.4 Container Release : 70.4 Severity : moderate Type : security References : 1244705 CVE-2025-6069 ----------------------------------------------------------------- The container bci/python was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2359-1 Released: Fri Jul 18 09:15:43 2025 Summary: Security update for python312 Type: security Severity: moderate References: 1244705,CVE-2025-6069 This update for python312 fixes the following issues: - CVE-2025-6069: Avoid worst case quadratic complexity when processing certain crafted malformed inputs with HTMLParser (bsc#1244705). 
The following package changes have been done: - libpython3_12-1_0-3.12.11-150600.3.33.1 updated - python312-base-3.12.11-150600.3.33.1 updated - python312-3.12.11-150600.3.33.1 updated - python312-devel-3.12.11-150600.3.33.1 updated From sle-container-updates at lists.suse.com Fri Jul 18 16:15:38 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 18:15:38 +0200 (CEST) Subject: SUSE-IU-2025:1972-1: Security update of suse/sl-micro/6.0/rt-os-container Message-ID: <20250718161538.7BD1DF78C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/rt-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1972-1 Image Tags : suse/sl-micro/6.0/rt-os-container:2.1.3 , suse/sl-micro/6.0/rt-os-container:2.1.3-7.60 , suse/sl-micro/6.0/rt-os-container:latest Image Release : 7.60 Severity : important Type : security References : 1210025 1211226 1215199 1218184 1223008 1235490 1236208 1237312 1237913 1238859 1238982 1240577 1240610 1240686 1240814 1241166 1241278 1241414 1241544 1241572 1241592 1242504 1242515 1242521 1242556 1242725 1242907 1243051 1243060 1243342 1243467 1243480 1243506 1243523 1243538 1243544 1243551 1243620 1243698 1243774 1243823 1243827 1243832 1243847 1244100 1244145 1244172 1244176 1244229 1244234 1244241 1244274 1244275 1244277 1244309 1244313 1244337 1244626 1244725 1244727 1244729 1244731 1244732 1244736 1244737 1244738 1244739 1244743 1244746 1244759 1244789 1244862 1244906 1244938 1244995 1244996 1244999 1245001 1245003 1245004 1245025 1245042 1245046 1245078 1245081 1245082 1245083 1245155 1245183 1245193 1245210 1245217 1245225 1245226 1245228 1245431 1245455 CVE-2024-26831 CVE-2024-56613 CVE-2024-56699 CVE-2024-57982 CVE-2024-58053 CVE-2025-21658 CVE-2025-21720 CVE-2025-21898 CVE-2025-21899 CVE-2025-21920 CVE-2025-21959 CVE-2025-22035 CVE-2025-22083 CVE-2025-22111 CVE-2025-22120 CVE-2025-37756 CVE-2025-37757 
CVE-2025-37786 CVE-2025-37811 CVE-2025-37859 CVE-2025-37884 CVE-2025-37909 CVE-2025-37921 CVE-2025-37923 CVE-2025-37927 CVE-2025-37938 CVE-2025-37945 CVE-2025-37946 CVE-2025-37961 CVE-2025-37973 CVE-2025-37992 CVE-2025-37994 CVE-2025-37995 CVE-2025-37997 CVE-2025-38000 CVE-2025-38001 CVE-2025-38003 CVE-2025-38004 CVE-2025-38005 CVE-2025-38007 CVE-2025-38009 CVE-2025-38010 CVE-2025-38011 CVE-2025-38013 CVE-2025-38014 CVE-2025-38015 CVE-2025-38018 CVE-2025-38020 CVE-2025-38022 CVE-2025-38023 CVE-2025-38024 CVE-2025-38027 CVE-2025-38031 CVE-2025-38040 CVE-2025-38043 CVE-2025-38044 CVE-2025-38045 CVE-2025-38053 CVE-2025-38057 CVE-2025-38059 CVE-2025-38060 CVE-2025-38065 CVE-2025-38068 CVE-2025-38072 CVE-2025-38077 CVE-2025-38078 CVE-2025-38079 CVE-2025-38080 CVE-2025-38081 CVE-2025-38083 ----------------------------------------------------------------- The container suse/sl-micro/6.0/rt-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: kernel-52 Released: Fri Jul 18 14:21:16 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: 
1210025,1211226,1215199,1218184,1223008,1235490,1236208,1237312,1237913,1238859,1238982,1240577,1240610,1240686,1240814,1241166,1241278,1241414,1241544,1241572,1241592,1242504,1242515,1242521,1242556,1242725,1242907,1243051,1243060,1243342,1243467,1243480,1243506,1243523,1243538,1243544,1243551,1243620,1243698,1243774,1243823,1243827,1243832,1243847,1244100,1244145,1244172,1244176,1244229,1244234,1244241,1244274,1244275,1244277,1244309,1244313,1244337,1244626,1244725,1244727,1244729,1244731,1244732,1244736,1244737,1244738,1244739,1244743,1244746,1244759,1244789,1244862,1244906,1244938,1244995,1244996,1244999,1245001,1245003,1245004,1245025,1245042,1245046,1245078,1245081,1245082,1245083,1245155,1245183,1245193,1245210,1245217,1245225,1245226,1245228,1245431,1245455,CVE-2024-26831,CVE-2024-56613,CVE-2024-56699,CVE-2024-57982,CVE-2024-58053,CVE-2025-21658,CVE-2025-21720,CVE-2025-21898,CVE-2025-21899,CVE-2025-21920,CVE-2025-21959,CVE-2025-22035,CVE-2025-22083,CVE-2025-22111 ,CVE-2025-22120,CVE-2025-37756,CVE-2025-37757,CVE-2025-37786,CVE-2025-37811,CVE-2025-37859,CVE-2025-37884,CVE-2025-37909,CVE-2025-37921,CVE-2025-37923,CVE-2025-37927,CVE-2025-37938,CVE-2025-37945,CVE-2025-37946,CVE-2025-37961,CVE-2025-37973,CVE-2025-37992,CVE-2025-37994,CVE-2025-37995,CVE-2025-37997,CVE-2025-38000,CVE-2025-38001,CVE-2025-38003,CVE-2025-38004,CVE-2025-38005,CVE-2025-38007,CVE-2025-38009,CVE-2025-38010,CVE-2025-38011,CVE-2025-38013,CVE-2025-38014,CVE-2025-38015,CVE-2025-38018,CVE-2025-38020,CVE-2025-38022,CVE-2025-38023,CVE-2025-38024,CVE-2025-38027,CVE-2025-38031,CVE-2025-38040,CVE-2025-38043,CVE-2025-38044,CVE-2025-38045,CVE-2025-38053,CVE-2025-38057,CVE-2025-38059,CVE-2025-38060,CVE-2025-38065,CVE-2025-38068,CVE-2025-38072,CVE-2025-38077,CVE-2025-38078,CVE-2025-38079,CVE-2025-38080,CVE-2025-38081,CVE-2025-38083 The SUSE Linux Enterprise Micro 6.0 and 6.1 RT kernel was updated to receive various security bugfixes. 
The following security bugs were fixed: - CVE-2024-57982: xfrm: state: fix out-of-bounds read during lookup (bsc#1237913). - CVE-2024-58053: rxrpc: Fix handling of received connection abort (bsc#1238982). - CVE-2025-21720: xfrm: delete intermediate secpath entry in packet offload mode (bsc#1238859). - CVE-2025-21898: ftrace: Avoid potential division by zero in function_stat_show() (bsc#1240610). - CVE-2025-21899: tracing: Fix bad hist from corrupting named_triggers list (bsc#1240577). - CVE-2025-21920: vlan: enforce underlying device type (bsc#1240686). - CVE-2025-21959: netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() (bsc#1240814). - CVE-2025-22035: tracing: Fix use-after-free in print_graph_function_flags during tracer switching (bsc#1241544). - CVE-2025-22111: kABI fix for net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF (bsc#1241572). - CVE-2025-37756: net: tls: explicitly disallow disconnect (bsc#1242515). - CVE-2025-37757: tipc: fix memory leak in tipc_link_xmit (bsc#1242521). - CVE-2025-37786: net: dsa: free routing table on probe failure (bsc#1242725). - CVE-2025-37811: usb: chipidea: ci_hdrc_imx: fix usbmisc handling (bsc#1242907). - CVE-2025-37859: page_pool: avoid infinite loop to schedule delayed worker (bsc#1243051). - CVE-2025-37884: bpf: Fix deadlock between rcu_tasks_trace and event_mutex (bsc#1243060). - CVE-2025-37909: net: lan743x: Fix memleak issue when GSO enabled (bsc#1243467). - CVE-2025-37921: vxlan: vnifilter: Fix unlocked deletion of default FDB entry (bsc#1243480). - CVE-2025-37923: tracing: Fix oob write in trace_seq_to_buffer() (bsc#1243551). - CVE-2025-37927: iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid (bsc#1243620). - CVE-2025-37938: tracing: Verify event formats that have '%*p..' (bsc#1243544). - CVE-2025-37945: net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY (bsc#1243538). 
- CVE-2025-37961: ipvs: fix uninit-value for saddr in do_output_route4 (bsc#1243523). - CVE-2025-37992: net_sched: Flush gso_skb list too during ->change() (bsc#1243698). - CVE-2025-37995: module: ensure that kobject_put() is safe for module type kobjects (bsc#1243827). - CVE-2025-37997: netfilter: ipset: fix region locking in hash types (bsc#1243832). - CVE-2025-38000: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (bsc#1244277). - CVE-2025-38001: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice (bsc#1244234). - CVE-2025-38011: drm/amdgpu: csa unmap use uninterruptible lock (bsc#1244729). - CVE-2025-38018: net/tls: fix kernel panic when alloc_page failed (bsc#1244999). - CVE-2025-38053: idpf: fix null-ptr-deref in idpf_features_check (bsc#1244746). - CVE-2025-38057: espintcp: fix skb leaks (bsc#1244862). - CVE-2025-38060: bpf: abort verification if env->cur_state->loop_entry != NULL (bsc#1245155). - CVE-2025-38072: libnvdimm/labels: Fix divide error in nd_label_data_init() (bsc#1244743). The following non-security bugs were fixed: - ACPI: CPPC: Fix NULL pointer dereference when nosmp is used (git-fixes). - ACPI: battery: negate current when discharging (stable-fixes). - ACPI: bus: Bail out if acpi_kobj registration fails (stable-fixes). - ACPICA: Avoid sequence overread in call to strncmp() (stable-fixes). - ACPICA: fix acpi operand cache leak in dswstate.c (stable-fixes). - ACPICA: fix acpi parse and parseext cache leaks (stable-fixes). - ACPICA: utilities: Fix overflow check in vsnprintf() (stable-fixes). - ALSA: hda/intel: Add Thinkpad E15 to PM deny list (stable-fixes). - ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X507UAR (git-fixes). - ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X513EA (git-fixes). - ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged (stable-fixes). - ALSA: usb-audio: Accept multiple protocols in GTBs (stable-fixes). 
- ALSA: usb-audio: Add Pioneer DJ DJM-V10 support (stable-fixes). - ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock (stable-fixes). - ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1 (stable-fixes). - ALSA: usb-audio: Add name for HP Engage Go dock (stable-fixes). - ALSA: usb-audio: Check shutdown at endpoint_set_interface() (stable-fixes). - ALSA: usb-audio: Fix NULL pointer deref in snd_usb_power_domain_set() (git-fixes). - ALSA: usb-audio: Fix duplicated name in MIDI substream names (stable-fixes). - ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() (git-fixes). - ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound card (stable-fixes). - ALSA: usb-audio: Rename Pioneer mixer channel controls (git-fixes). - ALSA: usb-audio: Set MIDI1 flag appropriately for GTB MIDI 1.0 entry (stable-fixes). - ALSA: usb-audio: Skip setting clock selector for single connections (stable-fixes). - ALSA: usb-audio: Support multiple control interfaces (stable-fixes). - ALSA: usb-audio: Support read-only clock selector control (stable-fixes). - ALSA: usb-audio: enable support for Presonus Studio 1824c within 1810c file (stable-fixes). - ALSA: usb-audio: mixer: Remove temporary string use in parse_clock_source_unit (stable-fixes). - ASoC: amd: yc: Add quirk for Lenovo Yoga Pro 7 14ASP9 (stable-fixes). - ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change (stable-fixes). - ASoC: tegra210_ahub: Add check to of_device_get_match_data() (stable-fixes). - Bluetooth: Fix NULL pointer dereference on eir_get_service_data (git-fixes). - Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete (git-fixes). - Bluetooth: MGMT: Fix sparse errors (git-fixes). - Bluetooth: MGMT: Remove unused mgmt_pending_find_data (stable-fixes). - Bluetooth: Remove pending ACL connection attempts (stable-fixes). - Bluetooth: hci_conn: Fix UAF Write in __hci_acl_create_connection_sync (git-fixes). 
- Bluetooth: hci_conn: Only do ACL connections sequentially (stable-fixes). - Bluetooth: hci_core: fix list_for_each_entry_rcu usage (git-fixes). - Bluetooth: hci_event: Fix not using key encryption size when its known (git-fixes). - Bluetooth: hci_sync: Fix UAF in hci_acl_create_conn_sync (git-fixes). - Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync (git-fixes). - Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance (git-fixes). - HID: lenovo: Restrict F7/9/11 mode to compact keyboards only (git-fixes). - HID: wacom: fix kobject reference count leak (git-fixes). - HID: wacom: fix memory leak on kobject creation failure (git-fixes). - HID: wacom: fix memory leak on sysfs attribute creation failure (git-fixes). - Input: sparcspkr - avoid unannotated fall-through (stable-fixes). - KVM: s390: rename PROT_NONE to PROT_TYPE_DUMMY (git-fixes bsc#1245225). - NFC: nci: uart: Set tty->disc_data only in success path (git-fixes). - PCI/DPC: Log Error Source ID only when valid (git-fixes). - PCI/DPC: Use defines with DPC reason fields (git-fixes). - PCI/MSI: Size device MSI domain with the maximum number of vectors (git-fixes). - PCI/PM: Set up runtime PM even for devices without PCI PM (git-fixes). - PCI: apple: Set only available ports up (git-fixes). - PCI: dw-rockchip: Remove PCIE_L0S_ENTRY check from rockchip_pcie_link_up() (git-fixes). - PCI: dwc: ep: Correct PBA offset in .set_msix() callback (git-fixes). - PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes). - PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn() (stable-fixes). - RDMA/core: Fix best page size finding when it can cross SG entries (git-fixes) - RDMA/uverbs: Propagate errors from rdma_lookup_get_uobject() (git-fixes) - Revert 'ALSA: usb-audio: Skip setting clock selector for single connections' (stable-fixes). - Revert 'arm64: dts: allwinner: h6: Use RSB for AXP805 PMIC (git-fixes) - Revert 'kABI: ipv6: save dontfrag in cork (git-fixes).' 
- USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB (stable-fixes). - arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs (git-fixes) - ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode (stable-fixes). - ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 (stable-fixes). - ath10k: snoc: fix unbalanced IRQ enable in crash recovery (git-fixes). - bnxt: properly flush XDP redirect lists (git-fixes). - bpf: Force uprobe bpf program to always return 0 (git-fixes). - btrfs: fix fsync of files with no hard links not persisting deletion (git-fixes). - btrfs: fix invalid data space release when truncating block in NOCOW mode (git-fixes). - btrfs: fix qgroup reservation leak on failure to allocate ordered extent (git-fixes). - btrfs: fix wrong start offset for delalloc space release during mmap write (git-fixes). - btrfs: remove end_no_trans label from btrfs_log_inode_parent() (git-fixes). - btrfs: simplify condition for logging new dentries at btrfs_log_inode_parent() (git-fixes). - bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value (stable-fixes). - calipso: Fix null-ptr-deref in calipso_req_{set,del}attr() (git-fixes). - can: tcan4x5x: fix power regulator retrieval during probe (git-fixes). - ceph: Fix incorrect flush end position calculation (git-fixes). - ceph: allocate sparse_ext map only for sparse reads (git-fixes). - ceph: fix memory leaks in __ceph_sync_read() (git-fixes). - cgroup/cpuset: Fix race between newly created partition and dying one (bsc#1241166). - clocksource: Fix brown-bag boolean thinko in (git-fixes) - clocksource: Make watchdog and suspend-timing multiplication (git-fixes) - devlink: Fix referring to hw_addr attribute during state validation (git-fixes). - devlink: fix port dump cmd type (git-fixes). - drivers/rapidio/rio_cm.c: prevent possible heap overwrite (stable-fixes). - drm/amdgpu: switch job hw_fence to amdgpu_fence (git-fixes). 
- drm/etnaviv: Protect the scheduler's pending list with its lock (git-fixes). - drm/i915/pmu: Fix build error with GCOV and AutoFDO enabled (git-fixes). - drm/i915: fix build error some more (git-fixes). - drm/msm/disp: Correct porch timing for SDM845 (git-fixes). - drm/msm/dsi/dsi_phy_10nm: Fix missing initial VCO rate (git-fixes). - drm/nouveau/bl: increase buffer size to avoid truncate warning (git-fixes). - drm/ssd130x: fix ssd132x_clear_screen() columns (git-fixes). - e1000e: set fixed clock frequency indication for Nahum 11 and Nahum 13 (git-fixes). - fbcon: Make sure modelist not set on unregistered console (stable-fixes). - fgraph: Still initialize idle shadow stacks when starting (git-fixes). - firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES (git-fixes). - gpio: mlxbf3: only get IRQ for device instance 0 (git-fixes). - gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt (git-fixes). - gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO (git-fixes). - hwmon: (ftsteutates) Fix TOCTOU race in fts_read() (git-fixes). - hwmon: (nct6775): Actually make use of the HWMON_NCT6775 symbol namespace (git-fixes). - hwmon: (occ) Rework attribute registration for stack usage (git-fixes). - hwmon: (occ) fix unaligned accesses (git-fixes). - hwmon: (peci/dimmtemp) Do not provide fake thresholds data (git-fixes). - hwmon: corsair-psu: add USB id of HX1200i Series 2023 psu (git-fixes). - i2c: designware: Invoke runtime suspend on quick slave re-registration (stable-fixes). - i2c: npcm: Add clock toggle recovery (stable-fixes). - i2c: robotfuzz-osif: disable zero-length read messages (git-fixes). - i2c: tiny-usb: disable zero-length read messages (git-fixes). - i40e: retry VFLR handling if there is ongoing VF reset (git-fixes). - i40e: return false from i40e_reset_vf if reset is in progress (git-fixes). - ice: Fix LACP bonds without SRIOV environment (git-fixes). - ice: create new Tx scheduler nodes for new queues only (git-fixes). 
- ice: fix Tx scheduler error handling in XDP callback (git-fixes). - ice: fix rebuilding the Tx scheduler tree for large queue counts (git-fixes). - ice: fix vf->num_mac count with port representors (git-fixes). - ima: Suspend PCR extends and log appends when rebooting (bsc#1210025 ltc#196650). - iommu: Skip PASID validation for devices without PASID capability (bsc#1244100) - iommu: Validate the PASID in iommu_attach_device_pasid() (bsc#1244100) - isolcpus: fix bug in returning number of allocated cpumask (bsc#1243774). - kABI: PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes). - kABI: serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes). - kabi: restore layout of struct cgroup_subsys (bsc#1241166). - kabi: restore layout of struct mem_control (jsc#PED-12551). - kabi: restore layout of struct page_counter (jsc#PED-12551). - loop: add file_start_write() and file_end_write() (git-fixes). - md/raid1,raid10: do not handle IO error for REQ_RAHEAD and REQ_NOWAIT (git-fixes). - mkspec: Exclude rt flavor from kernel-syms dependencies (bsc#1244337). - mm, memcg: cg2 memory{.swap,}.peak write handlers (jsc#PED-12551). - mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race (bsc#1245431). - mm/hugetlb: unshare page tables during VMA split, not before (bsc#1245431). - mm/memcontrol: export memcg.swap watermark via sysfs for v2 memcg (jsc#PED-12551). - mmc: Add quirk to disable DDR50 tuning (stable-fixes). - net/mdiobus: Fix potential out-of-bounds clause 45 read/write access (git-fixes). - net/mdiobus: Fix potential out-of-bounds read/write access (git-fixes). - net/mlx4_en: Prevent potential integer overflow calculating Hz (git-fixes). - net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid() (git-fixes). - net/mlx5: Ensure fw pages are always allocated on same NUMA (git-fixes). - net/mlx5: Fix ECVF vports unload on shutdown flow (git-fixes). 
- net/mlx5: Fix return value when searching for existing flow group (git-fixes). - net/mlx5_core: Add error handling in mlx5_query_nic_vport_qkey_viol_cntr() (git-fixes). - net/mlx5e: Fix leak of Geneve TLV option object (git-fixes). - net/sched: fix use-after-free in taprio_dev_notifier (git-fixes). - net: Fix TOCTOU issue in sk_is_readable() (git-fixes). - net: ice: Perform accurate aRFS flow match (git-fixes). - net: mana: Add support for Multi Vports on Bare metal (bsc#1244229). - net: mana: Record doorbell physical address in PF mode (bsc#1244229). - net: phy: move phy_link_change() prior to mdio_bus_phy_may_suspend() (bsc#1243538) - net_sched: ets: fix a race in ets_qdisc_change() (git-fixes). - net_sched: prio: fix a race in prio_tune() (git-fixes). - net_sched: red: fix a race in __red_change() (git-fixes). - net_sched: sch_fifo: implement lockless __fifo_dump() (bsc#1237312) - net_sched: sch_sfq: reject invalid perturb period (git-fixes). - net_sched: tbf: fix a race in tbf_change() (git-fixes). - netlink: fix potential sleeping issue in mqueue_flush_file (git-fixes). - netlink: specs: dpll: replace underscores with dashes in names (git-fixes). - nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request (git-fixes). - ntp: Clamp maxerror and esterror to operating range (git-fixes) - ntp: Remove invalid cast in time offset math (git-fixes) - ntp: Safeguard against time_constant overflow (git-fixes) - nvme-fc: do not reference lsrsp after failure (bsc#1245193). - nvme-pci: add NVME_QUIRK_NO_DEEPEST_PS quirk for SOLIDIGM P44 Pro (git-fixes). - nvme-pci: add quirks for WDC Blue SN550 15b7:5009 (git-fixes). - nvme-pci: add quirks for device 126f:1001 (git-fixes). - nvme: always punt polled uring_cmd end_io work to task_work (git-fixes). - nvme: fix command limits status code (git-fixes). - nvme: fix implicit bool to flags conversion (git-fixes). - nvmet-fc: free pending reqs on tgtport unregister (bsc#1245193). 
- nvmet-fc: take tgtport refs for portentry (bsc#1245193). - nvmet-fcloop: access fcpreq only when holding reqlock (bsc#1245193). - nvmet-fcloop: add missing fcloop_callback_host_done (bsc#1245193). - nvmet-fcloop: allocate/free fcloop_lsreq directly (bsc#1245193). - nvmet-fcloop: do not wait for lport cleanup (bsc#1245193). - nvmet-fcloop: drop response if targetport is gone (bsc#1245193). - nvmet-fcloop: prevent double port deletion (bsc#1245193). - nvmet-fcloop: refactor fcloop_delete_local_port (bsc#1245193). - nvmet-fcloop: refactor fcloop_nport_alloc and track lport (bsc#1245193). - nvmet-fcloop: remove nport from list on last user (bsc#1245193). - nvmet-fcloop: track ref counts for nports (bsc#1245193). - nvmet-fcloop: update refs on tfcp_req (bsc#1245193). - pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() (stable-fixes). - pinctrl: mcp23s08: Reset all pins to input at probe (stable-fixes). - pinctrl: qcom: pinctrl-qcm2290: Add missing pins (git-fixes). - pinctrl: st: Drop unused st_gpio_bank() function (git-fixes). - platform/x86/amd: pmc: Clear metrics table at start of cycle (git-fixes). - platform/x86/intel-uncore-freq: Fail module load when plat_info is NULL (git-fixes). - platform/x86: dell_rbu: Fix list usage (git-fixes). - platform/x86: dell_rbu: Stop overwriting data buffer (git-fixes). - platform/x86: ideapad-laptop: use usleep_range() for EC polling (git-fixes). - power: supply: bq27xxx: Retrieve again when busy (stable-fixes). - power: supply: collie: Fix wakeup source leaks on device unbind (stable-fixes). - powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery (bsc#1215199). 
- powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap (bsc#1244309 ltc#213790). - powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() (bsc#1244309 ltc#213790). - ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() (git-fixes). - r8152: add vendor/device ID pair for Dell Alienware AW1022z (git-fixes). - regulator: max20086: Fix refcount leak in max20086_parse_regulators_dt() (git-fixes). - rpm/kernel-source.changes.old: Drop bogus bugzilla reference (bsc#1244725) - rtc: Make rtc_time64_to_tm() support dates before 1970 (stable-fixes). - rtc: cmos: use spin_lock_irqsave in cmos_interrupt (git-fixes). - s390/pci: Fix __pcilg_mio_inuser() inline assembly (git-fixes bsc#1245226). - s390/tty: Fix a potential memory leak bug (git-fixes bsc#1245228). - scsi: dc395x: Remove DEBUG conditional compilation (git-fixes). - scsi: dc395x: Remove leftover if statement in reselect() (git-fixes). - scsi: elx: efct: Fix memory leak in efct_hw_parse_filter() (git-fixes). - scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk (git-fixes). - scsi: iscsi: Fix incorrect error path labels for flashnode operations (git-fixes). - scsi: mpi3mr: Add level check to control event logging (git-fixes). - scsi: mpt3sas: Send a diag reset if target reset fails (git-fixes). - scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops (git-fixes). - scsi: sd_zbc: block: Respect bio vector limits for REPORT ZONES buffer (git-fixes). - scsi: st: ERASE does not change tape location (git-fixes). - scsi: st: Restore some drive settings after reset (git-fixes). - scsi: st: Tighten the page format heuristics with MODE SELECT (git-fixes). - scsi: storvsc: Do not report the host packet status as the hv status (git-fixes). - scsi: storvsc: Increase the timeouts to storvsc_timeout (git-fixes). - serial: imx: Restore original RXTL for console to fix data loss (git-fixes). - serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes). 
- serial: sh-sci: Move runtime PM enable to sci_probe_single() (stable-fixes). - software node: Correct a OOB check in software_node_get_reference_args() (stable-fixes). - staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() (git-fixes). - struct usci: hide additional member (git-fixes). - sunrpc: handle SVC_GARBAGE during svc auth processing as auth error (git-fixes). - thunderbolt: Do not double dequeue a configuration request (stable-fixes). - timekeeping: Fix bogus clock_was_set() invocation in (git-fixes) - timekeeping: Fix cross-timestamp interpolation corner case (git-fixes) - timekeeping: Fix cross-timestamp interpolation for non-x86 (git-fixes) - timekeeping: Fix cross-timestamp interpolation on counter (git-fixes) - trace/trace_event_perf: remove duplicate samples on the first tracepoint event (git-fixes). - tracing/eprobe: Fix to release eprobe when failed to add dyn_event (git-fixes). - tracing: Add __print_dynamic_array() helper (bsc#1243544). - tracing: Add __string_len() example (bsc#1243544). - tracing: Fix cmp_entries_dup() to respect sort() comparison rules (git-fixes). - tracing: Fix compilation warning on arm32 (bsc#1243551). - tracing: Use atomic64_inc_return() in trace_clock_counter() (git-fixes). - struct dwc3 hide new member wakeup_pending_funcs (git-fixes). - ucsi_debugfs_entry: hide signedness change (git-fixes). - uprobes: Use kzalloc to allocate xol area (git-fixes). - usb: dwc3: gadget: Make gadget_wakeup asynchronous (git-fixes). - usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE (stable-fixes). - usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device (stable-fixes). - usb: typec: ucsi: Only enable supported notifications (git-fixes). - usb: typec: ucsi: allow non-partner GET_PDOS for Qualcomm devices (git-fixes). - usb: typec: ucsi: fix Clang -Wsign-conversion warning (git-fixes). - usb: typec: ucsi: fix UCSI on buggy Qualcomm devices (git-fixes). 
- usb: typec: ucsi: limit the UCSI_NO_PARTNER_PDOS even further (git-fixes). - usbnet: asix AX88772: leave the carrier control to phylink (stable-fixes). - vmxnet3: correctly report gso type for UDP tunnels (bsc#1244626). - vmxnet3: support higher link speeds from vmxnet3 v9 (bsc#1244626). - vmxnet3: update MTU after device quiesce (bsc#1244626). - watchdog: da9052_wdt: respect TWDMIN (stable-fixes). - watchdog: fix watchdog may detect false positive of softlockup (stable-fixes). - watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04 (git-fixes). - watchdog: mediatek: Add support for MT6735 TOPRGU/WDT (git-fixes). - wifi: ath11k: Fix QMI memory reuse logic (stable-fixes). - wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request() (git-fixes). - wifi: ath11k: convert timeouts to secs_to_jiffies() (stable-fixes). - wifi: ath11k: do not use static variables in ath11k_debugfs_fw_stats_process() (git-fixes). - wifi: ath11k: do not wait when there is no vdev started (git-fixes). - wifi: ath11k: fix soc_dp_stats debugfs file permission (stable-fixes). - wifi: ath11k: move some firmware stats related functions outside of debugfs (git-fixes). - wifi: ath11k: update channel list in worker when wait flag is set (bsc#1243847). - wifi: ath11k: validate ath11k_crypto_mode on top of ath11k_core_qmi_firmware_ready (git-fixes). - wifi: ath12k: Pass correct values of center freq1 and center freq2 for 160 MHz (stable-fixes). - wifi: ath12k: fix a possible dead lock caused by ab->base_lock (stable-fixes). - wifi: ath12k: fix failed to set mhi state error during reboot with hardware grouping (stable-fixes). - wifi: ath12k: fix incorrect CE addresses (stable-fixes). - wifi: ath12k: fix link valid field initialization in the monitor Rx (stable-fixes). - wifi: ath12k: fix macro definition HAL_RX_MSDU_PKT_LENGTH_GET (stable-fixes). - wifi: carl9170: do not ping device which has failed to load firmware (git-fixes). 
- wifi: iwlwifi: Add missing MODULE_FIRMWARE for Qu-c0-jf-b0 (stable-fixes). - wifi: iwlwifi: pcie: make sure to lock rxq->read (stable-fixes). - wifi: mac80211: VLAN traffic in multicast path (stable-fixes). - wifi: mac80211: do not offer a mesh path if forwarding is disabled (stable-fixes). - wifi: mac80211: fix beacon interval calculation overflow (git-fixes). - wifi: mac80211_hwsim: Prevent tsf from setting if beacon is disabled (stable-fixes). - wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R (stable-fixes). - wifi: mt76: mt7921: add 160 MHz AP for mt7922 device (stable-fixes). - wifi: mt76: mt7996: drop fragments with multicast or broadcast RA (stable-fixes). - wifi: rtw89: leave idle mode when setting WEP encryption for AP mode (stable-fixes). - x86/kaslr: Reduce KASLR entropy on most x86 systems (git-fixes). - x86/microcode/AMD: Add get_patch_level() (git-fixes). - x86/microcode/AMD: Get rid of the _load_microcode_amd() forward declaration (git-fixes). - x86/microcode/AMD: Merge early_apply_microcode() into its single callsite (git-fixes). - x86/microcode/AMD: Remove ugly linebreak in __verify_patch_section() signature (git-fixes). - x86/microcode: Consolidate the loader enablement checking (git-fixes). - x86/mm/init: Handle the special case of device private pages in add_pages(), to not increase max_pfn and trigger dma_addressing_limited() bounce buffers (git-fixes). - x86/xen: fix balloon target initialization for PVH dom0 (git-fixes). - xen/arm: call uaccess_ttbr0_enable for dm_op hypercall (git-fixes) - xen/x86: fix initial memory balloon target (git-fixes). 
The following package changes have been done: - kernel-rt-6.4.0-34.1 updated From sle-container-updates at lists.suse.com Fri Jul 18 16:16:14 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 18:16:14 +0200 (CEST) Subject: SUSE-IU-2025:1973-1: Recommended update of suse/sl-micro/6.1/base-os-container Message-ID: <20250718161614.4C533F78C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1973-1 Image Tags : suse/sl-micro/6.1/base-os-container:2.2.1 , suse/sl-micro/6.1/base-os-container:2.2.1-5.11 , suse/sl-micro/6.1/base-os-container:latest Image Release : 5.11 Severity : important Type : recommended References : 1216091 1218459 1235849 1241052 ----------------------------------------------------------------- The container suse/sl-micro/6.1/base-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 187 Released: Fri Jul 18 11:07:15 2025 Summary: Recommended update for rpm Type: recommended Severity: important References: 1216091,1218459,1235849,1241052 This update for rpm fixes the following issues: - fix --runposttrans not working correctly with the --root option [bsc#1216091] * added 'rpm_fixed_runposttrans' provides for libzypp - print scriptlet messages in --runposttrans * needed to fix leaking tmp files [bsc#1218459] - fix memory leak in str2locale [bsc#1241052] The following package changes have been done: - rpm-4.18.0-slfo.1.1_2.1 updated - SL-Micro-release-6.1-slfo.1.11.43 updated - container:suse-toolbox-image-1.0.0-4.54 updated From sle-container-updates at lists.suse.com Fri Jul 18 16:16:49 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 18:16:49 +0200 (CEST) Subject: 
SUSE-IU-2025:1974-1: Recommended update of suse/sl-micro/6.1/kvm-os-container Message-ID: <20250718161649.C5899F78C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/kvm-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1974-1 Image Tags : suse/sl-micro/6.1/kvm-os-container:2.2.1 , suse/sl-micro/6.1/kvm-os-container:2.2.1-5.11 , suse/sl-micro/6.1/kvm-os-container:latest Image Release : 5.11 Severity : important Type : recommended References : 1216091 1218459 1235849 1241052 ----------------------------------------------------------------- The container suse/sl-micro/6.1/kvm-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 187 Released: Fri Jul 18 11:07:15 2025 Summary: Recommended update for rpm Type: recommended Severity: important References: 1216091,1218459,1235849,1241052 This update for rpm fixes the following issues: - fix --runposttrans not working correctly with the --root option [bsc#1216091] * added 'rpm_fixed_runposttrans' provides for libzypp - print scriptlet messages in --runposttrans * needed to fix leaking tmp files [bsc#1218459] - fix memory leak in str2locale [bsc#1241052] The following package changes have been done: - rpm-4.18.0-slfo.1.1_2.1 updated - SL-Micro-release-6.1-slfo.1.11.43 updated - container:SL-Micro-base-container-2.2.1-5.11 updated From sle-container-updates at lists.suse.com Fri Jul 18 16:21:38 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 18:21:38 +0200 (CEST) Subject: SUSE-CU-2025:5412-1: Security update of bci/bci-base-fips Message-ID: <20250718162138.3B183F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-base-fips ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5412-1 Container Tags : 
bci/bci-base-fips:15.6 , bci/bci-base-fips:15.6.31.13 Container Release : 31.13 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/bci-base-fips was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated From sle-container-updates at lists.suse.com Fri Jul 18 16:21:41 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 18:21:41 +0200 (CEST) Subject: SUSE-CU-2025:5413-1: Security update of bci/bci-micro-fips Message-ID: <20250718162141.BF613F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-micro-fips ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5413-1 Container Tags : bci/bci-micro-fips:15.6 , bci/bci-micro-fips:15.6.4.17 Container Release : 4.17 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/bci-micro-fips was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:bci-bci-base-15.6-f74bb08cb3cd67848838c173455a95de3e95dff460de317fd4bee839a5e05618-0 updated From sle-container-updates at lists.suse.com Fri Jul 18 16:22:04 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 18:22:04 +0200 (CEST) Subject: SUSE-CU-2025:5414-1: Security update of bci/bci-micro Message-ID: <20250718162204.CD765F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-micro ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5414-1 Container Tags : bci/bci-micro:15.6 , bci/bci-micro:15.6.47.7 Container Release : 47.7 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/bci-micro was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:bci-bci-base-15.6-f74bb08cb3cd67848838c173455a95de3e95dff460de317fd4bee839a5e05618-0 updated From sle-container-updates at lists.suse.com Fri Jul 18 16:22:29 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 18:22:29 +0200 (CEST) Subject: SUSE-CU-2025:5415-1: Security update of bci/bci-minimal Message-ID: <20250718162229.EDA60F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-minimal ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5415-1 Container Tags : bci/bci-minimal:15.6 , bci/bci-minimal:15.6.39.2 Container Release : 39.2 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/bci-minimal was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated From sle-container-updates at lists.suse.com Fri Jul 18 16:24:30 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 18:24:30 +0200 (CEST) Subject: SUSE-CU-2025:5416-1: Security update of suse/sle15 Message-ID: <20250718162430.9EAEDF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5416-1 Container Tags : bci/bci-base:15.6 , bci/bci-base:15.6.47.23.13 , suse/sle15:15.6 , suse/sle15:15.6.47.23.13 Container Release : 47.23.13 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container suse/sle15 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated From sle-container-updates at lists.suse.com Fri Jul 18 16:24:40 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 18:24:40 +0200 (CEST) Subject: SUSE-CU-2025:5417-1: Security update of bci/dotnet-aspnet Message-ID: <20250718162440.A991CF78C@maintenance.suse.de> SUSE Container Update Advisory: bci/dotnet-aspnet ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5417-1 Container Tags : bci/dotnet-aspnet:8.0 , bci/dotnet-aspnet:8.0.18 , bci/dotnet-aspnet:8.0.18-64.3 Container Release : 64.3 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/dotnet-aspnet was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated From sle-container-updates at lists.suse.com Fri Jul 18 16:24:47 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 18:24:47 +0200 (CEST) Subject: SUSE-CU-2025:5418-1: Security update of bci/dotnet-aspnet Message-ID: <20250718162447.5BAF3F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/dotnet-aspnet ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5418-1 Container Tags : bci/dotnet-aspnet:9.0 , bci/dotnet-aspnet:9.0.7 , bci/dotnet-aspnet:9.0.7-23.4 , bci/dotnet-aspnet:latest Container Release : 23.4 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/dotnet-aspnet was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated From sle-container-updates at lists.suse.com Fri Jul 18 16:24:55 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 18:24:55 +0200 (CEST) Subject: SUSE-CU-2025:5419-1: Security update of bci/bci-base-fips Message-ID: <20250718162455.CF64BF78C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-base-fips ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5419-1 Container Tags : bci/bci-base-fips:15.7 , bci/bci-base-fips:15.7-5.19 , bci/bci-base-fips:latest Container Release : 5.19 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/bci-base-fips was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated From sle-container-updates at lists.suse.com Fri Jul 18 16:25:04 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 18:25:04 +0200 (CEST) Subject: SUSE-CU-2025:5420-1: Security update of bci/dotnet-sdk Message-ID: <20250718162504.15346F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/dotnet-sdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5420-1 Container Tags : bci/dotnet-sdk:8.0 , bci/dotnet-sdk:8.0.18 , bci/dotnet-sdk:8.0.18-64.3 Container Release : 64.3 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/dotnet-sdk was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated From sle-container-updates at lists.suse.com Fri Jul 18 16:25:11 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 18:25:11 +0200 (CEST) Subject: SUSE-CU-2025:5421-1: Security update of bci/dotnet-sdk Message-ID: <20250718162511.6AB9CF78C@maintenance.suse.de> SUSE Container Update Advisory: bci/dotnet-sdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5421-1 Container Tags : bci/dotnet-sdk:9.0 , bci/dotnet-sdk:9.0.7 , bci/dotnet-sdk:9.0.7-23.4 , bci/dotnet-sdk:latest Container Release : 23.4 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/dotnet-sdk was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated From sle-container-updates at lists.suse.com Fri Jul 18 16:25:21 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 18:25:21 +0200 (CEST) Subject: SUSE-CU-2025:5422-1: Security update of bci/dotnet-runtime Message-ID: <20250718162521.16996F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/dotnet-runtime ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5422-1 Container Tags : bci/dotnet-runtime:8.0 , bci/dotnet-runtime:8.0.18 , bci/dotnet-runtime:8.0.18-64.3 Container Release : 64.3 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/dotnet-runtime was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated From sle-container-updates at lists.suse.com Fri Jul 18 16:25:28 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 18:25:28 +0200 (CEST) Subject: SUSE-CU-2025:5423-1: Security update of bci/dotnet-runtime Message-ID: <20250718162528.2801DF78C@maintenance.suse.de> SUSE Container Update Advisory: bci/dotnet-runtime ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5423-1 Container Tags : bci/dotnet-runtime:9.0 , bci/dotnet-runtime:9.0.7 , bci/dotnet-runtime:9.0.7-23.4 , bci/dotnet-runtime:latest Container Release : 23.4 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/dotnet-runtime was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated From sle-container-updates at lists.suse.com Fri Jul 18 16:25:31 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 18:25:31 +0200 (CEST) Subject: SUSE-CU-2025:5424-1: Security update of bci/bci-micro-fips Message-ID: <20250718162531.D4724F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-micro-fips ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5424-1 Container Tags : bci/bci-micro-fips:15.7 , bci/bci-micro-fips:15.7-5.19 , bci/bci-micro-fips:latest Container Release : 5.19 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/bci-micro-fips was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:bci-bci-base-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Fri Jul 18 16:25:36 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 18:25:36 +0200 (CEST) Subject: SUSE-CU-2025:5425-1: Security update of bci/bci-micro Message-ID: <20250718162536.43479F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-micro ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5425-1 Container Tags : bci/bci-micro:15.7 , bci/bci-micro:15.7-44.5 , bci/bci-micro:latest Container Release : 44.5 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/bci-micro was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:bci-bci-base-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Fri Jul 18 16:25:40 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 18:25:40 +0200 (CEST) Subject: SUSE-CU-2025:5426-1: Security update of bci/bci-minimal Message-ID: <20250718162540.5943CF78C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-minimal ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5426-1 Container Tags : bci/bci-minimal:15.7 , bci/bci-minimal:15.7-11.2 , bci/bci-minimal:latest Container Release : 11.2 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/bci-minimal was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated From sle-container-updates at lists.suse.com Fri Jul 18 16:25:47 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 18:25:47 +0200 (CEST) Subject: SUSE-CU-2025:5427-1: Security update of suse/postgres Message-ID: <20250718162547.546B8F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/postgres ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5427-1 Container Tags : suse/postgres:16 , suse/postgres:16.9 , suse/postgres:16.9 , suse/postgres:16.9-72.4 Container Release : 72.4 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container suse/postgres was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:suse-sle15-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Fri Jul 18 16:25:56 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 18:25:56 +0200 (CEST) Subject: SUSE-CU-2025:5428-1: Security update of suse/postgres Message-ID: <20250718162556.0DF9DF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/postgres ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5428-1 Container Tags : suse/postgres:17 , suse/postgres:17.5 , suse/postgres:17.5 , suse/postgres:17.5-62.4 , suse/postgres:latest Container Release : 62.4 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container suse/postgres was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:suse-sle15-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Fri Jul 18 16:26:02 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 18 Jul 2025 18:26:02 +0200 (CEST) Subject: SUSE-CU-2025:5429-1: Security update of suse/mariadb Message-ID: <20250718162602.6239BF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/mariadb ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5429-1 Container Tags : suse/mariadb:11.4 , suse/mariadb:11.4.5 , suse/mariadb:11.4.5-61.22 , suse/mariadb:latest Container Release : 61.22 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container suse/mariadb was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:suse-sle15-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Sat Jul 19 07:02:52 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 09:02:52 +0200 (CEST) Subject: SUSE-CU-2025:5430-1: Security update of containers/open-webui-pipelines Message-ID: <20250719070252.7189AFCFE@maintenance.suse.de> SUSE Container Update Advisory: containers/open-webui-pipelines ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5430-1 Container Tags : containers/open-webui-pipelines:0 , containers/open-webui-pipelines:0.20250329.151219 , containers/open-webui-pipelines:0.20250329.151219-5.19 Container Release : 5.19 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container containers/open-webui-pipelines was updated. 
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- container:registry.suse.com-bci-bci-micro-15.6-9a549e748c45d9a51df94e66c3908ba83233c4796f5f345b7e793229bb6fdea3-0 updated

From sle-container-updates at lists.suse.com Sat Jul 19 07:04:12 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 09:04:12 +0200 (CEST)
Subject: SUSE-IU-2025:1975-1: Security update of suse/sle-micro/base-5.5
Message-ID: <20250719070412.6B645FCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/base-5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1975-1
Image Tags : suse/sle-micro/base-5.5:2.0.4 , suse/sle-micro/base-5.5:2.0.4-5.8.187 , suse/sle-micro/base-5.5:latest
Image Release : 5.8.187
Severity : moderate
Type : security
References : 1242844 1243767 CVE-2025-4373 CVE-2025-5278
-----------------------------------------------------------------

The container suse/sle-micro/base-5.5 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2375-1
Released: Fri Jul 18 15:16:14 2025
Summary: Security update for glib2
Type: security
Severity: moderate
References: 1242844,CVE-2025-4373

This update for glib2 fixes the following issues:

- CVE-2025-4373: integer overflow in the `g_string_insert_unichar()` function can lead to buffer underwrite and memory corruption (bsc#1242844).

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- libglib-2_0-0-2.70.5-150400.3.23.1 updated
- libgobject-2_0-0-2.70.5-150400.3.23.1 updated
- libgmodule-2_0-0-2.70.5-150400.3.23.1 updated
- libgio-2_0-0-2.70.5-150400.3.23.1 updated
- glib2-tools-2.70.5-150400.3.23.1 updated

From sle-container-updates at lists.suse.com Sat Jul 19 07:05:01 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 09:05:01 +0200 (CEST)
Subject: SUSE-IU-2025:1976-1: Security update of suse/sle-micro/kvm-5.5
Message-ID: <20250719070501.76ABEFCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/kvm-5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1976-1
Image Tags : suse/sle-micro/kvm-5.5:2.0.4 , suse/sle-micro/kvm-5.5:2.0.4-3.5.358 , suse/sle-micro/kvm-5.5:latest
Image Release : 3.5.358
Severity : moderate
Type : security
References : 1242844 1243767 CVE-2025-4373 CVE-2025-5278
-----------------------------------------------------------------

The container suse/sle-micro/kvm-5.5 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2375-1
Released: Fri Jul 18 15:16:14 2025
Summary: Security update for glib2
Type: security
Severity: moderate
References: 1242844,CVE-2025-4373

This update for glib2 fixes the following issues:

- CVE-2025-4373: integer overflow in the `g_string_insert_unichar()` function can lead to buffer underwrite and memory corruption (bsc#1242844).

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- libglib-2_0-0-2.70.5-150400.3.23.1 updated
- libgobject-2_0-0-2.70.5-150400.3.23.1 updated
- libgmodule-2_0-0-2.70.5-150400.3.23.1 updated
- libgio-2_0-0-2.70.5-150400.3.23.1 updated
- glib2-tools-2.70.5-150400.3.23.1 updated
- container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.187 updated

From sle-container-updates at lists.suse.com Sat Jul 19 07:06:15 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 09:06:15 +0200 (CEST)
Subject: SUSE-IU-2025:1977-1: Security update of suse/sle-micro/rt-5.5
Message-ID: <20250719070615.B85B3FCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/rt-5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1977-1
Image Tags : suse/sle-micro/rt-5.5:2.0.4 , suse/sle-micro/rt-5.5:2.0.4-4.5.438 , suse/sle-micro/rt-5.5:latest
Image Release : 4.5.438
Severity : moderate
Type : security
References : 1242844 1243767 CVE-2025-4373 CVE-2025-5278
-----------------------------------------------------------------

The container suse/sle-micro/rt-5.5 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2375-1
Released: Fri Jul 18 15:16:14 2025
Summary: Security update for glib2
Type: security
Severity: moderate
References: 1242844,CVE-2025-4373

This update for glib2 fixes the following issues:

- CVE-2025-4373: integer overflow in the `g_string_insert_unichar()` function can lead to buffer underwrite and memory corruption (bsc#1242844).
The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- libglib-2_0-0-2.70.5-150400.3.23.1 updated
- libgobject-2_0-0-2.70.5-150400.3.23.1 updated
- libgmodule-2_0-0-2.70.5-150400.3.23.1 updated
- libgio-2_0-0-2.70.5-150400.3.23.1 updated
- glib2-tools-2.70.5-150400.3.23.1 updated
- container:suse-sle-micro-5.5-latest-2.0.4-5.5.332 updated

From sle-container-updates at lists.suse.com Sat Jul 19 07:07:28 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 09:07:28 +0200 (CEST)
Subject: SUSE-IU-2025:1979-1: Security update of suse/sle-micro/5.5
Message-ID: <20250719070728.ECD82FCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1979-1
Image Tags : suse/sle-micro/5.5:2.0.4 , suse/sle-micro/5.5:2.0.4-5.5.332 , suse/sle-micro/5.5:latest
Image Release : 5.5.332
Severity : moderate
Type : security
References : 1242844 1243767 CVE-2025-4373 CVE-2025-5278
-----------------------------------------------------------------

The container suse/sle-micro/5.5 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2375-1
Released: Fri Jul 18 15:16:14 2025
Summary: Security update for glib2
Type: security
Severity: moderate
References: 1242844,CVE-2025-4373

This update for glib2 fixes the following issues:

- CVE-2025-4373: integer overflow in the `g_string_insert_unichar()` function can lead to buffer underwrite and memory corruption (bsc#1242844).

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- libglib-2_0-0-2.70.5-150400.3.23.1 updated
- libgobject-2_0-0-2.70.5-150400.3.23.1 updated
- libgmodule-2_0-0-2.70.5-150400.3.23.1 updated
- libgio-2_0-0-2.70.5-150400.3.23.1 updated
- glib2-tools-2.70.5-150400.3.23.1 updated
- container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.187 updated

From sle-container-updates at lists.suse.com Sat Jul 19 07:07:29 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 09:07:29 +0200 (CEST)
Subject: SUSE-IU-2025:1980-1: Security update of suse/sle-micro/5.5
Message-ID: <20250719070729.C2C02FCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1980-1
Image Tags : suse/sle-micro/5.5:2.0.4 , suse/sle-micro/5.5:2.0.4-5.5.333 , suse/sle-micro/5.5:latest
Image Release : 5.5.333
Severity : moderate
Type : security
References : 1243450 CVE-2024-23337
-----------------------------------------------------------------

The container suse/sle-micro/5.5 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2384-1
Released: Fri Jul 18 18:45:53 2025
Summary: Security update for jq
Type: security
Severity: moderate
References: 1243450,CVE-2024-23337

This update for jq fixes the following issues:

- CVE-2024-23337: Fixed signed integer overflow in jv.c:jvp_array_write (bsc#1243450).

The following package changes have been done:

- libjq1-1.6-150000.3.6.1 updated
- jq-1.6-150000.3.6.1 updated

From sle-container-updates at lists.suse.com Sat Jul 19 07:12:54 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 09:12:54 +0200 (CEST)
Subject: SUSE-CU-2025:5433-1: Security update of suse/sle-micro/5.3/toolbox
Message-ID: <20250719071254.0B296F78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.3/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5433-1
Container Tags : suse/sle-micro/5.3/toolbox:14.2 , suse/sle-micro/5.3/toolbox:14.2-6.11.157 , suse/sle-micro/5.3/toolbox:latest
Container Release : 6.11.157
Severity : moderate
Type : security
References : 1242844 1243767 CVE-2025-4373 CVE-2025-5278
-----------------------------------------------------------------

The container suse/sle-micro/5.3/toolbox was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2375-1
Released: Fri Jul 18 15:16:14 2025
Summary: Security update for glib2
Type: security
Severity: moderate
References: 1242844,CVE-2025-4373

This update for glib2 fixes the following issues:

- CVE-2025-4373: integer overflow in the `g_string_insert_unichar()` function can lead to buffer underwrite and memory corruption (bsc#1242844).

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- libglib-2_0-0-2.70.5-150400.3.23.1 updated
- libgmodule-2_0-0-2.70.5-150400.3.23.1 updated

From sle-container-updates at lists.suse.com Sat Jul 19 07:15:26 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 09:15:26 +0200 (CEST)
Subject: SUSE-CU-2025:5434-1: Security update of suse/sle-micro-rancher/5.4
Message-ID: <20250719071526.2EC0FF78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro-rancher/5.4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5434-1
Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.24 , suse/sle-micro-rancher/5.4:latest
Container Release : 4.5.24
Severity : moderate
Type : security
References : 1242844 1243767 CVE-2025-4373 CVE-2025-5278
-----------------------------------------------------------------

The container suse/sle-micro-rancher/5.4 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2375-1
Released: Fri Jul 18 15:16:14 2025
Summary: Security update for glib2
Type: security
Severity: moderate
References: 1242844,CVE-2025-4373

This update for glib2 fixes the following issues:

- CVE-2025-4373: integer overflow in the `g_string_insert_unichar()` function can lead to buffer underwrite and memory corruption (bsc#1242844).

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- glib2-tools-2.70.5-150400.3.23.1 updated
- libgio-2_0-0-2.70.5-150400.3.23.1 updated
- libglib-2_0-0-2.70.5-150400.3.23.1 updated
- libgmodule-2_0-0-2.70.5-150400.3.23.1 updated
- libgobject-2_0-0-2.70.5-150400.3.23.1 updated

From sle-container-updates at lists.suse.com Sat Jul 19 07:15:27 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 09:15:27 +0200 (CEST)
Subject: SUSE-CU-2025:5435-1: Security update of suse/sle-micro-rancher/5.4
Message-ID: <20250719071527.1306BF78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro-rancher/5.4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5435-1
Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.25 , suse/sle-micro-rancher/5.4:latest
Container Release : 4.5.25
Severity : moderate
Type : security
References : 1243450 CVE-2024-23337
-----------------------------------------------------------------

The container suse/sle-micro-rancher/5.4 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2384-1
Released: Fri Jul 18 18:45:53 2025
Summary: Security update for jq
Type: security
Severity: moderate
References: 1243450,CVE-2024-23337

This update for jq fixes the following issues:

- CVE-2024-23337: Fixed signed integer overflow in jv.c:jvp_array_write (bsc#1243450).

The following package changes have been done:

- jq-1.6-150000.3.6.1 updated
- libjq1-1.6-150000.3.6.1 updated

From sle-container-updates at lists.suse.com Sat Jul 19 07:17:03 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 09:17:03 +0200 (CEST)
Subject: SUSE-CU-2025:5436-1: Security update of suse/sle-micro/5.4/toolbox
Message-ID: <20250719071703.ABB7FF78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.4/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5436-1
Container Tags : suse/sle-micro/5.4/toolbox:14.2 , suse/sle-micro/5.4/toolbox:14.2-5.19.157 , suse/sle-micro/5.4/toolbox:latest
Container Release : 5.19.157
Severity : moderate
Type : security
References : 1242844 1243767 CVE-2025-4373 CVE-2025-5278
-----------------------------------------------------------------

The container suse/sle-micro/5.4/toolbox was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2375-1
Released: Fri Jul 18 15:16:14 2025
Summary: Security update for glib2
Type: security
Severity: moderate
References: 1242844,CVE-2025-4373

This update for glib2 fixes the following issues:

- CVE-2025-4373: integer overflow in the `g_string_insert_unichar()` function can lead to buffer underwrite and memory corruption (bsc#1242844).

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- libglib-2_0-0-2.70.5-150400.3.23.1 updated
- libgmodule-2_0-0-2.70.5-150400.3.23.1 updated

From sle-container-updates at lists.suse.com Sat Jul 19 07:18:25 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 09:18:25 +0200 (CEST)
Subject: SUSE-CU-2025:5437-1: Security update of suse/sle-micro/5.5/toolbox
Message-ID: <20250719071825.06575F78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.5/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5437-1
Container Tags : suse/sle-micro/5.5/toolbox:14.2 , suse/sle-micro/5.5/toolbox:14.2-3.12.61 , suse/sle-micro/5.5/toolbox:latest
Container Release : 3.12.61
Severity : moderate
Type : security
References : 1242844 1243767 CVE-2025-4373 CVE-2025-5278
-----------------------------------------------------------------

The container suse/sle-micro/5.5/toolbox was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2375-1
Released: Fri Jul 18 15:16:14 2025
Summary: Security update for glib2
Type: security
Severity: moderate
References: 1242844,CVE-2025-4373

This update for glib2 fixes the following issues:

- CVE-2025-4373: integer overflow in the `g_string_insert_unichar()` function can lead to buffer underwrite and memory corruption (bsc#1242844).

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- libglib-2_0-0-2.70.5-150400.3.23.1 updated
- libgmodule-2_0-0-2.70.5-150400.3.23.1 updated

From sle-container-updates at lists.suse.com Sat Jul 19 07:19:03 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 09:19:03 +0200 (CEST)
Subject: SUSE-CU-2025:5438-1: Security update of suse/ltss/sle15.4/bci-base-fips
Message-ID: <20250719071903.48377F78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/ltss/sle15.4/bci-base-fips
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5438-1
Container Tags : suse/ltss/sle15.4/bci-base-fips:15.4 , suse/ltss/sle15.4/bci-base-fips:15.4.2.13 , suse/ltss/sle15.4/bci-base-fips:latest
Container Release : 2.13
Severity : moderate
Type : security
References : 1243767 CVE-2025-5278
-----------------------------------------------------------------

The container suse/ltss/sle15.4/bci-base-fips was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- container:sles15-ltss-image-15.4.0-2.54 updated

From sle-container-updates at lists.suse.com Sat Jul 19 07:19:53 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 09:19:53 +0200 (CEST)
Subject: SUSE-CU-2025:5439-1: Security update of suse/ltss/sle15.4/sle15
Message-ID: <20250719071953.BB7B7F78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/ltss/sle15.4/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5439-1
Container Tags : suse/ltss/sle15.4/bci-base:15.4 , suse/ltss/sle15.4/bci-base:15.4.2.54 , suse/ltss/sle15.4/bci-base:latest , suse/ltss/sle15.4/sle15:15.4 , suse/ltss/sle15.4/sle15:15.4.2.54 , suse/ltss/sle15.4/sle15:latest
Container Release : 2.54
Severity : moderate
Type : security
References : 1242844 1243767 CVE-2025-4373 CVE-2025-5278
-----------------------------------------------------------------

The container suse/ltss/sle15.4/sle15 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2375-1
Released: Fri Jul 18 15:16:14 2025
Summary: Security update for glib2
Type: security
Severity: moderate
References: 1242844,CVE-2025-4373

This update for glib2 fixes the following issues:

- CVE-2025-4373: integer overflow in the `g_string_insert_unichar()` function can lead to buffer underwrite and memory corruption (bsc#1242844).

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- libglib-2_0-0-2.70.5-150400.3.23.1 updated

From sle-container-updates at lists.suse.com Sat Jul 19 07:23:07 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 09:23:07 +0200 (CEST)
Subject: SUSE-CU-2025:5440-1: Security update of bci/bci-init
Message-ID: <20250719072307.10FE5F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-init
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5440-1
Container Tags : bci/bci-init:15.6 , bci/bci-init:15.6.44.23
Container Release : 44.23
Severity : moderate
Type : security
References : 1243767 CVE-2025-5278
-----------------------------------------------------------------

The container bci/bci-init was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- container:registry.suse.com-bci-bci-base-15.6-92ffb62e2965d56d2a210b9aa94d6684f092405e7032f2d4b48bc86f1952d0eb-0 updated

From sle-container-updates at lists.suse.com Sat Jul 19 07:23:54 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 09:23:54 +0200 (CEST)
Subject: SUSE-CU-2025:5441-1: Security update of bci/nodejs
Message-ID: <20250719072354.CFA86F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/nodejs
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5441-1
Container Tags : bci/node:20 , bci/node:20.19.2 , bci/node:20.19.2-54.21 , bci/nodejs:20 , bci/nodejs:20.19.2 , bci/nodejs:20.19.2-54.21
Container Release : 54.21
Severity : moderate
Type : security
References : 1243767 CVE-2025-5278
-----------------------------------------------------------------

The container bci/nodejs was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- container:registry.suse.com-bci-bci-base-15.6-92ffb62e2965d56d2a210b9aa94d6684f092405e7032f2d4b48bc86f1952d0eb-0 updated

From sle-container-updates at lists.suse.com Sat Jul 19 07:24:51 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 09:24:51 +0200 (CEST)
Subject: SUSE-CU-2025:5442-1: Security update of bci/python
Message-ID: <20250719072451.DFF67F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5442-1
Container Tags : bci/python:3 , bci/python:3.12 , bci/python:3.12.11 , bci/python:3.12.11-70.6
Container Release : 70.6
Severity : moderate
Type : security
References : 1243767 CVE-2025-5278
-----------------------------------------------------------------

The container bci/python was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- container:registry.suse.com-bci-bci-base-15.6-92ffb62e2965d56d2a210b9aa94d6684f092405e7032f2d4b48bc86f1952d0eb-0 updated

From sle-container-updates at lists.suse.com Sat Jul 19 07:25:22 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 09:25:22 +0200 (CEST)
Subject: SUSE-CU-2025:5443-1: Security update of suse/mariadb-client
Message-ID: <20250719072522.52AD3F78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/mariadb-client
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5443-1
Container Tags : suse/mariadb-client:10.11 , suse/mariadb-client:10.11.11 , suse/mariadb-client:10.11.11-61.21
Container Release : 61.21
Severity : moderate
Type : security
References : 1243767 CVE-2025-5278
-----------------------------------------------------------------

The container suse/mariadb-client was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- container:suse-sle15-15.6-92ffb62e2965d56d2a210b9aa94d6684f092405e7032f2d4b48bc86f1952d0eb-0 updated
- container:registry.suse.com-bci-bci-micro-15.6-9a549e748c45d9a51df94e66c3908ba83233c4796f5f345b7e793229bb6fdea3-0 updated

From sle-container-updates at lists.suse.com Sat Jul 19 07:25:58 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 09:25:58 +0200 (CEST)
Subject: SUSE-CU-2025:5444-1: Security update of suse/mariadb
Message-ID: <20250719072558.158D1F78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/mariadb
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5444-1
Container Tags : suse/mariadb:10.11 , suse/mariadb:10.11.11 , suse/mariadb:10.11.11-68.23
Container Release : 68.23
Severity : moderate
Type : security
References : 1243767 CVE-2025-5278
-----------------------------------------------------------------

The container suse/mariadb was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- container:suse-sle15-15.6-92ffb62e2965d56d2a210b9aa94d6684f092405e7032f2d4b48bc86f1952d0eb-0 updated
- container:registry.suse.com-bci-bci-micro-15.6-9a549e748c45d9a51df94e66c3908ba83233c4796f5f345b7e793229bb6fdea3-0 updated

From sle-container-updates at lists.suse.com Sat Jul 19 07:28:25 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 09:28:25 +0200 (CEST)
Subject: SUSE-CU-2025:5445-1: Security update of bci/bci-sle15-kernel-module-devel
Message-ID: <20250719072825.A8889F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5445-1
Container Tags : bci/bci-sle15-kernel-module-devel:15.6 , bci/bci-sle15-kernel-module-devel:15.6.44.26
Container Release : 44.26
Severity : moderate
Type : security
References : 1243767 CVE-2025-5278
-----------------------------------------------------------------

The container bci/bci-sle15-kernel-module-devel was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- container:registry.suse.com-bci-bci-base-15.6-92ffb62e2965d56d2a210b9aa94d6684f092405e7032f2d4b48bc86f1952d0eb-0 updated

From sle-container-updates at lists.suse.com Sat Jul 19 07:29:24 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 09:29:24 +0200 (CEST)
Subject: SUSE-CU-2025:5446-1: Security update of bci/spack
Message-ID: <20250719072924.D0ADDF78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/spack
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5446-1
Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-11.22
Container Release : 11.22
Severity : moderate
Type : security
References : 1243767 CVE-2025-5278
-----------------------------------------------------------------

The container bci/spack was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- container:registry.suse.com-bci-bci-base-15.6-92ffb62e2965d56d2a210b9aa94d6684f092405e7032f2d4b48bc86f1952d0eb-0 updated

From sle-container-updates at lists.suse.com Sat Jul 19 07:29:34 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 09:29:34 +0200 (CEST)
Subject: SUSE-CU-2025:5447-1: Security update of suse/389-ds
Message-ID: <20250719072934.91084F78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/389-ds
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5447-1
Container Tags : suse/389-ds:2.5 , suse/389-ds:2.5.3 , suse/389-ds:2.5.3-61.24 , suse/389-ds:latest
Container Release : 61.24
Severity : moderate
Type : security
References : 1243767 CVE-2025-5278
-----------------------------------------------------------------

The container suse/389-ds was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- container:registry.suse.com-bci-bci-base-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated

From sle-container-updates at lists.suse.com Sat Jul 19 09:52:38 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 11:52:38 +0200 (CEST)
Subject: SUSE-CU-2025:5448-1: Security update of containers/milvus
Message-ID: <20250719095238.7D428FCFE@maintenance.suse.de>

SUSE Container Update Advisory: containers/milvus
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5448-1
Container Tags : containers/milvus:2.4 , containers/milvus:2.4.6 , containers/milvus:2.4.6-7.152
Container Release : 7.152
Severity : moderate
Type : security
References : 1243767 CVE-2025-5278
-----------------------------------------------------------------

The container containers/milvus was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- container:registry.suse.com-bci-bci-base-15.6-92ffb62e2965d56d2a210b9aa94d6684f092405e7032f2d4b48bc86f1952d0eb-0 updated
- container:registry.suse.com-bci-bci-micro-15.6-9a549e748c45d9a51df94e66c3908ba83233c4796f5f345b7e793229bb6fdea3-0 updated

From sle-container-updates at lists.suse.com Sat Jul 19 09:54:19 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 11:54:19 +0200 (CEST)
Subject: SUSE-CU-2025:5449-1: Security update of containers/ollama
Message-ID: <20250719095419.F1B7DFCFE@maintenance.suse.de>

SUSE Container Update Advisory: containers/ollama
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5449-1
Container Tags : containers/ollama:0 , containers/ollama:0.6.8 , containers/ollama:0.6.8-10.39
Container Release : 10.39
Severity : moderate
Type : security
References : 1243767 CVE-2025-5278
-----------------------------------------------------------------

The container containers/ollama was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- container:registry.suse.com-bci-bci-base-15.6-92ffb62e2965d56d2a210b9aa94d6684f092405e7032f2d4b48bc86f1952d0eb-0 updated
- container:registry.suse.com-bci-bci-micro-15.6-9a549e748c45d9a51df94e66c3908ba83233c4796f5f345b7e793229bb6fdea3-0 updated

From sle-container-updates at lists.suse.com Sat Jul 19 09:56:09 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 11:56:09 +0200 (CEST)
Subject: SUSE-CU-2025:5450-1: Security update of containers/open-webui
Message-ID: <20250719095609.D44B4FCFE@maintenance.suse.de>

SUSE Container Update Advisory: containers/open-webui
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5450-1
Container Tags : containers/open-webui:0 , containers/open-webui:0.6.9 , containers/open-webui:0.6.9-10.41
Container Release : 10.41
Severity : moderate
Type : security
References : 1234018 1234019 1234020 1243767 CVE-2024-36616 CVE-2024-36617 CVE-2024-36618 CVE-2025-5278
-----------------------------------------------------------------

The container containers/open-webui was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2381-1
Released: Fri Jul 18 16:58:38 2025
Summary: Security update for ffmpeg-4
Type: security
Severity: moderate
References: 1234018,1234019,1234020,CVE-2024-36616,CVE-2024-36617,CVE-2024-36618

This update for ffmpeg-4 fixes the following issues:

- CVE-2024-36618: Fixed integer overflow iff ULONG_MAX < INT64_MAX (bsc#1234020).

New CVE references, fixed in previous release:

- CVE-2024-36617: avformat/cafdec: dont seek beyond 64bit (bsc#1234019).
- CVE-2024-36616: avformat/westwood_vqa: Fix 2g packets (bsc#1234018).
The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- libavutil56_70-4.4.6-150600.13.27.1 updated
- libswscale5_9-4.4.6-150600.13.27.1 updated
- libswresample3_9-4.4.6-150600.13.27.1 updated
- libpostproc55_9-4.4.6-150600.13.27.1 updated
- libavresample4_0-4.4.6-150600.13.27.1 updated
- libavcodec58_134-4.4.6-150600.13.27.1 updated
- libavformat58_76-4.4.6-150600.13.27.1 updated
- libavfilter7_110-4.4.6-150600.13.27.1 updated
- libavdevice58_13-4.4.6-150600.13.27.1 updated
- ffmpeg-4-4.4.6-150600.13.27.1 updated
- python311-open-webui-0.6.9-150600.2.14 updated
- container:registry.suse.com-bci-bci-base-15.6-92ffb62e2965d56d2a210b9aa94d6684f092405e7032f2d4b48bc86f1952d0eb-0 updated

From sle-container-updates at lists.suse.com Sat Jul 19 09:56:24 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 11:56:24 +0200 (CEST)
Subject: SUSE-CU-2025:5452-1: Security update of containers/suse-ai-observability-extension-setup
Message-ID: <20250719095624.5BFA4FCFE@maintenance.suse.de>

SUSE Container Update Advisory: containers/suse-ai-observability-extension-setup
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5452-1
Container Tags : containers/suse-ai-observability-extension-setup:1 , containers/suse-ai-observability-extension-setup:1.0.3 , containers/suse-ai-observability-extension-setup:1.0.3-3.41
Container Release : 3.41
Severity : moderate
Type : security
References : 1243450 CVE-2024-23337
-----------------------------------------------------------------

The container containers/suse-ai-observability-extension-setup was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2384-1
Released: Fri Jul 18 18:45:53 2025
Summary: Security update for jq
Type: security
Severity: moderate
References: 1243450,CVE-2024-23337

This update for jq fixes the following issues:

- CVE-2024-23337: Fixed signed integer overflow in jv.c:jvp_array_write (bsc#1243450).

The following package changes have been done:

- libjq1-1.6-150000.3.6.1 updated
- jq-1.6-150000.3.6.1 updated
- container:registry.suse.com-bci-bci-base-15.6-92ffb62e2965d56d2a210b9aa94d6684f092405e7032f2d4b48bc86f1952d0eb-0 updated
- container:registry.suse.com-bci-bci-micro-15.6-9a549e748c45d9a51df94e66c3908ba83233c4796f5f345b7e793229bb6fdea3-0 updated

From sle-container-updates at lists.suse.com Sat Jul 19 10:01:37 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 12:01:37 +0200 (CEST)
Subject: SUSE-CU-2025:5447-1: Security update of suse/389-ds
Message-ID: <20250719100137.2D5DEFD1A@maintenance.suse.de>

SUSE Container Update Advisory: suse/389-ds
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5447-1
Container Tags : suse/389-ds:2.5 , suse/389-ds:2.5.3 , suse/389-ds:2.5.3-61.24 , suse/389-ds:latest
Container Release : 61.24
Severity : moderate
Type : security
References : 1243767 CVE-2025-5278
-----------------------------------------------------------------

The container suse/389-ds was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- container:registry.suse.com-bci-bci-base-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated

From sle-container-updates at lists.suse.com Sat Jul 19 10:01:43 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 12:01:43 +0200 (CEST)
Subject: SUSE-CU-2025:5453-1: Security update of suse/bind
Message-ID: <20250719100143.9FC88FD12@maintenance.suse.de>

SUSE Container Update Advisory: suse/bind
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5453-1
Container Tags : suse/bind:9 , suse/bind:9.20 , suse/bind:9.20.11 , suse/bind:9.20.11-63.5 , suse/bind:latest
Container Release : 63.5
Severity : moderate
Type : security
References : 1243767 CVE-2025-5278
-----------------------------------------------------------------

The container suse/bind was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- container:suse-sle15-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-83a881a41ea31cd0e8edae1e3893c1e645ad112da30e2e9489718b11f43c4c4f-0 updated

From sle-container-updates at lists.suse.com Sat Jul 19 10:01:46 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 12:01:46 +0200 (CEST)
Subject: SUSE-CU-2025:5454-1: Security update of suse/cosign
Message-ID: <20250719100146.19F6BFD12@maintenance.suse.de>

SUSE Container Update Advisory: suse/cosign
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5454-1
Container Tags : suse/cosign:2 , suse/cosign:2.5 , suse/cosign:2.5.0 , suse/cosign:2.5.0-11.20 , suse/cosign:latest
Container Release : 11.20
Severity : moderate
Type : security
References : 1243767 CVE-2025-5278
-----------------------------------------------------------------

The container suse/cosign was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- container:suse-sle15-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-83a881a41ea31cd0e8edae1e3893c1e645ad112da30e2e9489718b11f43c4c4f-0 updated

From sle-container-updates at lists.suse.com Sat Jul 19 10:01:48 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 12:01:48 +0200 (CEST)
Subject: SUSE-CU-2025:5455-1: Security update of suse/registry
Message-ID: <20250719100148.CD451FD12@maintenance.suse.de>

SUSE Container Update Advisory: suse/registry
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5455-1
Container Tags : suse/registry:2.8 , suse/registry:2.8-5.12 , suse/registry:latest
Container Release : 5.12
Severity : moderate
Type : security
References : 1243767 CVE-2025-5278
-----------------------------------------------------------------

The container suse/registry was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- container:bci-bci-micro-15.7-83a881a41ea31cd0e8edae1e3893c1e645ad112da30e2e9489718b11f43c4c4f-0 updated

From sle-container-updates at lists.suse.com Sat Jul 19 10:01:53 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 12:01:53 +0200 (CEST)
Subject: SUSE-CU-2025:5456-1: Security update of bci/gcc
Message-ID: <20250719100153.4CDF3FD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/gcc
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5456-1
Container Tags : bci/gcc:14 , bci/gcc:14.2 , bci/gcc:14.2-10.22 , bci/gcc:latest
Container Release : 10.22
Severity : moderate
Type : security
References : 1243767 CVE-2025-5278
-----------------------------------------------------------------

The container bci/gcc was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- container:registry.suse.com-bci-bci-base-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated

From sle-container-updates at lists.suse.com Sat Jul 19 10:02:06 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 12:02:06 +0200 (CEST)
Subject: SUSE-CU-2025:5458-1: Security update of bci/golang
Message-ID: <20250719100206.6B9DAFD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5458-1
Container Tags : bci/golang:1.23 , bci/golang:1.23.11 , bci/golang:1.23.11-2.71.23 , bci/golang:oldstable , bci/golang:oldstable-2.71.23
Container Release : 71.23
Severity : moderate
Type : security
References : 1243767 CVE-2025-5278
-----------------------------------------------------------------

The container bci/golang was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- container:registry.suse.com-bci-bci-base-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated

From sle-container-updates at lists.suse.com Sat Jul 19 10:02:13 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 12:02:13 +0200 (CEST)
Subject: SUSE-CU-2025:5459-1: Security update of bci/golang
Message-ID: <20250719100213.7883CFD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5459-1
Container Tags : bci/golang:1.23-openssl , bci/golang:1.23.2-openssl , bci/golang:1.23.2-openssl-71.22 , bci/golang:oldstable-openssl , bci/golang:oldstable-openssl-71.22
Container Release : 71.22
Severity : moderate
Type : security
References : 1243767 CVE-2025-5278
-----------------------------------------------------------------

The container bci/golang was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- container:registry.suse.com-bci-bci-base-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated

From sle-container-updates at lists.suse.com Sat Jul 19 10:02:20 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 12:02:20 +0200 (CEST)
Subject: SUSE-CU-2025:5460-1: Security update of bci/golang
Message-ID: <20250719100220.72C28FD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5460-1
Container Tags : bci/golang:1.24 , bci/golang:1.24.5 , bci/golang:1.24.5-1.71.23 , bci/golang:latest , bci/golang:stable , bci/golang:stable-1.71.23
Container Release : 71.23
Severity : moderate
Type : security
References : 1243767 CVE-2025-5278
-----------------------------------------------------------------

The container bci/golang was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- container:registry.suse.com-bci-bci-base-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated

From sle-container-updates at lists.suse.com Sat Jul 19 10:02:27 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 12:02:27 +0200 (CEST)
Subject: SUSE-CU-2025:5461-1: Security update of bci/golang
Message-ID: <20250719100227.641A0FD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5461-1
Container Tags : bci/golang:1.24-openssl , bci/golang:1.24.3-openssl , bci/golang:1.24.3-openssl-71.22 , bci/golang:latest , bci/golang:stable-openssl , bci/golang:stable-openssl-71.22
Container Release : 71.22
Severity : moderate
Type : security
References : 1243767 CVE-2025-5278
-----------------------------------------------------------------

The container bci/golang was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- container:registry.suse.com-bci-bci-base-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated

From sle-container-updates at lists.suse.com Sat Jul 19 10:02:30 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 12:02:30 +0200 (CEST)
Subject: SUSE-CU-2025:5462-1: Security update of suse/helm
Message-ID: <20250719100230.A8FAFFD12@maintenance.suse.de>

SUSE Container Update Advisory: suse/helm
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5462-1
Container Tags : suse/helm:3 , suse/helm:3.18 , suse/helm:3.18.3 , suse/helm:3.18.3-61.14 , suse/helm:latest
Container Release : 61.14
Severity : moderate
Type : security
References : 1243767 CVE-2025-5278
-----------------------------------------------------------------

The container suse/helm was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- container:suse-sle15-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-83a881a41ea31cd0e8edae1e3893c1e645ad112da30e2e9489718b11f43c4c4f-0 updated

From sle-container-updates at lists.suse.com Sat Jul 19 10:02:37 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 12:02:37 +0200 (CEST)
Subject: SUSE-CU-2025:5463-1: Security update of bci/bci-init
Message-ID: <20250719100237.8A3CBFD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-init
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5463-1
Container Tags : bci/bci-init:15.7 , bci/bci-init:15.7-41.24 , bci/bci-init:latest
Container Release : 41.24
Severity : moderate
Type : security
References : 1243767 CVE-2025-5278
-----------------------------------------------------------------

The container bci/bci-init was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- container:registry.suse.com-bci-bci-base-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated

From sle-container-updates at lists.suse.com Sat Jul 19 10:02:40 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 12:02:40 +0200 (CEST)
Subject: SUSE-CU-2025:5464-1: Security update of suse/kea
Message-ID: <20250719100240.19E50FD12@maintenance.suse.de>

SUSE Container Update Advisory: suse/kea
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5464-1
Container Tags : suse/kea:2.6 , suse/kea:2.6-61.21 , suse/kea:latest
Container Release : 61.21
Severity : moderate
Type : security
References : 1243767 CVE-2025-5278
-----------------------------------------------------------------

The container suse/kea was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- container:registry.suse.com-bci-bci-base-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated

From sle-container-updates at lists.suse.com Sat Jul 19 10:02:46 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 12:02:46 +0200 (CEST)
Subject: SUSE-CU-2025:5465-1: Security update of suse/kiosk/firefox-esr
Message-ID: <20250719100246.BC350FD12@maintenance.suse.de>

SUSE Container Update Advisory: suse/kiosk/firefox-esr
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5465-1
Container Tags : suse/kiosk/firefox-esr:128.12 , suse/kiosk/firefox-esr:128.12-62.17 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest
Container Release : 62.17
Severity : moderate
Type : security
References : 1234018 1234019 1234020 1243767 CVE-2024-36616 CVE-2024-36617 CVE-2024-36618 CVE-2025-5278
-----------------------------------------------------------------

The container suse/kiosk/firefox-esr was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2381-1
Released: Fri Jul 18 16:58:38 2025
Summary: Security update for ffmpeg-4
Type: security
Severity: moderate
References: 1234018,1234019,1234020,CVE-2024-36616,CVE-2024-36617,CVE-2024-36618

This update for ffmpeg-4 fixes the following issues:

- CVE-2024-36618: Fixed integer overflow iff ULONG_MAX < INT64_MAX (bsc#1234020).

New CVE references, fixed in previous release:

- CVE-2024-36617: avformat/cafdec: dont seek beyond 64bit (bsc#1234019).
- CVE-2024-36616: avformat/westwood_vqa: Fix 2g packets (bsc#1234018).
The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- libavutil56_70-4.4.6-150600.13.27.1 updated
- libswresample3_9-4.4.6-150600.13.27.1 updated
- libavcodec58_134-4.4.6-150600.13.27.1 updated
- container:suse-sle15-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-83a881a41ea31cd0e8edae1e3893c1e645ad112da30e2e9489718b11f43c4c4f-0 updated

From sle-container-updates at lists.suse.com Sat Jul 19 10:02:55 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 12:02:55 +0200 (CEST)
Subject: SUSE-CU-2025:5466-1: Security update of bci/kiwi
Message-ID: <20250719100255.D9317FD12@maintenance.suse.de>

SUSE Container Update Advisory: bci/kiwi
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5466-1
Container Tags : bci/kiwi:9 , bci/kiwi:9.24 , bci/kiwi:9.24.43 , bci/kiwi:9.24.43-16.33 , bci/kiwi:latest
Container Release : 16.33
Severity : moderate
Type : security
References : 1243767 CVE-2025-5278
-----------------------------------------------------------------

The container bci/kiwi was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

The following package changes have been done:

- coreutils-8.32-150400.9.9.1 updated
- container:registry.suse.com-bci-bci-base-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated

From sle-container-updates at lists.suse.com Sat Jul 19 10:03:06 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 19 Jul 2025 12:03:06 +0200 (CEST)
Subject: SUSE-CU-2025:5469-1: Security update of suse/nginx
Message-ID: <20250719100306.541E0FD12@maintenance.suse.de>

SUSE Container Update Advisory: suse/nginx
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5469-1
Container Tags : suse/nginx:1.21 , suse/nginx:1.21-61.21 , suse/nginx:latest
Container Release : 61.21
Severity : moderate
Type : security
References : 1243767 CVE-2025-5278
-----------------------------------------------------------------

The container suse/nginx was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:registry.suse.com-bci-bci-base-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:03:11 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:03:11 +0200 (CEST) Subject: SUSE-CU-2025:5470-1: Security update of bci/nodejs Message-ID: <20250719100311.72D78FD12@maintenance.suse.de> SUSE Container Update Advisory: bci/nodejs ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5470-1 Container Tags : bci/node:22 , bci/node:22.15.1 , bci/node:22.15.1-9.22 , bci/node:latest , bci/nodejs:22 , bci/nodejs:22.15.1 , bci/nodejs:22.15.1-9.22 , bci/nodejs:latest Container Release : 9.22 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/nodejs was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:registry.suse.com-bci-bci-base-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:03:17 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:03:17 +0200 (CEST) Subject: SUSE-CU-2025:5471-1: Security update of bci/openjdk-devel Message-ID: <20250719100317.DBC10FD12@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5471-1 Container Tags : bci/openjdk-devel:17 , bci/openjdk-devel:17.0.15.0 , bci/openjdk-devel:17.0.15.0-7.31 Container Release : 7.31 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/openjdk-devel was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:bci-openjdk-17-15.7.17-7.30 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:13:38 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:13:38 +0200 (CEST) Subject: SUSE-CU-2025:5472-1: Security update of bci/openjdk Message-ID: <20250719101338.70DE0FCFE@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5472-1 Container Tags : bci/openjdk:17 , bci/openjdk:17.0.15.0 , bci/openjdk:17.0.15.0-7.30 Container Release : 7.30 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/openjdk was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:registry.suse.com-bci-bci-base-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:13:45 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:13:45 +0200 (CEST) Subject: SUSE-CU-2025:5473-1: Security update of bci/openjdk-devel Message-ID: <20250719101345.C9AB1FCFE@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5473-1 Container Tags : bci/openjdk-devel:21 , bci/openjdk-devel:21.0.7.0 , bci/openjdk-devel:21.0.7.0-10.30 , bci/openjdk-devel:latest Container Release : 10.30 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/openjdk-devel was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:bci-openjdk-21-15.7.21-10.29 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:13:52 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:13:52 +0200 (CEST) Subject: SUSE-CU-2025:5474-1: Security update of bci/openjdk Message-ID: <20250719101352.9B8F1FCFE@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5474-1 Container Tags : bci/openjdk:21 , bci/openjdk:21.0.7.0 , bci/openjdk:21.0.7.0-10.29 , bci/openjdk:latest Container Release : 10.29 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/openjdk was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:registry.suse.com-bci-bci-base-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:13:59 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:13:59 +0200 (CEST) Subject: SUSE-CU-2025:5475-1: Security update of bci/php-apache Message-ID: <20250719101359.5943DFCFE@maintenance.suse.de> SUSE Container Update Advisory: bci/php-apache ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5475-1 Container Tags : bci/php-apache:8 , bci/php-apache:8.3.19 , bci/php-apache:8.3.19-11.5 , bci/php-apache:latest Container Release : 11.5 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/php-apache was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:registry.suse.com-bci-bci-base-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:14:05 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:14:05 +0200 (CEST) Subject: SUSE-CU-2025:5476-1: Security update of bci/php-fpm Message-ID: <20250719101405.69B39FCFE@maintenance.suse.de> SUSE Container Update Advisory: bci/php-fpm ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5476-1 Container Tags : bci/php-fpm:8 , bci/php-fpm:8.3.19 , bci/php-fpm:8.3.19-11.5 , bci/php-fpm:latest Container Release : 11.5 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/php-fpm was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:registry.suse.com-bci-bci-base-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:14:17 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:14:17 +0200 (CEST) Subject: SUSE-CU-2025:5478-1: Security update of suse/kiosk/pulseaudio Message-ID: <20250719101417.A07E0FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/pulseaudio ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5478-1 Container Tags : suse/kiosk/pulseaudio:17 , suse/kiosk/pulseaudio:17.0 , suse/kiosk/pulseaudio:17.0-61.23 , suse/kiosk/pulseaudio:latest Container Release : 61.23 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container suse/kiosk/pulseaudio was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:registry.suse.com-bci-bci-base-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:14:25 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:14:25 +0200 (CEST) Subject: SUSE-CU-2025:5479-1: Security update of bci/python Message-ID: <20250719101425.EAD1BFCFE@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5479-1 Container Tags : bci/python:3 , bci/python:3.11 , bci/python:3.11.13 , bci/python:3.11.13-72.5 Container Release : 72.5 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/python was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:registry.suse.com-bci-bci-base-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:14:34 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:14:34 +0200 (CEST) Subject: SUSE-CU-2025:5480-1: Security update of bci/python Message-ID: <20250719101434.9F9B1FCFE@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5480-1 Container Tags : bci/python:3.13 , bci/python:3.13.5 , bci/python:3.13.5-73.4 , bci/python:latest Container Release : 73.4 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/python was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:registry.suse.com-bci-bci-base-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:14:42 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:14:42 +0200 (CEST) Subject: SUSE-CU-2025:5481-1: Security update of bci/python Message-ID: <20250719101442.CDD9FFCFE@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5481-1 Container Tags : bci/python:3 , bci/python:3.6 , bci/python:3.6.15 , bci/python:3.6.15-72.5 Container Release : 72.5 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/python was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:registry.suse.com-bci-bci-base-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:14:46 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:14:46 +0200 (CEST) Subject: SUSE-CU-2025:5482-1: Security update of suse/mariadb-client Message-ID: <20250719101446.6CD18FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/mariadb-client ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5482-1 Container Tags : suse/mariadb-client:11.4 , suse/mariadb-client:11.4.5 , suse/mariadb-client:11.4.5-61.21 , suse/mariadb-client:latest Container Release : 61.21 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container suse/mariadb-client was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:suse-sle15-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated - container:registry.suse.com-bci-bci-micro-15.7-83a881a41ea31cd0e8edae1e3893c1e645ad112da30e2e9489718b11f43c4c4f-0 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:14:51 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:14:51 +0200 (CEST) Subject: SUSE-CU-2025:5429-1: Security update of suse/mariadb Message-ID: <20250719101451.4CB44FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/mariadb ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5429-1 Container Tags : suse/mariadb:11.4 , suse/mariadb:11.4.5 , suse/mariadb:11.4.5-61.22 , suse/mariadb:latest Container Release : 61.22 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container suse/mariadb was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:suse-sle15-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:15:00 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:15:00 +0200 (CEST) Subject: SUSE-CU-2025:5483-1: Security update of suse/rmt-server Message-ID: <20250719101500.05C63FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/rmt-server ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5483-1 Container Tags : suse/rmt-server:2 , suse/rmt-server:2.23 , suse/rmt-server:2.23-72.5 , suse/rmt-server:latest Container Release : 72.5 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container suse/rmt-server was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:registry.suse.com-bci-bci-base-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:15:08 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:15:08 +0200 (CEST) Subject: SUSE-CU-2025:5484-1: Security update of bci/ruby Message-ID: <20250719101508.48543FCFE@maintenance.suse.de> SUSE Container Update Advisory: bci/ruby ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5484-1 Container Tags : bci/ruby:2 , bci/ruby:2.5 , bci/ruby:2.5-12.5 Container Release : 12.5 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/ruby was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:registry.suse.com-bci-bci-base-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:15:16 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:15:16 +0200 (CEST) Subject: SUSE-CU-2025:5485-1: Security update of bci/ruby Message-ID: <20250719101516.6C064FCFE@maintenance.suse.de> SUSE Container Update Advisory: bci/ruby ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5485-1 Container Tags : bci/ruby:3 , bci/ruby:3.4 , bci/ruby:3.4-11.5 , bci/ruby:latest Container Release : 11.5 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/ruby was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:registry.suse.com-bci-bci-base-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:15:23 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:15:23 +0200 (CEST) Subject: SUSE-CU-2025:5486-1: Security update of bci/rust Message-ID: <20250719101523.7FA53FCFE@maintenance.suse.de> SUSE Container Update Advisory: bci/rust ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5486-1 Container Tags : bci/rust:1.87 , bci/rust:1.87.0 , bci/rust:1.87.0-1.4.5 , bci/rust:latest , bci/rust:stable , bci/rust:stable-1.4.5 Container Release : 4.5 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/rust was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:registry.suse.com-bci-bci-base-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:15:28 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:15:28 +0200 (CEST) Subject: SUSE-CU-2025:5487-1: Security update of suse/samba-client Message-ID: <20250719101528.AA229FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/samba-client ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5487-1 Container Tags : suse/samba-client:4.21 , suse/samba-client:4.21 , suse/samba-client:4.21-62.19 , suse/samba-client:latest Container Release : 62.19 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container suse/samba-client was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:suse-sle15-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated - container:registry.suse.com-bci-bci-micro-15.7-83a881a41ea31cd0e8edae1e3893c1e645ad112da30e2e9489718b11f43c4c4f-0 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:15:34 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:15:34 +0200 (CEST) Subject: SUSE-CU-2025:5488-1: Security update of suse/samba-server Message-ID: <20250719101534.18738FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/samba-server ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5488-1 Container Tags : suse/samba-server:4.21 , suse/samba-server:4.21 , suse/samba-server:4.21-62.19 , suse/samba-server:latest Container Release : 62.19 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container suse/samba-server was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:suse-sle15-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated - container:registry.suse.com-bci-bci-micro-15.7-83a881a41ea31cd0e8edae1e3893c1e645ad112da30e2e9489718b11f43c4c4f-0 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:15:39 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:15:39 +0200 (CEST) Subject: SUSE-CU-2025:5489-1: Security update of suse/samba-toolbox Message-ID: <20250719101539.3CC04FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/samba-toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5489-1 Container Tags : suse/samba-toolbox:4.21 , suse/samba-toolbox:4.21 , suse/samba-toolbox:4.21-62.19 , suse/samba-toolbox:latest Container Release : 62.19 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container suse/samba-toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:suse-sle15-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated - container:registry.suse.com-bci-bci-micro-15.7-83a881a41ea31cd0e8edae1e3893c1e645ad112da30e2e9489718b11f43c4c4f-0 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:15:49 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:15:49 +0200 (CEST) Subject: SUSE-CU-2025:5490-1: Security update of bci/bci-sle15-kernel-module-devel Message-ID: <20250719101549.11CF7FCFE@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5490-1 Container Tags : bci/bci-sle15-kernel-module-devel:15.7 , bci/bci-sle15-kernel-module-devel:15.7-41.26 , bci/bci-sle15-kernel-module-devel:latest Container Release : 41.26 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/bci-sle15-kernel-module-devel was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:registry.suse.com-bci-bci-base-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:15:56 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:15:56 +0200 (CEST) Subject: SUSE-CU-2025:5491-1: Security update of suse/sle15 Message-ID: <20250719101556.937DFFCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5491-1 Container Tags : bci/bci-base:15.7 , bci/bci-base:15.7-5.8.14 , bci/bci-base:latest , suse/sle15:15.7 , suse/sle15:15.7-5.8.14 , suse/sle15:latest Container Release : 5.8.14 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container suse/sle15 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:24:00 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:24:00 +0200 (CEST) Subject: SUSE-CU-2025:5491-1: Security update of suse/sle15 Message-ID: <20250719102400.E4F94FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5491-1 Container Tags : bci/bci-base:15.7 , bci/bci-base:15.7-5.8.14 , bci/bci-base:latest , suse/sle15:15.7 , suse/sle15:15.7-5.8.14 , suse/sle15:latest Container Release : 5.8.14 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container suse/sle15 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:24:10 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:24:10 +0200 (CEST) Subject: SUSE-CU-2025:5492-1: Security update of bci/spack Message-ID: <20250719102410.EED38FCFE@maintenance.suse.de> SUSE Container Update Advisory: bci/spack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5492-1 Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-14.5 , bci/spack:latest Container Release : 14.5 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/spack was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:registry.suse.com-bci-bci-base-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:24:14 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:24:14 +0200 (CEST) Subject: SUSE-CU-2025:5493-1: Security update of suse/stunnel Message-ID: <20250719102414.60510FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/stunnel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5493-1 Container Tags : suse/stunnel:5 , suse/stunnel:5.70 , suse/stunnel:5.70-61.22 , suse/stunnel:latest Container Release : 61.22 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container suse/stunnel was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:suse-sle15-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated - container:registry.suse.com-bci-bci-micro-15.7-83a881a41ea31cd0e8edae1e3893c1e645ad112da30e2e9489718b11f43c4c4f-0 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:24:15 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:24:15 +0200 (CEST) Subject: SUSE-CU-2025:5494-1: Security update of suse/kiosk/xorg-client Message-ID: <20250719102415.D0E11FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/xorg-client ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5494-1 Container Tags : suse/kiosk/xorg-client:21 , suse/kiosk/xorg-client:21-62.11 , suse/kiosk/xorg-client:latest Container Release : 62.11 Severity : moderate Type : security References : 1234018 1234019 1234020 1243767 CVE-2024-36616 CVE-2024-36617 CVE-2024-36618 CVE-2025-5278 ----------------------------------------------------------------- The container suse/kiosk/xorg-client was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2381-1 Released: Fri Jul 18 16:58:38 2025 Summary: Security update for ffmpeg-4 Type: security Severity: moderate References: 1234018,1234019,1234020,CVE-2024-36616,CVE-2024-36617,CVE-2024-36618 This update for ffmpeg-4 fixes the following issues: - CVE-2024-36618: Fixed integer overflow iff ULONG_MAX < INT64_MAX (bsc#1234020). New CVE references, fixed in previous release: - CVE-2024-36617: avformat/cafdec: dont seek beyond 64bit (bsc#1234019). - CVE-2024-36616: avformat/westwood_vqa: Fix 2g packets (bsc#1234018). 
The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - libavutil56_70-4.4.6-150600.13.27.1 updated - libswresample3_9-4.4.6-150600.13.27.1 updated - libavcodec58_134-4.4.6-150600.13.27.1 updated - container:suse-sle15-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated - container:registry.suse.com-bci-bci-micro-15.7-83a881a41ea31cd0e8edae1e3893c1e645ad112da30e2e9489718b11f43c4c4f-0 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:24:20 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:24:20 +0200 (CEST) Subject: SUSE-CU-2025:5495-1: Security update of suse/kiosk/xorg Message-ID: <20250719102420.A7E3FFCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/xorg ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5495-1 Container Tags : suse/kiosk/xorg:21 , suse/kiosk/xorg:21.1 , suse/kiosk/xorg:21.1-63.14 , suse/kiosk/xorg:latest , suse/kiosk/xorg:notaskbar Container Release : 63.14 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container suse/kiosk/xorg was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:suse-sle15-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated - container:registry.suse.com-bci-bci-micro-15.7-83a881a41ea31cd0e8edae1e3893c1e645ad112da30e2e9489718b11f43c4c4f-0 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:26:41 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:26:41 +0200 (CEST) Subject: SUSE-CU-2025:5501-1: Security update of suse/manager/4.3/proxy-httpd Message-ID: <20250719102641.C4BD5FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5501-1 Container Tags : suse/manager/4.3/proxy-httpd:4.3.15 , suse/manager/4.3/proxy-httpd:4.3.15.9.63.45 , suse/manager/4.3/proxy-httpd:latest Container Release : 9.63.45 Severity : moderate Type : security References : 1242844 1243767 CVE-2025-4373 CVE-2025-5278 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-httpd was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2375-1 Released: Fri Jul 18 15:16:14 2025 Summary: Security update for glib2 Type: security Severity: moderate References: 1242844,CVE-2025-4373 This update for glib2 fixes the following issues: - CVE-2025-4373: integer overflow in the `g_string_insert_unichar()` function can lead to buffer underwrite and memory corruption (bsc#1242844). The following package changes have been done: - libglib-2_0-0-2.70.5-150400.3.23.1 updated - coreutils-8.32-150400.9.9.1 updated - libgmodule-2_0-0-2.70.5-150400.3.23.1 updated - libgobject-2_0-0-2.70.5-150400.3.23.1 updated - libgio-2_0-0-2.70.5-150400.3.23.1 updated - glib2-tools-2.70.5-150400.3.23.1 updated - container:sles15-ltss-image-15.4.0-2.54 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:27:40 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:27:40 +0200 (CEST) Subject: SUSE-CU-2025:5502-1: Security update of suse/manager/4.3/proxy-salt-broker Message-ID: <20250719102740.197B8FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-salt-broker ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5502-1 Container Tags : suse/manager/4.3/proxy-salt-broker:4.3.15 , suse/manager/4.3/proxy-salt-broker:4.3.15.9.53.55 , suse/manager/4.3/proxy-salt-broker:latest Container Release : 9.53.55 Severity : moderate Type : security 
References : 1242844 1243767 CVE-2025-4373 CVE-2025-5278 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-salt-broker was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2375-1 Released: Fri Jul 18 15:16:14 2025 Summary: Security update for glib2 Type: security Severity: moderate References: 1242844,CVE-2025-4373 This update for glib2 fixes the following issues: - CVE-2025-4373: integer overflow in the `g_string_insert_unichar()` function can lead to buffer underwrite and memory corruption (bsc#1242844). 
The following package changes have been done: - libglib-2_0-0-2.70.5-150400.3.23.1 updated - coreutils-8.32-150400.9.9.1 updated - container:sles15-ltss-image-15.4.0-2.54 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:28:40 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:28:40 +0200 (CEST) Subject: SUSE-CU-2025:5503-1: Security update of suse/manager/4.3/proxy-squid Message-ID: <20250719102840.AD863FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-squid ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5503-1 Container Tags : suse/manager/4.3/proxy-squid:4.3.15 , suse/manager/4.3/proxy-squid:4.3.15.9.62.32 , suse/manager/4.3/proxy-squid:latest Container Release : 9.62.32 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-squid was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:sles15-ltss-image-15.4.0-2.54 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:29:40 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:29:40 +0200 (CEST) Subject: SUSE-CU-2025:5504-1: Security update of suse/manager/4.3/proxy-ssh Message-ID: <20250719102940.DDE11FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-ssh ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5504-1 Container Tags : suse/manager/4.3/proxy-ssh:4.3.15 , suse/manager/4.3/proxy-ssh:4.3.15.9.53.30 , suse/manager/4.3/proxy-ssh:latest Container Release : 9.53.30 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-ssh was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:sles15-ltss-image-15.4.0-2.54 updated From sle-container-updates at lists.suse.com Sat Jul 19 10:30:37 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 19 Jul 2025 12:30:37 +0200 (CEST) Subject: SUSE-CU-2025:5505-1: Security update of suse/manager/4.3/proxy-tftpd Message-ID: <20250719103037.B313CFCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-tftpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5505-1 Container Tags : suse/manager/4.3/proxy-tftpd:4.3.15 , suse/manager/4.3/proxy-tftpd:4.3.15.9.53.32 , suse/manager/4.3/proxy-tftpd:latest Container Release : 9.53.32 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-tftpd was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:sles15-ltss-image-15.4.0-2.54 updated From sle-container-updates at lists.suse.com Sun Jul 20 07:07:39 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sun, 20 Jul 2025 09:07:39 +0200 (CEST) Subject: SUSE-CU-2025:5507-1: Security update of suse/pcp Message-ID: <20250720070739.A48C5FD12@maintenance.suse.de> SUSE Container Update Advisory: suse/pcp ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5507-1 Container Tags : suse/pcp:6 , suse/pcp:6.2 , suse/pcp:6.2.0 , suse/pcp:6.2.0-61.35 , suse/pcp:latest Container Release : 61.35 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container suse/pcp was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:bci-bci-init-15.7-2329bb8ffd5e1c5aed0a36d9b272c4b83d4b23e133e6543e44c7d72fe145d5ad-0 updated From sle-container-updates at lists.suse.com Mon Jul 21 15:49:10 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 21 Jul 2025 17:49:10 +0200 (CEST) Subject: SUSE-CU-2025:5520-1: Security update of suse/sle-micro/5.5/toolbox Message-ID: <20250721154910.97028F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.5/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5520-1 Container Tags : suse/sle-micro/5.5/toolbox:14.2 , suse/sle-micro/5.5/toolbox:14.2-3.12.62 , suse/sle-micro/5.5/toolbox:latest Container Release : 3.12.62 Severity : moderate Type : security References : 1243772 CVE-2025-48964 ----------------------------------------------------------------- The container suse/sle-micro/5.5/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2430-1 Released: Mon Jul 21 13:23:17 2025 Summary: Security update for iputils Type: security Severity: moderate References: 1243772,CVE-2025-48964 This update for iputils fixes the following issues: - CVE-2025-48964: Fixed integer overflow in ping statistics via zero timestamp (bsc#1243772). 
The following package changes have been done: - iputils-20221126-150500.3.14.1 updated From sle-container-updates at lists.suse.com Mon Jul 21 15:50:03 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 21 Jul 2025 17:50:03 +0200 (CEST) Subject: SUSE-IU-2025:2010-1: Recommended update of suse/sl-micro/6.0/kvm-os-container Message-ID: <20250721155003.58DEBF78C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/kvm-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2010-1 Image Tags : suse/sl-micro/6.0/kvm-os-container:2.1.3 , suse/sl-micro/6.0/kvm-os-container:2.1.3-6.52 , suse/sl-micro/6.0/kvm-os-container:latest Image Release : 6.52 Severity : important Type : recommended References : 1216091 1218459 1241052 ----------------------------------------------------------------- The container suse/sl-micro/6.0/kvm-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 388 Released: Mon Jul 21 11:01:26 2025 Summary: Recommended update for rpm Type: recommended Severity: important References: 1216091,1218459,1241052 This update for rpm fixes the following issues: - fix --runposttrans not working correctly with the --root option [bsc#1216091] * added 'rpm_fixed_runposttrans' provides for libzypp - print scriptlet messages in --runposttrans * needed to fix leaking tmp files [bsc#1218459] - fix memory leak in str2locale [bsc#1241052] The following package changes have been done: - rpm-4.18.0-7.1 updated - SL-Micro-release-6.0-25.36 updated - container:SL-Micro-base-container-2.1.3-7.27 updated From sle-container-updates at lists.suse.com Mon Jul 21 15:57:41 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 21 Jul 2025 17:57:41 +0200 (CEST) Subject: SUSE-CU-2025:5527-1: Recommended update 
of bci/rust Message-ID: <20250721155741.9D101FD1A@maintenance.suse.de> SUSE Container Update Advisory: bci/rust ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5527-1 Container Tags : bci/rust:1.88 , bci/rust:1.88.0 , bci/rust:1.88.0-1.2.1 , bci/rust:latest , bci/rust:stable , bci/rust:stable-1.2.1 Container Release : 2.1 Severity : moderate Type : recommended References : ----------------------------------------------------------------- The container bci/rust was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 39484 Released: Wed Jul 2 17:33:15 2025 Summary: Recommended update for rust, rust1.88 Type: recommended Severity: moderate References: This update for rust fixes the following issues: - Update to version 1.88.0 - for details see the rust1.88 package Version 1.88.0 (2025-06-26) ========================== Language: - Stabilize `#![feature(let_chains)]` in the 2024 edition. This feature allows `&&`-chaining `let` statements inside `if` and `while`, allowing intermixture with boolean expressions. The patterns inside the `let` sub-expressions can be irrefutable or refutable. - Stabilize `#![feature(naked_functions)]`. Naked functions allow writing functions with no compiler-generated epilogue and prologue, allowing full control over the generated assembly for a particular function. - Stabilize `#![feature(cfg_boolean_literals)]`. This allows using boolean literals as `cfg` predicates, e.g. `#[cfg(true)]` and `#[cfg(false)]`. - Fully de-stabilize the `#[bench]` attribute. Usage of `#[bench]` without `#![feature(custom_test_frameworks)]` already triggered a deny-by-default future-incompatibility lint since Rust 1.77, but will now become a hard error. - Add warn-by-default `dangerous_implicit_autorefs` lint against implicit autoref of raw pointer dereference. 
The lint will be bumped to deny-by-default in the next version of Rust. - Add `invalid_null_arguments` lint to prevent invalid usage of null pointers. This lint is uplifted from `clippy::invalid_null_ptr_usage`. - Change trait impl candidate preference for builtin impls and trivial where-clauses. - Check types of generic const parameter defaults Compiler: - Stabilize `-Cdwarf-version` for selecting the version of DWARF debug information to generate. Platform Support: - Demote `i686-pc-windows-gnu` to Tier 2. Refer to Rust's [platform support page][platform-support-doc] for more information on Rust's tiered platform support. [platform-support-doc]: https://doc.rust-lang.org/rustc/platform-support.html Libraries: - Remove backticks from `#[should_panic]` test failure message. - Guarantee that `[T; N]::from_fn` is generated in order of increasing indices, for those passing it a stateful closure. - The libtest flag `--nocapture` is deprecated in favor of the more consistent `--no-capture` flag. - Guarantee that `{float}::NAN` is a quiet NaN. 
Stabilized APIs: - `Cell::update` https://doc.rust-lang.org/stable/std/cell/struct.Cell.html#method.update - `impl Default for *const T` https://doc.rust-lang.org/nightly/std/primitive.pointer.html#impl-Default-for-*const+T - `impl Default for *mut T` https://doc.rust-lang.org/nightly/std/primitive.pointer.html#impl-Default-for-*mut+T - `HashMap::extract_if` https://doc.rust-lang.org/stable/std/collections/struct.HashMap.html#method.extract_if - `HashSet::extract_if` https://doc.rust-lang.org/stable/std/collections/struct.HashSet.html#method.extract_if - `proc_macro::Span::line` https://doc.rust-lang.org/stable/proc_macro/struct.Span.html#method.line - `proc_macro::Span::column` https://doc.rust-lang.org/stable/proc_macro/struct.Span.html#method.column - `proc_macro::Span::start` https://doc.rust-lang.org/stable/proc_macro/struct.Span.html#method.start - `proc_macro::Span::end` https://doc.rust-lang.org/stable/proc_macro/struct.Span.html#method.end - `proc_macro::Span::file` https://doc.rust-lang.org/stable/proc_macro/struct.Span.html#method.file - `proc_macro::Span::local_file` https://doc.rust-lang.org/stable/proc_macro/struct.Span.html#method.local_file These previously stable APIs are now stable in const contexts: - `NonNull::replace` https://doc.rust-lang.org/stable/std/ptr/struct.NonNull.html#method.replace - `<*mut T>::replace` https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.replace - `std::ptr::swap_nonoverlapping` - `Cell::{replace, get, get_mut, from_mut, as_slice_of_cells}` Cargo: - Stabilize automatic garbage collection. - use `zlib-rs` for gzip compression in rust code Rustdoc: - Doctests can be ignored based on target names using `ignore-*` attributes. - Stabilize the `--test-runtool` and `--test-runtool-arg` CLI options to specify a program (like qemu) and its arguments to run a doctest. Compatibility Notes: - Finish changing the internal representation of pasted tokens. 
Certain invalid declarative macros that were previously accepted in obscure circumstances are now correctly rejected by the compiler. Use of a `tt` fragment specifier can often fix these macros. - Fully de-stabilize the `#[bench]` attribute. Usage of `#[bench]` without `#![feature(custom_test_frameworks)]` already triggered a deny-by-default future-incompatibility lint since Rust 1.77, but will now become a hard error. - Fix borrow checking some always-true patterns. The borrow checker was overly permissive in some cases, allowing programs that shouldn't have compiled. - Update the minimum external LLVM to 19. - Make it a hard error to use a vector type with a non-Rust ABI without enabling the required target feature. The following package changes have been done: - rust1.88-1.88.0-150300.7.3.2 added - cargo1.88-1.88.0-150300.7.3.2 added - cargo1.87-1.87.0-150300.7.3.1 removed - rust1.87-1.87.0-150300.7.3.1 removed From sle-container-updates at lists.suse.com Mon Jul 21 15:57:33 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 21 Jul 2025 17:57:33 +0200 (CEST) Subject: SUSE-CU-2025:5526-1: Security update of bci/rust Message-ID: <20250721155733.4620EF78C@maintenance.suse.de> SUSE Container Update Advisory: bci/rust ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5526-1 Container Tags : bci/rust:1.87 , bci/rust:1.87.0 , bci/rust:1.87.0-2.2.1 , bci/rust:oldstable , bci/rust:oldstable-2.2.1 Container Release : 2.1 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container bci/rust was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1789-1 Released: Sun Jun 1 22:50:21 2025 Summary: Recommended update for rust, rust1.87 Type: recommended Severity: moderate References: This update for rust, rust1.87 fixes the following issues: Version 1.87.0 (2025-05-15) ========================== Language -------- - Stabilize asm_goto feature - Allow parsing open beginning ranges (..EXPR) after unary operators !, -, and *. - Don't require method impls for methods with Self: Sized bounds in impls for unsized types - Stabilize feature(precise_capturing_in_traits) allowing use<...> bounds on return position impl Trait in traits Compiler -------- - x86: make SSE2 required for i686 targets and use it to pass SIMD types Libraries --------- - Stabilize the anonymous pipe API - Add support for unbounded left/right shift operations - Print pointer metadata in Debug impl of raw pointers - Vec::with_capacity guarantees it allocates with the amount requested, even if Vec::capacity returns a different number. - Most std::arch intrinsics which don't take pointer arguments can now be called from safe code if the caller has the appropriate target features already enabled - Undeprecate env::home_dir - Denote ControlFlow as #[must_use] - Macros such as assert_eq! and vec! 
now support const {...} expressions Stabilized APIs - Vec::extract_if https://doc.rust-lang.org/stable/std/vec/struct.Vec.html#method.extract_if - vec::ExtractIf https://doc.rust-lang.org/stable/std/vec/struct.ExtractIf.html - LinkedList::extract_if https://doc.rust-lang.org/stable/std/collections/struct.LinkedList.html#method.extract_if - linked_list::ExtractIf https://doc.rust-lang.org/stable/std/collections/linked_list/struct.ExtractIf.html - <[T]>::split_off https://doc.rust-lang.org/stable/std/primitive.slice.html#method.split_off - <[T]>::split_off_mut https://doc.rust-lang.org/stable/std/primitive.slice.html#method.split_off_mut - <[T]>::split_off_first https://doc.rust-lang.org/stable/std/primitive.slice.html#method.split_off_first - <[T]>::split_off_first_mut https://doc.rust-lang.org/stable/std/primitive.slice.html#method.split_off_first_mut - <[T]>::split_off_last https://doc.rust-lang.org/stable/std/primitive.slice.html#method.split_off_last - <[T]>::split_off_last_mut https://doc.rust-lang.org/stable/std/primitive.slice.html#method.split_off_last_mut - String::extend_from_within https://doc.rust-lang.org/stable/alloc/string/struct.String.html#method.extend_from_within - os_str::Display https://doc.rust-lang.org/stable/std/ffi/os_str/struct.Display.html - OsString::display https://doc.rust-lang.org/stable/std/ffi/struct.OsString.html#method.display - OsStr::display https://doc.rust-lang.org/stable/std/ffi/struct.OsStr.html#method.display - io::pipe https://doc.rust-lang.org/stable/std/io/fn.pipe.html - io::PipeReader https://doc.rust-lang.org/stable/std/io/struct.PipeReader.html - io::PipeWriter https://doc.rust-lang.org/stable/std/io/struct.PipeWriter.html - impl From<PipeReader> for OwnedHandle https://doc.rust-lang.org/stable/std/os/windows/io/struct.OwnedHandle.html#impl-From%3CPipeReader%3E-for-OwnedHandle - impl From<PipeWriter> for OwnedHandle https://doc.rust-lang.org/stable/std/os/windows/io/struct.OwnedHandle.html#impl-From%3CPipeWriter%3E-for-OwnedHandle - impl 
From for Stdio https://doc.rust-lang.org/stable/std/process/struct.Stdio.html - impl From for Stdio https://doc.rust-lang.org/stable/std/process/struct.Stdio.html#impl-From%3CPipeWriter%3E-for-Stdio - impl From for OwnedFd https://doc.rust-lang.org/stable/std/os/fd/struct.OwnedFd.html#impl-From%3CPipeReader%3E-for-OwnedFd - impl From for OwnedFd https://doc.rust-lang.org/stable/std/os/fd/struct.OwnedFd.html#impl-From%3CPipeWriter%3E-for-OwnedFd - Box>::write https://doc.rust-lang.org/stable/std/boxed/struct.Box.html#method.write - impl TryFrom> for String https://doc.rust-lang.org/stable/std/string/struct.String.html#impl-TryFrom%3CVec%3Cu8%3E%3E-for-String - <*const T>::offset_from_unsigned https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.offset_from_unsigned - <*const T>::byte_offset_from_unsigned https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.byte_offset_from_unsigned - <*mut T>::offset_from_unsigned https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.offset_from_unsigned-1 - <*mut T>::byte_offset_from_unsigned https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.byte_offset_from_unsigned-1 - NonNull::offset_from_unsigned https://doc.rust-lang.org/stable/std/ptr/struct.NonNull.html#method.offset_from_unsigned - NonNull::byte_offset_from_unsigned https://doc.rust-lang.org/stable/std/ptr/struct.NonNull.html#method.byte_offset_from_unsigned - ::cast_signed https://doc.rust-lang.org/stable/std/primitive.usize.html#method.cast_signed - NonZero::::cast_signed https://doc.rust-lang.org/stable/std/num/struct.NonZero.html#method.cast_signed-5). - ::cast_unsigned https://doc.rust-lang.org/stable/std/primitive.isize.html#method.cast_unsigned). - NonZero::::cast_unsigned https://doc.rust-lang.org/stable/std/num/struct.NonZero.html#method.cast_unsigned-5). 
- ::is_multiple_of https://doc.rust-lang.org/stable/std/primitive.usize.html#method.is_multiple_of - ::unbounded_shl https://doc.rust-lang.org/stable/std/primitive.usize.html#method.unbounded_shl - ::unbounded_shr https://doc.rust-lang.org/stable/std/primitive.usize.html#method.unbounded_shr - ::unbounded_shl https://doc.rust-lang.org/stable/std/primitive.isize.html#method.unbounded_shl - ::unbounded_shr https://doc.rust-lang.org/stable/std/primitive.isize.html#method.unbounded_shr - ::midpoint https://doc.rust-lang.org/stable/std/primitive.isize.html#method.midpoint - ::from_utf8 https://doc.rust-lang.org/stable/std/primitive.str.html#method.from_utf8 - ::from_utf8_mut https://doc.rust-lang.org/stable/std/primitive.str.html#method.from_utf8_mut - ::from_utf8_unchecked https://doc.rust-lang.org/stable/std/primitive.str.html#method.from_utf8_unchecked - ::from_utf8_unchecked_mut https://doc.rust-lang.org/stable/std/primitive.str.html#method.from_utf8_unchecked_mut These previously stable APIs are now stable in const contexts: - core::str::from_utf8_mut https://doc.rust-lang.org/stable/std/str/fn.from_utf8_mut.html - <[T]>::copy_from_slice https://doc.rust-lang.org/stable/std/primitive.slice.html#method.copy_from_slice - SocketAddr::set_ip https://doc.rust-lang.org/stable/std/net/enum.SocketAddr.html#method.set_ip - SocketAddr::set_port https://doc.rust-lang.org/stable/std/net/enum.SocketAddr.html#method.set_port - SocketAddrV4::set_ip https://doc.rust-lang.org/stable/std/net/struct.SocketAddrV4.html#method.set_ip - SocketAddrV4::set_port https://doc.rust-lang.org/stable/std/net/struct.SocketAddrV4.html#method.set_port - SocketAddrV6::set_ip https://doc.rust-lang.org/stable/std/net/struct.SocketAddrV6.html#method.set_ip - SocketAddrV6::set_port https://doc.rust-lang.org/stable/std/net/struct.SocketAddrV6.html#method.set_port - SocketAddrV6::set_flowinfo https://doc.rust-lang.org/stable/std/net/struct.SocketAddrV6.html#method.set_flowinfo - SocketAddrV6::set_scope_id 
https://doc.rust-lang.org/stable/std/net/struct.SocketAddrV6.html#method.set_scope_id - char::is_digit https://doc.rust-lang.org/stable/std/primitive.char.html#method.is_digit - char::is_whitespace https://doc.rust-lang.org/stable/std/primitive.char.html#method.is_whitespace) - <[[T; N]]>::as_flattened https://doc.rust-lang.org/stable/std/primitive.slice.html#method.as_flattened - <[[T; N]]>::as_flattened_mut https://doc.rust-lang.org/stable/std/primitive.slice.html#method.as_flattened_mut - String::into_bytes https://doc.rust-lang.org/stable/std/string/struct.String.html#method.into_bytes - String::as_str https://doc.rust-lang.org/stable/std/string/struct.String.html#method.as_str - String::capacity https://doc.rust-lang.org/stable/std/string/struct.String.html#method.capacity - String::as_bytes https://doc.rust-lang.org/stable/std/string/struct.String.html#method.as_bytes - String::len https://doc.rust-lang.org/stable/std/string/struct.String.html#method.len - String::is_empty https://doc.rust-lang.org/stable/std/string/struct.String.html#method.is_empty - String::as_mut_str https://doc.rust-lang.org/stable/std/string/struct.String.html#method.as_mut_str - String::as_mut_vec https://doc.rust-lang.org/stable/std/string/struct.String.html#method.as_mut_vec - Vec::as_ptr https://doc.rust-lang.org/stable/std/vec/struct.Vec.html#method.as_ptr - Vec::as_slice https://doc.rust-lang.org/stable/std/vec/struct.Vec.html#method.as_slice - Vec::capacity https://doc.rust-lang.org/stable/std/vec/struct.Vec.html#method.capacity - Vec::len https://doc.rust-lang.org/stable/std/vec/struct.Vec.html#method.len - Vec::is_empty https://doc.rust-lang.org/stable/std/vec/struct.Vec.html#method.is_empty - Vec::as_mut_slice https://doc.rust-lang.org/stable/std/vec/struct.Vec.html#method.as_mut_slice - Vec::as_mut_ptr https://doc.rust-lang.org/stable/std/vec/struct.Vec.html#method.as_mut_ptr Cargo ----- - Add terminal integration via ANSI OSC 9;4 sequences - chore: bump openssl to v3 - 
feat(package): add --exclude-lockfile flag Compatibility Notes - Rust now raises an error for macro invocations inside the #![crate_name] attribute - Unstable fields are now always considered to be inhabited - Macro arguments of unary operators followed by open beginning ranges may now be matched differently - Make Debug impl of raw pointers print metadata if present - Warn against function pointers using unsupported ABI strings in dependencies - Associated types on dyn types are no longer deduplicated - Forbid attributes on .. inside of struct patterns (let Struct { #[attribute] .. }) = - Make ptr_cast_add_auto_to_object lint into hard error - Many std::arch intrinsics are now safe to call in some contexts, there may now be new unused_unsafe warnings in existing codebases. - Limit width and precision formatting options to 16 bits on all targets - Turn order dependent trait objects future incompat warning into a hard error - Denote ControlFlow as #[must_use - Windows: The standard library no longer links advapi32, except on win7. Code such as C libraries that were relying on this assumption may need to explicitly link advapi32. - Proc macros can no longer observe expanded cfg(true) attributes. - Start changing the internal representation of pasted tokens. Certain invalid declarative macros that were previously accepted in obscure circumstances are now correctly rejected by the compiler. Use of a tt fragment specifier can often fix these macros. - Don't allow flattened format_args in const. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - rust1.87-1.87.0-150300.7.3.1 added - cargo1.87-1.87.0-150300.7.3.1 added - container:registry.suse.com-bci-bci-base-15.7-dde0e654ff7210b2ec2a12a2c047df8fc61e112cd702d19129b98a5885bf0e40-0 updated - cargo1.86-1.86.0-150300.7.5.1 removed - rust1.86-1.86.0-150300.7.5.1 removed From sle-container-updates at lists.suse.com Tue Jul 22 07:03:32 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 22 Jul 2025 09:03:32 +0200 (CEST) Subject: SUSE-CU-2025:5528-1: Security update of containers/milvus Message-ID: <20250722070332.10532FCFE@maintenance.suse.de> SUSE Container Update Advisory: containers/milvus ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5528-1 Container Tags : containers/milvus:2.4 , containers/milvus:2.4.6 , containers/milvus:2.4.6-7.153 Container Release : 7.153 Severity : moderate Type : security References : 1221107 CVE-2024-2236 ----------------------------------------------------------------- The container containers/milvus was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2447-1 Released: Mon Jul 21 16:45:25 2025 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1221107,CVE-2024-2236 This update for libgcrypt fixes the following issues: - CVE-2024-2236: Fixed timing based side-channel in RSA implementation. 
(bsc#1221107) The following package changes have been done: - libgcrypt20-1.10.3-150600.3.9.1 updated From sle-container-updates at lists.suse.com Tue Jul 22 07:03:45 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 22 Jul 2025 09:03:45 +0200 (CEST) Subject: SUSE-CU-2025:5529-1: Security update of containers/pytorch Message-ID: <20250722070345.94AD0FCFE@maintenance.suse.de> SUSE Container Update Advisory: containers/pytorch ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5529-1 Container Tags : containers/pytorch:2-nvidia , containers/pytorch:2.7.0-nvidia , containers/pytorch:2.7.0-nvidia-2.37 Container Release : 2.37 Severity : moderate Type : security References : 1221107 1243767 CVE-2024-2236 CVE-2025-5278 ----------------------------------------------------------------- The container containers/pytorch was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2447-1 Released: Mon Jul 21 16:45:25 2025 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1221107,CVE-2024-2236 This update for libgcrypt fixes the following issues: - CVE-2024-2236: Fixed timing based side-channel in RSA implementation. 
(bsc#1221107) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - libgcrypt20-1.10.3-150600.3.9.1 updated - python311-torch-cuda-2.7.0-150600.2.19 updated - container:registry.suse.com-bci-bci-micro-15.6-9a549e748c45d9a51df94e66c3908ba83233c4796f5f345b7e793229bb6fdea3-0 updated From sle-container-updates at lists.suse.com Tue Jul 22 07:05:17 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 22 Jul 2025 09:05:17 +0200 (CEST) Subject: SUSE-IU-2025:2011-1: Security update of suse/sle-micro/base-5.5 Message-ID: <20250722070517.12794FCFE@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/base-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2011-1 Image Tags : suse/sle-micro/base-5.5:2.0.4 , suse/sle-micro/base-5.5:2.0.4-5.8.188 , suse/sle-micro/base-5.5:latest Image Release : 5.8.188 Severity : moderate Type : security References : 1243772 CVE-2025-48964 ----------------------------------------------------------------- The container suse/sle-micro/base-5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2430-1 Released: Mon Jul 21 13:23:17 2025 Summary: Security update for iputils Type: security Severity: moderate References: 1243772,CVE-2025-48964 This update for iputils fixes the following issues: - CVE-2025-48964: Fixed integer overflow in ping statistics via zero timestamp (bsc#1243772). 
The following package changes have been done: - iputils-20221126-150500.3.14.1 updated From sle-container-updates at lists.suse.com Tue Jul 22 07:13:10 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 22 Jul 2025 09:13:10 +0200 (CEST) Subject: SUSE-CU-2025:5531-1: Security update of suse/sle-micro/5.3/toolbox Message-ID: <20250722071310.2A8FFF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.3/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5531-1 Container Tags : suse/sle-micro/5.3/toolbox:14.2 , suse/sle-micro/5.3/toolbox:14.2-6.11.158 , suse/sle-micro/5.3/toolbox:latest Container Release : 6.11.158 Severity : moderate Type : security References : 1243772 CVE-2025-48964 ----------------------------------------------------------------- The container suse/sle-micro/5.3/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2431-1 Released: Mon Jul 21 13:23:37 2025 Summary: Security update for iputils Type: security Severity: moderate References: 1243772,CVE-2025-48964 This update for iputils fixes the following issues: - CVE-2025-48964: Fixed integer overflow in ping statistics via zero timestamp (bsc#1243772). 
The following package changes have been done: - iputils-20211215-150400.3.22.1 updated From sle-container-updates at lists.suse.com Tue Jul 22 07:15:50 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 22 Jul 2025 09:15:50 +0200 (CEST) Subject: SUSE-CU-2025:5532-1: Security update of suse/sle-micro-rancher/5.4 Message-ID: <20250722071550.80D73F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro-rancher/5.4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5532-1 Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.26 , suse/sle-micro-rancher/5.4:latest Container Release : 4.5.26 Severity : moderate Type : security References : 1243772 CVE-2025-48964 ----------------------------------------------------------------- The container suse/sle-micro-rancher/5.4 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2431-1 Released: Mon Jul 21 13:23:37 2025 Summary: Security update for iputils Type: security Severity: moderate References: 1243772,CVE-2025-48964 This update for iputils fixes the following issues: - CVE-2025-48964: Fixed integer overflow in ping statistics via zero timestamp (bsc#1243772). 
The following package changes have been done: - iputils-20211215-150400.3.22.1 updated From sle-container-updates at lists.suse.com Tue Jul 22 07:17:21 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 22 Jul 2025 09:17:21 +0200 (CEST) Subject: SUSE-CU-2025:5534-1: Recommended update of suse/ltss/sle15.3/sle15 Message-ID: <20250722071721.1491BF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle15.3/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5534-1 Container Tags : suse/ltss/sle15.3/bci-base:15.3 , suse/ltss/sle15.3/bci-base:15.3.2.106 , suse/ltss/sle15.3/bci-base:latest , suse/ltss/sle15.3/sle15:15.3 , suse/ltss/sle15.3/sle15:15.3.2.106 , suse/ltss/sle15.3/sle15:latest Container Release : 2.106 Severity : moderate Type : recommended References : ----------------------------------------------------------------- The container suse/ltss/sle15.3/sle15 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2453-1 Released: Mon Jul 21 20:04:02 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: This update for container-suseconnect fixes the following issues: - Do not log credentials errors - Switch to the go native fips 140-3 module The following package changes have been done: - container-suseconnect-2.5.5-150000.4.67.1 updated From sle-container-updates at lists.suse.com Tue Jul 22 07:18:43 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 22 Jul 2025 09:18:43 +0200 (CEST) Subject: SUSE-CU-2025:5536-1: Recommended update of suse/ltss/sle15.4/sle15 Message-ID: <20250722071843.E2230F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle15.4/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5536-1 Container Tags : suse/ltss/sle15.4/bci-base:15.4 , suse/ltss/sle15.4/bci-base:15.4.2.55 , suse/ltss/sle15.4/bci-base:latest , suse/ltss/sle15.4/sle15:15.4 , suse/ltss/sle15.4/sle15:15.4.2.55 , suse/ltss/sle15.4/sle15:latest Container Release : 2.55 Severity : moderate Type : recommended References : ----------------------------------------------------------------- The container suse/ltss/sle15.4/sle15 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2453-1 Released: Mon Jul 21 20:04:02 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: This update for container-suseconnect fixes the following issues: - Do not log credentials errors - Switch to the go native fips 140-3 module The following package changes have been done: - container-suseconnect-2.5.5-150000.4.67.1 updated From sle-container-updates at lists.suse.com Tue Jul 22 07:21:27 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 22 Jul 2025 09:21:27 +0200 (CEST) Subject: SUSE-CU-2025:5537-1: Security update of suse/ltss/sle15.5/sle15 Message-ID: <20250722072127.3C344F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle15.5/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5537-1 Container Tags : suse/ltss/sle15.5/bci-base:15.5 , suse/ltss/sle15.5/bci-base:15.5-5.12 , suse/ltss/sle15.5/sle15:15.5 , suse/ltss/sle15.5/sle15:15.5-5.12 , suse/ltss/sle15.5/sle15:latest Container Release : 5.12 Severity : moderate Type : security References : 1242844 1243767 CVE-2025-4373 CVE-2025-5278 ----------------------------------------------------------------- The container suse/ltss/sle15.5/sle15 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2375-1 Released: Fri Jul 18 15:16:14 2025 Summary: Security update for glib2 Type: security Severity: moderate References: 1242844,CVE-2025-4373 This update for glib2 fixes the following issues: - CVE-2025-4373: integer overflow in the `g_string_insert_unichar()` function can lead to buffer underwrite and memory corruption (bsc#1242844). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2453-1 Released: Mon Jul 21 20:04:02 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: This update for container-suseconnect fixes the following issues: - Do not log credentials errors - Switch to the go native fips 140-3 module The following package changes have been done: - container-suseconnect-2.5.5-150000.4.67.1 updated - coreutils-8.32-150400.9.9.1 updated - libglib-2_0-0-2.70.5-150400.3.23.1 updated From sle-container-updates at lists.suse.com Tue Jul 22 07:22:28 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 22 Jul 2025 09:22:28 +0200 (CEST) Subject: SUSE-CU-2025:5538-1: Security update of suse/hpc/warewulf4-x86_64/sle-hpc-node Message-ID: <20250722072228.787F9F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/hpc/warewulf4-x86_64/sle-hpc-node ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5538-1 Container Tags : 
suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6 , suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6.17.8.82 , suse/hpc/warewulf4-x86_64/sle-hpc-node:latest Container Release : 17.8.82 Severity : important Type : security References : 1221107 1243450 1243767 1243772 1244553 CVE-2024-2236 CVE-2024-23337 CVE-2025-48964 CVE-2025-5278 ----------------------------------------------------------------- The container suse/hpc/warewulf4-x86_64/sle-hpc-node was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2327-1 Released: Wed Jul 16 09:05:37 2025 Summary: Recommended update for sysstat Type: recommended Severity: important References: 1244553 This update for sysstat fixes the following issues: - Find command option -H added in /usr/lib64/sa/sa2. - Automatically enable systemd timers upon installation (bsc#1244553). - Determine whether the current readahead window tuning is appropriate for contemporary hardware (PED#12914). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2384-1 Released: Fri Jul 18 18:45:53 2025 Summary: Security update for jq Type: security Severity: moderate References: 1243450,CVE-2024-23337 This update for jq fixes the following issues: - CVE-2024-23337: Fixed signed integer overflow in jv.c:jvp_array_write (bsc#1243450). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2430-1 Released: Mon Jul 21 13:23:17 2025 Summary: Security update for iputils Type: security Severity: moderate References: 1243772,CVE-2025-48964 This update for iputils fixes the following issues: - CVE-2025-48964: Fixed integer overflow in ping statistics via zero timestamp (bsc#1243772). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2447-1 Released: Mon Jul 21 16:45:25 2025 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1221107,CVE-2024-2236 This update for libgcrypt fixes the following issues: - CVE-2024-2236: Fixed timing based side-channel in RSA implementation. (bsc#1221107) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2453-1 Released: Mon Jul 21 20:04:02 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: This update for container-suseconnect fixes the following issues: - Do not log credentials errors - Switch to the go native fips 140-3 module The following package changes have been done: - container-suseconnect-2.5.5-150000.4.67.1 updated - coreutils-8.32-150400.9.9.1 updated - iputils-20221126-150500.3.14.1 updated - jq-1.6-150000.3.6.1 updated - libgcrypt20-1.10.3-150600.3.9.1 updated - libjq1-1.6-150000.3.6.1 updated - sysstat-12.0.2-150000.3.45.3 updated From sle-container-updates at lists.suse.com Tue Jul 22 07:22:54 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 22 Jul 2025 09:22:54 +0200 (CEST) Subject: SUSE-CU-2025:5539-1: Security update of bci/bci-minimal Message-ID: <20250722072254.BE537F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-minimal ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5539-1 Container Tags : bci/bci-minimal:15.6 , 
bci/bci-minimal:15.6.39.3 Container Release : 39.3 Severity : moderate Type : security References : 1221107 CVE-2024-2236 ----------------------------------------------------------------- The container bci/bci-minimal was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2447-1 Released: Mon Jul 21 16:45:25 2025 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1221107,CVE-2024-2236 This update for libgcrypt fixes the following issues: - CVE-2024-2236: Fixed timing based side-channel in RSA implementation. (bsc#1221107) The following package changes have been done: - libgcrypt20-1.10.3-150600.3.9.1 updated From sle-container-updates at lists.suse.com Tue Jul 22 07:23:32 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 22 Jul 2025 09:23:32 +0200 (CEST) Subject: SUSE-CU-2025:5540-1: Security update of suse/mariadb Message-ID: <20250722072332.6B8F0F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/mariadb ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5540-1 Container Tags : suse/mariadb:10.11 , suse/mariadb:10.11.11 , suse/mariadb:10.11.11-68.24 Container Release : 68.24 Severity : moderate Type : security References : 1221107 CVE-2024-2236 ----------------------------------------------------------------- The container suse/mariadb was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2447-1 Released: Mon Jul 21 16:45:25 2025 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1221107,CVE-2024-2236 This update for libgcrypt fixes the following issues: - CVE-2024-2236: Fixed timing based side-channel in RSA implementation. 
(bsc#1221107) The following package changes have been done: - libgcrypt20-1.10.3-150600.3.9.1 updated From sle-container-updates at lists.suse.com Tue Jul 22 07:25:36 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 22 Jul 2025 09:25:36 +0200 (CEST) Subject: SUSE-CU-2025:5541-1: Security update of suse/sle15 Message-ID: <20250722072536.BCA74F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5541-1 Container Tags : bci/bci-base:15.6 , bci/bci-base:15.6.47.23.14 , suse/sle15:15.6 , suse/sle15:15.6.47.23.14 Container Release : 47.23.14 Severity : moderate Type : security References : 1221107 CVE-2024-2236 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2447-1 Released: Mon Jul 21 16:45:25 2025 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1221107,CVE-2024-2236 This update for libgcrypt fixes the following issues: - CVE-2024-2236: Fixed timing based side-channel in RSA implementation. 
(bsc#1221107) The following package changes have been done: - libgcrypt20-1.10.3-150600.3.9.1 updated From sle-container-updates at lists.suse.com Tue Jul 22 07:25:37 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 22 Jul 2025 09:25:37 +0200 (CEST) Subject: SUSE-CU-2025:5542-1: Recommended update of suse/sle15 Message-ID: <20250722072537.935C4F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5542-1 Container Tags : bci/bci-base:15.6 , bci/bci-base:15.6.47.23.15 , suse/sle15:15.6 , suse/sle15:15.6.47.23.15 Container Release : 47.23.15 Severity : moderate Type : recommended References : ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2453-1 Released: Mon Jul 21 20:04:02 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: This update for container-suseconnect fixes the following issues: - Do not log credentials errors - Switch to the go native fips 140-3 module The following package changes have been done: - container-suseconnect-2.5.5-150000.4.67.1 updated From sle-container-updates at lists.suse.com Tue Jul 22 07:27:37 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 22 Jul 2025 09:27:37 +0200 (CEST) Subject: SUSE-CU-2025:5557-1: Recommended update of suse/sle15 Message-ID: <20250722072737.6216AF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5557-1 Container Tags : bci/bci-base:15.7 , bci/bci-base:15.7-5.8.15 , bci/bci-base:latest , suse/sle15:15.7 , 
suse/sle15:15.7-5.8.15 , suse/sle15:latest Container Release : 5.8.15 Severity : moderate Type : recommended References : ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2453-1 Released: Mon Jul 21 20:04:02 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: This update for container-suseconnect fixes the following issues: - Do not log credentials errors - Switch to the go native fips 140-3 module The following package changes have been done: - container-suseconnect-2.5.5-150000.4.67.1 updated From sle-container-updates at lists.suse.com Tue Jul 22 07:34:42 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 22 Jul 2025 09:34:42 +0200 (CEST) Subject: SUSE-CU-2025:5563-1: Recommended update of suse/sle-micro/5.1/toolbox Message-ID: <20250722073442.75AE2F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.1/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5563-1 Container Tags : suse/sle-micro/5.1/toolbox:14.2 , suse/sle-micro/5.1/toolbox:14.2-3.13.150 , suse/sle-micro/5.1/toolbox:latest Container Release : 3.13.150 Severity : moderate Type : recommended References : ----------------------------------------------------------------- The container suse/sle-micro/5.1/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2453-1 Released: Mon Jul 21 20:04:02 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: This update for container-suseconnect fixes the following issues: - Do not log credentials errors - Switch to the go native fips 140-3 module The following package changes have been done: - container-suseconnect-2.5.5-150000.4.67.1 updated From sle-container-updates at lists.suse.com Tue Jul 22 07:36:25 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 22 Jul 2025 09:36:25 +0200 (CEST) Subject: SUSE-CU-2025:5564-1: Recommended update of suse/sle-micro/5.2/toolbox Message-ID: <20250722073625.A8365F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5564-1 Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.152 , suse/sle-micro/5.2/toolbox:latest Container Release : 7.11.152 Severity : moderate Type : recommended References : ----------------------------------------------------------------- The container suse/sle-micro/5.2/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2453-1 Released: Mon Jul 21 20:04:02 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: This update for container-suseconnect fixes the following issues: - Do not log credentials errors - Switch to the go native fips 140-3 module The following package changes have been done: - container-suseconnect-2.5.5-150000.4.67.1 updated From sle-container-updates at lists.suse.com Tue Jul 22 09:21:57 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 22 Jul 2025 11:21:57 +0200 (CEST) Subject: SUSE-CU-2025:5565-1: Security update of containers/open-webui Message-ID: <20250722092157.C7A32FCFE@maintenance.suse.de> SUSE Container Update Advisory: containers/open-webui ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5565-1 Container Tags : containers/open-webui:0 , containers/open-webui:0.6.9 , containers/open-webui:0.6.9-10.44 Container Release : 10.44 Severity : moderate Type : security References : 1221107 CVE-2024-2236 ----------------------------------------------------------------- The container containers/open-webui was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2447-1 Released: Mon Jul 21 16:45:25 2025 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1221107,CVE-2024-2236 This update for libgcrypt fixes the following issues: - CVE-2024-2236: Fixed timing based side-channel in RSA implementation. 
(bsc#1221107) The following package changes have been done: - libgcrypt20-1.10.3-150600.3.9.1 updated - container:registry.suse.com-bci-bci-base-15.6-718af526cd89ac1ef3accb86454e25aecf5d13c19f2431820cdf47dd755783f0-0 updated From sle-container-updates at lists.suse.com Tue Jul 22 09:24:44 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 22 Jul 2025 11:24:44 +0200 (CEST) Subject: SUSE-CU-2025:5566-1: Recommended update of suse/sle-micro/5.3/toolbox Message-ID: <20250722092444.87394FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.3/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5566-1 Container Tags : suse/sle-micro/5.3/toolbox:14.2 , suse/sle-micro/5.3/toolbox:14.2-6.11.159 , suse/sle-micro/5.3/toolbox:latest Container Release : 6.11.159 Severity : moderate Type : recommended References : ----------------------------------------------------------------- The container suse/sle-micro/5.3/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2453-1 Released: Mon Jul 21 20:04:02 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: This update for container-suseconnect fixes the following issues: - Do not log credentials errors - Switch to the go native fips 140-3 module The following package changes have been done: - container-suseconnect-2.5.5-150000.4.67.1 updated From sle-container-updates at lists.suse.com Tue Jul 22 09:26:24 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 22 Jul 2025 11:26:24 +0200 (CEST) Subject: SUSE-CU-2025:5567-1: Security update of suse/sle-micro/5.4/toolbox Message-ID: <20250722092624.CDCF0FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.4/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5567-1 Container Tags : suse/sle-micro/5.4/toolbox:14.2 , suse/sle-micro/5.4/toolbox:14.2-5.19.159 , suse/sle-micro/5.4/toolbox:latest Container Release : 5.19.159 Severity : moderate Type : security References : 1243772 CVE-2025-48964 ----------------------------------------------------------------- The container suse/sle-micro/5.4/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2431-1 Released: Mon Jul 21 13:23:37 2025 Summary: Security update for iputils Type: security Severity: moderate References: 1243772,CVE-2025-48964 This update for iputils fixes the following issues: - CVE-2025-48964: Fixed integer overflow in ping statistics via zero timestamp (bsc#1243772). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2453-1 Released: Mon Jul 21 20:04:02 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: This update for container-suseconnect fixes the following issues: - Do not log credentials errors - Switch to the go native fips 140-3 module The following package changes have been done: - container-suseconnect-2.5.5-150000.4.67.1 updated - iputils-20211215-150400.3.22.1 updated From sle-container-updates at lists.suse.com Tue Jul 22 09:27:50 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 22 Jul 2025 11:27:50 +0200 (CEST) Subject: SUSE-CU-2025:5568-1: Recommended update of suse/sle-micro/5.5/toolbox Message-ID: <20250722092750.A7CE5FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.5/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5568-1 Container Tags : suse/sle-micro/5.5/toolbox:14.2 , suse/sle-micro/5.5/toolbox:14.2-3.12.63 , suse/sle-micro/5.5/toolbox:latest Container Release : 3.12.63 Severity : moderate Type : recommended References : ----------------------------------------------------------------- The container suse/sle-micro/5.5/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2453-1 Released: Mon Jul 21 20:04:02 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: This update for container-suseconnect fixes the following issues: - Do not log credentials errors - Switch to the go native fips 140-3 module The following package changes have been done: - container-suseconnect-2.5.5-150000.4.67.1 updated From sle-container-updates at lists.suse.com Tue Jul 22 09:31:40 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 22 Jul 2025 11:31:40 +0200 (CEST) Subject: SUSE-CU-2025:5570-1: Security update of bci/bci-init Message-ID: <20250722093140.3C80CFCFE@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-init ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5570-1 Container Tags : bci/bci-init:15.6 , bci/bci-init:15.6.44.27 Container Release : 44.27 Severity : moderate Type : security References : 1221107 CVE-2024-2236 ----------------------------------------------------------------- The container bci/bci-init was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2447-1 Released: Mon Jul 21 16:45:25 2025 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1221107,CVE-2024-2236 This update for libgcrypt fixes the following issues: - CVE-2024-2236: Fixed timing based side-channel in RSA implementation. 
(bsc#1221107) The following package changes have been done: - libgcrypt20-1.10.3-150600.3.9.1 updated - container:registry.suse.com-bci-bci-base-15.6-718af526cd89ac1ef3accb86454e25aecf5d13c19f2431820cdf47dd755783f0-0 updated From sle-container-updates at lists.suse.com Tue Jul 22 09:32:37 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 22 Jul 2025 11:32:37 +0200 (CEST) Subject: SUSE-CU-2025:5571-1: Security update of bci/python Message-ID: <20250722093237.1B53AFCFE@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5571-1 Container Tags : bci/python:3 , bci/python:3.12 , bci/python:3.12.11 , bci/python:3.12.11-71.5 Container Release : 71.5 Severity : moderate Type : security References : 1221107 CVE-2024-2236 ----------------------------------------------------------------- The container bci/python was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2447-1 Released: Mon Jul 21 16:45:25 2025 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1221107,CVE-2024-2236 This update for libgcrypt fixes the following issues: - CVE-2024-2236: Fixed timing based side-channel in RSA implementation. 
(bsc#1221107) The following package changes have been done: - libgcrypt20-1.10.3-150600.3.9.1 updated - container:registry.suse.com-bci-bci-base-15.6-718af526cd89ac1ef3accb86454e25aecf5d13c19f2431820cdf47dd755783f0-0 updated From sle-container-updates at lists.suse.com Tue Jul 22 09:35:02 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 22 Jul 2025 11:35:02 +0200 (CEST) Subject: SUSE-CU-2025:5572-1: Security update of bci/bci-sle15-kernel-module-devel Message-ID: <20250722093502.ABD3CFCFE@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5572-1 Container Tags : bci/bci-sle15-kernel-module-devel:15.6 , bci/bci-sle15-kernel-module-devel:15.6.44.30 Container Release : 44.30 Severity : moderate Type : security References : 1221107 CVE-2024-2236 ----------------------------------------------------------------- The container bci/bci-sle15-kernel-module-devel was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2447-1 Released: Mon Jul 21 16:45:25 2025 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1221107,CVE-2024-2236 This update for libgcrypt fixes the following issues: - CVE-2024-2236: Fixed timing based side-channel in RSA implementation. 
(bsc#1221107) The following package changes have been done: - libgcrypt20-1.10.3-150600.3.9.1 updated - container:registry.suse.com-bci-bci-base-15.6-718af526cd89ac1ef3accb86454e25aecf5d13c19f2431820cdf47dd755783f0-0 updated From sle-container-updates at lists.suse.com Tue Jul 22 09:36:01 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 22 Jul 2025 11:36:01 +0200 (CEST) Subject: SUSE-CU-2025:5573-1: Security update of bci/spack Message-ID: <20250722093601.817E6FCFE@maintenance.suse.de> SUSE Container Update Advisory: bci/spack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5573-1 Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-11.26 Container Release : 11.26 Severity : moderate Type : security References : 1221107 CVE-2024-2236 ----------------------------------------------------------------- The container bci/spack was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2447-1 Released: Mon Jul 21 16:45:25 2025 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1221107,CVE-2024-2236 This update for libgcrypt fixes the following issues: - CVE-2024-2236: Fixed timing based side-channel in RSA implementation. 
(bsc#1221107) The following package changes have been done: - libgcrypt20-1.10.3-150600.3.9.1 updated - container:registry.suse.com-bci-bci-base-15.6-718af526cd89ac1ef3accb86454e25aecf5d13c19f2431820cdf47dd755783f0-0 updated From sle-container-updates at lists.suse.com Tue Jul 22 09:38:44 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 22 Jul 2025 11:38:44 +0200 (CEST) Subject: SUSE-CU-2025:5595-1: Security update of suse/valkey Message-ID: <20250722093844.97215FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/valkey ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5595-1 Container Tags : suse/valkey:8 , suse/valkey:8.0 , suse/valkey:8.0.2 , suse/valkey:8.0.2-61.23 , suse/valkey:latest Container Release : 61.23 Severity : moderate Type : security References : 1243767 CVE-2025-5278 ----------------------------------------------------------------- The container suse/valkey was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) The following package changes have been done: - coreutils-8.32-150400.9.9.1 updated - container:suse-sle15-15.7-bbfaca64229cf417cbfc693ecc395e192fde8d7dccdf5e724bb196e22ca6e174-0 updated - container:registry.suse.com-bci-bci-micro-15.7-83a881a41ea31cd0e8edae1e3893c1e645ad112da30e2e9489718b11f43c4c4f-0 updated From sle-container-updates at lists.suse.com Wed Jul 23 07:08:37 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 23 Jul 2025 09:08:37 +0200 (CEST) Subject: SUSE-CU-2025:5597-1: Security update of suse/sle-micro/5.3/toolbox Message-ID: <20250723070837.4B942FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.3/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5597-1 Container Tags : suse/sle-micro/5.3/toolbox:14.2 , suse/sle-micro/5.3/toolbox:14.2-6.11.161 , suse/sle-micro/5.3/toolbox:latest Container Release : 6.11.161 Severity : moderate Type : security References : 1221107 CVE-2024-2236 ----------------------------------------------------------------- The container suse/sle-micro/5.3/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2464-1 Released: Tue Jul 22 13:40:15 2025 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1221107,CVE-2024-2236 This update for libgcrypt fixes the following issues: - CVE-2024-2236: timing-based side-channel flaw in RSA implementation can lead to decryption of RSA ciphertexts (bsc#1221107). The following package changes have been done: - libgcrypt20-hmac-1.9.4-150400.6.11.1 updated - libgcrypt20-1.9.4-150400.6.11.1 updated From sle-container-updates at lists.suse.com Wed Jul 23 07:11:04 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 23 Jul 2025 09:11:04 +0200 (CEST) Subject: SUSE-CU-2025:5598-1: Security update of suse/sle-micro-rancher/5.4 Message-ID: <20250723071104.B24B4FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro-rancher/5.4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5598-1 Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.28 , suse/sle-micro-rancher/5.4:latest Container Release : 4.5.28 Severity : moderate Type : security References : 1221107 CVE-2024-2236 ----------------------------------------------------------------- The container suse/sle-micro-rancher/5.4 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2464-1 Released: Tue Jul 22 13:40:15 2025 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1221107,CVE-2024-2236 This update for libgcrypt fixes the following issues: - CVE-2024-2236: timing-based side-channel flaw in RSA implementation can lead to decryption of RSA ciphertexts (bsc#1221107). 
The following package changes have been done: - libgcrypt20-1.9.4-150400.6.11.1 updated From sle-container-updates at lists.suse.com Wed Jul 23 07:12:37 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 23 Jul 2025 09:12:37 +0200 (CEST) Subject: SUSE-CU-2025:5599-1: Security update of suse/sle-micro/5.4/toolbox Message-ID: <20250723071237.67278F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.4/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5599-1 Container Tags : suse/sle-micro/5.4/toolbox:14.2 , suse/sle-micro/5.4/toolbox:14.2-5.19.161 , suse/sle-micro/5.4/toolbox:latest Container Release : 5.19.161 Severity : moderate Type : security References : 1221107 CVE-2024-2236 ----------------------------------------------------------------- The container suse/sle-micro/5.4/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2464-1 Released: Tue Jul 22 13:40:15 2025 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1221107,CVE-2024-2236 This update for libgcrypt fixes the following issues: - CVE-2024-2236: timing-based side-channel flaw in RSA implementation can lead to decryption of RSA ciphertexts (bsc#1221107). 
The following package changes have been done: - libgcrypt20-hmac-1.9.4-150400.6.11.1 updated - libgcrypt20-1.9.4-150400.6.11.1 updated From sle-container-updates at lists.suse.com Wed Jul 23 07:13:35 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 23 Jul 2025 09:13:35 +0200 (CEST) Subject: SUSE-CU-2025:5600-1: Security update of suse/ltss/sle15.4/sle15 Message-ID: <20250723071335.47005F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle15.4/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5600-1 Container Tags : suse/ltss/sle15.4/bci-base:15.4 , suse/ltss/sle15.4/bci-base:15.4.2.56 , suse/ltss/sle15.4/bci-base:latest , suse/ltss/sle15.4/sle15:15.4 , suse/ltss/sle15.4/sle15:15.4.2.56 , suse/ltss/sle15.4/sle15:latest Container Release : 2.56 Severity : moderate Type : security References : 1221107 CVE-2024-2236 ----------------------------------------------------------------- The container suse/ltss/sle15.4/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2464-1 Released: Tue Jul 22 13:40:15 2025 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1221107,CVE-2024-2236 This update for libgcrypt fixes the following issues: - CVE-2024-2236: timing-based side-channel flaw in RSA implementation can lead to decryption of RSA ciphertexts (bsc#1221107). 
The following package changes have been done: - libgcrypt20-hmac-1.9.4-150400.6.11.1 updated - libgcrypt20-1.9.4-150400.6.11.1 updated From sle-container-updates at lists.suse.com Wed Jul 23 07:17:16 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 23 Jul 2025 09:17:16 +0200 (CEST) Subject: SUSE-CU-2025:5602-1: Recommended update of suse/kiosk/pulseaudio Message-ID: <20250723071716.9554DF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/pulseaudio ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5602-1 Container Tags : suse/kiosk/pulseaudio:17 , suse/kiosk/pulseaudio:17.0 , suse/kiosk/pulseaudio:17.0-61.26 , suse/kiosk/pulseaudio:latest Container Release : 61.26 Severity : moderate Type : recommended References : ----------------------------------------------------------------- The container suse/kiosk/pulseaudio was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2465-1 Released: Tue Jul 22 13:55:21 2025 Summary: Recommended update for llvm19 Type: recommended Severity: moderate References: This update for llvm19 fixes the following issues: - Enable build of libc++ for ppc64le - Enable build of libc++ and openmp for riscv64 The following package changes have been done: - libLLVM19-19.1.7-150700.3.3.1 updated From sle-container-updates at lists.suse.com Wed Jul 23 07:17:21 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 23 Jul 2025 09:17:21 +0200 (CEST) Subject: SUSE-CU-2025:5603-1: Recommended update of suse/kiosk/xorg Message-ID: <20250723071721.AB325F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/xorg ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5603-1 Container Tags : suse/kiosk/xorg:21 , 
suse/kiosk/xorg:21.1 , suse/kiosk/xorg:21.1-63.17 , suse/kiosk/xorg:latest , suse/kiosk/xorg:notaskbar Container Release : 63.17 Severity : moderate Type : recommended References : ----------------------------------------------------------------- The container suse/kiosk/xorg was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2465-1 Released: Tue Jul 22 13:55:21 2025 Summary: Recommended update for llvm19 Type: recommended Severity: moderate References: This update for llvm19 fixes the following issues: - Enable build of libc++ for ppc64le - Enable build of libc++ and openmp for riscv64 The following package changes have been done: - libLLVM19-19.1.7-150700.3.3.1 updated - container:suse-sle15-15.7-bbfaca64229cf417cbfc693ecc395e192fde8d7dccdf5e724bb196e22ca6e174-0 updated From sle-container-updates at lists.suse.com Wed Jul 23 07:18:42 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 23 Jul 2025 09:18:42 +0200 (CEST) Subject: SUSE-CU-2025:5604-1: Security update of suse/manager/4.3/proxy-httpd Message-ID: <20250723071842.310BDF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5604-1 Container Tags : suse/manager/4.3/proxy-httpd:4.3.15 , suse/manager/4.3/proxy-httpd:4.3.15.9.63.48 , suse/manager/4.3/proxy-httpd:latest Container Release : 9.63.48 Severity : moderate Type : security References : 1221107 CVE-2024-2236 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-httpd was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2464-1 Released: Tue Jul 22 13:40:15 2025 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1221107,CVE-2024-2236 This update for libgcrypt fixes the following issues: - CVE-2024-2236: timing-based side-channel flaw in RSA implementation can lead to decryption of RSA ciphertexts (bsc#1221107). The following package changes have been done: - libgcrypt20-1.9.4-150400.6.11.1 updated - libgcrypt20-hmac-1.9.4-150400.6.11.1 updated - container:sles15-ltss-image-15.4.0-2.56 updated From sle-container-updates at lists.suse.com Wed Jul 23 07:19:35 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 23 Jul 2025 09:19:35 +0200 (CEST) Subject: SUSE-CU-2025:5605-1: Security update of suse/manager/4.3/proxy-salt-broker Message-ID: <20250723071935.CB8B0F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-salt-broker ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5605-1 Container Tags : suse/manager/4.3/proxy-salt-broker:4.3.15 , suse/manager/4.3/proxy-salt-broker:4.3.15.9.53.59 , suse/manager/4.3/proxy-salt-broker:latest Container Release : 9.53.59 Severity : moderate Type : security References : 1221107 CVE-2024-2236 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-salt-broker was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2464-1 Released: Tue Jul 22 13:40:15 2025 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1221107,CVE-2024-2236 This update for libgcrypt fixes the following issues: - CVE-2024-2236: timing-based side-channel flaw in RSA implementation can lead to decryption of RSA ciphertexts (bsc#1221107). The following package changes have been done: - libgcrypt20-1.9.4-150400.6.11.1 updated - libgcrypt20-hmac-1.9.4-150400.6.11.1 updated - container:sles15-ltss-image-15.4.0-2.56 updated From sle-container-updates at lists.suse.com Wed Jul 23 07:21:18 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 23 Jul 2025 09:21:18 +0200 (CEST) Subject: SUSE-CU-2025:5607-1: Security update of suse/manager/4.3/proxy-ssh Message-ID: <20250723072118.EFA19F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-ssh ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5607-1 Container Tags : suse/manager/4.3/proxy-ssh:4.3.15 , suse/manager/4.3/proxy-ssh:4.3.15.9.53.33 , suse/manager/4.3/proxy-ssh:latest Container Release : 9.53.33 Severity : moderate Type : security References : 1221107 CVE-2024-2236 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-ssh was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2464-1 Released: Tue Jul 22 13:40:15 2025 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1221107,CVE-2024-2236 This update for libgcrypt fixes the following issues: - CVE-2024-2236: timing-based side-channel flaw in RSA implementation can lead to decryption of RSA ciphertexts (bsc#1221107). 
The following package changes have been done: - libgcrypt20-1.9.4-150400.6.11.1 updated - libgcrypt20-hmac-1.9.4-150400.6.11.1 updated - container:sles15-ltss-image-15.4.0-2.56 updated From sle-container-updates at lists.suse.com Wed Jul 23 20:08:32 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 23 Jul 2025 22:08:32 +0200 (CEST) Subject: SUSE-IU-2025:2023-1: Security update of suse/sl-micro/6.0/base-os-container Message-ID: <20250723200832.26809FCFE@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2023-1 Image Tags : suse/sl-micro/6.0/base-os-container:2.1.3 , suse/sl-micro/6.0/base-os-container:2.1.3-7.27 , suse/sl-micro/6.0/base-os-container:latest Image Release : 7.27 Severity : important Type : security References : 1216091 1218459 1241052 1243772 CVE-2025-48964 ----------------------------------------------------------------- The container suse/sl-micro/6.0/base-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 388 Released: Mon Jul 21 11:01:26 2025 Summary: Recommended update for rpm Type: recommended Severity: important References: 1216091,1218459,1241052 This update for rpm fixes the following issues: - fix --runposttrans not working correctly with the --root option [bsc#1216091] * added 'rpm_fixed_runposttrans' provides for libzypp - print scriptlet messages in --runposttrans * needed to fix leaking tmp files [bsc#1218459] - fix memory leak in str2locale [bsc#1241052] ----------------------------------------------------------------- Advisory ID: 390 Released: Mon Jul 21 12:04:01 2025 Summary: Security update for iputils Type: security Severity: moderate References: 1243772,CVE-2025-48964 This update for iputils fixes the following issues: - CVE-2025-48964: Fixed integer overflow in ping statistics via zero timestamp (bsc#1243772) The following package changes have been done: - rpm-4.18.0-7.1 updated - iputils-20221126-6.1 updated - SL-Micro-release-6.0-25.36 updated - libzypp-17.37.12-1.1 updated - container:suse-toolbox-image-1.0.0-9.15 updated From sle-container-updates at lists.suse.com Wed Jul 23 20:11:31 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 23 Jul 2025 22:11:31 +0200 (CEST) Subject: SUSE-CU-2025:5609-1: Security update of bci/nodejs Message-ID: <20250723201131.2302DFCFE@maintenance.suse.de> SUSE Container Update Advisory: bci/nodejs ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5609-1 Container Tags : bci/node:20 , bci/node:20.19.2 , bci/node:20.19.2-54.25 , bci/nodejs:20 , bci/nodejs:20.19.2 , bci/nodejs:20.19.2-54.25 Container Release : 54.25 Severity : moderate Type : security References : 1221107 CVE-2024-2236 ----------------------------------------------------------------- The container bci/nodejs was 
updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2447-1 Released: Mon Jul 21 16:45:25 2025 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1221107,CVE-2024-2236 This update for libgcrypt fixes the following issues: - CVE-2024-2236: Fixed timing based side-channel in RSA implementation. (bsc#1221107) The following package changes have been done: - libgcrypt20-1.10.3-150600.3.9.1 updated - container:registry.suse.com-bci-bci-base-15.6-718af526cd89ac1ef3accb86454e25aecf5d13c19f2431820cdf47dd755783f0-0 updated From sle-container-updates at lists.suse.com Wed Jul 23 20:12:52 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 23 Jul 2025 22:12:52 +0200 (CEST) Subject: SUSE-CU-2025:5611-1: Security update of bci/php-apache Message-ID: <20250723201252.8FF76FCFE@maintenance.suse.de> SUSE Container Update Advisory: bci/php-apache ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5611-1 Container Tags : bci/php-apache:8 , bci/php-apache:8.3.23 , bci/php-apache:8.3.23-11.8 , bci/php-apache:latest Container Release : 11.8 Severity : important Type : security References : 1246146 1246148 1246167 CVE-2025-1220 CVE-2025-1735 CVE-2025-6491 ----------------------------------------------------------------- The container bci/php-apache was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2462-1 Released: Tue Jul 22 10:40:57 2025 Summary: Security update for php8 Type: security Severity: important References: 1246146,1246148,1246167,CVE-2025-1220,CVE-2025-1735,CVE-2025-6491 This update for php8 fixes the following issues: Version update to 8.3.23: - CVE-2025-1220: Fixed null byte termination in hostnames (bsc#1246167) - CVE-2025-1735: Fixed pgsql extension does not check for errors during escaping (bsc#1246146) - CVE-2025-6491: Fixed NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix (bsc#1246148) The following package changes have been done: - php8-cli-8.3.23-150700.3.3.1 updated - php8-8.3.23-150700.3.3.1 updated - apache2-mod_php8-8.3.23-150700.3.3.1 updated - php8-openssl-8.3.23-150700.3.3.1 updated - php8-mbstring-8.3.23-150700.3.3.1 updated - php8-zlib-8.3.23-150700.3.3.1 updated - php8-zip-8.3.23-150700.3.3.1 updated - php8-curl-8.3.23-150700.3.3.1 updated - php8-phar-8.3.23-150700.3.3.1 updated From sle-container-updates at lists.suse.com Wed Jul 23 20:12:59 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 23 Jul 2025 22:12:59 +0200 (CEST) Subject: SUSE-CU-2025:5612-1: Security update of bci/php-fpm Message-ID: <20250723201259.06C3EFCFE@maintenance.suse.de> SUSE Container Update Advisory: bci/php-fpm ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5612-1 Container Tags : bci/php-fpm:8 , bci/php-fpm:8.3.23 , bci/php-fpm:8.3.23-11.8 , bci/php-fpm:latest Container Release : 11.8 Severity : important Type : security References : 1246146 1246148 1246167 CVE-2025-1220 CVE-2025-1735 CVE-2025-6491 ----------------------------------------------------------------- The container bci/php-fpm was updated. 
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2462-1
Released: Tue Jul 22 10:40:57 2025
Summary: Security update for php8
Type: security
Severity: important
References: 1246146,1246148,1246167,CVE-2025-1220,CVE-2025-1735,CVE-2025-6491

This update for php8 fixes the following issues:

Version update to 8.3.23:

- CVE-2025-1220: Fixed null byte termination in hostnames (bsc#1246167)
- CVE-2025-1735: Fixed pgsql extension does not check for errors during escaping (bsc#1246146)
- CVE-2025-6491: Fixed NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix (bsc#1246148)

The following package changes have been done:

- php8-cli-8.3.23-150700.3.3.1 updated
- php8-8.3.23-150700.3.3.1 updated
- php8-fpm-8.3.23-150700.3.3.1 updated
- php8-openssl-8.3.23-150700.3.3.1 updated
- php8-mbstring-8.3.23-150700.3.3.1 updated
- php8-zlib-8.3.23-150700.3.3.1 updated
- php8-zip-8.3.23-150700.3.3.1 updated
- php8-curl-8.3.23-150700.3.3.1 updated
- php8-phar-8.3.23-150700.3.3.1 updated

From sle-container-updates at lists.suse.com Wed Jul 23 20:13:05 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 23 Jul 2025 22:13:05 +0200 (CEST)
Subject: SUSE-CU-2025:5613-1: Security update of bci/php
Message-ID: <20250723201305.67C16FCFE@maintenance.suse.de>

SUSE Container Update Advisory: bci/php
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5613-1
Container Tags : bci/php:8 , bci/php:8.3.23 , bci/php:8.3.23-11.7 , bci/php:latest
Container Release : 11.7
Severity : important
Type : security
References : 1246146 1246148 1246167 CVE-2025-1220 CVE-2025-1735 CVE-2025-6491
-----------------------------------------------------------------

The container bci/php was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2462-1
Released: Tue Jul 22 10:40:57 2025
Summary: Security update for php8
Type: security
Severity: important
References: 1246146,1246148,1246167,CVE-2025-1220,CVE-2025-1735,CVE-2025-6491

This update for php8 fixes the following issues:

Version update to 8.3.23:

- CVE-2025-1220: Fixed null byte termination in hostnames (bsc#1246167)
- CVE-2025-1735: Fixed pgsql extension does not check for errors during escaping (bsc#1246146)
- CVE-2025-6491: Fixed NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix (bsc#1246148)

The following package changes have been done:

- php8-cli-8.3.23-150700.3.3.1 updated
- php8-8.3.23-150700.3.3.1 updated
- php8-openssl-8.3.23-150700.3.3.1 updated
- php8-mbstring-8.3.23-150700.3.3.1 updated
- php8-zlib-8.3.23-150700.3.3.1 updated
- php8-readline-8.3.23-150700.3.3.1 updated
- php8-curl-8.3.23-150700.3.3.1 updated
- php8-phar-8.3.23-150700.3.3.1 updated
- php8-zip-8.3.23-150700.3.3.1 updated

From sle-container-updates at lists.suse.com Wed Jul 23 20:14:31 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 23 Jul 2025 22:14:31 +0200 (CEST)
Subject: SUSE-CU-2025:5615-1: Security update of suse/manager/4.3/proxy-httpd
Message-ID: <20250723201431.A0765FCFE@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5615-1
Container Tags : suse/manager/4.3/proxy-httpd:4.3.16 , suse/manager/4.3/proxy-httpd:4.3.16.9.67.1 , suse/manager/4.3/proxy-httpd:latest
Container Release : 9.67.1
Severity : critical
Type : security
References : 1157520 1157520 1191142 1191142 1209060 1209060 1211373 1211373 1213952 1213952 1216187 1216187 1221031 1221031 1225740 1225740 1230403 1230403 1230908 1230908 1233371 1233371 1234608 1234608 1236601 1236601 1236635 1236635 1236779 1236779 1236810 1236810 1236877 1236877 1236910 1236910 1237060 1237060 1237082 1237082 1237294 1237294 1237403 1237403 1237581 1237581 1237694 1237694 1237770 1237770 1238922 1238922 1238924 1238924 1239102 1239102 1239154 1239154 1239604 1239604 1239743 1239743 1239826 1239826 1239868 1239868 1239907 1239907 1240038 1240038 1240386 1240386 1240666 1240666 1240842 1240842 1241239 1241239 1241286 1241286 1241455 1241455 1241490 1241490 1242004 1242004 1242030 1242030 1242148 1242148 1242554 1242554 1242911 1242911 1243239 1243239 1243460 1243460 1243724 1243724 1243825 1243825 1244065 1244065 1244290 1244290 1245005 1245005 1245027 1245027 1245222 1245222 1245368 1245368 1246119 1246119 1246788 CVE-2024-38822 CVE-2024-38823 CVE-2024-38824 CVE-2024-38825 CVE-2025-22236 CVE-2025-22237 CVE-2025-22238 CVE-2025-22239 CVE-2025-22240 CVE-2025-22241 CVE-2025-22242 CVE-2025-23392 CVE-2025-23392 CVE-2025-23393 CVE-2025-23393 CVE-2025-46809 CVE-2025-46809 CVE-2025-46811 CVE-2025-46811
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-httpd was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2475-1
Released: Wed Jul 23 14:36:39 2025
Summary: Maintenance update for Multi-Linux Manager 4.3: Server, Proxy and Retail Branch Server
Type: security
Severity: critical
References: 1157520,1191142,1209060,1211373,1213952,1216187,1221031,1225740,1230403,1230908,1233371,1234608,1236601,1236635,1236779,1236810,1236877,1236910,1237060,1237082,1237294,1237403,1237581,1237694,1237770,1238922,1238924,1239102,1239154,1239604,1239743,1239826,1239868,1239907,1240038,1240386,1240666,1240842,1241239,1241286,1241455,1241490,1242004,1242030,1242148,1242554,1242911,1243239,1243460,1243724,1243825,1244065,1244290,1245005,1245027,1245222,1245368,1246119,1246788,CVE-2025-23392,CVE-2025-23393,CVE-2025-46809,CVE-2025-46811

Maintenance update for Multi-Linux Manager 4.3: Server, Proxy and Retail Branch Server

This is a codestream only update

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2476-1
Released: Wed Jul 23 14:37:06 2025
Summary: Maintenance update for Multi-Linux Manager 4.3 Release Notes Release Notes
Type: security
Severity: critical
References: 1157520,1191142,1209060,1211373,1213952,1216187,1221031,1225740,1230403,1230908,1233371,1234608,1236601,1236635,1236779,1236810,1236877,1236910,1237060,1237082,1237294,1237403,1237581,1237694,1237770,1238922,1238924,1239102,1239154,1239604,1239743,1239826,1239868,1239907,1240038,1240386,1240666,1240842,1241239,1241286,1241455,1241490,1242004,1242030,1242148,1242554,1242911,1243239,1243460,1243724,1243825,1244065,1244290,1245005,1245027,1245222,1245368,1246119,CVE-2024-38822,CVE-2024-38823,CVE-2024-38824,CVE-2024-38825,CVE-2025-22236,CVE-2025-22237,CVE-2025-22238,CVE-2025-22239,CVE-2025-22240,CVE-2025-22241,CVE-2025-22242,CVE-2025-23392,CVE-2025-23393,CVE-2025-46809,CVE-2025-46811

Maintenance update for Multi-Linux Manager 4.3 Release Notes
Release Notes:

This is a codestream only update

The following package changes have been done:

- release-notes-susemanager-proxy-4.3.16-150400.3.98.1 updated
- spacewalk-backend-4.3.33-150400.3.55.2 updated
- python3-spacewalk-client-tools-4.3.23-150400.3.39.3 updated
- spacewalk-client-tools-4.3.23-150400.3.39.3 updated
- susemanager-tftpsync-recv-4.3.10-150400.3.12.2 updated

From sle-container-updates at lists.suse.com Wed Jul 23 20:18:06 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 23 Jul 2025 22:18:06 +0200 (CEST)
Subject: SUSE-CU-2025:5620-1: Security update of suse/manager/5.0/x86_64/proxy-httpd
Message-ID: <20250723201806.2CFEEFCFE@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/5.0/x86_64/proxy-httpd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5620-1
Container Tags : suse/manager/5.0/x86_64/proxy-httpd:5.0.5 , suse/manager/5.0/x86_64/proxy-httpd:5.0.5.7.23.1 , suse/manager/5.0/x86_64/proxy-httpd:latest
Container Release : 7.23.1
Severity : critical
Type : security
References : 1157520 1229825 1230282 1230403 1230908 1233371 1234608 1235847 1236565 1236621 1236779 1236877 1236910 1237294 1237710 1237770 1237938 1238173 1238320 1238514 1238827 1238922 1239154 1239558 1239559 1239604 1239621 1239743 1239744 1239747 1239801 1239826 1239868 1239903 1239907 1240010 1240023 1240038 1240050 1240076 1240124 1240131 1240160 1240386 1240604 1240635 1240666 1240901 1240984 1241034 1241094 1241239 1241286 1241455 1241490 1241880 1242004 1242010 1242030 1242135 1242148 1242561 1242827 1242844 1242916 1243226 1243239 1243241 1243268 1243292 1243375 1243460 1243724 1243765 1243821 1243825 1243935 1244554 1244555 1244557 1244561 1244564 1244565 1244566 1244567 1244568 1244570 1244571 1244572 1244574 1244575 1244590 1244596 1244700 1245005 1245222 1245368 1246119 CVE-2024-38822 CVE-2024-38823 CVE-2024-38824 CVE-2024-38825 CVE-2025-22236 CVE-2025-22237 CVE-2025-22238 CVE-2025-22239 CVE-2025-22240 CVE-2025-22241 CVE-2025-22242 CVE-2025-23392 CVE-2025-23393 CVE-2025-4373 CVE-2025-4598 CVE-2025-46809 CVE-2025-46811 CVE-2025-47287 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-6018 CVE-2025-6021 CVE-2025-6052 CVE-2025-6170
-----------------------------------------------------------------

The container suse/manager/5.0/x86_64/proxy-httpd was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2080-1
Released: Tue Jun 24 12:26:23 2025
Summary: Security update for pam-config
Type: security
Severity: important
References: 1243226,CVE-2025-6018

This update for pam-config fixes the following issues:

- CVE-2025-6018: Stop adding pam_env in AUTH stack, and be sure to put this module at the very end of the SESSION stack (bsc#1243226).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2167-1
Released: Mon Jun 30 09:14:40 2025
Summary: Security update for glib2
Type: security
Severity: important
References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052

This update for glib2 fixes the following issues:

- CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596).
- CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:

- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).
Other bugfixes:

- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2314-1
Released: Tue Jul 15 14:34:08 2025
Summary: Security update for libxml2
Type: security
Severity: important
References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170

This update for libxml2 fixes the following issues:

- CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554)
- CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557)
- CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555)
- CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700)
- CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590)

-----------------------------------------------------------------
Advisory ID: SUSE-Manager-5.0-2025-2478
Released: Wed Jul 23 14:39:10 2025
Summary: Security update for Multi-Linux Manager 5.0: Server, Proxy and Retail Server
Type: security
Severity: critical
References: 1157520,1229825,1230282,1230403,1230908,1233371,1234608,1235847,1236565,1236621,1236779,1236877,1236910,1237294,1237710,1237770,1237938,1238173,1238320,1238514,1238827,1238922,1239154,1239558,1239559,1239604,1239621,1239743,1239744,1239747,1239801,1239826,1239868,1239903,1239907,1240010,1240023,1240038,1240050,1240076,1240124,1240131,1240160,1240386,1240604,1240635,1240666,1240901,1240984,1241034,1241094,1241239,1241286,1241455,1241490,1241880,1242004,1242010,1242030,1242135,1242148,1242561,1242916,1243239,1243241,1243268,1243292,1243375,1243460,1243724,1243765,1243821,1243825,1244561,1244564,1244565,1244566,1244567,1244568,1244570,1244571,1244572,1244574,1244575,1245005,1245222,1245368,1246119,CVE-2024-38822,CVE-2024-38823,CVE-2024-38824,CVE-2024-38825,CVE-2025-22236,CVE-2025-22237,CVE-2025-22238,CVE-2025-22239,CVE-2025-22240,CVE-2025-22241,CVE-2025-22242,CVE-2025-23392,CVE-2025-23393,CVE-2025-46809,CVE-2025-46811,CVE-2025-47287

Security update for Multi-Linux Manager 5.0: Server, Proxy and Retail Branch Server:

This is a codestream only update

The following package changes have been done:

- libgmodule-2_0-0-2.78.6-150600.4.16.1 updated
- libgobject-2_0-0-2.78.6-150600.4.16.1 updated
- pam-config-1.1-150600.16.8.1 updated
- release-notes-susemanager-proxy-5.0.5-150600.11.28.1 updated
- libsystemd0-254.25-150600.4.40.1 updated
- python3-uyuni-common-libs-5.0.7-150600.2.9.2 updated
- systemd-254.25-150600.4.40.1 updated
- libgio-2_0-0-2.78.6-150600.4.16.1 updated
- glib2-tools-2.78.6-150600.4.16.1 updated
- python3-libxml2-2.10.3-150500.5.29.1 updated
- spacewalk-backend-5.0.14-150600.4.17.1 updated
- python3-spacewalk-client-tools-5.0.10-150600.4.12.4 updated
- spacewalk-client-tools-5.0.10-150600.4.12.4 updated
- spacewalk-proxy-package-manager-5.0.6-150600.3.9.2 updated
- spacewalk-proxy-common-5.0.6-150600.3.9.2 updated
- spacewalk-proxy-broker-5.0.6-150600.3.9.2 updated
- spacewalk-proxy-redirect-5.0.6-150600.3.9.2 updated

From sle-container-updates at lists.suse.com Wed Jul 23 20:18:23 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 23 Jul 2025 22:18:23 +0200 (CEST)
Subject: SUSE-CU-2025:5623-1: Security update of suse/manager/5.0/x86_64/proxy-ssh
Message-ID: <20250723201823.824C7FCFE@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/5.0/x86_64/proxy-ssh
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5623-1
Container Tags : suse/manager/5.0/x86_64/proxy-ssh:5.0.5 , suse/manager/5.0/x86_64/proxy-ssh:5.0.5.7.23.1 , suse/manager/5.0/x86_64/proxy-ssh:latest
Container Release : 7.23.1
Severity : moderate
Type : security
References : 1241667 1242827 1243935 CVE-2025-4598
-----------------------------------------------------------------

The container suse/manager/5.0/x86_64/proxy-ssh was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2240-1
Released: Mon Jul 7 18:16:10 2025
Summary: Recommended update for openssh
Type: recommended
Severity: moderate
References: 1241667

This update for openssh fixes the following issue:

- 'scp' on SLE 15 ignores write directory permissions for group and world (bsc#1241667).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:

- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:

- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:

- openssh-common-9.6p1-150600.6.29.2 updated
- libsystemd0-254.25-150600.4.40.1 updated
- openssh-fips-9.6p1-150600.6.29.2 updated
- openssh-clients-9.6p1-150600.6.29.2 updated
- openssh-server-9.6p1-150600.6.29.2 updated
- openssh-9.6p1-150600.6.29.2 updated

From sle-container-updates at lists.suse.com Wed Jul 23 20:18:40 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 23 Jul 2025 22:18:40 +0200 (CEST)
Subject: SUSE-CU-2025:5626-1: Security update of suse/manager/5.0/x86_64/server-hub-xmlrpc-api
Message-ID: <20250723201840.260BCFCFE@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/5.0/x86_64/server-hub-xmlrpc-api
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5626-1
Container Tags : suse/manager/5.0/x86_64/server-hub-xmlrpc-api:5.0.5 , suse/manager/5.0/x86_64/server-hub-xmlrpc-api:5.0.5.6.23.1 , suse/manager/5.0/x86_64/server-hub-xmlrpc-api:latest
Container Release : 6.23.1
Severity : important
Type : security
References : 1242827 1243226 1243935 CVE-2025-4598 CVE-2025-6018
-----------------------------------------------------------------

The container suse/manager/5.0/x86_64/server-hub-xmlrpc-api was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2080-1
Released: Tue Jun 24 12:26:23 2025
Summary: Security update for pam-config
Type: security
Severity: important
References: 1243226,CVE-2025-6018

This update for pam-config fixes the following issues:

- CVE-2025-6018: Stop adding pam_env in AUTH stack, and be sure to put this module at the very end of the SESSION stack (bsc#1243226).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:

- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:

- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).

The following package changes have been done:

- pam-config-1.1-150600.16.8.1 updated
- libsystemd0-254.25-150600.4.40.1 updated
- systemd-254.25-150600.4.40.1 updated

From sle-container-updates at lists.suse.com Wed Jul 23 20:18:55 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 23 Jul 2025 22:18:55 +0200 (CEST)
Subject: SUSE-CU-2025:5628-1: Security update of suse/manager/5.0/x86_64/server-migration-14-16
Message-ID: <20250723201855.0F5F2FCFE@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/5.0/x86_64/server-migration-14-16
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5628-1
Container Tags : suse/manager/5.0/x86_64/server-migration-14-16:5.0.5 , suse/manager/5.0/x86_64/server-migration-14-16:5.0.5.7.23.1 , suse/manager/5.0/x86_64/server-migration-14-16:latest
Container Release : 7.23.1
Severity : important
Type : security
References : 1161007 1167603 1193951 1242827 1243721 1243935 CVE-2020-21913 CVE-2025-4598 CVE-2025-5222
-----------------------------------------------------------------

The container suse/manager/5.0/x86_64/server-migration-14-16 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2079-1
Released: Tue Jun 24 12:24:05 2025
Summary: Security update for icu
Type: security
Severity: important
References: 1161007,1167603,1193951,1243721,CVE-2020-21913,CVE-2025-5222

This update for icu fixes the following issues:

- CVE-2025-5222: Stack buffer overflow in the SRBRoot:addTag function (bsc#1243721).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2237-1
Released: Mon Jul 7 14:59:13 2025
Summary: Recommended update for openssl-3
Type: recommended
Severity: moderate
References:

This update for openssl-3 fixes the following issues:

- Backport mdless cms signing support [jsc#PED-12895]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:

- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:

- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
The following package changes have been done:

- perl-base-5.26.1-150300.17.20.1 updated
- libopenssl3-3.1.4-150600.5.33.1 updated
- libopenssl-3-fips-provider-3.1.4-150600.5.33.1 updated
- libsystemd0-254.25-150600.4.40.1 updated
- libicu65_1-ledata-65.1-150200.4.15.1 updated
- libicu-suse65_1-65.1-150200.4.15.1 updated
- container:suse-manager-5.0-init-5.0.5-5.0.5-7.21.12 added
- container:suse-manager-5.0-init-5.0.4.1-5.0.4.1-7.18.5 removed

From sle-container-updates at lists.suse.com Thu Jul 10 07:05:27 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 10 Jul 2025 09:05:27 +0200 (CEST)
Subject: SUSE-CU-2025:5133-1: Security update of rancher/seedimage-builder
Message-ID: <20250710070527.50E89FCF8@maintenance.suse.de>

SUSE Container Update Advisory: rancher/seedimage-builder
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5133-1
Container Tags : rancher/seedimage-builder:1.7.3 , rancher/seedimage-builder:1.7.3-3.4 , rancher/seedimage-builder:latest
Container Release : 3.4
Severity : critical
Type : security
References : 1010996 1012628 1027519 1159034 1174091 1189495 1193454 1194818 1194869 1199079 1200528 1205462 1207377 1208783 1211649 1211888 1213123 1214285 1214718 1215199 1215628 1216063 1217070 1217538 1218474 1218609 1218851 1219001 1219080 1219503 1219559 1219561 1219823 1219826 1219885 1220066 1220117 1220252 1220338 1220877 1221164 1221289 1221326 1221332 1221334 1221400 1221630 1221645 1221652 1221665 1221666 1221667 1221668 1221831 1221854 1221857 1221984 1222254 1222302 1222335 1222350 1222364 1222372 1222387 1222433 1222434 1222453 1222584 1222620 1222625 1222633 1222634 1222684 1222808 1222967 1222973 1223053 1223074 1223191 1223234 1223395 1223605 1223635 1223720 1223731 1223742 1223763 1223767 1223777 1223803 1223849 1224105 1224262 1224285 1224323 1224415 1224485 1224496 1224510 1224535 1224631 1224636 1224690 1224694 1224700 1224711
1225070 1225197 1225365 1225475 1225582 1225598 1225607 1225718 1225751 1225771 1225814 1225832 1225838 1225903 1225946 1225953 1226031 1226127 1226419 1226447 1226448 1226492 1226502 1226530 1226588 1226604 1226660 1226743 1226751 1226765 1226798 1226801 1226834 1226874 1226885 1226920 1227106 1227149 1227182 1227316 1227355 1227378 1227383 1227437 1227492 1227493 1227494 1227590 1227593 1227594 1227595 1227618 1227620 1227623 1227627 1227634 1227706 1227722 1227724 1227725 1227728 1227729 1227732 1227733 1227734 1227747 1227750 1227754 1227758 1227760 1227761 1227764 1227766 1227770 1227771 1227772 1227774 1227781 1227784 1227785 1227787 1227790 1227791 1227792 1227796 1227798 1227799 1227802 1227808 1227810 1227811 1227812 1227815 1227816 1227818 1227820 1227823 1227824 1227826 1227828 1227829 1227830 1227832 1227833 1227834 1227839 1227840 1227846 1227849 1227851 1227853 1227863 1227864 1227865 1227867 1227869 1227870 1227883 1227884 1227888 1227891 1227893 1227929 1227950 1227957 1227981 1228020 1228021 1228142 1228192 1228235 1228236 1228247 1228321 1228409 1228410 1228426 1228427 1228429 1228446 1228447 1228449 1228450 1228452 1228456 1228457 1228458 1228459 1228460 1228462 1228463 1228466 1228468 1228469 1228470 1228472 1228479 1228480 1228481 1228482 1228483 1228484 1228485 1228486 1228487 1228489 1228491 1228492 1228493 1228494 1228495 1228496 1228499 1228500 1228501 1228502 1228503 1228505 1228508 1228509 1228510 1228511 1228513 1228515 1228516 1228518 1228520 1228525 1228527 1228530 1228531 1228535 1228539 1228553 1228561 1228563 1228564 1228565 1228567 1228568 1228572 1228574 1228575 1228576 1228579 1228580 1228581 1228582 1228584 1228586 1228588 1228590 1228591 1228599 1228615 1228616 1228617 1228625 1228626 1228633 1228635 1228636 1228640 1228643 1228644 1228646 1228649 1228650 1228654 1228655 1228656 1228658 1228660 1228662 1228665 1228666 1228667 1228672 1228673 1228674 1228677 1228680 1228687 1228705 1228706 1228707 1228708 1228709 1228710 1228718 
1228720 1228721 1228722 1228723 1228724 1228726 1228727 1228733 1228737 1228743 1228748 1228754 1228756 1228757 1228758 1228764 1228766 1228779 1228780 1228801 1228849 1228850 1228857 1228959 1228964 1228966 1228967 1228971 1228973 1228977 1228978 1228979 1228986 1228988 1228989 1228991 1228992 1229003 1229005 1229024 1229025 1229042 1229045 1229046 1229054 1229056 1229086 1229134 1229136 1229154 1229156 1229160 1229167 1229168 1229169 1229170 1229171 1229172 1229173 1229174 1229228 1229239 1229240 1229241 1229243 1229244 1229245 1229246 1229247 1229248 1229249 1229250 1229251 1229252 1229253 1229254 1229255 1229256 1229287 1229290 1229291 1229292 1229294 1229296 1229297 1229298 1229299 1229301 1229303 1229304 1229305 1229307 1229309 1229312 1229313 1229314 1229315 1229316 1229317 1229318 1229319 1229320 1229327 1229341 1229342 1229344 1229345 1229346 1229347 1229349 1229350 1229351 1229353 1229354 1229355 1229356 1229357 1229358 1229359 1229360 1229365 1229366 1229369 1229370 1229373 1229374 1229379 1229381 1229382 1229383 1229386 1229388 1229390 1229391 1229392 1229395 1229398 1229399 1229400 1229402 1229403 1229404 1229407 1229409 1229410 1229411 1229413 1229414 1229417 1229444 1229451 1229452 1229455 1229456 1229476 1229480 1229481 1229482 1229484 1229485 1229486 1229487 1229488 1229489 1229490 1229493 1229495 1229496 1229497 1229500 1229503 1229707 1229739 1229743 1229746 1229747 1229752 1229754 1229755 1229756 1229759 1229761 1229767 1229781 1229784 1229785 1229787 1229788 1229789 1229792 1229820 1229827 1229830 1229837 1229930 1229931 1229932 1229940 1229952 1230029 1230056 1230679 1230778 1231208 1231230 1231264 1231265 1231266 1231472 1231499 1231565 1231698 1231698 1232227 1232579 1232579 1232601 1232844 1233078 1233289 1233752 1234015 1234015 1234100 1234101 1234102 1234103 1234104 1234128 1234313 1234665 1234765 1234798 1234812 1234996 1235088 1235475 1236136 1236177 1236878 1236886 1237363 1237370 1237418 1237496 1238700 1238700 1239335 1239335 1239618 
1239883 1240009 1240343 1240366 1241190 1241453 1241551 1242938 1242987 1243317 1244509 441356 831629 CVE-2013-0340 CVE-2019-15903 CVE-2019-20907 CVE-2019-9947 CVE-2020-15523 CVE-2020-15801 CVE-2022-1996 CVE-2022-25236 CVE-2022-45748 CVE-2023-28746 CVE-2023-32324 CVE-2023-32360 CVE-2023-34241 CVE-2023-4504 CVE-2023-45142 CVE-2023-45288 CVE-2023-46839 CVE-2023-46840 CVE-2023-46841 CVE-2023-46842 CVE-2023-47108 CVE-2023-50387 CVE-2023-50868 CVE-2023-52425 CVE-2023-52425 CVE-2023-52426 CVE-2023-52489 CVE-2023-52581 CVE-2023-52668 CVE-2023-52688 CVE-2023-52859 CVE-2023-52885 CVE-2023-52886 CVE-2023-52887 CVE-2023-52889 CVE-2024-0397 CVE-2024-0450 CVE-2024-10220 CVE-2024-10389 CVE-2024-10963 CVE-2024-10975 CVE-2024-12084 CVE-2024-12085 CVE-2024-12086 CVE-2024-12087 CVE-2024-12088 CVE-2024-12133 CVE-2024-12747 CVE-2024-13176 CVE-2024-1931 CVE-2024-2004 CVE-2024-2193 CVE-2024-2201 CVE-2024-2379 CVE-2024-2398 CVE-2024-2466 CVE-2024-26306 CVE-2024-26590 CVE-2024-26631 CVE-2024-26637 CVE-2024-26668 CVE-2024-26669 CVE-2024-26677 CVE-2024-26682 CVE-2024-26683 CVE-2024-26735 CVE-2024-26808 CVE-2024-26809 CVE-2024-26812 CVE-2024-26835 CVE-2024-26837 CVE-2024-26849 CVE-2024-26851 CVE-2024-26976 CVE-2024-27010 CVE-2024-27011 CVE-2024-27024 CVE-2024-27049 CVE-2024-27050 CVE-2024-27079 CVE-2024-27403 CVE-2024-27433 CVE-2024-27437 CVE-2024-28085 CVE-2024-28397 CVE-2024-28757 CVE-2024-31076 CVE-2024-31142 CVE-2024-31143 CVE-2024-31145 CVE-2024-31146 CVE-2024-31227 CVE-2024-31228 CVE-2024-31449 CVE-2024-32650 CVE-2024-33655 CVE-2024-35235 CVE-2024-35855 CVE-2024-35897 CVE-2024-35902 CVE-2024-35913 CVE-2024-35939 CVE-2024-35949 CVE-2024-36039 CVE-2024-36270 CVE-2024-36286 CVE-2024-36288 CVE-2024-36489 CVE-2024-36620 CVE-2024-36621 CVE-2024-36623 CVE-2024-36881 CVE-2024-36907 CVE-2024-36929 CVE-2024-36933 CVE-2024-36939 CVE-2024-36970 CVE-2024-36979 CVE-2024-37820 CVE-2024-38428 CVE-2024-38563 CVE-2024-38609 CVE-2024-38662 CVE-2024-38875 CVE-2024-39329 CVE-2024-39330 CVE-2024-39476 
CVE-2024-39483 CVE-2024-39484 CVE-2024-39486 CVE-2024-39488 CVE-2024-39489 CVE-2024-39491 CVE-2024-39493 CVE-2024-39497 CVE-2024-39499 CVE-2024-39500 CVE-2024-39501 CVE-2024-39505 CVE-2024-39506 CVE-2024-39508 CVE-2024-39509 CVE-2024-39510 CVE-2024-39614 CVE-2024-4032 CVE-2024-40724 CVE-2024-40896 CVE-2024-40899 CVE-2024-40900 CVE-2024-40902 CVE-2024-40903 CVE-2024-40904 CVE-2024-40905 CVE-2024-40909 CVE-2024-40910 CVE-2024-40911 CVE-2024-40912 CVE-2024-40913 CVE-2024-40916 CVE-2024-40920 CVE-2024-40921 CVE-2024-40922 CVE-2024-40924 CVE-2024-40926 CVE-2024-40927 CVE-2024-40929 CVE-2024-40930 CVE-2024-40932 CVE-2024-40934 CVE-2024-40936 CVE-2024-40938 CVE-2024-40939 CVE-2024-40941 CVE-2024-40942 CVE-2024-40943 CVE-2024-40944 CVE-2024-40945 CVE-2024-40954 CVE-2024-40956 CVE-2024-40957 CVE-2024-40958 CVE-2024-40959 CVE-2024-40962 CVE-2024-40964 CVE-2024-40967 CVE-2024-40976 CVE-2024-40977 CVE-2024-40978 CVE-2024-40981 CVE-2024-40982 CVE-2024-40984 CVE-2024-40987 CVE-2024-40988 CVE-2024-40989 CVE-2024-40990 CVE-2024-40992 CVE-2024-40994 CVE-2024-40995 CVE-2024-40997 CVE-2024-41000 CVE-2024-41001 CVE-2024-41002 CVE-2024-41004 CVE-2024-41007 CVE-2024-41009 CVE-2024-41010 CVE-2024-41012 CVE-2024-41015 CVE-2024-41016 CVE-2024-41020 CVE-2024-41022 CVE-2024-41024 CVE-2024-41025 CVE-2024-41028 CVE-2024-41032 CVE-2024-41035 CVE-2024-41036 CVE-2024-41037 CVE-2024-41038 CVE-2024-41039 CVE-2024-41040 CVE-2024-41041 CVE-2024-41044 CVE-2024-41045 CVE-2024-41048 CVE-2024-41049 CVE-2024-41050 CVE-2024-41051 CVE-2024-41056 CVE-2024-41057 CVE-2024-41058 CVE-2024-41059 CVE-2024-41060 CVE-2024-41061 CVE-2024-41062 CVE-2024-41063 CVE-2024-41064 CVE-2024-41065 CVE-2024-41066 CVE-2024-41068 CVE-2024-41069 CVE-2024-41070 CVE-2024-41071 CVE-2024-41072 CVE-2024-41073 CVE-2024-41074 CVE-2024-41075 CVE-2024-41076 CVE-2024-41078 CVE-2024-41079 CVE-2024-41080 CVE-2024-41081 CVE-2024-41084 CVE-2024-41087 CVE-2024-41088 CVE-2024-41089 CVE-2024-41092 CVE-2024-41093 CVE-2024-41094 CVE-2024-41095 
CVE-2024-41096 CVE-2024-41097 CVE-2024-41098 CVE-2024-42064 CVE-2024-42069 CVE-2024-42070 CVE-2024-42073 CVE-2024-42074 CVE-2024-42076 CVE-2024-42077 CVE-2024-42079 CVE-2024-42080 CVE-2024-42082 CVE-2024-42085 CVE-2024-42086 CVE-2024-42087 CVE-2024-42089 CVE-2024-42090 CVE-2024-42092 CVE-2024-42093 CVE-2024-42095 CVE-2024-42096 CVE-2024-42097 CVE-2024-42098 CVE-2024-42101 CVE-2024-42104 CVE-2024-42105 CVE-2024-42106 CVE-2024-42107 CVE-2024-42109 CVE-2024-42110 CVE-2024-42113 CVE-2024-42114 CVE-2024-42115 CVE-2024-42117 CVE-2024-42119 CVE-2024-42120 CVE-2024-42121 CVE-2024-42122 CVE-2024-42124 CVE-2024-42125 CVE-2024-42126 CVE-2024-42127 CVE-2024-42130 CVE-2024-42131 CVE-2024-42132 CVE-2024-42133 CVE-2024-42136 CVE-2024-42137 CVE-2024-42138 CVE-2024-42139 CVE-2024-42141 CVE-2024-42142 CVE-2024-42143 CVE-2024-42144 CVE-2024-42145 CVE-2024-42147 CVE-2024-42148 CVE-2024-42152 CVE-2024-42153 CVE-2024-42155 CVE-2024-42156 CVE-2024-42157 CVE-2024-42158 CVE-2024-42159 CVE-2024-42161 CVE-2024-42162 CVE-2024-42223 CVE-2024-42224 CVE-2024-42225 CVE-2024-42226 CVE-2024-42227 CVE-2024-42228 CVE-2024-42229 CVE-2024-42230 CVE-2024-42232 CVE-2024-42236 CVE-2024-42237 CVE-2024-42238 CVE-2024-42239 CVE-2024-42240 CVE-2024-42241 CVE-2024-42244 CVE-2024-42245 CVE-2024-42246 CVE-2024-42247 CVE-2024-42250 CVE-2024-42253 CVE-2024-42259 CVE-2024-42268 CVE-2024-42269 CVE-2024-42270 CVE-2024-42271 CVE-2024-42274 CVE-2024-42276 CVE-2024-42277 CVE-2024-42278 CVE-2024-42279 CVE-2024-42280 CVE-2024-42281 CVE-2024-42283 CVE-2024-42284 CVE-2024-42285 CVE-2024-42286 CVE-2024-42287 CVE-2024-42288 CVE-2024-42289 CVE-2024-42290 CVE-2024-42291 CVE-2024-42292 CVE-2024-42295 CVE-2024-42298 CVE-2024-42301 CVE-2024-42302 CVE-2024-42303 CVE-2024-42308 CVE-2024-42309 CVE-2024-42310 CVE-2024-42311 CVE-2024-42312 CVE-2024-42313 CVE-2024-42314 CVE-2024-42315 CVE-2024-42316 CVE-2024-42318 CVE-2024-42319 CVE-2024-42320 CVE-2024-42322 CVE-2024-43784 CVE-2024-43806 CVE-2024-43816 CVE-2024-43817 CVE-2024-43818 
CVE-2024-43819 CVE-2024-43821 CVE-2024-43823 CVE-2024-43824 CVE-2024-43825 CVE-2024-43826 CVE-2024-43829 CVE-2024-43830 CVE-2024-43831 CVE-2024-43833 CVE-2024-43834 CVE-2024-43837 CVE-2024-43839 CVE-2024-43840 CVE-2024-43841 CVE-2024-43842 CVE-2024-43846 CVE-2024-43847 CVE-2024-43849 CVE-2024-43850 CVE-2024-43851 CVE-2024-43853 CVE-2024-43854 CVE-2024-43855 CVE-2024-43856 CVE-2024-43858 CVE-2024-43860 CVE-2024-43861 CVE-2024-43863 CVE-2024-43864 CVE-2024-43866 CVE-2024-43867 CVE-2024-43871 CVE-2024-43872 CVE-2024-43873 CVE-2024-43874 CVE-2024-43875 CVE-2024-43876 CVE-2024-43877 CVE-2024-43879 CVE-2024-43880 CVE-2024-43881 CVE-2024-43882 CVE-2024-43883 CVE-2024-43884 CVE-2024-43885 CVE-2024-43889 CVE-2024-43892 CVE-2024-43893 CVE-2024-43894 CVE-2024-43895 CVE-2024-43897 CVE-2024-43899 CVE-2024-43900 CVE-2024-43902 CVE-2024-43903 CVE-2024-43905 CVE-2024-43906 CVE-2024-43907 CVE-2024-43908 CVE-2024-43909 CVE-2024-43911 CVE-2024-43912 CVE-2024-4418 CVE-2024-44931 CVE-2024-44938 CVE-2024-44939 CVE-2024-45490 CVE-2024-45491 CVE-2024-45492 CVE-2024-45679 CVE-2024-45719 CVE-2024-45794 CVE-2024-48057 CVE-2024-50602 CVE-2024-50602 CVE-2024-50948 CVE-2024-51735 CVE-2024-51746 CVE-2024-52003 CVE-2024-52280 CVE-2024-52282 CVE-2024-52309 CVE-2024-52529 CVE-2024-52801 CVE-2024-53259 CVE-2024-53264 CVE-2024-53858 CVE-2024-53862 CVE-2024-54131 CVE-2024-54132 CVE-2024-5564 CVE-2024-56171 CVE-2024-6104 CVE-2024-6156 CVE-2024-6197 CVE-2024-6219 CVE-2024-6538 CVE-2024-6923 CVE-2024-7254 CVE-2024-7264 CVE-2024-8176 CVE-2024-8676 CVE-2024-9341 CVE-2024-9407 CVE-2024-9632 CVE-2024-9675 CVE-2024-9676 CVE-2024-9676 CVE-2025-22869 CVE-2025-22869 CVE-2025-22870 CVE-2025-22870 CVE-2025-24928 CVE-2025-27113 CVE-2025-27587 CVE-2025-32414 CVE-2025-32415 CVE-2025-4598 CVE-2025-4802 CVE-2025-6020 ----------------------------------------------------------------- The container rancher/seedimage-builder was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 11 Released: Mon Feb 3 10:02:51 2025 Summary: Recommended update for iptables Type: recommended Severity: moderate References: 1226419,1234996,1235088,CVE-2024-38428 This update for iptables fixes the following issues: * Fixes checking existence of rules. Fixes issues with rule creation with podman/netavark. (bsc#1235088, bsc#1234996) ----------------------------------------------------------------- Advisory ID: 15 Released: Fri Feb 7 10:57:24 2025 Summary: Security update for rsync Type: security Severity: critical References: 1222620,1225946,1227106,1234100,1234101,1234102,1234103,1234104,1235475,CVE-2024-12084,CVE-2024-12085,CVE-2024-12086,CVE-2024-12087,CVE-2024-12088,CVE-2024-12747 This update for rsync fixes the following issues: - Bump protocol version to 32 - make it easier to show server is patched. - Fix FLAG_GOT_DIR_FLIST collision with FLAG_HLINKED - Security update, CVE-2024-12747, bsc#1235475 race condition in handling symbolic links - Security update, fix multiple vulnerabilities: * CVE-2024-12084, bsc#1234100 - Heap Buffer Overflow in Checksum Parsing * CVE-2024-12085, bsc#1234101 - Info Leak via uninitialized Stack contents defeats ASLR * CVE-2024-12086, bsc#1234102 - Server leaks arbitrary client files * CVE-2024-12087, bsc#1234103 - Server can make client write files outside of destination directory using symbolic links * CVE-2024-12088, bsc#1234104 - --safe-links Bypass ----------------------------------------------------------------- Advisory ID: 30 Released: Wed Mar 5 15:53:42 2025 Summary: Security update for pam Type: security Severity: moderate References: 1221665,1221666,1221667,1221668,1227888,1228535,1233078,CVE-2024-10963,CVE-2024-2004,CVE-2024-2379,CVE-2024-2398,CVE-2024-2466,CVE-2024-6197,CVE-2024-7264 This update for pam fixes the following issues: - CVE-2024-10963: Fixed improper hostname
interpretation in pam_access that could lead to access control bypass (bsc#1233078) ----------------------------------------------------------------- Advisory ID: 31 Released: Fri Mar 7 17:28:37 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1215628,1219823,1219826,1221164,1236136,CVE-2023-50387,CVE-2023-50868,CVE-2024-13176,CVE-2024-1931,CVE-2024-33655 This update for openssl-3 fixes the following issues: - CVE-2024-13176: Fixed timing side-channel in the ECDSA signature computation (bsc#1236136). ----------------------------------------------------------------- Advisory ID: 39 Released: Tue Mar 11 15:13:05 2025 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1211649,1211888,1216063,1219001,1220338,1222684,1229228,1232227,1232844,1233752,1234015,1234313,1234765 This update for systemd fixes the following issues: - Fixed agetty fails to open credentials directory (bsc#1229228) - hwdb: comment out the entry for Logitech MX Keys for Mac - test: answer 2nd mdadm --create question for compat with new version - core/unit-serialize: fix serialization of markers - locale-setup: do not load locale from environment when /etc/locale.conf is unchanged - core: fix assert when AddDependencyUnitFiles is called with invalid parameter - Fix systemd-network recommending libidn2-devel (bsc#1234765) - tpm2-util: Also retry unsealing after policy_pcr returns PCR_CHANGED (bsc#1233752 bsc#1234313) - Add an allow/denylist for reading sysfs attributes (bsc#1234015) - udev: add new builtin net_driver - udev-builtin-net_id: split-out pci_get_onboard_index() from dev_pci_onboard() - udev-builtin-net_id: split-out get_pci_slot_specifiers() - udev-builtin-net_id: introduce get_port_specifier() helper function - udev-builtin-net_id: split out get_dev_port() and make its failure critical - udev-builtin-net_id: split-out pci_get_hotplug_slot() and pci_get_hotplug_slot_from_address() - udev-builtin-net_id: return
earlier when hotplug slot is not found - udev-builtin-net_id: skip non-directory entry earlier - udev-builtin-net_id: make names_xen() self-contained - udev-builtin-net_id: use sd_device_get_sysnum() to get index of netdevsim - udev-builtin-net_id: make names_netdevsim() self-contained - udev-builtin-net_id: make names_platform() self-contained - udev-builtin-net_id: make names_vio() self-contained - udev-builtin-net_id: make names_ccw() self-contained - udev-builtin-net_id: make dev_devicetree_onboard() self-contained - udev-builtin-net_id: make names_mac() self-contained - udev-builtin-net_id: split out get_ifname_prefix() - udev-builtin-net_id: swap arguments for streq() and friends - udev-builtin-net_id: drop unused value from NetNameType - Drop support for efivar SystemdOptions (bsc#1220338) Upstream deprecated it and plans to drop it in the future. Let's get ahead and drop it now as this feature is unlikely to be used on SUSE distros and it might be used to gain access to encrypted SLEM systems with unattended disk unlock and with secure boot disabled.
- pid1: make clear that $WATCHDOG_USEC is set for the shutdown binary, no one else (bsc#1232227) - udev: skipping empty udev rules file while collecting the stats (bsc#1232844) ----------------------------------------------------------------- Advisory ID: 40 Released: Fri Mar 28 14:54:51 2025 Summary: Recommended update for elemental-toolkit Type: recommended Severity: moderate References: 1222584,1223849,1226492,1233289,CVE-2024-4418 This update for elemental-toolkit fixes the following issues: - Update to v2.2.2: * 1fbc11ea Fixes squashfs images creation (#2230) [bsc#1233289] ----------------------------------------------------------------- Advisory ID: 23 Released: Mon Mar 31 16:22:33 2025 Summary: Security update for expat Type: security Severity: moderate References: 1174091,1189495,1221854,1226447,1226448,1227378,1228780,1232579,831629,CVE-2019-20907,CVE-2019-9947,CVE-2020-15523,CVE-2020-15801,CVE-2022-25236,CVE-2023-52425,CVE-2024-0397,CVE-2024-0450,CVE-2024-4032,CVE-2024-50602,CVE-2024-6923 This update for expat fixes the following issues: - CVE-2024-50602: Fixed DoS via XML_ResumeParser (bsc#1232579).
----------------------------------------------------------------- Advisory ID: 65 Released: Tue Apr 22 14:11:42 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1223234,1229952,1230029,1237363,1237370,1237418,CVE-2024-32650,CVE-2024-43806,CVE-2024-56171,CVE-2025-24928,CVE-2025-27113 This update for libxml2 fixes the following issues: - CVE-2024-56171: Fixed use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c [bsc#1237363] - CVE-2025-24928: Fixed stack-based buffer overflow in xmlSnprintfElements in valid.c [bsc#1237370] - CVE-2025-27113: Fixed NULL Pointer Dereference in libxml2 xmlPatMatch [bsc#1237418] ----------------------------------------------------------------- Advisory ID: 63 Released: Tue Apr 22 15:27:45 2025 Summary: Security update for libtasn1 Type: security Severity: important
This update for libtasn1 fixes the following issues: - CVE-2024-12133: Fixed potential DoS in handling of numerous SEQUENCE OF or SET OF elements (bsc#1236878) ----------------------------------------------------------------- Advisory ID: 91 Released: Wed May 7 09:09:03 2025 Summary: Recommended update for gettext-runtime Type: recommended Severity: moderate References: 1227316,1230778,CVE-2024-7254 This update for gettext-runtime fixes the following issues: - Fixed handling of po files with malformed header (bsc#1227316) ----------------------------------------------------------------- Advisory ID: 92 Released: Thu May 8 08:35:42 2025 Summary: Recommended update for findutils Type: recommended Severity: moderate References: 1224262,1231472,CVE-2024-26306 This update for findutils fixes the following issues: - do not crash when file system loop was encountered (bsc#1231472) - added patches fix https://git.savannah.gnu.org/cgit/findutils.git/commit/?id=e5d6eb919b9 - modified patches ----------------------------------------------------------------- Advisory ID: 95 Released: Thu May 8 14:25:53 2025 Summary: Security update for util-linux Type: security Severity: important References: 1159034,1194818,1218609,1220117,1221831,1223605,1224285,1225197,1225598,1229476,1231208,1231230,1231499,1231698,CVE-2024-28085,CVE-2024-6104,CVE-2024-9341,CVE-2024-9407,CVE-2024-9675,CVE-2024-9676 This update for util-linux fixes
the following issues: - Updated to version 2.40.4: * agetty: Prevent cursor escape (bsc#1194818) * chcpu(8): Document CPU deconfiguring behavior * fdisk: SGI fixes * hardlink: fix memory corruption * hardlink.1 directory|file is mandatory * lib/env: fix env_list_setenv() for strings without '=' * libblkid: (exfat) validate fields used by prober (gpt) use blkid_probe_verify_csum() for partition array checksum add FSLASTBLOCK for swaparea bitlocker fix version on big-endian systems * libfdisk: make sure libblkid uses the same sector size * libmount: extract common error handling function propagate first error of multiple filesystem types * logger: correctly format tv_usec * lscpu: Skip aarch64 decode path for rest of the architectures (bsc#1229476) * lsns: ignore ESRCH errors reported when accessing files under /proc * mkswap: set selinux label also when creating file * more: make sure we have data on stderr * nsenter: support empty environ * umount, losetup: Document loop destroy behavior (bsc#1159034). * uuidd: fix /var/lib/libuuid mode uuidd-tmpfiles.conf fix /var/lib/libuuid mode uuidd-tmpfiles.conf - Refresh util-linux.keyring. Key validity was extended. - Update to version 2.40.2: * cfdisk: fix possible integer overflow * libmount: improving robustness in reading kernel messages, add pidfs to pseudo fs list * lscpu: New Arm Cortex part numbers fix hang of lscpu -e (bsc#1225598) * lsfd: Refactor the pidfd logic, support pidfs * mkswap.8.adoc: update note regarding swapfile creation * setpgid: make -f work - Enable kernel mountfd API, as it should be already stable (PED-9752). - Move autoreconf back to %build. - Add devel dependencies. - Remove util-linux-rpmlintrc. It is no more needed with multibuild. 
- uncomment 'autoreconf --install' to use the new version of automake - disable libmagic in more(1) for binary detection (bsc#1225197) - add support for pidfs in kernel 6.9 (bsc#1224285) - Update to version 2.40.1: * more: clean processes not cleaned up after failed SSH session using up 100% CPU (bsc#1220117) * CVE-2024-28085: Fixed improper neutralization of escape sequences in wall (bsc#1221831) * chcpu: document limitations of -g (bsc#1218609) * lscpu: even more Arm part numbers (bsc#1223605) ----------------------------------------------------------------- Advisory ID: 97 Released: Fri May 9 08:41:53 2025 Summary: Recommended update for systemd Type: recommended Severity: important References: 1225070,1226660,1227590,1227593,1227594,1227595,1234015,1236886,CVE-2024-28397,CVE-2024-36039,CVE-2024-38875,CVE-2024-39329,CVE-2024-39330,CVE-2024-39614 This update for systemd fixes the following issues: - Maintain the network device naming scheme used on SLE15 (jsc#PED-12317) This shouldn't cause problems as predictable naming schemes are disabled on SLMicro-6.1 (net.ifnames=0 is set on the kernel command line by default). Add patch for the description of these schemes in the relevant man page.
- udev: allow/denylist for reading sysfs attributes when composing a NIC name (bsc#1234015) - For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/b4693652f317dbae80e31b978f51e695a23fa3d0...0d0f2dbfc4c901dca09fdd3d5b744b5339e0e991 - journald: * close runtime journals before their parent directory removed * reset runtime seqnum data when flushing to system journal (bsc#1236886) ----------------------------------------------------------------- Advisory ID: 99 Released: Mon May 12 11:14:56 2025 Summary: Security update for ca-certificates-mozilla Type: security Severity: moderate References: 1010996,1199079,1229003,1234798,1240009,1240343,441356,CVE-2024-10389,CVE-2024-10975,CVE-2024-45794,CVE-2024-48057,CVE-2024-51735,CVE-2024-51746 This update for ca-certificates-mozilla fixes the following issues: Update to 2.74 state of Mozilla SSL root CAs: Removed: * SwissSign Silver CA - G2 Added: * D-TRUST BR Root CA 2 2023 * D-TRUST EV Root CA 2 2023 Updated to 2.72 state of Mozilla SSL root CAs (bsc#1234798): Removed: * SecureSign RootCA11 * Security Communication RootCA3 Added: * TWCA CYBER Root CA * TWCA Global Root CA G2 * SecureSign Root CA12 * SecureSign Root CA14 * SecureSign Root CA15 ----------------------------------------------------------------- Advisory ID: 107 Released: Tue May 13 15:32:59 2025 Summary: Security update for freetype2 Type: security Severity: important References: 1225771,CVE-2024-5564 This update for freetype2 fixes the following issues: Update to 2.13.2: * Some fields in the `FT_Outline` structure have been changed from signed to unsigned type, which better reflects the actual usage. It is also an additional means to protect against malformed input. * Rare double-free crashes in the cache subsystem have been fixed. * Excessive stack allocation in the autohinter has been fixed. * The B/W rasterizer has received a major upkeep that results in large performance improvements. 
The rendering speed has increased and even doubled for very complex glyphs. ----------------------------------------------------------------- Advisory ID: 108 Released: Tue May 13 15:37:50 2025 Summary: Security update for expat Type: security Severity: important References: 1027519,1214718,1218851,1219080,1219559,1219561,1219885,1221289,1221332,1221334,1221984,1222302,1222453,1225953,1227355,1228574,1228575,1229930,1229931,1229932,1232579,1232601,1239618,CVE-2013-0340,CVE-2019-15903,CVE-2023-28746,CVE-2023-46839,CVE-2023-46840,CVE-2023-46841,CVE-2023-46842,CVE-2023-52425,CVE-2023-52426,CVE-2024-2193,CVE-2024-2201,CVE-2024-28757,CVE-2024-31142,CVE-2024-31143,CVE-2024-31145,CVE-2024-31146,CVE-2024-45490,CVE-2024-45491,CVE-2024-45492,CVE-2024-50602,CVE-2024-8176 This update for expat fixes the following issues: Version update to 2.7.1: Bug fixes: #980 #989 Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are: - XML_GetCurrentByteCount - XML_GetCurrentByteIndex - XML_GetCurrentColumnNumber - XML_GetCurrentLineNumber - XML_GetInputContext Other changes: #976 #977 Autotools: Integrate files 'fuzz/xml_lpm_fuzzer.{cpp,proto}' with Automake that were missing from 2.7.0 release tarballs #983 #984 Fix printf format specifiers for 32bit Emscripten #992 docs: Promote OpenSSF Best Practices self-certification #978 tests/benchmark: Resolve mistaken double close #986 Address compiler warnings #990 #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do Infrastructure: #982 CI: Start running Perl XML::Parser integration tests #987 CI: Enforce Clang Static Analyzer clean code #991 CI: Re-enable warning clang-analyzer-valist.Uninitialized for clang-tidy #981 CI: Cover compilation with musl #983 #984 CI: Cover compilation with 32bit Emscripten #976 #977 CI: Protect against fuzzer files missing from future release archives 
version update to 2.7.0 (CVE-2024-8176 [bsc#1239618]): * Security fixes: #893 #973 CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities: - general entities in character data ('&g1;') - general entities in attribute values ('') - parameter entities ('%p1;') Known impact is (reliable and easy) denial of service: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2) Please note that a layer of compression around XML can significantly reduce the minimum attack payload size. * Other changes: #935 #937 Autotools: Make generated CMake files look for libexpat.@SO_MAJOR@.dylib on macOS #925 Autotools: Sync CMake templates with CMake 3.29 #945 #962 #966 CMake: Drop support for CMake <3.13 #942 CMake: Small fuzzing related improvements #921 docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4 #941 docs: Document need for C++11 compiler for use from C++ #959 tests/benchmark: Fix a (harmless) TOCTTOU #944 Windows: Fix installer target location of file xmlwf.xml for CMake #953 Windows: Address warning -Wunknown-warning-option about -Wno-pedantic-ms-format from LLVM MinGW #971 Address Cppcheck warnings #969 #970 Mass-migrate links from http:// to https:// #947 #958 .. #974 #975 Document changes since the previous release #974 #975 Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do - no source changes, just adding jira reference: jsc#SLE-21253 Version update to 2.6.4 * Security fixes: [bsc#1232601][bsc#1232579] #915 CVE-2024-50602 -- Fix crash within function XML_ResumeParser from a NULL pointer dereference by disallowing function XML_StopParser to (stop or) suspend an unstarted parser. A new error code XML_ERROR_NOT_STARTED was introduced to properly communicate this situation.
// CWE-476 CWE-754 * Other changes: #903 CMake: Add alias target 'expat::expat' #905 docs: Document use via CMake >=3.18 with FetchContent and SOURCE_SUBDIR and its consequences #902 tests: Reduce use of global parser instance #904 tests: Resolve duplicate handler #317 #918 tests: Improve tests on doctype closing (ex CVE-2019-15903) #914 Fix signedness of format strings #919 #920 Version info bumped from 10:3:9 (libexpat*.so.1.9.3) to 11:0:10 (libexpat*.so.1.10.0); see https://verbump.de/ for what these numbers do Update to 2.6.3: * Security fixes: - CVE-2024-45490, bsc#1229930 -- Calling function XML_ParseBuffer with len < 0 without noticing and then calling XML_GetBuffer will have XML_ParseBuffer fail to recognize the problem and XML_GetBuffer corrupt memory. With the fix, XML_ParseBuffer now complains with error XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse has been doing since Expat 2.2.1, and now documented. Impact is denial of service to potentially arbitrary code execution. - CVE-2024-45491, bsc#1229931 -- Internal function dtdCopy can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). Impact is denial of service to potentially arbitrary code execution. - CVE-2024-45492, bsc#1229932 -- Internal function nextScaffoldPart can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). Impact is denial of service to potentially arbitrary code execution.
Update to 2.6.2: * CVE-2024-28757 -- Prevent billion laughs attacks with isolated use of external parsers (bsc#1221289) * Reject direct parameter entity recursion and avoid the related undefined behavior Update to 2.6.1: * Expose billion laughs API with XML_DTD defined and XML_GE undefined, regression from 2.6.0 * Make tests independent of CPU speed, and thus more robust Update to 2.6.0: * Security fixes: - CVE-2023-52425 (bsc#1219559) -- Fix quadratic runtime issues with big tokens that can cause denial of service, in particular when dealing with compressed XML input. Applications that parsed a document in one go -- a single call to functions XML_Parse or XML_ParseBuffer -- were not affected. The smaller the chunks/buffers you use for parsing previously, the bigger the problem prior to the fix. Backporters should be careful to not omit parts of pull request #789 and to include earlier pull request #771, in order to not break the fix. - CVE-2023-52426 (bsc#1219561) -- Fix billion laughs attacks for users compiling *without* XML_DTD defined (which is not common). Users with XML_DTD defined have been protected since Expat >=2.4.0 (and that was CVE-2013-0340 back then).
* Bug fixes: - Fix parse-size-dependent 'invalid token' error for external entities that start with a byte order mark - Fix NULL pointer dereference in setContext via XML_ExternalEntityParserCreate for compilation with XML_DTD undefined - Protect against closing entities out of order * Other changes: - Improve support for arc4random/arc4random_buf - Improve buffer growth in XML_GetBuffer and XML_Parse - xmlwf: Support --help and --version - xmlwf: Support custom buffer size for XML_GetBuffer and read - xmlwf: Improve language and URL clickability in help output - examples: Add new example 'element_declarations.c' - Be stricter about macro XML_CONTEXT_BYTES at build time - Make inclusion to expat_config.h consistent - Autotools: configure.ac: Support --disable-maintainer-mode - Autotools: Sync CMake templates with CMake 3.26 - Autotools: Make installation of shipped man page doc/xmlwf.1 independent of docbook2man availability - Autotools|CMake: Add missing -DXML_STATIC to pkg-config file section 'Cflags.private' in order to fix compilation against static libexpat using pkg-config on Windows - Autotools|CMake: Require a C99 compiler (a de-facto requirement already since Expat 2.2.2 of 2017) - Autotools|CMake: Fix PACKAGE_BUGREPORT variable - Autotools|CMake: Make test suite require a C++11 compiler - CMake: Require CMake >=3.5.0 - CMake: Lowercase off_t and size_t to help a bug in Meson - CMake: Sort xmlwf sources alphabetically - CMake|Windows: Fix generation of DLL file version info - CMake: Build tests/benchmark/benchmark.c as well for a build with -DEXPAT_BUILD_TESTS=ON - docs: Document the importance of isFinal + adjust tests accordingly - docs: Improve use of 'NULL' and 'null' - docs: Be specific about version of XML (XML 1.0r4) and version of C (C99); (XML 1.0r5 will need a sponsor.) 
- docs: reference.html: Promote function XML_ParseBuffer more - docs: reference.html: Add HTML anchors to XML_* macros - docs: reference.html: Upgrade to OK.css 1.2.0 - docs: Fix typos - docs|CI: Use HTTPS URLs instead of HTTP at various places - Address compiler warnings - Address clang-tidy warnings - Version info bumped from 9:10:8 (libexpat*.so.1.8.10) to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/ for what these numbers do ----------------------------------------------------------------- Advisory ID: 111 Released: Thu May 15 19:45:43 2025 Summary: Security update for elemental-operator Type: security Severity: important References: 1231264,1231265,1231266,1238700,1239335,CVE-2024-31227,CVE-2024-31228,CVE-2024-31449,CVE-2025-22869,CVE-2025-22870 This update for elemental-operator fixes the following issues: - Updated to v1.7.2: * Updated header year * CVE-2025-22870: golang.org/x/net/proxy: Fixed proxy bypass using IPv6 zone IDs (bsc#1238700) * CVE-2025-22869: golang.org/x/crypto/ssh: Fixed Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239335) * Label Templates: add IP addresses to the Network variables (#885, #894) * Fixed generation of already present resources (#892, #893) ----------------------------------------------------------------- Advisory ID: 122 Released: Tue May 27 11:28:57 2025 Summary: Security update for glibc Type: security Severity: critical References: 1219503,1225365,1234128,1234665,1239883,1243317,CVE-2023-32324,CVE-2023-32360,CVE-2023-34241,CVE-2023-4504,CVE-2024-35235,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for static (bsc#1243317) - pthreads NPTL: lost wakeup fix 2 (bsc#1234128, BZ #25847) - Mark functions in libc_nonshared.a as hidden (bsc#1239883) - Linux: Switch back to assembly syscall wrapper for prctl (bsc#1234665, BZ #29770) ----------------------------------------------------------------- Advisory 
ID: 126 Released: Wed May 28 11:00:31 2025 Summary: Security update for libxml2 Type: security Severity: moderate References: 1207377,1218474,1228142,1230679,1241453,1241551,CVE-2022-45748,CVE-2024-40724,CVE-2024-45679,CVE-2025-32414,CVE-2025-32415 This update for libxml2 fixes the following issues: - CVE-2025-32414: Fixed out-of-bounds read when parsing text via the Python API (bsc#1241551). - CVE-2025-32415: Fixed heap-based buffer under-read via crafted XML documents (bsc#1241453). ----------------------------------------------------------------- Advisory ID: 130 Released: Tue Jun 3 11:03:45 2025 Summary: Security update for elemental-toolkit Type: security Severity: important References: 1231565,1238700,1239335,CVE-2024-9632,CVE-2025-22869,CVE-2025-22870 This update for elemental-toolkit fixes the following issues: - Updated to v2.2.3: * Adapted .golangci.yml format to a new version * Simplified podman calls in CI setup * Switched GHA runners to Ubuntu 24.04 * Updated year in headers * Vendored go.mod libraries * CVE-2025-22870: golang.org/x/net/proxy: Fixed proxy bypass using IPv6 zone IDs (bsc#1238700) * CVE-2025-22869: golang.org/x/crypto/ssh: Fixed Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239335) ----------------------------------------------------------------- Advisory ID: 145 Released: Thu Jun 12 09:37:25 2025 Summary: Security update for systemd Type: security Severity: moderate References: 1217538,1236177,1237496,1241190,1242938,CVE-2025-4598 This update for systemd fixes the following issues: - coredump: use %d in kernel core pattern (CVE-2025-4598) - Revert 'macro: terminate the temporary VA_ARGS_FOREACH() array with a sentinel' (SUSE specific) - umount: do not move busy network mounts (bsc#1236177) - man/pstore.conf: pstore.conf template is not always installed in /etc - man: coredump.conf template is not always installed in /etc (bsc#1237496) - Don't write messages sent from users with UID falling into the container UID 
range to the system journal. Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. (bsc#1242938) - This re-adds back the support for the persistent net name rules as well as their generator since predictable naming scheme is still disabled by default on Micro (via the `net.ifnames=0` boot option). (bsc#1241190) ----------------------------------------------------------------- Advisory ID: 146 Released: Fri Jun 13 12:48:33 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1231698,1240366,CVE-2024-9676,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366) ----------------------------------------------------------------- Advisory ID: 147 Released: Fri Jun 13 12:50:10 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1200528,1217070,1221400,1224323,1228553,1234812,CVE-2022-1996,CVE-2023-45142,CVE-2023-45288,CVE-2023-47108,CVE-2024-40896 This update for libxml2 fixes the following issues: - CVE-2024-40896: Fixed XXE vulnerability (bsc#1234812) ----------------------------------------------------------------- Advisory ID: 151 Released: Thu Jun 19 10:45:49 2025 Summary: Security update for pam Type: security Severity: important References: 1244509,CVE-2024-10220,CVE-2024-36620,CVE-2024-36621,CVE-2024-36623,CVE-2024-37820,CVE-2024-43784,CVE-2024-45719,CVE-2024-50948,CVE-2024-52003,CVE-2024-52280,CVE-2024-52282,CVE-2024-52309,CVE-2024-52529,CVE-2024-52801,CVE-2024-53259,CVE-2024-53264,CVE-2024-53858,CVE-2024-53862,CVE-2024-54131,CVE-2024-54132,CVE-2024-6156,CVE-2024-6219,CVE-2024-6538,CVE-2024-8676,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute 
path. And keep the bind-mount protection from protect_mount() as a defense in depth measure. (bsc#1244509) ----------------------------------------------------------------- Advisory ID: 168 Released: Fri Jul 4 10:41:41 2025 Summary: Recommended update for elemental-operator Type: recommended Severity: moderate References: This update for elemental-operator fixes the following issues: - [v1.7.x] Label Templates: improve Random family processing - Dockerfile: bump golang container to 1.24 - operator: update RBAC for upgrade plans ----------------------------------------------------------------- Advisory ID: 170 Released: Fri Jul 4 16:31:25 2025 Summary: Recommended update for gptfdisk Type: recommended Severity: important References: 1242987 This update for gptfdisk fixes the following issues: - Fix boot failure with qcow and vmdk images (bsc#1242987) The following package changes have been done: - boost-license1_84_0-1.84.0-slfo.1.1_1.4 updated - btrfsprogs-udev-rules-6.8.1-slfo.1.1_1.2 updated - compat-usrmerge-tools-84.87-slfo.1.1_1.5 updated - crypto-policies-20230920.570ea89-slfo.1.1_1.2 updated - elemental-httpfy-1.7.3-slfo.1.1_1.1 updated - elemental-seedimage-hooks-1.7.3-slfo.1.1_1.1 updated - libsemanage-conf-3.5-slfo.1.1_1.3 updated - libssh-config-0.10.6-slfo.1.1_1.3 updated - pkgconf-m4-1.8.0-slfo.1.1_1.5 updated - system-user-root-20190513-slfo.1.1_1.2 updated - filesystem-84.87-slfo.1.1_1.2 updated - glibc-2.38-slfo.1.1_4.1 updated - libzstd1-1.5.5-slfo.1.1_1.4 updated - libz1-1.2.13-slfo.1.1_1.3 updated - libxxhash0-0.8.1-slfo.1.1_2.1 updated - libverto1-0.3.2-slfo.1.1_1.2 updated - libuuid1-2.40.4-slfo.1.1_1.1 updated - liburcu8-0.14.0-slfo.1.1_1.3 updated - libunistring5-1.1-slfo.1.1_1.2 updated - libtextstyle0-0.21.1-slfo.1.1_2.1 updated - libtasn1-6-4.19.0-slfo.1.1_2.1 updated - libsmartcols1-2.40.4-slfo.1.1_1.1 updated - libsepol2-3.5-slfo.1.1_1.3 updated - libseccomp2-2.5.4-slfo.1.1_1.4 updated - libsasl2-3-2.1.28-slfo.1.1_1.2 updated - 
libpopt0-1.19-slfo.1.1_1.3 updated - libpkgconf3-1.8.0-slfo.1.1_1.5 updated - libpcre2-8-0-10.42-slfo.1.1_1.4 updated - libparted-fs-resize0-3.5-slfo.1.1_1.2 updated - libnss_usrfiles2-2.27-slfo.1.1_1.3 updated - libnghttp2-14-1.52.0-slfo.1.1_1.4 updated - liblzo2-2-2.10-slfo.1.1_1.3 updated - liblzma5-5.4.3-slfo.1.1_1.4 updated - liblz4-1-1.9.4-slfo.1.1_1.2 updated - liblua5_4-5-5.4.6-slfo.1.1_1.3 updated - libkeyutils1-1.6.3-slfo.1.1_1.3 updated - libjson-c5-0.16-slfo.1.1_1.2 updated - libjitterentropy3-3.4.1-slfo.1.1_1.3 updated - libip4tc2-1.8.9-slfo.1.1_2.1 updated - libgpg-error0-1.47-slfo.1.1_1.3 updated - libgmp10-6.3.0-slfo.1.1_1.5 updated - libgcc_s1-14.2.0+git10526-slfo.1.1_2.1 updated - libfuse2-2.9.9-slfo.1.1_1.2 updated - libffi8-3.4.6-slfo.1.1_1.4 updated - libexpat1-2.7.1-slfo.1.1_1.1 updated - libeconf0-0.7.2-slfo.1.1_1.3 updated - libcrypt1-4.4.36-slfo.1.1_1.4 updated - libcom_err2-1.47.0-slfo.1.1_1.2 updated - libcap2-2.69-slfo.1.1_1.3 updated - libcap-ng0-0.8.3-slfo.1.1_1.4 updated - libbz2-1-1.0.8-slfo.1.1_1.4 updated - libburn4-1.5.4-slfo.1.1_1.2 updated - libbtrfsutil1-6.8.1-slfo.1.1_1.2 updated - libbtrfs0-6.8.1-slfo.1.1_1.2 updated - libbrotlicommon1-1.1.0-slfo.1.1_1.3 updated - libaudit1-3.1.1-slfo.1.1_1.3 updated - libattr1-2.5.1-slfo.1.1_1.3 updated - libargon2-1-20190702-slfo.1.1_1.2 updated - libalternatives1-1.2+30.a5431e9-slfo.1.1_1.3 updated - libaio1-0.3.113-slfo.1.1_1.2 updated - libacl1-2.3.1-slfo.1.1_1.3 updated - fillup-1.42-slfo.1.1_2.2 updated - dosfstools-4.2-slfo.1.1_1.2 updated - diffutils-3.10-slfo.1.1_1.3 updated - libpng16-16-1.6.43-slfo.1.1_1.2 updated - libidn2-0-2.3.4-slfo.1.1_1.2 updated - pkgconf-1.8.0-slfo.1.1_1.5 updated - libselinux1-3.5-slfo.1.1_1.3 updated - netcfg-11.6-slfo.1.1_1.2 updated - libxml2-2-2.11.6-slfo.1.1_5.1 updated - squashfs-4.6.1-slfo.1.1_1.2 updated - libgcrypt20-1.10.3-slfo.1.1_1.10 updated - libstdc++6-14.2.0+git10526-slfo.1.1_2.1 updated - libp11-kit0-0.25.3-slfo.1.1_1.2 updated - 
libblkid1-2.40.4-slfo.1.1_1.1 updated - perl-base-5.38.2-slfo.1.1_1.4 updated - libext2fs2-1.47.0-slfo.1.1_1.2 updated - libudev1-254.25-slfo.1.1_1.1 updated - chkstat-1600_20240206-slfo.1.1_1.5 updated - libzio1-1.08-slfo.1.1_1.3 updated - libjte2-1.22-slfo.1.1_1.2 updated - libbrotlidec1-1.1.0-slfo.1.1_1.3 updated - alts-1.2+30.a5431e9-slfo.1.1_1.3 updated - libpsl5-0.21.2-slfo.1.1_1.2 updated - sed-4.9-slfo.1.1_1.2 updated - libsubid4-4.15.1-slfo.1.1_1.3 updated - libsemanage2-3.5-slfo.1.1_1.3 updated - findutils-4.9.0-slfo.1.1_2.1 updated - libsystemd0-254.25-slfo.1.1_1.1 updated - libncurses6-6.4.20240224-slfo.1.1_1.5 updated - terminfo-base-6.4.20240224-slfo.1.1_1.5 updated - libinih0-56-slfo.1.1_1.3 updated - libboost_thread1_84_0-1.84.0-slfo.1.1_1.4 updated - p11-kit-0.25.3-slfo.1.1_1.2 updated - p11-kit-tools-0.25.3-slfo.1.1_1.2 updated - libmount1-2.40.4-slfo.1.1_1.1 updated - libfdisk1-2.40.4-slfo.1.1_1.1 updated - libisofs6-1.5.4-slfo.1.1_1.2 updated - libfreetype6-2.13.3-slfo.1.1_1.1 updated - ncurses-utils-6.4.20240224-slfo.1.1_1.5 updated - libreadline8-8.2-slfo.1.1_1.4 updated - libedit0-20210910.3.1-slfo.1.1_1.3 updated - gptfdisk-1.0.9-slfo.1.1_2.1 updated - libisoburn1-1.5.4-slfo.1.1_1.2 updated - bash-5.2.15-slfo.1.1_1.6 updated - bash-sh-5.2.15-slfo.1.1_1.6 updated - xz-5.4.3-slfo.1.1_1.4 updated - systemd-default-settings-branding-openSUSE-0.7-slfo.1.1_1.2 updated - systemd-default-settings-0.7-slfo.1.1_1.2 updated - pkgconf-pkg-config-1.8.0-slfo.1.1_1.5 updated - login_defs-4.15.1-slfo.1.1_1.3 updated - libdevmapper1_03-2.03.22_1.02.196-slfo.1.1_1.3 updated - gzip-1.13-slfo.1.1_2.4 updated - grep-3.11-slfo.1.1_1.2 updated - gettext-runtime-0.21.1-slfo.1.1_2.1 updated - coreutils-9.4-slfo.1.1_1.4 updated - ALP-dummy-release-0.1-slfo.1.1_1.5 updated - libparted2-3.5-slfo.1.1_1.2 updated - libdevmapper-event1_03-2.03.22_1.02.196-slfo.1.1_1.3 updated - info-7.0.3-slfo.1.1_1.3 updated - xfsprogs-6.5.0-slfo.1.1_1.2 updated - 
thin-provisioning-tools-0.9.0-slfo.1.1_1.4 updated - systemd-rpm-macros-24-slfo.1.1_1.2 updated - systemd-presets-common-SUSE-15-slfo.1.1_1.2 updated - rpm-config-SUSE-20240214-slfo.1.1_1.2 updated - rpm-4.18.0-slfo.1.1_1.5 updated - permissions-config-1600_20240206-slfo.1.1_1.5 updated - glibc-locale-base-2.38-slfo.1.1_4.1 updated - e2fsprogs-1.47.0-slfo.1.1_1.2 updated - ca-certificates-2+git20240805.fd24d50-slfo.1.1_1.2 updated - ca-certificates-mozilla-2.74-slfo.1.1_1.1 updated - btrfsprogs-6.8.1-slfo.1.1_1.2 updated - parted-3.5-slfo.1.1_1.2 updated - liblvm2cmd2_03-2.03.22-slfo.1.1_1.3 updated - xorriso-1.5.4-slfo.1.1_1.2 updated - device-mapper-2.03.22_1.02.196-slfo.1.1_1.3 updated - systemd-presets-branding-ALP-transactional-20230214-slfo.1.1_1.2 updated - permissions-1600_20240206-slfo.1.1_1.5 updated - mtools-4.0.43-slfo.1.1_1.2 updated - libopenssl3-3.1.4-slfo.1.1_5.1 updated - pam-1.6.1-slfo.1.1_3.1 updated - grub2-2.12-slfo.1.1_1.17 updated - grub2-i386-pc-2.12-slfo.1.1_1.17 updated - suse-module-tools-16.0.43-slfo.1.1_1.2 updated - kmod-32-slfo.1.1_1.2 updated - rsync-3.3.0-slfo.1.1_3.1 updated - libldap2-2.6.4-slfo.1.1_1.2 updated - libkmod2-32-slfo.1.1_1.2 updated - libcryptsetup12-2.6.1-slfo.1.1_1.2 updated - krb5-1.21.3-slfo.1.1_2.1 updated - util-linux-2.40.4-slfo.1.1_1.1 updated - shadow-4.15.1-slfo.1.1_1.3 updated - pam-config-2.11+git.20240906-slfo.1.1_1.2 updated - kbd-2.6.4-slfo.1.1_1.3 updated - libssh4-0.10.6-slfo.1.1_1.3 updated - libsnapper7-0.11.2-slfo.1.1_1.2 updated - aaa_base-84.87+git20240906.742565b-slfo.1.1_1.2 updated - libcurl4-8.12.1-slfo.1.1_1.1 updated - dbus-1-daemon-1.14.10-slfo.1.1_1.2 updated - curl-8.12.1-slfo.1.1_1.1 updated - dbus-1-tools-1.14.10-slfo.1.1_1.2 updated - systemd-254.25-slfo.1.1_1.1 updated - sysuser-shadow-3.1-slfo.1.1_1.2 updated - dbus-1-common-1.14.10-slfo.1.1_1.2 updated - libdbus-1-3-1.14.10-slfo.1.1_1.2 updated - dbus-1-1.14.10-slfo.1.1_1.2 updated - system-group-kvm-20170617-slfo.1.1_1.2 updated - 
system-group-hardware-20170617-slfo.1.1_1.2 updated - udev-254.25-slfo.1.1_1.1 updated - snapper-0.11.2-slfo.1.1_1.2 updated - lvm2-2.03.22-slfo.1.1_1.3 updated - elemental-toolkit-2.2.3-slfo.1.1_1.1 updated - container:suse-toolbox-image-1.0.0-4.50 updated - file-magic-5.44-4.151 removed - kbd-legacy-2.6.4-1.3 removed - libmagic1-5.44-4.151 removed From sle-container-updates at lists.suse.com Sun Jul 13 07:02:42 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sun, 13 Jul 2025 09:02:42 +0200 (CEST) Subject: SUSE-IU-2025:1941-1: Security update of suse-sles-15-sp6-chost-byos-v20250711-x86_64-gen2 Message-ID: <20250713070242.B617CFCFE@maintenance.suse.de> SUSE Image Update Advisory: suse-sles-15-sp6-chost-byos-v20250711-x86_64-gen2 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1941-1 Image Tags : suse-sles-15-sp6-chost-byos-v20250711-x86_64-gen2:20250711 Image Release : Severity : important Type : security References : ----------------------------------------------------------------- The container suse-sles-15-sp6-chost-byos-v20250711-x86_64-gen2 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1998-1 Released: Wed Jun 18 10:42:20 2025 Summary: Security update for python-requests Type: security Severity: moderate References: 1244039,CVE-2024-47081 This update for python-requests fixes the following issues: - CVE-2024-47081: fixed netrc credential leak (bsc#1244039). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2000-1 Released: Wed Jun 18 13:08:14 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: The SUSE Linux Enterprise 15 SP6 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2024-28956: x86/ibt: Keep IBT disabled during alternative patching (bsc#1242006). - CVE-2024-46713: kabi fix for perf/aux: Fix AUX buffer serialization (bsc#1230581). - CVE-2024-50223: sched/numa: Fix the potential null pointer dereference in (bsc#1233192). - CVE-2024-53135: KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN (bsc#1234154). - CVE-2024-54458: scsi: ufs: bsg: Set bsg_queue to NULL after removal (bsc#1238992). - CVE-2025-21648: netfilter: conntrack: clamp maximum hashtable size to INT_MAX (bsc#1236142). - CVE-2025-21702: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (bsc#1237312). 
- CVE-2025-21787: team: better TEAM_OPTION_TYPE_STRING validation (bsc#1238774). - CVE-2025-21814: ptp: Ensure info->enable callback is always set (bsc#1238473). - CVE-2025-21919: sched/fair: Fix potential memory corruption in child_cfs_rq_on_list (bsc#1240593). - CVE-2025-22021: netfilter: socket: Lookup orig tuple for IPv6 SNAT (bsc#1241282). - CVE-2025-22030: mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead() (bsc#1241376). - CVE-2025-22056: netfilter: nft_tunnel: fix geneve_opt type confusion addition (bsc#1241525). - CVE-2025-22057: net: decrease cached dst counters in dst_release (bsc#1241533). - CVE-2025-22063: netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets (bsc#1241351). - CVE-2025-22070: fs/9p: fix NULL pointer dereference on mkdir (bsc#1241305). - CVE-2025-22103: net: fix NULL pointer dereference in l3mdev_l3_rcv (bsc#1241448). - CVE-2025-23140: misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error (bsc#1242763). - CVE-2025-23150: ext4: fix off-by-one error in do_split (bsc#1242513). - CVE-2025-23160: media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization (bsc#1242507). - CVE-2025-37748: iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group (bsc#1242523). - CVE-2025-37749: net: ppp: Add bound checking for skb data on ppp_sync_txmung (bsc#1242859). - CVE-2025-37750: smb: client: fix UAF in decryption with multichannel (bsc#1242510). - CVE-2025-37755: net: libwx: handle page_pool_dev_alloc_pages error (bsc#1242506). - CVE-2025-37773: virtiofs: add filesystem context source name check (bsc#1242502). - CVE-2025-37780: isofs: Prevent the use of too small fid (bsc#1242786). - CVE-2025-37787: net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered (bsc#1242585). - CVE-2025-37789: net: openvswitch: fix nested key length validation in the set() action (bsc#1242762). 
- CVE-2025-37790: net: mctp: Set SOCK_RCU_FREE (bsc#1242509). - CVE-2025-37797: net_sched: hfsc: Fix a UAF vulnerability in class handling (bsc#1242417). - CVE-2025-37803: udmabuf: fix a buf size overflow issue during udmabuf creation (bsc#1242852). - CVE-2025-37804: io_uring: always do atomic put from iowq (bsc#1242854). - CVE-2025-37809: usb: typec: class: Unlocked on error in typec_register_partner() (bsc#1242856). - CVE-2025-37820: xen-netfront: handle NULL returned by xdp_convert_buff_to_frame() (bsc#1242866). - CVE-2025-37823: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too (bsc#1242924). - CVE-2025-37824: tipc: fix NULL pointer dereference in tipc_mon_reinit_self() (bsc#1242867). - CVE-2025-37829: cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate() (bsc#1242875). - CVE-2025-37830: cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate() (bsc#1242860). - CVE-2025-37831: cpufreq: apple-soc: Fix null-ptr-deref in apple_soc_cpufreq_get_rate() (bsc#1242861). - CVE-2025-37833: net/niu: Niu requires MSIX ENTRY_DATA fields touch before entry reads (bsc#1242868). - CVE-2025-37842: spi: fsl-qspi: Fix double cleanup in probe error path (bsc#1242951). - CVE-2025-37870: drm/amd/display: prevent hang on link training fail (bsc#1243056). - CVE-2025-37879: 9p/net: fix improper handling of bogus negative read/write replies (bsc#1243077). - CVE-2025-37886: pds_core: make wait_context part of q_info (bsc#1242944). - CVE-2025-37887: pds_core: handle unsupported PDS_CORE_CMD_FW_CONTROL result (bsc#1242962). - CVE-2025-37949: xenbus: Use kref to track req lifetime (bsc#1243541). - CVE-2025-37954: smb: client: Avoid race in open_cached_dir with lease breaks (bsc#1243664). - CVE-2025-37957: KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception (bsc#1243513). - CVE-2025-37958: mm/huge_memory: fix dereferencing invalid pmd migration entry (bsc#1243539). 
- CVE-2025-37960: memblock: Accept allocated memory before use in memblock_double_array() (bsc#1243519). - CVE-2025-37974: s390/pci: Fix missing check for zpci_create_device() error return (bsc#1243547). - CVE-2025-38152: remoteproc: core: Clear table_sz when rproc_shutdown (bsc#1241627). - CVE-2025-38637: net_sched: skbprio: Remove overly strict queue assertions (bsc#1241657). The following non-security bugs were fixed: - ACPI: PPTT: Fix processor subtable walk (git-fixes). - ALSA: es1968: Add error handling for snd_pcm_hw_constraint_pow2() (git-fixes). - ALSA: seq: Fix delivery of UMP events to group ports (git-fixes). - ALSA: sh: SND_AICA should depend on SH_DMA_API (git-fixes). - ALSA: ump: Fix a typo of snd_ump_stream_msg_device_info (git-fixes). - ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface() (stable-fixes). - ALSA: usb-audio: Add sample rate quirk for Audioengine D1 (git-fixes). - ALSA: usb-audio: Add sample rate quirk for Microdia JP001 USB Camera (stable-fixes). - ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset (stable-fixes). - ASoC: SOF: ipc4-control: Use SOF_CTRL_CMD_BINARY as numid for bytes_ext (git-fixes). - ASoC: SOF: ipc4-pcm: Delay reporting is only supported for playback direction (git-fixes). - ASoC: Use of_property_read_bool() (stable-fixes). - ASoC: soc-core: Stop using of_property_read_bool() for non-boolean properties (stable-fixes). - ASoc: SOF: topology: connect DAI to a single DAI link (git-fixes). - Bluetooth: L2CAP: Fix not checking l2cap_chan security level (git-fixes). - Bluetooth: MGMT: Fix MGMT_OP_ADD_DEVICE invalid device flags (git-fixes). - Bluetooth: btusb: use skb_pull to avoid unsafe access in QCA dump handling (git-fixes). - Drivers: hv: Allow vmbus_sendpacket_mpb_desc() to create multiple ranges (git-fixes). - Fix write to cloned skb in ipv6_hop_ioam() (git-fixes). - HID: thrustmaster: fix memory leak in thrustmaster_interrupts() (git-fixes). 
- HID: uclogic: Add NULL check in uclogic_input_configured() (git-fixes). - IB/cm: use rwlock for MAD agent lock (git-fixes) - Input: cyttsp5 - ensure minimum reset pulse width (git-fixes). - Input: mtk-pmic-keys - fix possible null pointer dereference (git-fixes). - Input: synaptics - enable InterTouch on Dell Precision M3800 (stable-fixes). - Input: synaptics - enable InterTouch on Dynabook Portege X30-D (stable-fixes). - Input: synaptics - enable InterTouch on Dynabook Portege X30L-G (stable-fixes). - Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 (stable-fixes). - Input: synaptics - enable SMBus for HP Elitebook 850 G1 (stable-fixes). - Input: synaptics-rmi - fix crash with unsupported versions of F34 (git-fixes). - Input: xpad - add support for 8BitDo Ultimate 2 Wireless Controller (stable-fixes). - Input: xpad - fix Share button on Xbox One controllers (stable-fixes). - Input: xpad - fix two controller table values (git-fixes). - KVM: SVM: Allocate IR data using atomic allocation (git-fixes). - KVM: SVM: Drop DEBUGCTL[5:2] from guest's effective value (git-fixes). - KVM: SVM: Suppress DEBUGCTL.BTF on AMD (git-fixes). - KVM: SVM: Update dump_ghcb() to use the GHCB snapshot fields (git-fixes). - KVM: VMX: Do not modify guest XFD_ERR if CR0.TS=1 (git-fixes). - KVM: arm64: Change kvm_handle_mmio_return() return polarity (git-fixes). - KVM: arm64: Fix RAS trapping in pKVM for protected VMs (git-fixes). - KVM: arm64: Ignore PMCNTENSET_EL0 while checking for overflow status (git-fixes). - KVM: arm64: Mark some header functions as inline (git-fixes). - KVM: arm64: Tear down vGIC on failed vCPU creation (git-fixes). - KVM: arm64: timer: Always evaluate the need for a soft timer (git-fixes). - KVM: arm64: vgic-its: Add a data length check in vgic_its_save_* (git-fixes). - KVM: arm64: vgic-its: Clear DTE when MAPD unmaps a device (git-fixes). - KVM: arm64: vgic-its: Clear ITE when DISCARD frees an ITE (git-fixes). 
- KVM: arm64: vgic-v4: Fall back to software irqbypass if LPI not found (git-fixes).
- KVM: arm64: vgic-v4: Only attempt vLPI mapping for actual MSIs (git-fixes).
- KVM: nSVM: Pass next RIP, not current RIP, for nested VM-Exit on emulation (git-fixes).
- KVM: nVMX: Allow emulating RDPID on behalf of L2 (git-fixes).
- KVM: nVMX: Check PAUSE_EXITING, not BUS_LOCK_DETECTION, on PAUSE emulation (git-fixes).
- KVM: s390: Do not use %pK through debug printing (git-fixes bsc#1243657).
- KVM: s390: Do not use %pK through tracepoints (git-fixes bsc#1243658).
- KVM: x86/xen: Use guest's copy of pvclock when starting timer (git-fixes).
- KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses (git-fixes).
- KVM: x86: Do not take kvm->lock when iterating over vCPUs in suspend notifier (git-fixes).
- KVM: x86: Explicitly treat routing entry type changes as changes (git-fixes).
- KVM: x86: Explicitly zero EAX and EBX when PERFMON_V2 isn't supported by KVM (git-fixes).
- KVM: x86: Explicitly zero-initialize on-stack CPUID unions (git-fixes).
- KVM: x86: Make x2APIC ID 100% readonly (git-fixes).
- KVM: x86: Reject disabling of MWAIT/HLT interception when not allowed (git-fixes).
- KVM: x86: Remove the unreachable case for 0x80000022 leaf in __do_cpuid_func() (git-fixes).
- KVM: x86: Wake vCPU for PIC interrupt injection iff a valid IRQ was found (git-fixes).
- NFS: O_DIRECT writes must check and adjust the file length (git-fixes).
- NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up (git-fixes).
- NFSv4/pnfs: Reset the layout state after a layoutreturn (git-fixes).
- NFSv4: Do not trigger uneccessary scans for return-on-close delegations (git-fixes).
- RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work (git-fixes)
- RDMA/core: Fix 'KASAN: slab-use-after-free Read in ib_register_device' problem (git-fixes)
- RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h (git-fixes)
- RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction (git-fixes)
- RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction (git-fixes)
- RDMA/rxe: Fix 'trying to register non-static key in rxe_qp_do_cleanup' bug (git-fixes)
- RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug (git-fixes)
- Squashfs: check return result of sb_min_blocksize (git-fixes).
- USB: usbtmc: use interruptible sleep in usbtmc_read (git-fixes).
- Xen/swiotlb: mark xen_swiotlb_fixup() __init (git-fixes).
- add bug reference for an existing hv_netvsc change (bsc#1243737).
- afs: Fix the server_list to unuse a displaced server rather than putting it (git-fixes).
- afs: Make it possible to find the volumes that are using a server (git-fixes).
- arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs (git-fixes)
- arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users (git-fixes)
- arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD (git-fixes)
- arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 (git-fixes)
- arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays (git-fixes)
- arm64: insn: Add support for encoding DSB (git-fixes)
- arm64: proton-pack: Add new CPUs 'k' values for branch mitigation (git-fixes)
- arm64: proton-pack: Expose whether the branchy loop k value (git-fixes)
- arm64: proton-pack: Expose whether the platform is mitigated by (git-fixes)
- arp: switch to dev_getbyhwaddr() in arp_req_set_public() (git-fixes).
- bnxt_en: Add missing skb_mark_for_recycle() in bnxt_rx_vlan() (git-fixes).
- bnxt_en: Fix coredump logic to free allocated buffer (git-fixes).
- bnxt_en: Fix ethtool -d byte order for 32-bit values (git-fixes).
- bnxt_en: Fix out-of-bound memcpy() during ethtool -w (git-fixes).
- bpf: Fix mismatched RCU unlock flavour in bpf_out_neigh_v6 (git-fixes).
- bpf: Scrub packet on bpf_redirect_peer (git-fixes).
- btrfs: adjust subpage bit start based on sectorsize (bsc#1241492).
- btrfs: avoid NULL pointer dereference if no valid csum tree (bsc#1243342).
- btrfs: avoid NULL pointer dereference if no valid extent tree (bsc#1236208).
- btrfs: avoid monopolizing a core when activating a swap file (git-fixes).
- btrfs: do not loop for nowait writes when checking for cross references (git-fixes).
- btrfs: fix a leaked chunk map issue in read_one_chunk() (git-fixes).
- btrfs: fix discard worker infinite loop after disabling discard (bsc#1242012).
- btrfs: fix non-empty delayed iputs list on unmount due to compressed write workers (git-fixes).
- cBPF: Refresh fixes for cBPF issue (bsc#1242778)
- can: bcm: add locking for bcm_op runtime updates (git-fixes).
- can: bcm: add missing rcu read protection for procfs content (git-fixes).
- can: gw: fix RCU/BH usage in cgw_create_job() (git-fixes).
- can: mcan: m_can_class_unregister(): fix order of unregistration calls (git-fixes).
- can: mcp251xfd: fix TDC setting for low data bit rates (git-fixes).
- can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls (git-fixes).
- can: slcan: allow reception of short error messages (git-fixes).
- check-for-config-changes: Fix flag name typo
- cifs: change tcon status when need_reconnect is set on it (git-fixes).
- cifs: reduce warning log level for server not advertising interfaces (git-fixes).
- crypto: algif_hash - fix double free in hash_accept (git-fixes).
- devlink: fix port new reply cmd type (git-fixes).
- dm-integrity: fix a warning on invalid table line (git-fixes).
- dma-buf: insert memory barrier before updating num_fences (git-fixes).
- dmaengine: Revert 'dmaengine: dmatest: Fix dmatest waiting less when interrupted' (git-fixes).
- dmaengine: idxd: Add missing cleanup for early error out in idxd_setup_internals (git-fixes).
- dmaengine: idxd: Add missing cleanups in cleanup internals (git-fixes).
- dmaengine: idxd: Add missing idxd cleanup to fix memory leak in remove call (git-fixes).
- dmaengine: idxd: Fix ->poll() return value (git-fixes).
- dmaengine: idxd: Fix allowing write() from different address spaces (git-fixes).
- dmaengine: idxd: Refactor remove call with idxd_cleanup() helper (git-fixes).
- dmaengine: idxd: fix memory leak in error handling path of idxd_alloc (git-fixes).
- dmaengine: idxd: fix memory leak in error handling path of idxd_pci_probe (git-fixes).
- dmaengine: idxd: fix memory leak in error handling path of idxd_setup_engines (git-fixes).
- dmaengine: idxd: fix memory leak in error handling path of idxd_setup_groups (git-fixes).
- dmaengine: idxd: fix memory leak in error handling path of idxd_setup_wqs (git-fixes).
- dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() (git-fixes).
- dmaengine: mediatek: drop unused variable (git-fixes).
- dmaengine: ti: k3-udma: Add missing locking (git-fixes).
- dmaengine: ti: k3-udma: Use cap_mask directly from dma_device structure instead of a local copy (git-fixes).
- drm/amd/display: Add scoped mutexes for amdgpu_dm_dhcp (stable-fixes).
- drm/amd/display: Avoid flooding unnecessary info messages (git-fixes).
- drm/amd/display: Copy AUX read reply data whenever length > 0 (git-fixes).
- drm/amd/display: Correct the reply value when AUX write incomplete (git-fixes).
- drm/amd/display: Fix slab-use-after-free in hdcp (git-fixes).
- drm/amd/display: Fix the checking condition in dmub aux handling (stable-fixes).
- drm/amd/display: Fix wrong handling for AUX_DEFER case (git-fixes).
- drm/amd/display: Remove incorrect checking in dmub aux handler (git-fixes).
- drm/amd/display: Shift DMUB AUX reply command if necessary (git-fixes).
- drm/amd/display: more liberal vmin/vmax update for freesync (stable-fixes).
- drm/amd: Add Suspend/Hibernate notification callback support (stable-fixes).
- drm/amdgpu/hdp5.2: use memcfg register to post the write for HDP flush (git-fixes).
- drm/amdgpu: Queue KFD reset workitem in VF FED (stable-fixes).
- drm/amdgpu: fix pm notifier handling (git-fixes).
- drm/amdgpu: trigger flr_work if reading pf2vf data failed (stable-fixes).
- drm/edid: fixed the bug that hdr metadata was not reset (git-fixes).
- drm/panel: simple: Update timings for AUO G101EVN010 (git-fixes).
- drm/v3d: Add job to pending list if the reset was skipped (stable-fixes).
- exfat: fix potential wrong error return from get_block (git-fixes).
- hv_netvsc: Preserve contiguous PFN grouping in the page buffer array (git-fixes).
- hv_netvsc: Remove rmsg_pgcnt (git-fixes).
- hv_netvsc: Use vmbus_sendpacket_mpb_desc() to send VMBus messages (git-fixes).
- i2c: designware: Fix an error handling path in i2c_dw_pci_probe() (git-fixes).
- ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() (git-fixes).
- idpf: fix offloads support for encapsulated packets (git-fixes).
- idpf: fix potential memory leak on kcalloc() failure (git-fixes).
- idpf: protect shutdown from reset (git-fixes).
- igc: fix lock order in igc_ptp_reset (git-fixes).
- iio: accel: adxl367: fix setting odr for activity time update (git-fixes).
- iio: adc: ad7606: fix serial register access (git-fixes).
- iio: adis16201: Correct inclinometer channel resolution (git-fixes).
- iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo (git-fixes).
- iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo (git-fixes).
- iio: temp: maxim-thermocouple: Fix potential lack of DMA safe buffer (git-fixes).
- inetpeer: remove create argument of inet_getpeer_v() (git-fixes).
- inetpeer: update inetpeer timestamp in inet_getpeer() (git-fixes).
- ipv4/route: avoid unused-but-set-variable warning (git-fixes).
- ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR) (git-fixes).
- ipv4: Convert icmp_route_lookup() to dscp_t (git-fixes).
- ipv4: Fix incorrect source address in Record Route option (git-fixes).
- ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family (git-fixes).
- ipv4: fix source address selection with route leak (git-fixes).
- ipv4: give an IPv4 dev to blackhole_netdev (git-fixes).
- ipv4: icmp: Pass full DS field to ip_route_input() (git-fixes).
- ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit() (git-fixes).
- ipv4: ip_gre: Fix drops of small packets in ipgre_xmit (git-fixes).
- ipv4: ip_tunnel: Unmask upper DSCP bits in ip_md_tunnel_xmit() (git-fixes).
- ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_bind_dev() (git-fixes).
- ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_xmit() (git-fixes).
- ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid (git-fixes).
- ipv4: raw: Fix sending packets from raw sockets via IPsec tunnels (git-fixes).
- ipv6: Align behavior across nexthops during path selection (git-fixes).
- ipv6: Do not consider link down nexthops in path selection (git-fixes).
- ipv6: Start path selection from the first nexthop (git-fixes).
- ipv6: fix omitted netlink attributes when using RTEXT_FILTER_SKIP_STATS (git-fixes).
- irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs (git-fixes).
- jiffies: Cast to unsigned long in secs_to_jiffies() conversion (bsc#1242993).
- jiffies: Define secs_to_jiffies() (bsc#1242993).
- kernel-obs-qa: Use srchash for dependency as well
- loop: Add sanity check for read/write_iter (git-fixes).
- loop: aio inherit the ioprio of original request (git-fixes).
- loop: do not require ->write_iter for writable files in loop_configure (git-fixes).
- md/raid1,raid10: do not ignore IO flags (git-fixes).
- md/raid10: fix missing discard IO accounting (git-fixes).
- md/raid10: wait barrier before returning discard request with REQ_NOWAIT (git-fixes).
- md/raid1: Add check for missing source disk in process_checks() (git-fixes).
- md/raid1: fix memory leak in raid1_run() if no active rdev (git-fixes).
- md/raid5: implement pers->bitmap_sector() (git-fixes).
- md: add a new callback pers->bitmap_sector() (git-fixes).
- md: ensure resync is prioritized over recovery (git-fixes).
- md: fix mddev uaf while iterating all_mddevs list (git-fixes).
- md: preserve KABI in struct md_personality v2 (git-fixes).
- media: videobuf2: Add missing doc comment for waiting_in_dqbuf (git-fixes).
- mtd: phram: Add the kernel lock down check (bsc#1232649).
- neighbour: delete redundant judgment statements (git-fixes).
- net/handshake: Fix handshake_req_destroy_test1 (git-fixes).
- net/handshake: Fix memory leak in __sock_create() and sock_alloc_file() (git-fixes).
- net/ipv6: Fix route deleting failure when metric equals 0 (git-fixes).
- net/ipv6: Fix the RT cache flush via sysctl using a previous delay (git-fixes).
- net/ipv6: delete temporary address if mngtmpaddr is removed or unmanaged (git-fixes).
- net/mlx5: E-Switch, Initialize MAC Address for Default GID (git-fixes).
- net/mlx5: E-switch, Fix error handling for enabling roce (git-fixes).
- net/mlx5e: Disable MACsec offload for uplink representor profile (git-fixes).
- net: Add non-RCU dev_getbyhwaddr() helper (git-fixes).
- net: Clear old fragment checksum value in napi_reuse_skb (git-fixes).
- net: Handle napi_schedule() calls from non-interrupt (git-fixes).
- net: Implement missing SO_TIMESTAMPING_NEW cmsg support (git-fixes).
- net: Remove acked SYN flag from packet in the transmit queue correctly (git-fixes).
- net: do not dump stack on queue timeout (git-fixes).
- net: gro: parse ipv6 ext headers without frag0 invalidation (git-fixes).
- net: ipv6: ioam6: fix lwtunnel_output() loop (git-fixes).
- net: loopback: Avoid sending IP packets without an Ethernet header (git-fixes).
- net: qede: Initialize qede_ll_ops with designated initializer (git-fixes).
- net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets (git-fixes).
- net: set the minimum for net_hotdata.netdev_budget_usecs (git-fixes).
- net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension (git-fixes).
- netdev-genl: avoid empty messages in queue dump (git-fixes).
- netdev: fix repeated netlink messages in queue dump (git-fixes).
- netlink: annotate data-races around sk->sk_err (git-fixes).
- netpoll: Ensure clean state on setup failures (git-fixes).
- nfs: handle failure of nfs_get_lock_context in unlock path (git-fixes).
- nfsd: add list_head nf_gc to struct nfsd_file (git-fixes).
- nilfs2: add pointer check for nilfs_direct_propagate() (git-fixes).
- nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() (git-fixes).
- nvme-pci: acquire cq_poll_lock in nvme_poll_irqdisable (git-fixes bsc#1223096).
- nvme-pci: add quirk for Samsung PM173x/PM173xa disk (bsc#1241148).
- nvme-pci: fix queue unquiesce check on slot_reset (git-fixes).
- nvme-pci: make nvme_pci_npages_prp() __always_inline (git-fixes).
- nvme-tcp: fix premature queue removal and I/O failover (git-fixes).
- nvme-tcp: select CONFIG_TLS from CONFIG_NVME_TCP_TLS (git-fixes).
- nvme: Add 'partial_nid' quirk (bsc#1241148).
- nvme: Add warning when a partiually unique NID is detected (bsc#1241148).
- nvme: Update patch nvme-fixup-scan-failure-for-non-ANA-multipath-contro.patch (git-fixes bsc#1235149).
- nvme: Update patch nvme-re-read-ANA-log-page-after-ns-scan-completes.patch (git-fixes bsc#1235149).
- nvme: fixup scan failure for non-ANA multipath controllers (git-fixes).
- nvme: multipath: fix return value of nvme_available_path (git-fixes).
- nvme: re-read ANA log page after ns scan completes (git-fixes).
- nvme: requeue namespace scan on missed AENs (git-fixes).
- nvme: unblock ctrl state transition for firmware update (git-fixes).
- nvmet-fc: inline nvmet_fc_delete_assoc (git-fixes).
- nvmet-fc: inline nvmet_fc_free_hostport (git-fixes).
- nvmet-fc: put ref when assoc->del_work is already scheduled (git-fixes).
- nvmet-fc: take tgtport reference only once (git-fixes).
- nvmet-fc: update tgtport ref per assoc (git-fixes).
- nvmet-fcloop: Remove remote port from list when unlinking (git-fixes).
- nvmet-fcloop: add ref counting to lport (git-fixes).
- nvmet-fcloop: replace kref with refcount (git-fixes).
- nvmet-tcp: select CONFIG_TLS from CONFIG_NVME_TARGET_TCP_TLS (git-fixes).
- objtool, panic: Disable SMAP in __stack_chk_fail() (bsc#1243963).
- ocfs2: fix the issue with discontiguous allocation in the global_bitmap (git-fixes).
- octeontx2-pf: qos: fix VF root node parent queue index (git-fixes).
- padata: do not leak refcount in reorder_work (git-fixes).
- phy: Fix error handling in tegra_xusb_port_init (git-fixes).
- phy: renesas: rcar-gen3-usb2: Fix role detection on unbind/bind (git-fixes).
- phy: renesas: rcar-gen3-usb2: Set timing registers only once (git-fixes).
- phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking (git-fixes).
- phy: tegra: xusb: remove a stray unlock (git-fixes).
- platform/x86/amd/pmc: Declare quirk_spurious_8042 for MECHREVO Wujie 14XA (GX4HRXL) (git-fixes).
- platform/x86/amd: pmc: Require at least 2.5 seconds between HW sleep cycles (stable-fixes).
- platform/x86: asus-wmi: Fix wlan_ctrl_by_user detection (git-fixes).
- platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store() (git-fixes).
- powercap: intel_rapl: Fix locking in TPMI RAPL (git-fixes).
- powerpc/pseries/iommu: create DDW for devices with DMA mask less than 64-bits (bsc#1239691 bsc#1243044 ltc#212555).
- qibfs: fix _another_ leak (git-fixes)
- rcu/tasks-trace: Handle new PF_IDLE semantics (git-fixes)
- rcu/tasks: Handle new PF_IDLE semantics (git-fixes)
- rcu: Break rcu_node_0 --> &rq->__lock order (git-fixes)
- rcu: Introduce rcu_cpu_online() (git-fixes)
- regulator: max20086: fix invalid memory access (git-fixes).
- rpm/check-for-config-changes: Add GCC_ASM_FLAG_OUTPUT_BROKEN
- s390/bpf: Store backchain even for leaf progs (git-fixes bsc#1243805).
- scsi: Improve CDL control (git-fixes).
- scsi: core: Clear flags for scsi_cmnd that did not complete (git-fixes).
- scsi: hisi_sas: Fix I/O errors caused by hardware port ID changes (git-fixes).
- scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk (bsc#1242993).
- scsi: lpfc: Convert timeouts to secs_to_jiffies() (bsc#1242993).
- scsi: lpfc: Copyright updates for 14.4.0.9 patches (bsc#1242993).
- scsi: lpfc: Create lpfc_vmid_info sysfs entry (bsc#1242993).
- scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands (bsc#1242993).
- scsi: lpfc: Fix spelling mistake 'Toplogy' -> 'Topology' (bsc#1242993).
- scsi: lpfc: Notify FC transport of rport disappearance during PCI fcn reset (bsc#1242993).
- scsi: lpfc: Prevent failure to reregister with NVMe transport after PRLI retry (bsc#1242993).
- scsi: lpfc: Restart eratt_poll timer if HBA_SETUP flag still unset (bsc#1242993).
- scsi: lpfc: Update lpfc version to 14.4.0.9 (bsc#1242993).
- scsi: lpfc: Use memcpy() for BIOS version (bsc#1240966).
- scsi: lpfc: convert timeouts to secs_to_jiffies() (bsc#1242993).
- scsi: megaraid_sas: Block zero-length ATA VPD inquiry (git-fixes).
- scsi: pm80xx: Set phy_attached to zero when device is gone (git-fixes).
- scsi: qla2xxx: Fix typos in a comment (bsc#1243090).
- scsi: qla2xxx: Mark device strings as nonstring (bsc#1243090).
- scsi: qla2xxx: Remove duplicate struct crb_addr_pair (bsc#1243090).
- scsi: qla2xxx: Remove unused module parameters (bsc#1243090).
- scsi: qla2xxx: Remove unused ql_log_qp (bsc#1243090).
- scsi: qla2xxx: Remove unused qla2x00_gpsc() (bsc#1243090).
- scsi: qla2xxx: Remove unused qla82xx_pci_region_offset() (bsc#1243090).
- scsi: qla2xxx: Remove unused qla82xx_wait_for_state_change() (bsc#1243090).
- scsi: qla2xxx: Remove unused qlt_83xx_iospace_config() (bsc#1243090).
- scsi: qla2xxx: Remove unused qlt_fc_port_deleted() (bsc#1243090).
- scsi: qla2xxx: Remove unused qlt_free_qfull_cmds() (bsc#1243090).
- selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map test (bsc#1242203).
- smb3: fix Open files on server counter going negative (git-fixes).
- smb: client: Use str_yes_no() helper function (git-fixes).
- smb: client: allow more DFS referrals to be cached (git-fixes).
- smb: client: avoid unnecessary reconnects when refreshing referrals (git-fixes).
- smb: client: change return value in open_cached_dir_by_dentry() if !cfids (git-fixes).
- smb: client: do not retry DFS targets on server shutdown (git-fixes).
- smb: client: do not trust DFSREF_STORAGE_SERVER bit (git-fixes).
- smb: client: do not try following DFS links in cifs_tree_connect() (git-fixes).
- smb: client: fix DFS interlink failover (git-fixes).
- smb: client: fix DFS mount against old servers with NTLMSSP (git-fixes).
- smb: client: fix hang in wait_for_response() for negproto (bsc#1242709).
- smb: client: fix potential race in cifs_put_tcon() (git-fixes).
- smb: client: fix return value of parse_dfs_referrals() (git-fixes).
- smb: client: get rid of @nlsc param in cifs_tree_connect() (git-fixes).
- smb: client: get rid of TCP_Server_Info::refpath_lock (git-fixes).
- smb: client: get rid of kstrdup() in get_ses_refpath() (git-fixes).
- smb: client: improve purging of cached referrals (git-fixes).
- smb: client: introduce av_for_each_entry() helper (git-fixes).
- smb: client: optimize referral walk on failed link targets (git-fixes).
- smb: client: parse DNS domain name from domain= option (git-fixes).
- smb: client: parse av pair type 4 in CHALLENGE_MESSAGE (git-fixes).
- smb: client: provide dns_resolve_{unc,name} helpers (git-fixes).
- smb: client: refresh referral without acquiring refpath_lock (git-fixes).
- smb: client: remove unnecessary checks in open_cached_dir() (git-fixes).
- spi: loopback-test: Do not split 1024-byte hexdumps (git-fixes).
- spi: spi-fsl-dspi: Halt the module after a new message transfer (git-fixes).
- spi: spi-fsl-dspi: Reset SR flags before sending a new message (git-fixes).
- spi: spi-fsl-dspi: restrict register range for regmap access (git-fixes).
- spi: tegra114: Use value to check for invalid delays (git-fixes).
- staging: axis-fifo: Correct handling of tx_fifo_depth for size validation (git-fixes).
- staging: axis-fifo: Remove hardware resets for user errors (git-fixes).
- staging: iio: adc: ad7816: Correct conditional logic for store mode (git-fixes).
- tcp_bpf: Charge receive socket buffer in bpf_tcp_ingress() (git-fixes).
- tcp_cubic: fix incorrect HyStart round start detection (git-fixes).
- thermal: intel: x86_pkg_temp_thermal: Fix bogus trip temperature (git-fixes).
- usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version (git-fixes).
- usb: gadget: Use get_status callback to set remote wakeup capability (git-fixes).
- usb: gadget: f_ecm: Add get_status callback (git-fixes).
- usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN (git-fixes).
- usb: host: tegra: Prevent host controller crash when OTG port is used (git-fixes).
- usb: typec: class: Invalidate USB device pointers on partner unregistration (git-fixes).
- usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition (git-fixes).
- usb: typec: ucsi: displayport: Fix NULL pointer access (git-fixes).
- usb: uhci-platform: Make the clock really optional (git-fixes).
- usb: usbtmc: Fix erroneous generic_read ioctl return (git-fixes).
- usb: usbtmc: Fix erroneous get_stb ioctl error returns (git-fixes).
- usb: usbtmc: Fix erroneous wait_srq ioctl return (git-fixes).
- vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint (git-fixes).
- virtio_console: fix missing byte order handling for cols and rows (git-fixes).
- wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation (git-fixes).
- wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request (git-fixes).
- wifi: mt76: disable napi on driver removal (git-fixes).
- x86/its: Fix build errors when CONFIG_MODULES=n (git-fixes).
- x86/xen: move xen_reserve_extra_memory() (git-fixes).
- xen/mcelog: Add __nonstring annotations for unterminated strings (git-fixes).
- xen: Change xen-acpi-processor dom0 dependency (git-fixes).
- xenfs/xensyms: respect hypervisor's 'next' indication (git-fixes).
- xhci: Add helper to set an interrupters interrupt moderation interval (git-fixes).
- xhci: Clean up stale comment on ERST_SIZE macro (stable-fixes).
- xhci: split free interrupter into separate remove and free parts (git-fixes).
- xsk: Add truesize to skb_add_rx_frag() (git-fixes).
- xsk: Do not assume metadata is always requested in TX completion (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2007-1
Released: Wed Jun 18 16:03:17 2025
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1239012,1239543,1240132,1241463,1243887,1243901,1244105

This update for libzypp, zypper fixes the following issues:

- Fix credential handling in HEAD requests (bsc#1244105)
- RepoInfo: use pathNameSetTrailingSlash
- Fix wrong userdata parameter type when running zypp with debug verbosity (bsc#1239012)
- Do not warn about no mirrors if mirrorlist was switched on automatically. (bsc#1243901)
- Relax permission of cached packages to 0644 & ~umask (bsc#1243887)
- Add a note to service maintained .repo file entries
- Support using %{url} variable in a RIS service's repo section.
- Use a cookie file to validate mirrorlist cache.
  This patch extends the mirrorlist code to use a cookie file to validate the contents of the cache against the source URL, making sure that we do not accidentally use an old cache when the mirrorlist url was changed.
  For example when migrating a system from one release to the next where the same repo alias might just have a different URL.
- Let Service define and update gpgkey, mirrorlist and metalink.
- Preserve a mirrorlist file in the raw cache during refresh.
- Enable curl2 backend and parallel package download by default.
  Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1> can be used to turn the features on or off.
- Make gpgKeyUrl the default source for gpg keys.
  When refreshing, zypp now primarily uses gpgKeyUrl information from the repo files and only falls back to an automatically generated key Url if a gpgKeyUrl was not specified.
- Introduce mirrors into the Media backends (bsc#1240132)
- Drop MediaMultiCurl backend.
- Throttle progress updates when preloading packages (bsc#1239543)
- Check if request is in valid state in CURL callbacks
- spec/CMake: add conditional build '--with[out] classic_rpmtrans_as_default'.
  classic_rpmtrans is the current builtin default for SUSE, otherwise it's single_rpmtrans.
  The `enable_preview_single_rpmtrans_as_default_for_zypper` switch was removed from the spec file. Accordingly the CMake option ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed.
- BuildRequires: libzypp-devel >= 17.37.0.
- Use libzypp improvements for preload and mirror handling.
- xmlout.rnc: Update repo-element (bsc#1241463)
  Add the 'metalink' attribute and reflect that the 'url' elements list may in fact be empty, if no baseurls are defined in the .repo files.
- man: update --allow-unsigned-rpm description.
  Explain how to achieve the same for packages provided by repositories.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2013-1
Released: Wed Jun 18 20:05:07 2025
Summary: Security update for pam
Type: security
Severity: important
References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020

This update for pam fixes the following issues:

- CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226).
- CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2027-1
Released: Thu Jun 19 17:15:41 2025
Summary: Security update for perl
Type: security
Severity: moderate
References: 1244079,CVE-2025-40909

This update for perl fixes the following issues:

- CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2080-1
Released: Tue Jun 24 12:26:23 2025
Summary: Security update for pam-config
Type: security
Severity: important
References: 1243226,CVE-2025-6018

This update for pam-config fixes the following issues:

- CVE-2025-6018: Stop adding pam_env in AUTH stack, and be sure to put this module at the very end of the SESSION stack (bsc#1243226).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2103-1
Released: Wed Jun 25 10:26:23 2025
Summary: Recommended update for cifs-utils
Type: recommended
Severity: important
References: 1243488

This update for cifs-utils fixes the following issues:

- Add patches:
  * Fix cifs.mount with krb5 auth (bsc#1243488)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2104-1
Released: Wed Jun 25 10:26:59 2025
Summary: Recommended update for nfs-utils
Type: recommended
Severity: important
References: 1240899

This update for nfs-utils fixes the following issues:

- gssd: add support for an 'allowed-enctypes' option in nfs.conf (bsc#1240899)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2167-1
Released: Mon Jun 30 09:14:40 2025
Summary: Security update for glib2
Type: security
Severity: important
References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052

This update for glib2 fixes the following issues:

- CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() that leads to a potential buffer overflow in GString (bsc#1244596).
- CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2177-1
Released: Mon Jun 30 19:53:04 2025
Summary: Security update for sudo
Type: security
Severity: important
References: 1245274,1245275,CVE-2025-32462,CVE-2025-32463

This update for sudo fixes the following issues:

- CVE-2025-32462: Fixed a possible local privilege escalation via the --host option (bsc#1245274).
- CVE-2025-32463: Fixed a possible local privilege escalation via chroot option (bsc#1245275).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2198-1
Released: Wed Jul 2 11:22:33 2025
Summary: Security update for runc
Type: security
Severity: low
References: 1230092,CVE-2024-45310

This update for runc fixes the following issues:

- CVE-2024-45310: Fixed unintentional creation of empty files/directories on host (bsc#1230092)

Other fixes:

- Update to runc v1.2.6.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2226-1
Released: Fri Jul 4 15:31:04 2025
Summary: Security update for vim
Type: security
Severity: moderate
References: 1228776,1239602,CVE-2024-41965,CVE-2025-29768

This update for vim fixes the following issues:

- CVE-2024-41965: Fixed improper neutralization of argument delimiters in zip.vim that could have led to data loss (bsc#1228776).
- CVE-2025-29768: Fixed double-free in dialog_changed() (bsc#1239602).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372

This update for libssh fixes the following issues:

- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2237-1
Released: Mon Jul 7 14:59:13 2025
Summary: Recommended update for openssl-3
Type: recommended
Severity: moderate
References:

This update for openssl-3 fixes the following issues:

- Backport mdless cms signing support [jsc#PED-12895]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2239-1
Released: Mon Jul 7 15:32:03 2025
Summary: Recommended update for libbpf
Type: recommended
Severity: moderate
References: 1244135

This update for libbpf fixes the following issue:

- Workaround kernel module size increase, 6.15 modules are 2-4 times larger than 6.14's (bsc#1244135).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2240-1
Released: Mon Jul 7 18:16:10 2025
Summary: Recommended update for openssh
Type: recommended
Severity: moderate
References: 1241667

This update for openssh fixes the following issue:

- 'scp' on SLE 15 ignores write directory permissions for group and world (bsc#1241667).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:

- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:

- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2259-1 Released: Wed Jul 9 17:18:02 2025 Summary: Recommended update for gpg2 Type: security Severity: low References: 1236931,1239119,1239817,CVE-2025-30258 This update for gpg2 fixes the following issues: - CVE-2025-30258: Fixed DoS due to a malicious subkey in the keyring (bsc#1239119). Other bugfixes: - Do not install expired sks certificate (bsc#1243069). - gpg hangs when importing a key (bsc#1236931). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2288-1 Released: Fri Jul 11 11:27:10 2025 Summary: Recommended update for python-azure-agent Type: recommended Severity: important References: 1240385,1244933 This update for python-azure-agent fixes the following issues: - Set AutoUpdate.UpdateToLatestVersion=n in /etc/waagent.conf (bsc#1244933) - Fix %suse_version conditional in spec file so package is built using python2 in SLE 12 (bsc#1240385) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2289-1 Released: Fri Jul 11 13:12:28 2025 Summary: Security update for docker Type: security Severity: moderate References: 1239765,1240150,1241830,1242114,1243833,1244035,CVE-2025-0495,CVE-2025-22872 This update for docker fixes the following issues: Update to Docker 28.2.2-ce (bsc#1243833, bsc#1242114): - CVE-2025-0495: Fixed credential leakage to telemetry endpoints when credentials are allowed to be set as attribute values in cache-to/cache-from configuration (bsc#1239765). - CVE-2025-22872: golang.org/x/net/html: incorrectly interpreted tags can cause content to be placed in the wrong scope during DOM construction (bsc#1241830). Other fixes: - Update to docker-buildx v0.22.0. - Always clear SUSEConnect suse_* secrets when starting containers (bsc#1244035). - Disable transparent SUSEConnect support for SLE-16.
(jsc#PED-12534) - Now that the only blocker for docker-buildx support was removed for SLE-16, enable docker-buildx for SLE-16 as well. (jsc#PED-8905) - SUSEConnect secrets fails in SLES rootless docker containers (bsc#1240150). The following package changes have been done: - cifs-utils-6.15-150400.3.15.1 updated - docker-28.2.2_ce-150000.227.1 updated - glib2-tools-2.78.6-150600.4.16.1 updated - gpg2-2.4.4-150600.3.9.1 updated - kernel-default-6.4.0-150600.23.53.1 updated - libbpf1-1.2.2-150600.3.6.2 updated - libgio-2_0-0-2.78.6-150600.4.16.1 updated - libglib-2_0-0-2.78.6-150600.4.16.1 updated - libgmodule-2_0-0-2.78.6-150600.4.16.1 updated - libgobject-2_0-0-2.78.6-150600.4.16.1 updated - libnfsidmap1-1.0-150600.28.12.1 updated - libopenssl3-3.1.4-150600.5.33.1 updated - libssh-config-0.9.8-150600.11.3.1 updated - libssh4-0.9.8-150600.11.3.1 updated - libsystemd0-254.25-150600.4.40.1 updated - libudev1-254.25-150600.4.40.1 updated - libzypp-17.37.5-150600.3.60.1 updated - nfs-client-2.6.4-150600.28.12.1 updated - openssh-clients-9.6p1-150600.6.29.2 updated - openssh-common-9.6p1-150600.6.29.2 updated - openssh-server-9.6p1-150600.6.29.2 updated - openssh-9.6p1-150600.6.29.2 updated - openssl-3-3.1.4-150600.5.33.1 updated - pam-config-1.1-150600.16.8.1 updated - pam-1.3.0-150000.6.83.1 updated - perl-base-5.26.1-150300.17.20.1 updated - perl-5.26.1-150300.17.20.1 updated - python-azure-agent-config-server-2.12.0.4-150100.3.50.1 updated - python-azure-agent-2.12.0.4-150100.3.50.1 updated - python3-requests-2.25.1-150300.3.15.1 updated - runc-1.2.6-150000.73.2 updated - sudo-1.9.15p5-150600.3.9.1 updated - systemd-254.25-150600.4.40.1 updated - udev-254.25-150600.4.40.1 updated - vim-data-common-9.1.1406-150500.20.27.1 updated - vim-9.1.1406-150500.20.27.1 updated - zypper-1.14.90-150600.10.34.3 updated From sle-container-updates at lists.suse.com Sun Jul 13 07:02:52 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: 
Sun, 13 Jul 2025 09:02:52 +0200 (CEST) Subject: SUSE-IU-2025:1942-1: Security update of suse-sles-15-sp6-chost-byos-v20250711-hvm-ssd-x86_64 Message-ID: <20250713070252.78EE2FCFE@maintenance.suse.de> SUSE Image Update Advisory: suse-sles-15-sp6-chost-byos-v20250711-hvm-ssd-x86_64 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1942-1 Image Tags : suse-sles-15-sp6-chost-byos-v20250711-hvm-ssd-x86_64:20250711 Image Release : Severity : important Type : security References : 1220112 1223096 1226498 1228776 1229491 1230092 1230581 1231016 1232649 1232882 1233192 1234154 1235149 1235968 1236142 1236208 1236931 1237312 1238212 1238473 1238774 1238992 1239012 1239119 1239543 1239602 1239691 1239765 1239817 1239925 1240132 1240150 1240593 1240866 1240899 1240966 1241148 1241282 1241305 1241340 1241351 1241376 1241448 1241457 1241463 1241492 1241519 1241525 1241533 1241538 1241576 1241590 1241595 1241596 1241597 1241625 1241627 1241635 1241638 1241644 1241654 1241657 1241667 1241830 1242006 1242012 1242035 1242044 1242114 1242203 1242343 1242414 1242417 1242501 1242502 1242506 1242507 1242509 1242510 1242512 1242513 1242514 1242520 1242523 1242524 1242529 1242530 1242531 1242532 1242559 1242563 1242564 1242565 1242566 1242567 1242568 1242569 1242574 1242575 1242578 1242584 1242585 1242587 1242591 1242709 1242727 1242758 1242760 1242761 1242762 1242763 1242764 1242766 1242770 1242778 1242781 1242782 1242785 1242786 1242792 1242827 1242844 1242852 1242854 1242856 1242859 1242860 1242861 1242866 1242867 1242868 1242871 1242873 1242875 1242906 1242908 1242924 1242930 1242944 1242945 1242948 1242949 1242951 1242953 1242955 1242957 1242959 1242961 1242962 1242973 1242974 1242977 1242990 1242993 1243000 1243006 1243011 1243015 1243044 1243049 1243056 1243074 1243076 1243077 1243082 1243090 1243226 1243226 1243330 1243342 1243456 1243469 1243470 1243471 1243472 1243473 1243476 1243488 1243509 1243511 1243513 1243515 1243516 1243517 
1243519 1243522 1243524 1243528 1243529 1243530 1243534 1243536 1243539 1243540 1243541 1243543 1243545 1243547 1243559 1243560 1243562 1243567 1243573 1243574 1243575 1243589 1243621 1243624 1243625 1243626 1243627 1243649 1243657 1243658 1243659 1243660 1243664 1243737 1243805 1243833 1243887 1243901 1243935 1243963 1244035 1244039 1244079 1244105 1244135 1244509 1244596 1245274 1245275 1245309 1245310 1245311 1245314 CVE-2023-53146 CVE-2024-28956 CVE-2024-41965 CVE-2024-43869 CVE-2024-45310 CVE-2024-46713 CVE-2024-47081 CVE-2024-50106 CVE-2024-50223 CVE-2024-53135 CVE-2024-54458 CVE-2024-58098 CVE-2024-58099 CVE-2024-58100 CVE-2024-58237 CVE-2025-0495 CVE-2025-21629 CVE-2025-21648 CVE-2025-21702 CVE-2025-21787 CVE-2025-21814 CVE-2025-21919 CVE-2025-22005 CVE-2025-22021 CVE-2025-22030 CVE-2025-22056 CVE-2025-22057 CVE-2025-22063 CVE-2025-22066 CVE-2025-22070 CVE-2025-22089 CVE-2025-22095 CVE-2025-22103 CVE-2025-22119 CVE-2025-22124 CVE-2025-22125 CVE-2025-22126 CVE-2025-22872 CVE-2025-23140 CVE-2025-23141 CVE-2025-23142 CVE-2025-23144 CVE-2025-23146 CVE-2025-23147 CVE-2025-23148 CVE-2025-23149 CVE-2025-23150 CVE-2025-23151 CVE-2025-23156 CVE-2025-23157 CVE-2025-23158 CVE-2025-23159 CVE-2025-23160 CVE-2025-23161 CVE-2025-29768 CVE-2025-30258 CVE-2025-32462 CVE-2025-32463 CVE-2025-37740 CVE-2025-37741 CVE-2025-37742 CVE-2025-37747 CVE-2025-37748 CVE-2025-37749 CVE-2025-37750 CVE-2025-37754 CVE-2025-37755 CVE-2025-37758 CVE-2025-37765 CVE-2025-37766 CVE-2025-37767 CVE-2025-37768 CVE-2025-37769 CVE-2025-37770 CVE-2025-37771 CVE-2025-37772 CVE-2025-37773 CVE-2025-37780 CVE-2025-37781 CVE-2025-37782 CVE-2025-37787 CVE-2025-37788 CVE-2025-37789 CVE-2025-37790 CVE-2025-37792 CVE-2025-37793 CVE-2025-37794 CVE-2025-37796 CVE-2025-37797 CVE-2025-37798 CVE-2025-37803 CVE-2025-37804 CVE-2025-37805 CVE-2025-37809 CVE-2025-37810 CVE-2025-37812 CVE-2025-37815 CVE-2025-37819 CVE-2025-37820 CVE-2025-37823 CVE-2025-37824 CVE-2025-37829 CVE-2025-37830 CVE-2025-37831 CVE-2025-37833 
CVE-2025-37836 CVE-2025-37839 CVE-2025-37840 CVE-2025-37841 CVE-2025-37842 CVE-2025-37849 CVE-2025-37850 CVE-2025-37851 CVE-2025-37852 CVE-2025-37853 CVE-2025-37854 CVE-2025-37858 CVE-2025-37867 CVE-2025-37870 CVE-2025-37871 CVE-2025-37873 CVE-2025-37875 CVE-2025-37879 CVE-2025-37881 CVE-2025-37886 CVE-2025-37887 CVE-2025-37889 CVE-2025-37890 CVE-2025-37891 CVE-2025-37892 CVE-2025-37897 CVE-2025-37900 CVE-2025-37901 CVE-2025-37903 CVE-2025-37905 CVE-2025-37911 CVE-2025-37912 CVE-2025-37913 CVE-2025-37914 CVE-2025-37915 CVE-2025-37918 CVE-2025-37925 CVE-2025-37928 CVE-2025-37929 CVE-2025-37930 CVE-2025-37931 CVE-2025-37932 CVE-2025-37937 CVE-2025-37943 CVE-2025-37944 CVE-2025-37948 CVE-2025-37949 CVE-2025-37951 CVE-2025-37953 CVE-2025-37954 CVE-2025-37957 CVE-2025-37958 CVE-2025-37959 CVE-2025-37960 CVE-2025-37963 CVE-2025-37969 CVE-2025-37970 CVE-2025-37972 CVE-2025-37974 CVE-2025-37978 CVE-2025-37979 CVE-2025-37980 CVE-2025-37982 CVE-2025-37983 CVE-2025-37985 CVE-2025-37986 CVE-2025-37989 CVE-2025-37990 CVE-2025-38104 CVE-2025-38152 CVE-2025-38240 CVE-2025-38637 CVE-2025-39735 CVE-2025-40014 CVE-2025-40325 CVE-2025-40909 CVE-2025-4373 CVE-2025-4598 CVE-2025-4877 CVE-2025-4878 CVE-2025-5318 CVE-2025-5372 CVE-2025-6018 CVE-2025-6018 CVE-2025-6020 CVE-2025-6052 ----------------------------------------------------------------- The container suse-sles-15-sp6-chost-byos-v20250711-hvm-ssd-x86_64 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1998-1 Released: Wed Jun 18 10:42:20 2025 Summary: Security update for python-requests Type: security Severity: moderate References: 1244039,CVE-2024-47081 This update for python-requests fixes the following issues: - CVE-2024-47081: fixed netrc credential leak (bsc#1244039). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2000-1 Released: Wed Jun 18 13:08:14 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1220112,1223096,1226498,1229491,1230581,1231016,1232649,1232882,1233192,1234154,1235149,1235968,1236142,1236208,1237312,1238212,1238473,1238774,1238992,1239691,1239925,1240593,1240866,1240966,1241148,1241282,1241305,1241340,1241351,1241376,1241448,1241457,1241492,1241519,1241525,1241533,1241538,1241576,1241590,1241595,1241596,1241597,1241625,1241627,1241635,1241638,1241644,1241654,1241657,1242006,1242012,1242035,1242044,1242203,1242343,1242414,1242417,1242501,1242502,1242506,1242507,1242509,1242510,1242512,1242513,1242514,1242520,1242523,1242524,1242529,1242530,1242531,1242532,1242559,1242563,1242564,1242565,1242566,1242567,1242568,1242569,1242574,1242575,1242578,1242584,1242585,1242587,1242591,1242709,1242727,1242758,1242760,1242761,1242762,1242763,1242764,1242766,1242770,1242778,1242781,1242782,1242785,1242786,1242792,1242852,1242854,1242856,1242859,1242860,1242861,1242866,1242867,1242868,1242871,1242873,1242875,1242906,1242908,1242924,1242930,1242944,1242945,1242948,
1242949,1242951,1242953,1242955,1242957,1242959,1242961,1242962,1242973,1242974,1242977,1242990,1242993,1243000,1243006,1243011,1243015,1243044,1243049,1243056,1243074,1243076,1243077,1243082,1243090,1243330,1243342,1243456,1243469,1243470,1243471,1243472,1243473,1243476,1243509,1243511,1243513,1243515,1243516,1243517,1243519,1243522,1243524,1243528,1243529,1243530,1243534,1243536,1243539,1243540,1243541,1243543,1243545,1243547,1243559,1243560,1243562,1243567,1243573,1243574,1243575,1243589,1243621,1243624,1243625,1243626,1243627,1243649,1243657,1243658,1243659,1243660,1243664,1243737,1243805,1243963,CVE-2023-53146,CVE-2024-28956,CVE-2024-43869,CVE-2024-46713,CVE-2024-50106,CVE-2024-50223,CVE-2024-53135,CVE-2024-54458,CVE-2024-58098,CVE-2024-58099,CVE-2024-58100,CVE-2024-58237,CVE-2025-21629,CVE-2025-21648,CVE-2025-21702,CVE-2025-21787,CVE-2025-21814,CVE-2025-21919,CVE-2025-22005,CVE-2025-22021,CVE-2025-22030,CVE-2025-22056,CVE-2025-22057,CVE-2025-22063,CVE-2025-22066,CVE-2025-22070,CVE-2025-22089,CVE-2025-22095,CVE-2025-22103,CVE-2025-22119,CVE-2025-22124,CVE-2025-22125,CVE-2025-22126,CVE-2025-23140,CVE-2025-23141,CVE-2025-23142,CVE-2025-23144,CVE-2025-23146,CVE-2025-23147,CVE-2025-23148,CVE-2025-23149,CVE-2025-23150,CVE-2025-23151,CVE-2025-23156,CVE-2025-23157,CVE-2025-23158,CVE-2025-23159,CVE-2025-23160,CVE-2025-23161,CVE-2025-37740,CVE-2025-37741,CVE-2025-37742,CVE-2025-37747,CVE-2025-37748,CVE-2025-37749,CVE-2025-37750,CVE-2025-37754,CVE-2025-37755,CVE-2025-37758,CVE-2025-37765,CVE-2025-37766,CVE-2025-37767,CVE-2025-37768,CVE-2025-37769,CVE-2025-37770,CVE-2025-37771,CVE-2025-37772,CVE-2025-37773,CVE-2025-37780,CVE-2025-37781,CVE-2025-37782,CVE-2025-37787,CVE-2025-37788,CVE-2025-37789,CVE-2025-37790,CVE-2025-37792,CVE-2025-37793,CVE-2025-37794,CVE-2025-37796,CVE-2025-37797,CVE-2025-37798,CVE-2025-37803,CVE-2025-37804,CVE-2025-37805,CVE-2025-37809,CVE-2025-37810,CVE-2025-37812,CVE-2025-37815,CVE-2025-37819,CVE-2025-37820,CVE-2025-37823,CVE-2025-37824,
CVE-2025-37829,CVE-2025-37830,CVE-2025-37831,CVE-2025-37833,CVE-2025-37836,CVE-2025-37839,CVE-2025-37840,CVE-2025-37841,CVE-2025-37842,CVE-2025-37849,CVE-2025-37850,CVE-2025-37851,CVE-2025-37852,CVE-2025-37853,CVE-2025-37854,CVE-2025-37858,CVE-2025-37867,CVE-2025-37870,CVE-2025-37871,CVE-2025-37873,CVE-2025-37875,CVE-2025-37879,CVE-2025-37881,CVE-2025-37886,CVE-2025-37887,CVE-2025-37889,CVE-2025-37890,CVE-2025-37891,CVE-2025-37892,CVE-2025-37897,CVE-2025-37900,CVE-2025-37901,CVE-2025-37903,CVE-2025-37905,CVE-2025-37911,CVE-2025-37912,CVE-2025-37913,CVE-2025-37914,CVE-2025-37915,CVE-2025-37918,CVE-2025-37925,CVE-2025-37928,CVE-2025-37929,CVE-2025-37930,CVE-2025-37931,CVE-2025-37932,CVE-2025-37937,CVE-2025-37943,CVE-2025-37944,CVE-2025-37948,CVE-2025-37949,CVE-2025-37951,CVE-2025-37953,CVE-2025-37954,CVE-2025-37957,CVE-2025-37958,CVE-2025-37959,CVE-2025-37960,CVE-2025-37963,CVE-2025-37969,CVE-2025-37970,CVE-2025-37972,CVE-2025-37974,CVE-2025-37978,CVE-2025-37979,CVE-2025-37980,CVE-2025-37982,CVE-2025-37983,CVE-2025-37985,CVE-2025-37986,CVE-2025-37989,CVE-2025-37990,CVE-2025-38104,CVE-2025-38152,CVE-2025-38240,CVE-2025-38637,CVE-2025-39735,CVE-2025-40014,CVE-2025-40325 The SUSE Linux Enterprise 15 SP6 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2024-28956: x86/ibt: Keep IBT disabled during alternative patching (bsc#1242006). - CVE-2024-46713: kabi fix for perf/aux: Fix AUX buffer serialization (bsc#1230581). - CVE-2024-50223: sched/numa: Fix the potential null pointer dereference in (bsc#1233192). - CVE-2024-53135: KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN (bsc#1234154). - CVE-2024-54458: scsi: ufs: bsg: Set bsg_queue to NULL after removal (bsc#1238992). - CVE-2025-21648: netfilter: conntrack: clamp maximum hashtable size to INT_MAX (bsc#1236142). - CVE-2025-21702: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (bsc#1237312).
- CVE-2025-21787: team: better TEAM_OPTION_TYPE_STRING validation (bsc#1238774). - CVE-2025-21814: ptp: Ensure info->enable callback is always set (bsc#1238473). - CVE-2025-21919: sched/fair: Fix potential memory corruption in child_cfs_rq_on_list (bsc#1240593). - CVE-2025-22021: netfilter: socket: Lookup orig tuple for IPv6 SNAT (bsc#1241282). - CVE-2025-22030: mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead() (bsc#1241376). - CVE-2025-22056: netfilter: nft_tunnel: fix geneve_opt type confusion addition (bsc#1241525). - CVE-2025-22057: net: decrease cached dst counters in dst_release (bsc#1241533). - CVE-2025-22063: netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets (bsc#1241351). - CVE-2025-22070: fs/9p: fix NULL pointer dereference on mkdir (bsc#1241305). - CVE-2025-22103: net: fix NULL pointer dereference in l3mdev_l3_rcv (bsc#1241448). - CVE-2025-23140: misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error (bsc#1242763). - CVE-2025-23150: ext4: fix off-by-one error in do_split (bsc#1242513). - CVE-2025-23160: media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization (bsc#1242507). - CVE-2025-37748: iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group (bsc#1242523). - CVE-2025-37749: net: ppp: Add bound checking for skb data on ppp_sync_txmung (bsc#1242859). - CVE-2025-37750: smb: client: fix UAF in decryption with multichannel (bsc#1242510). - CVE-2025-37755: net: libwx: handle page_pool_dev_alloc_pages error (bsc#1242506). - CVE-2025-37773: virtiofs: add filesystem context source name check (bsc#1242502). - CVE-2025-37780: isofs: Prevent the use of too small fid (bsc#1242786). - CVE-2025-37787: net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered (bsc#1242585). - CVE-2025-37789: net: openvswitch: fix nested key length validation in the set() action (bsc#1242762). 
- CVE-2025-37790: net: mctp: Set SOCK_RCU_FREE (bsc#1242509). - CVE-2025-37797: net_sched: hfsc: Fix a UAF vulnerability in class handling (bsc#1242417). - CVE-2025-37803: udmabuf: fix a buf size overflow issue during udmabuf creation (bsc#1242852). - CVE-2025-37804: io_uring: always do atomic put from iowq (bsc#1242854). - CVE-2025-37809: usb: typec: class: Unlocked on error in typec_register_partner() (bsc#1242856). - CVE-2025-37820: xen-netfront: handle NULL returned by xdp_convert_buff_to_frame() (bsc#1242866). - CVE-2025-37823: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too (bsc#1242924). - CVE-2025-37824: tipc: fix NULL pointer dereference in tipc_mon_reinit_self() (bsc#1242867). - CVE-2025-37829: cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate() (bsc#1242875). - CVE-2025-37830: cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate() (bsc#1242860). - CVE-2025-37831: cpufreq: apple-soc: Fix null-ptr-deref in apple_soc_cpufreq_get_rate() (bsc#1242861). - CVE-2025-37833: net/niu: Niu requires MSIX ENTRY_DATA fields touch before entry reads (bsc#1242868). - CVE-2025-37842: spi: fsl-qspi: Fix double cleanup in probe error path (bsc#1242951). - CVE-2025-37870: drm/amd/display: prevent hang on link training fail (bsc#1243056). - CVE-2025-37879: 9p/net: fix improper handling of bogus negative read/write replies (bsc#1243077). - CVE-2025-37886: pds_core: make wait_context part of q_info (bsc#1242944). - CVE-2025-37887: pds_core: handle unsupported PDS_CORE_CMD_FW_CONTROL result (bsc#1242962). - CVE-2025-37949: xenbus: Use kref to track req lifetime (bsc#1243541). - CVE-2025-37954: smb: client: Avoid race in open_cached_dir with lease breaks (bsc#1243664). - CVE-2025-37957: KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception (bsc#1243513). - CVE-2025-37958: mm/huge_memory: fix dereferencing invalid pmd migration entry (bsc#1243539). 
- CVE-2025-37960: memblock: Accept allocated memory before use in memblock_double_array() (bsc#1243519). - CVE-2025-37974: s390/pci: Fix missing check for zpci_create_device() error return (bsc#1243547). - CVE-2025-38152: remoteproc: core: Clear table_sz when rproc_shutdown (bsc#1241627). - CVE-2025-38637: net_sched: skbprio: Remove overly strict queue assertions (bsc#1241657). The following non-security bugs were fixed: - ACPI: PPTT: Fix processor subtable walk (git-fixes). - ALSA: es1968: Add error handling for snd_pcm_hw_constraint_pow2() (git-fixes). - ALSA: seq: Fix delivery of UMP events to group ports (git-fixes). - ALSA: sh: SND_AICA should depend on SH_DMA_API (git-fixes). - ALSA: ump: Fix a typo of snd_ump_stream_msg_device_info (git-fixes). - ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface() (stable-fixes). - ALSA: usb-audio: Add sample rate quirk for Audioengine D1 (git-fixes). - ALSA: usb-audio: Add sample rate quirk for Microdia JP001 USB Camera (stable-fixes). - ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset (stable-fixes). - ASoC: SOF: ipc4-control: Use SOF_CTRL_CMD_BINARY as numid for bytes_ext (git-fixes). - ASoC: SOF: ipc4-pcm: Delay reporting is only supported for playback direction (git-fixes). - ASoC: Use of_property_read_bool() (stable-fixes). - ASoC: soc-core: Stop using of_property_read_bool() for non-boolean properties (stable-fixes). - ASoc: SOF: topology: connect DAI to a single DAI link (git-fixes). - Bluetooth: L2CAP: Fix not checking l2cap_chan security level (git-fixes). - Bluetooth: MGMT: Fix MGMT_OP_ADD_DEVICE invalid device flags (git-fixes). - Bluetooth: btusb: use skb_pull to avoid unsafe access in QCA dump handling (git-fixes). - Drivers: hv: Allow vmbus_sendpacket_mpb_desc() to create multiple ranges (git-fixes). - Fix write to cloned skb in ipv6_hop_ioam() (git-fixes). - HID: thrustmaster: fix memory leak in thrustmaster_interrupts() (git-fixes). 
- HID: uclogic: Add NULL check in uclogic_input_configured() (git-fixes). - IB/cm: use rwlock for MAD agent lock (git-fixes) - Input: cyttsp5 - ensure minimum reset pulse width (git-fixes). - Input: mtk-pmic-keys - fix possible null pointer dereference (git-fixes). - Input: synaptics - enable InterTouch on Dell Precision M3800 (stable-fixes). - Input: synaptics - enable InterTouch on Dynabook Portege X30-D (stable-fixes). - Input: synaptics - enable InterTouch on Dynabook Portege X30L-G (stable-fixes). - Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 (stable-fixes). - Input: synaptics - enable SMBus for HP Elitebook 850 G1 (stable-fixes). - Input: synaptics-rmi - fix crash with unsupported versions of F34 (git-fixes). - Input: xpad - add support for 8BitDo Ultimate 2 Wireless Controller (stable-fixes). - Input: xpad - fix Share button on Xbox One controllers (stable-fixes). - Input: xpad - fix two controller table values (git-fixes). - KVM: SVM: Allocate IR data using atomic allocation (git-fixes). - KVM: SVM: Drop DEBUGCTL[5:2] from guest's effective value (git-fixes). - KVM: SVM: Suppress DEBUGCTL.BTF on AMD (git-fixes). - KVM: SVM: Update dump_ghcb() to use the GHCB snapshot fields (git-fixes). - KVM: VMX: Do not modify guest XFD_ERR if CR0.TS=1 (git-fixes). - KVM: arm64: Change kvm_handle_mmio_return() return polarity (git-fixes). - KVM: arm64: Fix RAS trapping in pKVM for protected VMs (git-fixes). - KVM: arm64: Ignore PMCNTENSET_EL0 while checking for overflow status (git-fixes). - KVM: arm64: Mark some header functions as inline (git-fixes). - KVM: arm64: Tear down vGIC on failed vCPU creation (git-fixes). - KVM: arm64: timer: Always evaluate the need for a soft timer (git-fixes). - KVM: arm64: vgic-its: Add a data length check in vgic_its_save_* (git-fixes). - KVM: arm64: vgic-its: Clear DTE when MAPD unmaps a device (git-fixes). - KVM: arm64: vgic-its: Clear ITE when DISCARD frees an ITE (git-fixes). 
- KVM: arm64: vgic-v4: Fall back to software irqbypass if LPI not found (git-fixes). - KVM: arm64: vgic-v4: Only attempt vLPI mapping for actual MSIs (git-fixes). - KVM: nSVM: Pass next RIP, not current RIP, for nested VM-Exit on emulation (git-fixes). - KVM: nVMX: Allow emulating RDPID on behalf of L2 (git-fixes). - KVM: nVMX: Check PAUSE_EXITING, not BUS_LOCK_DETECTION, on PAUSE emulation (git-fixes). - KVM: s390: Do not use %pK through debug printing (git-fixes bsc#1243657). - KVM: s390: Do not use %pK through tracepoints (git-fixes bsc#1243658). - KVM: x86/xen: Use guest's copy of pvclock when starting timer (git-fixes). - KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses (git-fixes). - KVM: x86: Do not take kvm->lock when iterating over vCPUs in suspend notifier (git-fixes). - KVM: x86: Explicitly treat routing entry type changes as changes (git-fixes). - KVM: x86: Explicitly zero EAX and EBX when PERFMON_V2 isn't supported by KVM (git-fixes). - KVM: x86: Explicitly zero-initialize on-stack CPUID unions (git-fixes). - KVM: x86: Make x2APIC ID 100% readonly (git-fixes). - KVM: x86: Reject disabling of MWAIT/HLT interception when not allowed (git-fixes). - KVM: x86: Remove the unreachable case for 0x80000022 leaf in __do_cpuid_func() (git-fixes). - KVM: x86: Wake vCPU for PIC interrupt injection iff a valid IRQ was found (git-fixes). - NFS: O_DIRECT writes must check and adjust the file length (git-fixes). - NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up (git-fixes). - NFSv4/pnfs: Reset the layout state after a layoutreturn (git-fixes). - NFSv4: Do not trigger uneccessary scans for return-on-close delegations (git-fixes). 
- RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work (git-fixes) - RDMA/core: Fix 'KASAN: slab-use-after-free Read in ib_register_device' problem (git-fixes) - RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h (git-fixes) - RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction (git-fixes) - RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction (git-fixes) - RDMA/rxe: Fix 'trying to register non-static key in rxe_qp_do_cleanup' bug (git-fixes) - RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug (git-fixes) - Squashfs: check return result of sb_min_blocksize (git-fixes). - USB: usbtmc: use interruptible sleep in usbtmc_read (git-fixes). - Xen/swiotlb: mark xen_swiotlb_fixup() __init (git-fixes). - add bug reference for an existing hv_netvsc change (bsc#1243737). - afs: Fix the server_list to unuse a displaced server rather than putting it (git-fixes). - afs: Make it possible to find the volumes that are using a server (git-fixes). - arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs (git-fixes) - arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users (git-fixes) - arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD (git-fixes) - arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 (git-fixes) - arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays (git-fixes) - arm64: insn: Add support for encoding DSB (git-fixes) - arm64: proton-pack: Add new CPUs 'k' values for branch mitigation (git-fixes) - arm64: proton-pack: Expose whether the branchy loop k value (git-fixes) - arm64: proton-pack: Expose whether the platform is mitigated by (git-fixes) - arp: switch to dev_getbyhwaddr() in arp_req_set_public() (git-fixes). - bnxt_en: Add missing skb_mark_for_recycle() in bnxt_rx_vlan() (git-fixes). - bnxt_en: Fix coredump logic to free allocated buffer (git-fixes). - bnxt_en: Fix ethtool -d byte order for 32-bit values (git-fixes). 
- bnxt_en: Fix out-of-bound memcpy() during ethtool -w (git-fixes). - bpf: Fix mismatched RCU unlock flavour in bpf_out_neigh_v6 (git-fixes). - bpf: Scrub packet on bpf_redirect_peer (git-fixes). - btrfs: adjust subpage bit start based on sectorsize (bsc#1241492). - btrfs: avoid NULL pointer dereference if no valid csum tree (bsc#1243342). - btrfs: avoid NULL pointer dereference if no valid extent tree (bsc#1236208). - btrfs: avoid monopolizing a core when activating a swap file (git-fixes). - btrfs: do not loop for nowait writes when checking for cross references (git-fixes). - btrfs: fix a leaked chunk map issue in read_one_chunk() (git-fixes). - btrfs: fix discard worker infinite loop after disabling discard (bsc#1242012). - btrfs: fix non-empty delayed iputs list on unmount due to compressed write workers (git-fixes). - cBPF: Refresh fixes for cBPF issue (bsc#1242778) - can: bcm: add locking for bcm_op runtime updates (git-fixes). - can: bcm: add missing rcu read protection for procfs content (git-fixes). - can: gw: fix RCU/BH usage in cgw_create_job() (git-fixes). - can: mcan: m_can_class_unregister(): fix order of unregistration calls (git-fixes). - can: mcp251xfd: fix TDC setting for low data bit rates (git-fixes). - can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls (git-fixes). - can: slcan: allow reception of short error messages (git-fixes). - check-for-config-changes: Fix flag name typo - cifs: change tcon status when need_reconnect is set on it (git-fixes). - cifs: reduce warning log level for server not advertising interfaces (git-fixes). - crypto: algif_hash - fix double free in hash_accept (git-fixes). - devlink: fix port new reply cmd type (git-fixes). - dm-integrity: fix a warning on invalid table line (git-fixes). - dma-buf: insert memory barrier before updating num_fences (git-fixes). - dmaengine: Revert 'dmaengine: dmatest: Fix dmatest waiting less when interrupted' (git-fixes). 
- dmaengine: idxd: Add missing cleanup for early error out in idxd_setup_internals (git-fixes). - dmaengine: idxd: Add missing cleanups in cleanup internals (git-fixes). - dmaengine: idxd: Add missing idxd cleanup to fix memory leak in remove call (git-fixes). - dmaengine: idxd: Fix ->poll() return value (git-fixes). - dmaengine: idxd: Fix allowing write() from different address spaces (git-fixes). - dmaengine: idxd: Refactor remove call with idxd_cleanup() helper (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_alloc (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_pci_probe (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_setup_engines (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_setup_groups (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_setup_wqs (git-fixes). - dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() (git-fixes). - dmaengine: mediatek: drop unused variable (git-fixes). - dmaengine: ti: k3-udma: Add missing locking (git-fixes). - dmaengine: ti: k3-udma: Use cap_mask directly from dma_device structure instead of a local copy (git-fixes). - drm/amd/display: Add scoped mutexes for amdgpu_dm_dhcp (stable-fixes). - drm/amd/display: Avoid flooding unnecessary info messages (git-fixes). - drm/amd/display: Copy AUX read reply data whenever length > 0 (git-fixes). - drm/amd/display: Correct the reply value when AUX write incomplete (git-fixes). - drm/amd/display: Fix slab-use-after-free in hdcp (git-fixes). - drm/amd/display: Fix the checking condition in dmub aux handling (stable-fixes). - drm/amd/display: Fix wrong handling for AUX_DEFER case (git-fixes). - drm/amd/display: Remove incorrect checking in dmub aux handler (git-fixes). - drm/amd/display: Shift DMUB AUX reply command if necessary (git-fixes). - drm/amd/display: more liberal vmin/vmax update for freesync (stable-fixes). 
- drm/amd: Add Suspend/Hibernate notification callback support (stable-fixes). - drm/amdgpu/hdp5.2: use memcfg register to post the write for HDP flush (git-fixes). - drm/amdgpu: Queue KFD reset workitem in VF FED (stable-fixes). - drm/amdgpu: fix pm notifier handling (git-fixes). - drm/amdgpu: trigger flr_work if reading pf2vf data failed (stable-fixes). - drm/edid: fixed the bug that hdr metadata was not reset (git-fixes). - drm/panel: simple: Update timings for AUO G101EVN010 (git-fixes). - drm/v3d: Add job to pending list if the reset was skipped (stable-fixes). - exfat: fix potential wrong error return from get_block (git-fixes). - hv_netvsc: Preserve contiguous PFN grouping in the page buffer array (git-fixes). - hv_netvsc: Remove rmsg_pgcnt (git-fixes). - hv_netvsc: Use vmbus_sendpacket_mpb_desc() to send VMBus messages (git-fixes). - i2c: designware: Fix an error handling path in i2c_dw_pci_probe() (git-fixes). - ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() (git-fixes). - idpf: fix offloads support for encapsulated packets (git-fixes). - idpf: fix potential memory leak on kcalloc() failure (git-fixes). - idpf: protect shutdown from reset (git-fixes). - igc: fix lock order in igc_ptp_reset (git-fixes). - iio: accel: adxl367: fix setting odr for activity time update (git-fixes). - iio: adc: ad7606: fix serial register access (git-fixes). - iio: adis16201: Correct inclinometer channel resolution (git-fixes). - iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo (git-fixes). - iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo (git-fixes). - iio: temp: maxim-thermocouple: Fix potential lack of DMA safe buffer (git-fixes). - inetpeer: remove create argument of inet_getpeer_v() (git-fixes). - inetpeer: update inetpeer timestamp in inet_getpeer() (git-fixes). - ipv4/route: avoid unused-but-set-variable warning (git-fixes). - ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR) (git-fixes). 
- ipv4: Convert icmp_route_lookup() to dscp_t (git-fixes). - ipv4: Fix incorrect source address in Record Route option (git-fixes). - ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family (git-fixes). - ipv4: fix source address selection with route leak (git-fixes). - ipv4: give an IPv4 dev to blackhole_netdev (git-fixes). - ipv4: icmp: Pass full DS field to ip_route_input() (git-fixes). - ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit() (git-fixes). - ipv4: ip_gre: Fix drops of small packets in ipgre_xmit (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_md_tunnel_xmit() (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_bind_dev() (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_xmit() (git-fixes). - ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid (git-fixes). - ipv4: raw: Fix sending packets from raw sockets via IPsec tunnels (git-fixes). - ipv6: Align behavior across nexthops during path selection (git-fixes). - ipv6: Do not consider link down nexthops in path selection (git-fixes). - ipv6: Start path selection from the first nexthop (git-fixes). - ipv6: fix omitted netlink attributes when using RTEXT_FILTER_SKIP_STATS (git-fixes). - irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs (git-fixes). - jiffies: Cast to unsigned long in secs_to_jiffies() conversion (bsc#1242993). - jiffies: Define secs_to_jiffies() (bsc#1242993). - kernel-obs-qa: Use srchash for dependency as well - loop: Add sanity check for read/write_iter (git-fixes). - loop: aio inherit the ioprio of original request (git-fixes). - loop: do not require ->write_iter for writable files in loop_configure (git-fixes). - md/raid1,raid10: do not ignore IO flags (git-fixes). - md/raid10: fix missing discard IO accounting (git-fixes). - md/raid10: wait barrier before returning discard request with REQ_NOWAIT (git-fixes). - md/raid1: Add check for missing source disk in process_checks() (git-fixes). 
- md/raid1: fix memory leak in raid1_run() if no active rdev (git-fixes). - md/raid5: implement pers->bitmap_sector() (git-fixes). - md: add a new callback pers->bitmap_sector() (git-fixes). - md: ensure resync is prioritized over recovery (git-fixes). - md: fix mddev uaf while iterating all_mddevs list (git-fixes). - md: preserve KABI in struct md_personality v2 (git-fixes). - media: videobuf2: Add missing doc comment for waiting_in_dqbuf (git-fixes). - mtd: phram: Add the kernel lock down check (bsc#1232649). - neighbour: delete redundant judgment statements (git-fixes). - net/handshake: Fix handshake_req_destroy_test1 (git-fixes). - net/handshake: Fix memory leak in __sock_create() and sock_alloc_file() (git-fixes). - net/ipv6: Fix route deleting failure when metric equals 0 (git-fixes). - net/ipv6: Fix the RT cache flush via sysctl using a previous delay (git-fixes). - net/ipv6: delete temporary address if mngtmpaddr is removed or unmanaged (git-fixes). - net/mlx5: E-Switch, Initialize MAC Address for Default GID (git-fixes). - net/mlx5: E-switch, Fix error handling for enabling roce (git-fixes). - net/mlx5e: Disable MACsec offload for uplink representor profile (git-fixes). - net: Add non-RCU dev_getbyhwaddr() helper (git-fixes). - net: Clear old fragment checksum value in napi_reuse_skb (git-fixes). - net: Handle napi_schedule() calls from non-interrupt (git-fixes). - net: Implement missing SO_TIMESTAMPING_NEW cmsg support (git-fixes). - net: Remove acked SYN flag from packet in the transmit queue correctly (git-fixes). - net: do not dump stack on queue timeout (git-fixes). - net: gro: parse ipv6 ext headers without frag0 invalidation (git-fixes). - net: ipv6: ioam6: fix lwtunnel_output() loop (git-fixes). - net: loopback: Avoid sending IP packets without an Ethernet header (git-fixes). - net: qede: Initialize qede_ll_ops with designated initializer (git-fixes). - net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets (git-fixes). 
- net: set the minimum for net_hotdata.netdev_budget_usecs (git-fixes). - net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension (git-fixes). - netdev-genl: avoid empty messages in queue dump (git-fixes). - netdev: fix repeated netlink messages in queue dump (git-fixes). - netlink: annotate data-races around sk->sk_err (git-fixes). - netpoll: Ensure clean state on setup failures (git-fixes). - nfs: handle failure of nfs_get_lock_context in unlock path (git-fixes). - nfsd: add list_head nf_gc to struct nfsd_file (git-fixes). - nilfs2: add pointer check for nilfs_direct_propagate() (git-fixes). - nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() (git-fixes). - nvme-pci: acquire cq_poll_lock in nvme_poll_irqdisable (git-fixes bsc#1223096). - nvme-pci: add quirk for Samsung PM173x/PM173xa disk (bsc#1241148). - nvme-pci: fix queue unquiesce check on slot_reset (git-fixes). - nvme-pci: make nvme_pci_npages_prp() __always_inline (git-fixes). - nvme-tcp: fix premature queue removal and I/O failover (git-fixes). - nvme-tcp: select CONFIG_TLS from CONFIG_NVME_TCP_TLS (git-fixes). - nvme: Add 'partial_nid' quirk (bsc#1241148). - nvme: Add warning when a partiually unique NID is detected (bsc#1241148). - nvme: Update patch nvme-fixup-scan-failure-for-non-ANA-multipath-contro.patch (git-fixes bsc#1235149). - nvme: Update patch nvme-re-read-ANA-log-page-after-ns-scan-completes.patch (git-fixes bsc#1235149). - nvme: fixup scan failure for non-ANA multipath controllers (git-fixes). - nvme: multipath: fix return value of nvme_available_path (git-fixes). - nvme: re-read ANA log page after ns scan completes (git-fixes). - nvme: requeue namespace scan on missed AENs (git-fixes). - nvme: unblock ctrl state transition for firmware update (git-fixes). - nvmet-fc: inline nvmet_fc_delete_assoc (git-fixes). - nvmet-fc: inline nvmet_fc_free_hostport (git-fixes). - nvmet-fc: put ref when assoc->del_work is already scheduled (git-fixes). 
- nvmet-fc: take tgtport reference only once (git-fixes). - nvmet-fc: update tgtport ref per assoc (git-fixes). - nvmet-fcloop: Remove remote port from list when unlinking (git-fixes). - nvmet-fcloop: add ref counting to lport (git-fixes). - nvmet-fcloop: replace kref with refcount (git-fixes). - nvmet-tcp: select CONFIG_TLS from CONFIG_NVME_TARGET_TCP_TLS (git-fixes). - objtool, panic: Disable SMAP in __stack_chk_fail() (bsc#1243963). - ocfs2: fix the issue with discontiguous allocation in the global_bitmap (git-fixes). - octeontx2-pf: qos: fix VF root node parent queue index (git-fixes). - padata: do not leak refcount in reorder_work (git-fixes). - phy: Fix error handling in tegra_xusb_port_init (git-fixes). - phy: renesas: rcar-gen3-usb2: Fix role detection on unbind/bind (git-fixes). - phy: renesas: rcar-gen3-usb2: Set timing registers only once (git-fixes). - phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking (git-fixes). - phy: tegra: xusb: remove a stray unlock (git-fixes). - platform/x86/amd/pmc: Declare quirk_spurious_8042 for MECHREVO Wujie 14XA (GX4HRXL) (git-fixes). - platform/x86/amd: pmc: Require at least 2.5 seconds between HW sleep cycles (stable-fixes). - platform/x86: asus-wmi: Fix wlan_ctrl_by_user detection (git-fixes). - platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store() (git-fixes). - powercap: intel_rapl: Fix locking in TPMI RAPL (git-fixes). - powerpc/pseries/iommu: create DDW for devices with DMA mask less than 64-bits (bsc#1239691 bsc#1243044 ltc#212555). - qibfs: fix _another_ leak (git-fixes) - rcu/tasks-trace: Handle new PF_IDLE semantics (git-fixes) - rcu/tasks: Handle new PF_IDLE semantics (git-fixes) - rcu: Break rcu_node_0 --> &rq->__lock order (git-fixes) - rcu: Introduce rcu_cpu_online() (git-fixes) - regulator: max20086: fix invalid memory access (git-fixes). 
- rpm/check-for-config-changes: Add GCC_ASM_FLAG_OUTPUT_BROKEN - s390/bpf: Store backchain even for leaf progs (git-fixes bsc#1243805). - scsi: Improve CDL control (git-fixes). - scsi: core: Clear flags for scsi_cmnd that did not complete (git-fixes). - scsi: hisi_sas: Fix I/O errors caused by hardware port ID changes (git-fixes). - scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk (bsc#1242993). - scsi: lpfc: Convert timeouts to secs_to_jiffies() (bsc#1242993). - scsi: lpfc: Copyright updates for 14.4.0.9 patches (bsc#1242993). - scsi: lpfc: Create lpfc_vmid_info sysfs entry (bsc#1242993). - scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands (bsc#1242993). - scsi: lpfc: Fix spelling mistake 'Toplogy' -> 'Topology' (bsc#1242993). - scsi: lpfc: Notify FC transport of rport disappearance during PCI fcn reset (bsc#1242993). - scsi: lpfc: Prevent failure to reregister with NVMe transport after PRLI retry (bsc#1242993). - scsi: lpfc: Restart eratt_poll timer if HBA_SETUP flag still unset (bsc#1242993). - scsi: lpfc: Update lpfc version to 14.4.0.9 (bsc#1242993). - scsi: lpfc: Use memcpy() for BIOS version (bsc#1240966). - scsi: lpfc: convert timeouts to secs_to_jiffies() (bsc#1242993). - scsi: megaraid_sas: Block zero-length ATA VPD inquiry (git-fixes). - scsi: pm80xx: Set phy_attached to zero when device is gone (git-fixes). - scsi: qla2xxx: Fix typos in a comment (bsc#1243090). - scsi: qla2xxx: Mark device strings as nonstring (bsc#1243090). - scsi: qla2xxx: Remove duplicate struct crb_addr_pair (bsc#1243090). - scsi: qla2xxx: Remove unused module parameters (bsc#1243090). - scsi: qla2xxx: Remove unused ql_log_qp (bsc#1243090). - scsi: qla2xxx: Remove unused qla2x00_gpsc() (bsc#1243090). - scsi: qla2xxx: Remove unused qla82xx_pci_region_offset() (bsc#1243090). - scsi: qla2xxx: Remove unused qla82xx_wait_for_state_change() (bsc#1243090). - scsi: qla2xxx: Remove unused qlt_83xx_iospace_config() (bsc#1243090). 
- scsi: qla2xxx: Remove unused qlt_fc_port_deleted() (bsc#1243090). - scsi: qla2xxx: Remove unused qlt_free_qfull_cmds() (bsc#1243090). - selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map test (bsc#1242203). - smb3: fix Open files on server counter going negative (git-fixes). - smb: client: Use str_yes_no() helper function (git-fixes). - smb: client: allow more DFS referrals to be cached (git-fixes). - smb: client: avoid unnecessary reconnects when refreshing referrals (git-fixes). - smb: client: change return value in open_cached_dir_by_dentry() if !cfids (git-fixes). - smb: client: do not retry DFS targets on server shutdown (git-fixes). - smb: client: do not trust DFSREF_STORAGE_SERVER bit (git-fixes). - smb: client: do not try following DFS links in cifs_tree_connect() (git-fixes). - smb: client: fix DFS interlink failover (git-fixes). - smb: client: fix DFS mount against old servers with NTLMSSP (git-fixes). - smb: client: fix hang in wait_for_response() for negproto (bsc#1242709). - smb: client: fix potential race in cifs_put_tcon() (git-fixes). - smb: client: fix return value of parse_dfs_referrals() (git-fixes). - smb: client: get rid of @nlsc param in cifs_tree_connect() (git-fixes). - smb: client: get rid of TCP_Server_Info::refpath_lock (git-fixes). - smb: client: get rid of kstrdup() in get_ses_refpath() (git-fixes). - smb: client: improve purging of cached referrals (git-fixes). - smb: client: introduce av_for_each_entry() helper (git-fixes). - smb: client: optimize referral walk on failed link targets (git-fixes). - smb: client: parse DNS domain name from domain= option (git-fixes). - smb: client: parse av pair type 4 in CHALLENGE_MESSAGE (git-fixes). - smb: client: provide dns_resolve_{unc,name} helpers (git-fixes). - smb: client: refresh referral without acquiring refpath_lock (git-fixes). - smb: client: remove unnecessary checks in open_cached_dir() (git-fixes). - spi: loopback-test: Do not split 1024-byte hexdumps (git-fixes). 
- spi: spi-fsl-dspi: Halt the module after a new message transfer (git-fixes). - spi: spi-fsl-dspi: Reset SR flags before sending a new message (git-fixes). - spi: spi-fsl-dspi: restrict register range for regmap access (git-fixes). - spi: tegra114: Use value to check for invalid delays (git-fixes). - staging: axis-fifo: Correct handling of tx_fifo_depth for size validation (git-fixes). - staging: axis-fifo: Remove hardware resets for user errors (git-fixes). - staging: iio: adc: ad7816: Correct conditional logic for store mode (git-fixes). - tcp_bpf: Charge receive socket buffer in bpf_tcp_ingress() (git-fixes). - tcp_cubic: fix incorrect HyStart round start detection (git-fixes). - thermal: intel: x86_pkg_temp_thermal: Fix bogus trip temperature (git-fixes). - usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version (git-fixes). - usb: gadget: Use get_status callback to set remote wakeup capability (git-fixes). - usb: gadget: f_ecm: Add get_status callback (git-fixes). - usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN (git-fixes). - usb: host: tegra: Prevent host controller crash when OTG port is used (git-fixes). - usb: typec: class: Invalidate USB device pointers on partner unregistration (git-fixes). - usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition (git-fixes). - usb: typec: ucsi: displayport: Fix NULL pointer access (git-fixes). - usb: uhci-platform: Make the clock really optional (git-fixes). - usb: usbtmc: Fix erroneous generic_read ioctl return (git-fixes). - usb: usbtmc: Fix erroneous get_stb ioctl error returns (git-fixes). - usb: usbtmc: Fix erroneous wait_srq ioctl return (git-fixes). - vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint (git-fixes). - virtio_console: fix missing byte order handling for cols and rows (git-fixes). - wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation (git-fixes). 
- wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request (git-fixes). - wifi: mt76: disable napi on driver removal (git-fixes). - x86/its: Fix build errors when CONFIG_MODULES=n (git-fixes). - x86/xen: move xen_reserve_extra_memory() (git-fixes). - xen/mcelog: Add __nonstring annotations for unterminated strings (git-fixes). - xen: Change xen-acpi-processor dom0 dependency (git-fixes). - xenfs/xensyms: respect hypervisor's 'next' indication (git-fixes). - xhci: Add helper to set an interrupters interrupt moderation interval (git-fixes). - xhci: Clean up stale comment on ERST_SIZE macro (stable-fixes). - xhci: split free interrupter into separate remove and free parts (git-fixes). - xsk: Add truesize to skb_add_rx_frag() (git-fixes). - xsk: Do not assume metadata is always requested in TX completion (git-fixes). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2007-1 Released: Wed Jun 18 16:03:17 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1239012,1239543,1240132,1241463,1243887,1243901,1244105 This update for libzypp, zypper fixes the following issues: - Fix credential handling in HEAD requests (bsc#1244105) - RepoInfo: use pathNameSetTrailingSlash - Fix wrong userdata parameter type when running zypp with debug verbosity (bsc#1239012) - Do not warn about no mirrors if mirrorlist was switched on automatically. (bsc#1243901) - Relax permission of cached packages to 0644 & ~umask (bsc#1243887) - Add a note to service maintained .repo file entries - Support using %{url} variable in a RIS service's repo section. - Use a cookie file to validate mirrorlist cache. This patch extends the mirrorlist code to use a cookie file to validate the contents of the cache against the source URL, making sure that we do not accidentally use an old cache when the mirrorlist url was changed. 
For example when migrating a system from one release to the next where the same repo alias might just have a different URL. - Let Service define and update gpgkey, mirrorlist and metalink. - Preserve a mirrorlist file in the raw cache during refresh. - Enable curl2 backend and parallel package download by default. Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1> can be used to turn the features on or off. - Make gpgKeyUrl the default source for gpg keys. When refreshing zypp now primarily uses gpgKeyUrl information from the repo files and only falls back to an automatically generated key Url if a gpgKeyUrl was not specified. - Introduce mirrors into the Media backends (bsc#1240132) - Drop MediaMultiCurl backend. - Throttle progress updates when preloading packages (bsc#1239543) - Check if request is in valid state in CURL callbacks - spec/CMake: add conditional build '--with[out] classic_rpmtrans_as_default'. classic_rpmtrans is the current builtin default for SUSE, otherwise it's single_rpmtrans. The `enable_preview_single_rpmtrans_as_default_for_zypper` switch was removed from the spec file. Accordingly the CMake option ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed. - BuildRequires: libzypp-devel >= 17.37.0. - Use libzypp improvements for preload and mirror handling. - xmlout.rnc: Update repo-element (bsc#1241463) Add the 'metalink' attribute and reflect that the 'url' elements list may in fact be empty, if no baseurls are defined in the .repo files. - man: update --allow-unsigned-rpm description. Explain how to achieve the same for packages provided by repositories. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2080-1 Released: Tue Jun 24 12:26:23 2025 Summary: Security update for pam-config Type: security Severity: important References: 1243226,CVE-2025-6018 This update for pam-config fixes the following issues: - CVE-2025-6018: Stop adding pam_env in AUTH stack, and be sure to put this module at the very end of the SESSION stack (bsc#1243226). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2103-1 Released: Wed Jun 25 10:26:23 2025 Summary: Recommended update for cifs-utils Type: recommended Severity: important References: 1243488 This update for cifs-utils fixes the following issues: - Add patches: * Fix cifs.mount with krb5 auth (bsc#1243488) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2104-1 Released: Wed Jun 25 10:26:59 2025 Summary: Recommended update for nfs-utils Type: recommended Severity: important References: 1240899 This update for nfs-utils fixes the following issues: - gssd: add support for an 'allowed-enctypes' option in nfs.conf (bsc#1240899) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2167-1 Released: Mon Jun 30 09:14:40 2025 Summary: Security update for glib2 Type: security Severity: important References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596). - CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2177-1 Released: Mon Jun 30 19:53:04 2025 Summary: Security update for sudo Type: security Severity: important References: 1245274,1245275,CVE-2025-32462,CVE-2025-32463 This update for sudo fixes the following issues: - CVE-2025-32462: Fixed a possible local privilege escalation via the --host option (bsc#1245274). - CVE-2025-32463: Fixed a possible local privilege escalation via chroot option (bsc#1245275). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2198-1 Released: Wed Jul 2 11:22:33 2025 Summary: Security update for runc Type: security Severity: low References: 1230092,CVE-2024-45310 This update for runc fixes the following issues: - CVE-2024-45310: Fixed unintentional creation of empty files/directories on host (bsc#1230092) Other fixes: - Update to runc v1.2.6. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2226-1 Released: Fri Jul 4 15:31:04 2025 Summary: Security update for vim Type: security Severity: moderate References: 1228776,1239602,CVE-2024-41965,CVE-2025-29768 This update for vim fixes the following issues: - CVE-2024-41965: Fixed improper neutralization of argument delimiters in zip.vim that could have led to data loss (bsc#1228776). - CVE-2025-29768: Fixed double-free in dialog_changed() (bsc#1239602). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2229-1 Released: Fri Jul 4 18:02:30 2025 Summary: Security update for libssh Type: security Severity: important References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372 This update for libssh fixes the following issues: - CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311). - CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309). - CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310). - CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2237-1 Released: Mon Jul 7 14:59:13 2025 Summary: Recommended update for openssl-3 Type: recommended Severity: moderate References: This update for openssl-3 fixes the following issues: - Backport mdless cms signing support [jsc#PED-12895] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2239-1 Released: Mon Jul 7 15:32:03 2025 Summary: Recommended update for libbpf Type: recommended Severity: moderate References: 1244135 This update for libbpf fixes the following issue: - Workaround kernel module size increase, 6.15 modules are 2-4 times larger than 6.14's (bsc#1244135). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2240-1 Released: Mon Jul 7 18:16:10 2025 Summary: Recommended update for openssh Type: recommended Severity: moderate References: 1241667 This update for openssh fixes the following issue: - 'scp' on SLE 15 ignores write directory permissions for group and world (bsc#1241667). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2244-1 Released: Tue Jul 8 10:44:02 2025 Summary: Security update for systemd Type: security Severity: moderate References: 1242827,1243935,CVE-2025-4598 This update for systemd fixes the following issues: - CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935). Other bugfixes: - logs-show: get timestamp and boot ID only when necessary (bsc#1242827). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2259-1 Released: Wed Jul 9 17:18:02 2025 Summary: Recommended update for gpg2 Type: security Severity: low References: 1236931,1239119,1239817,CVE-2025-30258 This update for gpg2 fixes the following issues: - CVE-2025-30258: Fixed DoS due to a malicious subkey in the keyring (bsc#1239119). Other bugfixes: - Do not install expired sks certificate (bsc#1243069). - gpg hangs when importing a key (bsc#1236931). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2289-1 Released: Fri Jul 11 13:12:28 2025 Summary: Security update for docker Type: security Severity: moderate References: 1239765,1240150,1241830,1242114,1243833,1244035,CVE-2025-0495,CVE-2025-22872 This update for docker fixes the following issues: Update to Docker 28.2.2-ce (bsc#1243833, bsc#1242114): - CVE-2025-0495: Fixed credential leakage to telemetry endpoints when credentials are allowed to be set as attribute values in cache-to/cache-from configuration (bsc#1239765). - CVE-2025-22872: golang.org/x/net/html: incorrectly interpreted tags can cause content to be placed in the wrong scope during DOM construction (bsc#1241830). Other fixes: - Update to docker-buildx v0.22.0. - Always clear SUSEConnect suse_* secrets when starting containers (bsc#1244035). - Disable transparent SUSEConnect support for SLE-16. (jsc#PED-12534) - Now that the only blocker for docker-buildx support was removed for SLE-16, enable docker-buildx for SLE-16 as well. (jsc#PED-8905) - SUSEConnect secrets fails in SLES rootless docker containers (bsc#1240150). 
The following package changes have been done: - cifs-utils-6.15-150400.3.15.1 updated - docker-28.2.2_ce-150000.227.1 updated - glib2-tools-2.78.6-150600.4.16.1 updated - gpg2-2.4.4-150600.3.9.1 updated - kernel-default-6.4.0-150600.23.53.1 updated - libbpf1-1.2.2-150600.3.6.2 updated - libgio-2_0-0-2.78.6-150600.4.16.1 updated - libglib-2_0-0-2.78.6-150600.4.16.1 updated - libgmodule-2_0-0-2.78.6-150600.4.16.1 updated - libgobject-2_0-0-2.78.6-150600.4.16.1 updated - libnfsidmap1-1.0-150600.28.12.1 updated - libopenssl3-3.1.4-150600.5.33.1 updated - libssh-config-0.9.8-150600.11.3.1 updated - libssh4-0.9.8-150600.11.3.1 updated - libsystemd0-254.25-150600.4.40.1 updated - libudev1-254.25-150600.4.40.1 updated - libzypp-17.37.5-150600.3.60.1 updated - nfs-client-2.6.4-150600.28.12.1 updated - openssh-clients-9.6p1-150600.6.29.2 updated - openssh-common-9.6p1-150600.6.29.2 updated - openssh-server-config-disallow-rootlogin-9.6p1-150600.6.29.2 updated - openssh-server-9.6p1-150600.6.29.2 updated - openssh-9.6p1-150600.6.29.2 updated - openssl-3-3.1.4-150600.5.33.1 updated - pam-config-1.1-150600.16.8.1 updated - pam-1.3.0-150000.6.83.1 updated - perl-base-5.26.1-150300.17.20.1 updated - perl-5.26.1-150300.17.20.1 updated - python3-requests-2.25.1-150300.3.15.1 updated - runc-1.2.6-150000.73.2 updated - sudo-1.9.15p5-150600.3.9.1 updated - systemd-254.25-150600.4.40.1 updated - udev-254.25-150600.4.40.1 updated - vim-data-common-9.1.1406-150500.20.27.1 updated - vim-9.1.1406-150500.20.27.1 updated - zypper-1.14.90-150600.10.34.3 updated From sle-container-updates at lists.suse.com Sun Jul 13 07:03:09 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sun, 13 Jul 2025 09:03:09 +0200 (CEST) Subject: SUSE-IU-2025:1943-1: Security update of sles-15-sp6-chost-byos-v20250711-x86-64 Message-ID: <20250713070309.9E639FCFE@maintenance.suse.de> SUSE Image Update Advisory: sles-15-sp6-chost-byos-v20250711-x86-64 
----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1943-1 Image Tags : sles-15-sp6-chost-byos-v20250711-x86-64:20250711 Image Release : Severity : important Type : security References : ----------------------------------------------------------------- The container sles-15-sp6-chost-byos-v20250711-x86-64 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2000-1 Released: Wed Jun 18 13:08:14 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1220112,1223096,1226498,1229491,1230581,1231016,1232649,1232882,1233192,1234154,1235149,1235968,1236142,1236208,1237312,1238212,1238473,1238774,1238992,1239691,1239925,1240593,1240866,1240966,1241148,1241282,1241305,1241340,1241351,1241376,1241448,1241457,1241492,1241519,1241525,1241533,1241538,1241576,1241590,1241595,1241596,1241597,1241625,1241627,1241635,1241638,1241644,1241654,1241657,1242006,1242012,1242035,1242044,1242203,1242343,1242414,1242417,1242501,1242502,1242506,1242507,1242509,1242510,1242512,1242513,1242514,1242520,1242523,1242524,1242529,1242530,1242531,1242532,1242559,1242563,1242564,1242565,1242566,1242567,1242568,1242569,1242574,1242575,1242578,1242584,1242585,1242587,1242591,1242709,1242727,1242758,1242760,1242761,1242762,1242763,1242764,1242766,1242770,1242778,1242781,1242782,1242785,1242786,1242792,1242852,1242854,1242856,1242859,1242860,1242861,1242866,1242867,1242868,1242871,1242873,1242875,1242906,1242908,1242924,1242930,1242944,1242945,1242948,
1242949,1242951,1242953,1242955,1242957,1242959,1242961,1242962,1242973,1242974,1242977,1242990,1242993,1243000,1243006,1243011,1243015,1243044,1243049,1243056,1243074,1243076,1243077,1243082,1243090,1243330,1243342,1243456,1243469,1243470,1243471,1243472,1243473,1243476,1243509,1243511,1243513,1243515,1243516,1243517,1243519,1243522,1243524,1243528,1243529,1243530,1243534,1243536,1243539,1243540,1243541,1243543,1243545,1243547,1243559,1243560,1243562,1243567,1243573,1243574,1243575,1243589,1243621,1243624,1243625,1243626,1243627,1243649,1243657,1243658,1243659,1243660,1243664,1243737,1243805,1243963,CVE-2023-53146,CVE-2024-28956,CVE-2024-43869,CVE-2024-46713,CVE-2024-50106,CVE-2024-50223,CVE-2024-53135,CVE-2024-54458,CVE-2024-58098,CVE-2024-58099,CVE-2024-58100,CVE-2024-58237,CVE-2025-21629,CVE-2025-21648,CVE-2025-21702,CVE-2025-21787,CVE-2025-21814,CVE-2025-21919,CVE-2025-22005,CVE-2025-22021,CVE-2025-22030,CVE-2025-22056,CVE-2025-22057,CVE-2025-22063,CVE-2025-22066,CVE-2025-22070,CVE-2025-22089,CVE-2025-22095,CVE-2025-22103,CVE-2025-22119,CVE-2025-22124,CVE-2025-22125,CVE-2025-22126,CVE-2025-23140,CVE-2025-23141,CVE-2025-23142,CVE-2025-23144,CVE-2025-23146,CVE-2025-23147,CVE-2025-23148,CVE-2025-23149,CVE-2025-23150,CVE-2025-23151,CVE-2025-23156,CVE-2025-23157,CVE-2025-23158,CVE-2025-23159,CVE-2025-23160,CVE-2025-23161,CVE-2025-37740,CVE-2025-37741,CVE-2025-37742,CVE-2025-37747,CVE-2025-37748,CVE-2025-37749,CVE-2025-37750,CVE-2025-37754,CVE-2025-37755,CVE-2025-37758,CVE-2025-37765,CVE-2025-37766,CVE-2025-37767,CVE-2025-37768,CVE-2025-37769,CVE-2025-37770,CVE-2025-37771,CVE-2025-37772,CVE-2025-37773,CVE-2025-37780,CVE-2025-37781,CVE-2025-37782,CVE-2025-37787,CVE-2025-37788,CVE-2025-37789,CVE-2025-37790,CVE-2025-37792,CVE-2025-37793,CVE-2025-37794,CVE-2025-37796,CVE-2025-37797,CVE-2025-37798,CVE-2025-37803,CVE-2025-37804,CVE-2025-37805,CVE-2025-37809,CVE-2025-37810,CVE-2025-37812,CVE-2025-37815,CVE-2025-37819,CVE-2025-37820,CVE-2025-37823,CVE-2025-37824,
CVE-2025-37829,CVE-2025-37830,CVE-2025-37831,CVE-2025-37833,CVE-2025-37836,CVE-2025-37839,CVE-2025-37840,CVE-2025-37841,CVE-2025-37842,CVE-2025-37849,CVE-2025-37850,CVE-2025-37851,CVE-2025-37852,CVE-2025-37853,CVE-2025-37854,CVE-2025-37858,CVE-2025-37867,CVE-2025-37870,CVE-2025-37871,CVE-2025-37873,CVE-2025-37875,CVE-2025-37879,CVE-2025-37881,CVE-2025-37886,CVE-2025-37887,CVE-2025-37889,CVE-2025-37890,CVE-2025-37891,CVE-2025-37892,CVE-2025-37897,CVE-2025-37900,CVE-2025-37901,CVE-2025-37903,CVE-2025-37905,CVE-2025-37911,CVE-2025-37912,CVE-2025-37913,CVE-2025-37914,CVE-2025-37915,CVE-2025-37918,CVE-2025-37925,CVE-2025-37928,CVE-2025-37929,CVE-2025-37930,CVE-2025-37931,CVE-2025-37932,CVE-2025-37937,CVE-2025-37943,CVE-2025-37944,CVE-2025-37948,CVE-2025-37949,CVE-2025-37951,CVE-2025-37953,CVE-2025-37954,CVE-2025-37957,CVE-2025-37958,CVE-2025-37959,CVE-2025-37960,CVE-2025-37963,CVE-2025-37969,CVE-2025-37970,CVE-2025-37972,CVE-2025-37974,CVE-2025-37978,CVE-2025-37979,CVE-2025-37980,CVE-2025-37982,CVE-2025-37983,CVE-2025-37985,CVE-2025-37986,CVE-2025-37989,CVE-2025-37990,CVE-2025-38104,CVE-2025-38152,CVE-2025-38240,CVE-2025-38637,CVE-2025-39735,CVE-2025-40014,CVE-2025-40325 The SUSE Linux Enterprise 15 SP6 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2024-28956: x86/ibt: Keep IBT disabled during alternative patching (bsc#1242006). - CVE-2024-46713: kabi fix for perf/aux: Fix AUX buffer serialization (bsc#1230581). - CVE-2024-50223: sched/numa: Fix the potential null pointer dereference in (bsc#1233192). - CVE-2024-53135: KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN (bsc#1234154). - CVE-2024-54458: scsi: ufs: bsg: Set bsg_queue to NULL after removal (bsc#1238992). - CVE-2025-21648: netfilter: conntrack: clamp maximum hashtable size to INT_MAX (bsc#1236142). - CVE-2025-21702: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (bsc#1237312).
- CVE-2025-21787: team: better TEAM_OPTION_TYPE_STRING validation (bsc#1238774). - CVE-2025-21814: ptp: Ensure info->enable callback is always set (bsc#1238473). - CVE-2025-21919: sched/fair: Fix potential memory corruption in child_cfs_rq_on_list (bsc#1240593). - CVE-2025-22021: netfilter: socket: Lookup orig tuple for IPv6 SNAT (bsc#1241282). - CVE-2025-22030: mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead() (bsc#1241376). - CVE-2025-22056: netfilter: nft_tunnel: fix geneve_opt type confusion addition (bsc#1241525). - CVE-2025-22057: net: decrease cached dst counters in dst_release (bsc#1241533). - CVE-2025-22063: netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets (bsc#1241351). - CVE-2025-22070: fs/9p: fix NULL pointer dereference on mkdir (bsc#1241305). - CVE-2025-22103: net: fix NULL pointer dereference in l3mdev_l3_rcv (bsc#1241448). - CVE-2025-23140: misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error (bsc#1242763). - CVE-2025-23150: ext4: fix off-by-one error in do_split (bsc#1242513). - CVE-2025-23160: media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization (bsc#1242507). - CVE-2025-37748: iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group (bsc#1242523). - CVE-2025-37749: net: ppp: Add bound checking for skb data on ppp_sync_txmung (bsc#1242859). - CVE-2025-37750: smb: client: fix UAF in decryption with multichannel (bsc#1242510). - CVE-2025-37755: net: libwx: handle page_pool_dev_alloc_pages error (bsc#1242506). - CVE-2025-37773: virtiofs: add filesystem context source name check (bsc#1242502). - CVE-2025-37780: isofs: Prevent the use of too small fid (bsc#1242786). - CVE-2025-37787: net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered (bsc#1242585). - CVE-2025-37789: net: openvswitch: fix nested key length validation in the set() action (bsc#1242762). 
- CVE-2025-37790: net: mctp: Set SOCK_RCU_FREE (bsc#1242509). - CVE-2025-37797: net_sched: hfsc: Fix a UAF vulnerability in class handling (bsc#1242417). - CVE-2025-37803: udmabuf: fix a buf size overflow issue during udmabuf creation (bsc#1242852). - CVE-2025-37804: io_uring: always do atomic put from iowq (bsc#1242854). - CVE-2025-37809: usb: typec: class: Unlocked on error in typec_register_partner() (bsc#1242856). - CVE-2025-37820: xen-netfront: handle NULL returned by xdp_convert_buff_to_frame() (bsc#1242866). - CVE-2025-37823: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too (bsc#1242924). - CVE-2025-37824: tipc: fix NULL pointer dereference in tipc_mon_reinit_self() (bsc#1242867). - CVE-2025-37829: cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate() (bsc#1242875). - CVE-2025-37830: cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate() (bsc#1242860). - CVE-2025-37831: cpufreq: apple-soc: Fix null-ptr-deref in apple_soc_cpufreq_get_rate() (bsc#1242861). - CVE-2025-37833: net/niu: Niu requires MSIX ENTRY_DATA fields touch before entry reads (bsc#1242868). - CVE-2025-37842: spi: fsl-qspi: Fix double cleanup in probe error path (bsc#1242951). - CVE-2025-37870: drm/amd/display: prevent hang on link training fail (bsc#1243056). - CVE-2025-37879: 9p/net: fix improper handling of bogus negative read/write replies (bsc#1243077). - CVE-2025-37886: pds_core: make wait_context part of q_info (bsc#1242944). - CVE-2025-37887: pds_core: handle unsupported PDS_CORE_CMD_FW_CONTROL result (bsc#1242962). - CVE-2025-37949: xenbus: Use kref to track req lifetime (bsc#1243541). - CVE-2025-37954: smb: client: Avoid race in open_cached_dir with lease breaks (bsc#1243664). - CVE-2025-37957: KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception (bsc#1243513). - CVE-2025-37958: mm/huge_memory: fix dereferencing invalid pmd migration entry (bsc#1243539). 
- CVE-2025-37960: memblock: Accept allocated memory before use in memblock_double_array() (bsc#1243519). - CVE-2025-37974: s390/pci: Fix missing check for zpci_create_device() error return (bsc#1243547). - CVE-2025-38152: remoteproc: core: Clear table_sz when rproc_shutdown (bsc#1241627). - CVE-2025-38637: net_sched: skbprio: Remove overly strict queue assertions (bsc#1241657). The following non-security bugs were fixed: - ACPI: PPTT: Fix processor subtable walk (git-fixes). - ALSA: es1968: Add error handling for snd_pcm_hw_constraint_pow2() (git-fixes). - ALSA: seq: Fix delivery of UMP events to group ports (git-fixes). - ALSA: sh: SND_AICA should depend on SH_DMA_API (git-fixes). - ALSA: ump: Fix a typo of snd_ump_stream_msg_device_info (git-fixes). - ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface() (stable-fixes). - ALSA: usb-audio: Add sample rate quirk for Audioengine D1 (git-fixes). - ALSA: usb-audio: Add sample rate quirk for Microdia JP001 USB Camera (stable-fixes). - ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset (stable-fixes). - ASoC: SOF: ipc4-control: Use SOF_CTRL_CMD_BINARY as numid for bytes_ext (git-fixes). - ASoC: SOF: ipc4-pcm: Delay reporting is only supported for playback direction (git-fixes). - ASoC: Use of_property_read_bool() (stable-fixes). - ASoC: soc-core: Stop using of_property_read_bool() for non-boolean properties (stable-fixes). - ASoc: SOF: topology: connect DAI to a single DAI link (git-fixes). - Bluetooth: L2CAP: Fix not checking l2cap_chan security level (git-fixes). - Bluetooth: MGMT: Fix MGMT_OP_ADD_DEVICE invalid device flags (git-fixes). - Bluetooth: btusb: use skb_pull to avoid unsafe access in QCA dump handling (git-fixes). - Drivers: hv: Allow vmbus_sendpacket_mpb_desc() to create multiple ranges (git-fixes). - Fix write to cloned skb in ipv6_hop_ioam() (git-fixes). - HID: thrustmaster: fix memory leak in thrustmaster_interrupts() (git-fixes). 
- HID: uclogic: Add NULL check in uclogic_input_configured() (git-fixes). - IB/cm: use rwlock for MAD agent lock (git-fixes) - Input: cyttsp5 - ensure minimum reset pulse width (git-fixes). - Input: mtk-pmic-keys - fix possible null pointer dereference (git-fixes). - Input: synaptics - enable InterTouch on Dell Precision M3800 (stable-fixes). - Input: synaptics - enable InterTouch on Dynabook Portege X30-D (stable-fixes). - Input: synaptics - enable InterTouch on Dynabook Portege X30L-G (stable-fixes). - Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 (stable-fixes). - Input: synaptics - enable SMBus for HP Elitebook 850 G1 (stable-fixes). - Input: synaptics-rmi - fix crash with unsupported versions of F34 (git-fixes). - Input: xpad - add support for 8BitDo Ultimate 2 Wireless Controller (stable-fixes). - Input: xpad - fix Share button on Xbox One controllers (stable-fixes). - Input: xpad - fix two controller table values (git-fixes). - KVM: SVM: Allocate IR data using atomic allocation (git-fixes). - KVM: SVM: Drop DEBUGCTL[5:2] from guest's effective value (git-fixes). - KVM: SVM: Suppress DEBUGCTL.BTF on AMD (git-fixes). - KVM: SVM: Update dump_ghcb() to use the GHCB snapshot fields (git-fixes). - KVM: VMX: Do not modify guest XFD_ERR if CR0.TS=1 (git-fixes). - KVM: arm64: Change kvm_handle_mmio_return() return polarity (git-fixes). - KVM: arm64: Fix RAS trapping in pKVM for protected VMs (git-fixes). - KVM: arm64: Ignore PMCNTENSET_EL0 while checking for overflow status (git-fixes). - KVM: arm64: Mark some header functions as inline (git-fixes). - KVM: arm64: Tear down vGIC on failed vCPU creation (git-fixes). - KVM: arm64: timer: Always evaluate the need for a soft timer (git-fixes). - KVM: arm64: vgic-its: Add a data length check in vgic_its_save_* (git-fixes). - KVM: arm64: vgic-its: Clear DTE when MAPD unmaps a device (git-fixes). - KVM: arm64: vgic-its: Clear ITE when DISCARD frees an ITE (git-fixes). 
- KVM: arm64: vgic-v4: Fall back to software irqbypass if LPI not found (git-fixes). - KVM: arm64: vgic-v4: Only attempt vLPI mapping for actual MSIs (git-fixes). - KVM: nSVM: Pass next RIP, not current RIP, for nested VM-Exit on emulation (git-fixes). - KVM: nVMX: Allow emulating RDPID on behalf of L2 (git-fixes). - KVM: nVMX: Check PAUSE_EXITING, not BUS_LOCK_DETECTION, on PAUSE emulation (git-fixes). - KVM: s390: Do not use %pK through debug printing (git-fixes bsc#1243657). - KVM: s390: Do not use %pK through tracepoints (git-fixes bsc#1243658). - KVM: x86/xen: Use guest's copy of pvclock when starting timer (git-fixes). - KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses (git-fixes). - KVM: x86: Do not take kvm->lock when iterating over vCPUs in suspend notifier (git-fixes). - KVM: x86: Explicitly treat routing entry type changes as changes (git-fixes). - KVM: x86: Explicitly zero EAX and EBX when PERFMON_V2 isn't supported by KVM (git-fixes). - KVM: x86: Explicitly zero-initialize on-stack CPUID unions (git-fixes). - KVM: x86: Make x2APIC ID 100% readonly (git-fixes). - KVM: x86: Reject disabling of MWAIT/HLT interception when not allowed (git-fixes). - KVM: x86: Remove the unreachable case for 0x80000022 leaf in __do_cpuid_func() (git-fixes). - KVM: x86: Wake vCPU for PIC interrupt injection iff a valid IRQ was found (git-fixes). - NFS: O_DIRECT writes must check and adjust the file length (git-fixes). - NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up (git-fixes). - NFSv4/pnfs: Reset the layout state after a layoutreturn (git-fixes). - NFSv4: Do not trigger uneccessary scans for return-on-close delegations (git-fixes). 
- RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work (git-fixes) - RDMA/core: Fix 'KASAN: slab-use-after-free Read in ib_register_device' problem (git-fixes) - RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h (git-fixes) - RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction (git-fixes) - RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction (git-fixes) - RDMA/rxe: Fix 'trying to register non-static key in rxe_qp_do_cleanup' bug (git-fixes) - RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug (git-fixes) - Squashfs: check return result of sb_min_blocksize (git-fixes). - USB: usbtmc: use interruptible sleep in usbtmc_read (git-fixes). - Xen/swiotlb: mark xen_swiotlb_fixup() __init (git-fixes). - add bug reference for an existing hv_netvsc change (bsc#1243737). - afs: Fix the server_list to unuse a displaced server rather than putting it (git-fixes). - afs: Make it possible to find the volumes that are using a server (git-fixes). - arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs (git-fixes) - arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users (git-fixes) - arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD (git-fixes) - arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 (git-fixes) - arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays (git-fixes) - arm64: insn: Add support for encoding DSB (git-fixes) - arm64: proton-pack: Add new CPUs 'k' values for branch mitigation (git-fixes) - arm64: proton-pack: Expose whether the branchy loop k value (git-fixes) - arm64: proton-pack: Expose whether the platform is mitigated by (git-fixes) - arp: switch to dev_getbyhwaddr() in arp_req_set_public() (git-fixes). - bnxt_en: Add missing skb_mark_for_recycle() in bnxt_rx_vlan() (git-fixes). - bnxt_en: Fix coredump logic to free allocated buffer (git-fixes). - bnxt_en: Fix ethtool -d byte order for 32-bit values (git-fixes). 
- bnxt_en: Fix out-of-bound memcpy() during ethtool -w (git-fixes). - bpf: Fix mismatched RCU unlock flavour in bpf_out_neigh_v6 (git-fixes). - bpf: Scrub packet on bpf_redirect_peer (git-fixes). - btrfs: adjust subpage bit start based on sectorsize (bsc#1241492). - btrfs: avoid NULL pointer dereference if no valid csum tree (bsc#1243342). - btrfs: avoid NULL pointer dereference if no valid extent tree (bsc#1236208). - btrfs: avoid monopolizing a core when activating a swap file (git-fixes). - btrfs: do not loop for nowait writes when checking for cross references (git-fixes). - btrfs: fix a leaked chunk map issue in read_one_chunk() (git-fixes). - btrfs: fix discard worker infinite loop after disabling discard (bsc#1242012). - btrfs: fix non-empty delayed iputs list on unmount due to compressed write workers (git-fixes). - cBPF: Refresh fixes for cBPF issue (bsc#1242778) - can: bcm: add locking for bcm_op runtime updates (git-fixes). - can: bcm: add missing rcu read protection for procfs content (git-fixes). - can: gw: fix RCU/BH usage in cgw_create_job() (git-fixes). - can: mcan: m_can_class_unregister(): fix order of unregistration calls (git-fixes). - can: mcp251xfd: fix TDC setting for low data bit rates (git-fixes). - can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls (git-fixes). - can: slcan: allow reception of short error messages (git-fixes). - check-for-config-changes: Fix flag name typo - cifs: change tcon status when need_reconnect is set on it (git-fixes). - cifs: reduce warning log level for server not advertising interfaces (git-fixes). - crypto: algif_hash - fix double free in hash_accept (git-fixes). - devlink: fix port new reply cmd type (git-fixes). - dm-integrity: fix a warning on invalid table line (git-fixes). - dma-buf: insert memory barrier before updating num_fences (git-fixes). - dmaengine: Revert 'dmaengine: dmatest: Fix dmatest waiting less when interrupted' (git-fixes). 
- dmaengine: idxd: Add missing cleanup for early error out in idxd_setup_internals (git-fixes). - dmaengine: idxd: Add missing cleanups in cleanup internals (git-fixes). - dmaengine: idxd: Add missing idxd cleanup to fix memory leak in remove call (git-fixes). - dmaengine: idxd: Fix ->poll() return value (git-fixes). - dmaengine: idxd: Fix allowing write() from different address spaces (git-fixes). - dmaengine: idxd: Refactor remove call with idxd_cleanup() helper (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_alloc (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_pci_probe (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_setup_engines (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_setup_groups (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_setup_wqs (git-fixes). - dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() (git-fixes). - dmaengine: mediatek: drop unused variable (git-fixes). - dmaengine: ti: k3-udma: Add missing locking (git-fixes). - dmaengine: ti: k3-udma: Use cap_mask directly from dma_device structure instead of a local copy (git-fixes). - drm/amd/display: Add scoped mutexes for amdgpu_dm_dhcp (stable-fixes). - drm/amd/display: Avoid flooding unnecessary info messages (git-fixes). - drm/amd/display: Copy AUX read reply data whenever length > 0 (git-fixes). - drm/amd/display: Correct the reply value when AUX write incomplete (git-fixes). - drm/amd/display: Fix slab-use-after-free in hdcp (git-fixes). - drm/amd/display: Fix the checking condition in dmub aux handling (stable-fixes). - drm/amd/display: Fix wrong handling for AUX_DEFER case (git-fixes). - drm/amd/display: Remove incorrect checking in dmub aux handler (git-fixes). - drm/amd/display: Shift DMUB AUX reply command if necessary (git-fixes). - drm/amd/display: more liberal vmin/vmax update for freesync (stable-fixes). 
- drm/amd: Add Suspend/Hibernate notification callback support (stable-fixes). - drm/amdgpu/hdp5.2: use memcfg register to post the write for HDP flush (git-fixes). - drm/amdgpu: Queue KFD reset workitem in VF FED (stable-fixes). - drm/amdgpu: fix pm notifier handling (git-fixes). - drm/amdgpu: trigger flr_work if reading pf2vf data failed (stable-fixes). - drm/edid: fixed the bug that hdr metadata was not reset (git-fixes). - drm/panel: simple: Update timings for AUO G101EVN010 (git-fixes). - drm/v3d: Add job to pending list if the reset was skipped (stable-fixes). - exfat: fix potential wrong error return from get_block (git-fixes). - hv_netvsc: Preserve contiguous PFN grouping in the page buffer array (git-fixes). - hv_netvsc: Remove rmsg_pgcnt (git-fixes). - hv_netvsc: Use vmbus_sendpacket_mpb_desc() to send VMBus messages (git-fixes). - i2c: designware: Fix an error handling path in i2c_dw_pci_probe() (git-fixes). - ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() (git-fixes). - idpf: fix offloads support for encapsulated packets (git-fixes). - idpf: fix potential memory leak on kcalloc() failure (git-fixes). - idpf: protect shutdown from reset (git-fixes). - igc: fix lock order in igc_ptp_reset (git-fixes). - iio: accel: adxl367: fix setting odr for activity time update (git-fixes). - iio: adc: ad7606: fix serial register access (git-fixes). - iio: adis16201: Correct inclinometer channel resolution (git-fixes). - iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo (git-fixes). - iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo (git-fixes). - iio: temp: maxim-thermocouple: Fix potential lack of DMA safe buffer (git-fixes). - inetpeer: remove create argument of inet_getpeer_v() (git-fixes). - inetpeer: update inetpeer timestamp in inet_getpeer() (git-fixes). - ipv4/route: avoid unused-but-set-variable warning (git-fixes). - ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR) (git-fixes). 
- ipv4: Convert icmp_route_lookup() to dscp_t (git-fixes). - ipv4: Fix incorrect source address in Record Route option (git-fixes). - ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family (git-fixes). - ipv4: fix source address selection with route leak (git-fixes). - ipv4: give an IPv4 dev to blackhole_netdev (git-fixes). - ipv4: icmp: Pass full DS field to ip_route_input() (git-fixes). - ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit() (git-fixes). - ipv4: ip_gre: Fix drops of small packets in ipgre_xmit (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_md_tunnel_xmit() (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_bind_dev() (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_xmit() (git-fixes). - ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid (git-fixes). - ipv4: raw: Fix sending packets from raw sockets via IPsec tunnels (git-fixes). - ipv6: Align behavior across nexthops during path selection (git-fixes). - ipv6: Do not consider link down nexthops in path selection (git-fixes). - ipv6: Start path selection from the first nexthop (git-fixes). - ipv6: fix omitted netlink attributes when using RTEXT_FILTER_SKIP_STATS (git-fixes). - irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs (git-fixes). - jiffies: Cast to unsigned long in secs_to_jiffies() conversion (bsc#1242993). - jiffies: Define secs_to_jiffies() (bsc#1242993). - kernel-obs-qa: Use srchash for dependency as well - loop: Add sanity check for read/write_iter (git-fixes). - loop: aio inherit the ioprio of original request (git-fixes). - loop: do not require ->write_iter for writable files in loop_configure (git-fixes). - md/raid1,raid10: do not ignore IO flags (git-fixes). - md/raid10: fix missing discard IO accounting (git-fixes). - md/raid10: wait barrier before returning discard request with REQ_NOWAIT (git-fixes). - md/raid1: Add check for missing source disk in process_checks() (git-fixes). 
- md/raid1: fix memory leak in raid1_run() if no active rdev (git-fixes). - md/raid5: implement pers->bitmap_sector() (git-fixes). - md: add a new callback pers->bitmap_sector() (git-fixes). - md: ensure resync is prioritized over recovery (git-fixes). - md: fix mddev uaf while iterating all_mddevs list (git-fixes). - md: preserve KABI in struct md_personality v2 (git-fixes). - media: videobuf2: Add missing doc comment for waiting_in_dqbuf (git-fixes). - mtd: phram: Add the kernel lock down check (bsc#1232649). - neighbour: delete redundant judgment statements (git-fixes). - net/handshake: Fix handshake_req_destroy_test1 (git-fixes). - net/handshake: Fix memory leak in __sock_create() and sock_alloc_file() (git-fixes). - net/ipv6: Fix route deleting failure when metric equals 0 (git-fixes). - net/ipv6: Fix the RT cache flush via sysctl using a previous delay (git-fixes). - net/ipv6: delete temporary address if mngtmpaddr is removed or unmanaged (git-fixes). - net/mlx5: E-Switch, Initialize MAC Address for Default GID (git-fixes). - net/mlx5: E-switch, Fix error handling for enabling roce (git-fixes). - net/mlx5e: Disable MACsec offload for uplink representor profile (git-fixes). - net: Add non-RCU dev_getbyhwaddr() helper (git-fixes). - net: Clear old fragment checksum value in napi_reuse_skb (git-fixes). - net: Handle napi_schedule() calls from non-interrupt (git-fixes). - net: Implement missing SO_TIMESTAMPING_NEW cmsg support (git-fixes). - net: Remove acked SYN flag from packet in the transmit queue correctly (git-fixes). - net: do not dump stack on queue timeout (git-fixes). - net: gro: parse ipv6 ext headers without frag0 invalidation (git-fixes). - net: ipv6: ioam6: fix lwtunnel_output() loop (git-fixes). - net: loopback: Avoid sending IP packets without an Ethernet header (git-fixes). - net: qede: Initialize qede_ll_ops with designated initializer (git-fixes). - net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets (git-fixes). 
- net: set the minimum for net_hotdata.netdev_budget_usecs (git-fixes). - net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension (git-fixes). - netdev-genl: avoid empty messages in queue dump (git-fixes). - netdev: fix repeated netlink messages in queue dump (git-fixes). - netlink: annotate data-races around sk->sk_err (git-fixes). - netpoll: Ensure clean state on setup failures (git-fixes). - nfs: handle failure of nfs_get_lock_context in unlock path (git-fixes). - nfsd: add list_head nf_gc to struct nfsd_file (git-fixes). - nilfs2: add pointer check for nilfs_direct_propagate() (git-fixes). - nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() (git-fixes). - nvme-pci: acquire cq_poll_lock in nvme_poll_irqdisable (git-fixes bsc#1223096). - nvme-pci: add quirk for Samsung PM173x/PM173xa disk (bsc#1241148). - nvme-pci: fix queue unquiesce check on slot_reset (git-fixes). - nvme-pci: make nvme_pci_npages_prp() __always_inline (git-fixes). - nvme-tcp: fix premature queue removal and I/O failover (git-fixes). - nvme-tcp: select CONFIG_TLS from CONFIG_NVME_TCP_TLS (git-fixes). - nvme: Add 'partial_nid' quirk (bsc#1241148). - nvme: Add warning when a partiually unique NID is detected (bsc#1241148). - nvme: Update patch nvme-fixup-scan-failure-for-non-ANA-multipath-contro.patch (git-fixes bsc#1235149). - nvme: Update patch nvme-re-read-ANA-log-page-after-ns-scan-completes.patch (git-fixes bsc#1235149). - nvme: fixup scan failure for non-ANA multipath controllers (git-fixes). - nvme: multipath: fix return value of nvme_available_path (git-fixes). - nvme: re-read ANA log page after ns scan completes (git-fixes). - nvme: requeue namespace scan on missed AENs (git-fixes). - nvme: unblock ctrl state transition for firmware update (git-fixes). - nvmet-fc: inline nvmet_fc_delete_assoc (git-fixes). - nvmet-fc: inline nvmet_fc_free_hostport (git-fixes). - nvmet-fc: put ref when assoc->del_work is already scheduled (git-fixes). 
- nvmet-fc: take tgtport reference only once (git-fixes). - nvmet-fc: update tgtport ref per assoc (git-fixes). - nvmet-fcloop: Remove remote port from list when unlinking (git-fixes). - nvmet-fcloop: add ref counting to lport (git-fixes). - nvmet-fcloop: replace kref with refcount (git-fixes). - nvmet-tcp: select CONFIG_TLS from CONFIG_NVME_TARGET_TCP_TLS (git-fixes). - objtool, panic: Disable SMAP in __stack_chk_fail() (bsc#1243963). - ocfs2: fix the issue with discontiguous allocation in the global_bitmap (git-fixes). - octeontx2-pf: qos: fix VF root node parent queue index (git-fixes). - padata: do not leak refcount in reorder_work (git-fixes). - phy: Fix error handling in tegra_xusb_port_init (git-fixes). - phy: renesas: rcar-gen3-usb2: Fix role detection on unbind/bind (git-fixes). - phy: renesas: rcar-gen3-usb2: Set timing registers only once (git-fixes). - phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking (git-fixes). - phy: tegra: xusb: remove a stray unlock (git-fixes). - platform/x86/amd/pmc: Declare quirk_spurious_8042 for MECHREVO Wujie 14XA (GX4HRXL) (git-fixes). - platform/x86/amd: pmc: Require at least 2.5 seconds between HW sleep cycles (stable-fixes). - platform/x86: asus-wmi: Fix wlan_ctrl_by_user detection (git-fixes). - platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store() (git-fixes). - powercap: intel_rapl: Fix locking in TPMI RAPL (git-fixes). - powerpc/pseries/iommu: create DDW for devices with DMA mask less than 64-bits (bsc#1239691 bsc#1243044 ltc#212555). - qibfs: fix _another_ leak (git-fixes) - rcu/tasks-trace: Handle new PF_IDLE semantics (git-fixes) - rcu/tasks: Handle new PF_IDLE semantics (git-fixes) - rcu: Break rcu_node_0 --> &rq->__lock order (git-fixes) - rcu: Introduce rcu_cpu_online() (git-fixes) - regulator: max20086: fix invalid memory access (git-fixes). 
- rpm/check-for-config-changes: Add GCC_ASM_FLAG_OUTPUT_BROKEN - s390/bpf: Store backchain even for leaf progs (git-fixes bsc#1243805). - scsi: Improve CDL control (git-fixes). - scsi: core: Clear flags for scsi_cmnd that did not complete (git-fixes). - scsi: hisi_sas: Fix I/O errors caused by hardware port ID changes (git-fixes). - scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk (bsc#1242993). - scsi: lpfc: Convert timeouts to secs_to_jiffies() (bsc#1242993). - scsi: lpfc: Copyright updates for 14.4.0.9 patches (bsc#1242993). - scsi: lpfc: Create lpfc_vmid_info sysfs entry (bsc#1242993). - scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands (bsc#1242993). - scsi: lpfc: Fix spelling mistake 'Toplogy' -> 'Topology' (bsc#1242993). - scsi: lpfc: Notify FC transport of rport disappearance during PCI fcn reset (bsc#1242993). - scsi: lpfc: Prevent failure to reregister with NVMe transport after PRLI retry (bsc#1242993). - scsi: lpfc: Restart eratt_poll timer if HBA_SETUP flag still unset (bsc#1242993). - scsi: lpfc: Update lpfc version to 14.4.0.9 (bsc#1242993). - scsi: lpfc: Use memcpy() for BIOS version (bsc#1240966). - scsi: lpfc: convert timeouts to secs_to_jiffies() (bsc#1242993). - scsi: megaraid_sas: Block zero-length ATA VPD inquiry (git-fixes). - scsi: pm80xx: Set phy_attached to zero when device is gone (git-fixes). - scsi: qla2xxx: Fix typos in a comment (bsc#1243090). - scsi: qla2xxx: Mark device strings as nonstring (bsc#1243090). - scsi: qla2xxx: Remove duplicate struct crb_addr_pair (bsc#1243090). - scsi: qla2xxx: Remove unused module parameters (bsc#1243090). - scsi: qla2xxx: Remove unused ql_log_qp (bsc#1243090). - scsi: qla2xxx: Remove unused qla2x00_gpsc() (bsc#1243090). - scsi: qla2xxx: Remove unused qla82xx_pci_region_offset() (bsc#1243090). - scsi: qla2xxx: Remove unused qla82xx_wait_for_state_change() (bsc#1243090). - scsi: qla2xxx: Remove unused qlt_83xx_iospace_config() (bsc#1243090). 
- scsi: qla2xxx: Remove unused qlt_fc_port_deleted() (bsc#1243090). - scsi: qla2xxx: Remove unused qlt_free_qfull_cmds() (bsc#1243090). - selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map test (bsc#1242203). - smb3: fix Open files on server counter going negative (git-fixes). - smb: client: Use str_yes_no() helper function (git-fixes). - smb: client: allow more DFS referrals to be cached (git-fixes). - smb: client: avoid unnecessary reconnects when refreshing referrals (git-fixes). - smb: client: change return value in open_cached_dir_by_dentry() if !cfids (git-fixes). - smb: client: do not retry DFS targets on server shutdown (git-fixes). - smb: client: do not trust DFSREF_STORAGE_SERVER bit (git-fixes). - smb: client: do not try following DFS links in cifs_tree_connect() (git-fixes). - smb: client: fix DFS interlink failover (git-fixes). - smb: client: fix DFS mount against old servers with NTLMSSP (git-fixes). - smb: client: fix hang in wait_for_response() for negproto (bsc#1242709). - smb: client: fix potential race in cifs_put_tcon() (git-fixes). - smb: client: fix return value of parse_dfs_referrals() (git-fixes). - smb: client: get rid of @nlsc param in cifs_tree_connect() (git-fixes). - smb: client: get rid of TCP_Server_Info::refpath_lock (git-fixes). - smb: client: get rid of kstrdup() in get_ses_refpath() (git-fixes). - smb: client: improve purging of cached referrals (git-fixes). - smb: client: introduce av_for_each_entry() helper (git-fixes). - smb: client: optimize referral walk on failed link targets (git-fixes). - smb: client: parse DNS domain name from domain= option (git-fixes). - smb: client: parse av pair type 4 in CHALLENGE_MESSAGE (git-fixes). - smb: client: provide dns_resolve_{unc,name} helpers (git-fixes). - smb: client: refresh referral without acquiring refpath_lock (git-fixes). - smb: client: remove unnecessary checks in open_cached_dir() (git-fixes). - spi: loopback-test: Do not split 1024-byte hexdumps (git-fixes). 
- spi: spi-fsl-dspi: Halt the module after a new message transfer (git-fixes). - spi: spi-fsl-dspi: Reset SR flags before sending a new message (git-fixes). - spi: spi-fsl-dspi: restrict register range for regmap access (git-fixes). - spi: tegra114: Use value to check for invalid delays (git-fixes). - staging: axis-fifo: Correct handling of tx_fifo_depth for size validation (git-fixes). - staging: axis-fifo: Remove hardware resets for user errors (git-fixes). - staging: iio: adc: ad7816: Correct conditional logic for store mode (git-fixes). - tcp_bpf: Charge receive socket buffer in bpf_tcp_ingress() (git-fixes). - tcp_cubic: fix incorrect HyStart round start detection (git-fixes). - thermal: intel: x86_pkg_temp_thermal: Fix bogus trip temperature (git-fixes). - usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version (git-fixes). - usb: gadget: Use get_status callback to set remote wakeup capability (git-fixes). - usb: gadget: f_ecm: Add get_status callback (git-fixes). - usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN (git-fixes). - usb: host: tegra: Prevent host controller crash when OTG port is used (git-fixes). - usb: typec: class: Invalidate USB device pointers on partner unregistration (git-fixes). - usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition (git-fixes). - usb: typec: ucsi: displayport: Fix NULL pointer access (git-fixes). - usb: uhci-platform: Make the clock really optional (git-fixes). - usb: usbtmc: Fix erroneous generic_read ioctl return (git-fixes). - usb: usbtmc: Fix erroneous get_stb ioctl error returns (git-fixes). - usb: usbtmc: Fix erroneous wait_srq ioctl return (git-fixes). - vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint (git-fixes). - virtio_console: fix missing byte order handling for cols and rows (git-fixes). - wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation (git-fixes). 
- wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request (git-fixes). - wifi: mt76: disable napi on driver removal (git-fixes). - x86/its: Fix build errors when CONFIG_MODULES=n (git-fixes). - x86/xen: move xen_reserve_extra_memory() (git-fixes). - xen/mcelog: Add __nonstring annotations for unterminated strings (git-fixes). - xen: Change xen-acpi-processor dom0 dependency (git-fixes). - xenfs/xensyms: respect hypervisor's 'next' indication (git-fixes). - xhci: Add helper to set an interrupters interrupt moderation interval (git-fixes). - xhci: Clean up stale comment on ERST_SIZE macro (stable-fixes). - xhci: split free interrupter into separate remove and free parts (git-fixes). - xsk: Add truesize to skb_add_rx_frag() (git-fixes). - xsk: Do not assume metadata is always requested in TX completion (git-fixes). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2007-1 Released: Wed Jun 18 16:03:17 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1239012,1239543,1240132,1241463,1243887,1243901,1244105 This update for libzypp, zypper fixes the following issues: - Fix credential handling in HEAD requests (bsc#1244105) - RepoInfo: use pathNameSetTrailingSlash - Fix wrong userdata parameter type when running zypp with debug verbosity (bsc#1239012) - Do not warn about no mirrors if mirrorlist was switched on automatically. (bsc#1243901) - Relax permission of cached packages to 0644 & ~umask (bsc#1243887) - Add a note to service maintained .repo file entries - Support using %{url} variable in a RIS service's repo section. - Use a cookie file to validate mirrorlist cache. This patch extends the mirrorlist code to use a cookie file to validate the contents of the cache against the source URL, making sure that we do not accidentally use an old cache when the mirrorlist url was changed.
For example when migrating a system from one release to the next where the same repo alias might just have a different URL. - Let Service define and update gpgkey, mirrorlist and metalink. - Preserve a mirrorlist file in the raw cache during refresh. - Enable curl2 backend and parallel package download by default. Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1> can be used to turn the features on or off. - Make gpgKeyUrl the default source for gpg keys. When refreshing zypp now primarily uses gpgKeyUrl information from the repo files and only falls back to an automatically generated key Url if a gpgKeyUrl was not specified. - Introduce mirrors into the Media backends (bsc#1240132) - Drop MediaMultiCurl backend. - Throttle progress updates when preloading packages (bsc#1239543) - Check if request is in valid state in CURL callbacks - spec/CMake: add conditional build '--with[out] classic_rpmtrans_as_default'. classic_rpmtrans is the current builtin default for SUSE, otherwise it's single_rpmtrans. The `enable_preview_single_rpmtrans_as_default_for_zypper` switch was removed from the spec file. Accordingly the CMake option ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed. - BuildRequires: libzypp-devel >= 17.37.0. - Use libzypp improvements for preload and mirror handling. - xmlout.rnc: Update repo-element (bsc#1241463) Add the 'metalink' attribute and reflect that the 'url' elements list may in fact be empty, if no baseurls are defined in the .repo files. - man: update --allow-unsigned-rpm description. Explain how to achieve the same for packages provided by repositories.
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute paths (bsc#1244509). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2025-1 Released: Thu Jun 19 15:17:49 2025 Summary: Recommended update for google-guest-configs Type: recommended Severity: important References: 1241112 This update for google-guest-configs fixes the following issues: - Check that %{_sysconfdir}/sysconfig/network/ifcfg-eth0 actually exists before making any modifications to it (bsc#1241112) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2080-1 Released: Tue Jun 24 12:26:23 2025 Summary: Security update for pam-config Type: security Severity: important References: 1243226,CVE-2025-6018 This update for pam-config fixes the following issues: - CVE-2025-6018: Stop adding pam_env in AUTH stack, and be sure to put this module at the very end of the SESSION stack (bsc#1243226).
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2103-1 Released: Wed Jun 25 10:26:23 2025 Summary: Recommended update for cifs-utils Type: recommended Severity: important References: 1243488 This update for cifs-utils fixes the following issues: - Add patches: * Fix cifs.mount with krb5 auth (bsc#1243488) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2104-1 Released: Wed Jun 25 10:26:59 2025 Summary: Recommended update for nfs-utils Type: recommended Severity: important References: 1240899 This update for nfs-utils fixes the following issues: - gssd: add support for an 'allowed-enctypes' option in nfs.conf (bsc#1240899) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2149-1 Released: Fri Jun 27 07:21:48 2025 Summary: Security update for google-osconfig-agent Type: security Severity: important References: 1239948,1244304,1244503,CVE-2024-45339 This update for google-osconfig-agent fixes the following issues: - Update to version 20250416.02 (bsc#1244304, bsc#1244503) * defaultSleeper: tolerate 10% difference to reduce test flakiness * Add output of some packagemanagers to the testdata - from version 20250416.01 * Refactor OS Info package - from version 20250416.00 * Report RPM inventory as YUM instead of empty SoftwarePackage when neither Zypper nor YUM are installed. - from version 20250414.00 * Update hash computation algorithm - Update to version 20250320.00 * Bump github.com/envoyproxy/protoc-gen-validate from 1.1.0 to 1.2.1 - from version 20250318.00 * Bump go.opentelemetry.io/otel/sdk/metric from 1.32.0 to 1.35.0 - from version 20250317.02 * Bump cel.dev/expr from 0.18.0 to 0.22.0 * Bump github.com/golang/glog from 1.2.3 to 1.2.4 in the go_modules group - from version 20250317.01 * Bump cloud.google.com/go/logging from 1.12.0 to 1.13.0 - from version 20250317.00 * Add tests for retryutil package. 
- from version 20250306.00 * Update OWNERS - from version 20250206.01 * Use separate counters for pre- and post-patch reboots. - from version 20250206.00 * Update owners - from version 20250203.00 * Fix the vet errors for constants in logging - from version 20250122.00 * change available package check - from version 20250121.00 * Fix Inventory reporting e2e tests. - from version 20250120.00 * fix e2e tests - Add -buildmode=pie to go build command line (bsc#1239948) - merged upstream - Renumber patches ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2167-1 Released: Mon Jun 30 09:14:40 2025 Summary: Security update for glib2 Type: security Severity: important References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leading to potential buffer overflow in GString (bsc#1244596). - CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2177-1 Released: Mon Jun 30 19:53:04 2025 Summary: Security update for sudo Type: security Severity: important References: 1245274,1245275,CVE-2025-32462,CVE-2025-32463 This update for sudo fixes the following issues: - CVE-2025-32462: Fixed a possible local privilege escalation via the --host option (bsc#1245274). - CVE-2025-32463: Fixed a possible local privilege escalation via chroot option (bsc#1245275). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2198-1 Released: Wed Jul 2 11:22:33 2025 Summary: Security update for runc Type: security Severity: low References: 1230092,CVE-2024-45310 This update for runc fixes the following issues: - CVE-2024-45310: Fixed unintentional creation of empty files/directories on host (bsc#1230092) Other fixes: - Update to runc v1.2.6.
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2226-1 Released: Fri Jul 4 15:31:04 2025 Summary: Security update for vim Type: security Severity: moderate References: 1228776,1239602,CVE-2024-41965,CVE-2025-29768 This update for vim fixes the following issues: - CVE-2024-41965: Fixed improper neutralization of argument delimiters in zip.vim that could have led to data loss (bsc#1228776). - CVE-2025-29768: Fixed double-free in dialog_changed() (bsc#1239602). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2229-1 Released: Fri Jul 4 18:02:30 2025 Summary: Security update for libssh Type: security Severity: important References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372 This update for libssh fixes the following issues: - CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311). - CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309). - CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310). - CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2237-1 Released: Mon Jul 7 14:59:13 2025 Summary: Recommended update for openssl-3 Type: recommended Severity: moderate References: This update for openssl-3 fixes the following issues: - Backport mdless cms signing support [jsc#PED-12895] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2239-1 Released: Mon Jul 7 15:32:03 2025 Summary: Recommended update for libbpf Type: recommended Severity: moderate References: 1244135 This update for libbpf fixes the following issue: - Workaround kernel module size increase, 6.15 modules are 2-4 times larger than 6.14's (bsc#1244135). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2240-1 Released: Mon Jul 7 18:16:10 2025 Summary: Recommended update for openssh Type: recommended Severity: moderate References: 1241667 This update for openssh fixes the following issue: - 'scp' on SLE 15 ignores write directory permissions for group and world (bsc#1241667). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2244-1 Released: Tue Jul 8 10:44:02 2025 Summary: Security update for systemd Type: security Severity: moderate References: 1242827,1243935,CVE-2025-4598 This update for systemd fixes the following issues: - CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935). Other bugfixes: - logs-show: get timestamp and boot ID only when necessary (bsc#1242827). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2259-1 Released: Wed Jul 9 17:18:02 2025 Summary: Recommended update for gpg2 Type: security Severity: low References: 1236931,1239119,1239817,CVE-2025-30258 This update for gpg2 fixes the following issues: - CVE-2025-30258: Fixed DoS due to a malicious subkey in the keyring (bsc#1239119). Other bugfixes: - Do not install expired sks certificate (bsc#1243069). - gpg hangs when importing a key (bsc#1236931). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2263-1 Released: Thu Jul 10 07:25:48 2025 Summary: Recommended update for google-guest-oslogin Type: recommended Severity: important References: 1243997 This update for google-guest-oslogin fixes the following issues: - Override upstream version to address upgrade problems (bsc#1243997) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2289-1 Released: Fri Jul 11 13:12:28 2025 Summary: Security update for docker Type: security Severity: moderate References: 1239765,1240150,1241830,1242114,1243833,1244035,CVE-2025-0495,CVE-2025-22872 This update for docker fixes the following issues: Update to Docker 28.2.2-ce (bsc#1243833, bsc#1242114): - CVE-2025-0495: Fixed credential leakage to telemetry endpoints when credentials are allowed to be set as attribute values in cache-to/cache-from configuration (bsc#1239765). - CVE-2025-22872: golang.org/x/net/html: incorrectly interpreted tags can cause content to be placed in the wrong scope during DOM construction (bsc#1241830). Other fixes: - Update to docker-buildx v0.22.0. - Always clear SUSEConnect suse_* secrets when starting containers (bsc#1244035). - Disable transparent SUSEConnect support for SLE-16. (jsc#PED-12534) - Now that the only blocker for docker-buildx support was removed for SLE-16, enable docker-buildx for SLE-16 as well. (jsc#PED-8905) - SUSEConnect secrets fails in SLES rootless docker containers (bsc#1240150).
The following package changes have been done: - cifs-utils-6.15-150400.3.15.1 updated - docker-28.2.2_ce-150000.227.1 updated - glib2-tools-2.78.6-150600.4.16.1 updated - google-guest-configs-20241205.00-150400.13.22.1 updated - google-guest-oslogin-20240311.01-150000.1.53.1 updated - google-osconfig-agent-20250416.02-150000.1.50.1 updated - gpg2-2.4.4-150600.3.9.1 updated - kernel-default-6.4.0-150600.23.53.1 updated - libbpf1-1.2.2-150600.3.6.2 updated - libgio-2_0-0-2.78.6-150600.4.16.1 updated - libglib-2_0-0-2.78.6-150600.4.16.1 updated - libgmodule-2_0-0-2.78.6-150600.4.16.1 updated - libgobject-2_0-0-2.78.6-150600.4.16.1 updated - libnfsidmap1-1.0-150600.28.12.1 updated - libopenssl3-3.1.4-150600.5.33.1 updated - libssh-config-0.9.8-150600.11.3.1 updated - libssh4-0.9.8-150600.11.3.1 updated - libsystemd0-254.25-150600.4.40.1 updated - libudev1-254.25-150600.4.40.1 updated - libzypp-17.37.5-150600.3.60.1 updated - nfs-client-2.6.4-150600.28.12.1 updated - openssh-clients-9.6p1-150600.6.29.2 updated - openssh-common-9.6p1-150600.6.29.2 updated - openssh-server-config-disallow-rootlogin-9.6p1-150600.6.29.2 updated - openssh-server-9.6p1-150600.6.29.2 updated - openssh-9.6p1-150600.6.29.2 updated - openssl-3-3.1.4-150600.5.33.1 updated - pam-config-1.1-150600.16.8.1 updated - pam-1.3.0-150000.6.83.1 updated - perl-base-5.26.1-150300.17.20.1 updated - perl-5.26.1-150300.17.20.1 updated - runc-1.2.6-150000.73.2 updated - sudo-1.9.15p5-150600.3.9.1 updated - systemd-254.25-150600.4.40.1 updated - udev-254.25-150600.4.40.1 updated - vim-data-common-9.1.1406-150500.20.27.1 updated - vim-9.1.1406-150500.20.27.1 updated - zypper-1.14.90-150600.10.34.3 updated - e2fsprogs-1.47.0-150600.4.6.2 removed - libext2fs2-1.47.0-150600.4.6.2 removed From sle-container-updates at lists.suse.com Wed Jul 16 09:06:35 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 16 Jul 2025 11:06:35 +0200 (CEST) Subject: SUSE-CU-2025:5359-1: 
Security update of bci/bci-sle15-kernel-module-devel Message-ID: <20250716090635.29313FCF8@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5359-1 Container Tags : bci/bci-sle15-kernel-module-devel:15.7 , bci/bci-sle15-kernel-module-devel:15.7-41.23 , bci/bci-sle15-kernel-module-devel:latest Container Release : 41.23 Severity : important Type : security References : 1012628 1151679 1151680 1151794 1151927 1210025 1211226 1215199 1218184 1220112 1223008 1226498 1228478 1228557 1228854 1229491 1229655 1230337 1231913 1232504 1232882 1233482 1235064 1235490 1235728 1235968 1236208 1237200 1237312 1237887 1237895 1237905 1237910 1237913 1238212 1238478 1238495 1238508 1238741 1238859 1238965 1238982 1238995 1239063 1239090 1239485 1239925 1240170 1240180 1240577 1240579 1240589 1240610 1240650 1240686 1240696 1240702 1240710 1240723 1240798 1240814 1240823 1240866 1240998 1241166 1241191 1241278 1241298 1241340 1241388 1241414 1241457 1241492 1241519 1241538 1241544 1241572 1241576 1241590 1241592 1241595 1241617 1241625 1241635 1241644 1241654 1241689 1242035 1242044 1242086 1242163 1242343 1242414 1242501 1242504 1242508 1242512 1242514 1242515 1242520 1242521 1242524 1242529 1242530 1242531 1242532 1242556 1242559 1242563 1242564 1242565 1242566 1242567 1242568 1242569 1242573 1242574 1242575 1242577 1242578 1242584 1242587 1242591 1242709 1242724 1242725 1242727 1242729 1242758 1242760 1242761 1242764 1242766 1242770 1242781 1242782 1242785 1242792 1242834 1242846 1242849 1242850 1242863 1242865 1242871 1242873 1242906 1242907 1242908 1242909 1242930 1242940 1242943 1242945 1242946 1242947 1242948 1242949 1242952 1242953 1242954 1242955 1242957 1242959 1242961 1242964 1242966 1242967 1242973 1242974 1242977 1242982 1242990 1243000 1243006 1243011 1243015 1243049 1243051 1243055 1243060 1243074 1243076 1243082 1243330 1243342 
1243456 1243467 1243469 1243470 1243471 1243472 1243473 1243475 1243476 1243480 1243506 1243509 1243511 1243514 1243515 1243516 1243517 1243522 1243523 1243524 1243528 1243529 1243530 1243534 1243536 1243537 1243538 1243540 1243542 1243543 1243544 1243545 1243548 1243551 1243559 1243560 1243562 1243567 1243571 1243572 1243573 1243574 1243575 1243589 1243620 1243621 1243624 1243625 1243626 1243627 1243628 1243649 1243659 1243660 1243664 1243698 1243774 1243782 1243823 1243827 1243832 1243836 1243847 1244100 1244145 1244172 1244174 1244176 1244229 1244234 1244241 1244261 1244274 1244275 1244277 1244309 1244313 1244337 1244626 1244725 1244727 1244729 1244731 1244732 1244736 1244737 1244738 1244739 1244743 1244746 1244747 1244759 1244789 1244862 1244906 1244938 1244995 1244996 1244999 1245001 1245003 1245004 1245025 1245042 1245046 1245078 1245081 1245082 1245083 1245101 1245155 1245183 1245193 1245210 1245217 1245225 1245226 1245228 1245431 1245455 CVE-2023-52888 CVE-2023-53146 CVE-2024-26762 CVE-2024-26831 CVE-2024-41085 CVE-2024-43869 CVE-2024-49568 CVE-2024-50034 CVE-2024-50106 CVE-2024-50293 CVE-2024-56541 CVE-2024-56613 CVE-2024-56699 CVE-2024-57982 CVE-2024-57987 CVE-2024-57988 CVE-2024-57995 CVE-2024-58004 CVE-2024-58015 CVE-2024-58053 CVE-2024-58062 CVE-2024-58077 CVE-2024-58098 CVE-2024-58099 CVE-2024-58100 CVE-2024-58237 CVE-2025-21629 CVE-2025-21658 CVE-2025-21713 CVE-2025-21720 CVE-2025-21770 CVE-2025-21805 CVE-2025-21824 CVE-2025-21842 CVE-2025-21849 CVE-2025-21868 CVE-2025-21880 CVE-2025-21898 CVE-2025-21899 CVE-2025-21901 CVE-2025-21911 CVE-2025-21920 CVE-2025-21938 CVE-2025-21939 CVE-2025-21940 CVE-2025-21959 CVE-2025-21987 CVE-2025-21997 CVE-2025-22005 CVE-2025-22023 CVE-2025-22035 CVE-2025-22066 CVE-2025-22083 CVE-2025-22089 CVE-2025-22095 CVE-2025-22111 CVE-2025-22113 CVE-2025-22119 CVE-2025-22120 CVE-2025-22124 CVE-2025-23141 CVE-2025-23142 CVE-2025-23144 CVE-2025-23146 CVE-2025-23147 CVE-2025-23148 CVE-2025-23149 CVE-2025-23151 CVE-2025-23155 
CVE-2025-23156 CVE-2025-23157 CVE-2025-23158 CVE-2025-23159 CVE-2025-23161 CVE-2025-23162 CVE-2025-37738 CVE-2025-37740 CVE-2025-37741 CVE-2025-37742 CVE-2025-37743 CVE-2025-37747 CVE-2025-37752 CVE-2025-37754 CVE-2025-37756 CVE-2025-37757 CVE-2025-37758 CVE-2025-37761 CVE-2025-37763 CVE-2025-37764 CVE-2025-37765 CVE-2025-37766 CVE-2025-37767 CVE-2025-37768 CVE-2025-37769 CVE-2025-37770 CVE-2025-37771 CVE-2025-37772 CVE-2025-37781 CVE-2025-37782 CVE-2025-37786 CVE-2025-37788 CVE-2025-37791 CVE-2025-37792 CVE-2025-37793 CVE-2025-37794 CVE-2025-37796 CVE-2025-37798 CVE-2025-37800 CVE-2025-37801 CVE-2025-37805 CVE-2025-37810 CVE-2025-37811 CVE-2025-37812 CVE-2025-37813 CVE-2025-37814 CVE-2025-37815 CVE-2025-37816 CVE-2025-37819 CVE-2025-37836 CVE-2025-37837 CVE-2025-37839 CVE-2025-37840 CVE-2025-37841 CVE-2025-37844 CVE-2025-37847 CVE-2025-37848 CVE-2025-37849 CVE-2025-37850 CVE-2025-37851 CVE-2025-37852 CVE-2025-37853 CVE-2025-37854 CVE-2025-37858 CVE-2025-37859 CVE-2025-37861 CVE-2025-37862 CVE-2025-37865 CVE-2025-37867 CVE-2025-37868 CVE-2025-37869 CVE-2025-37871 CVE-2025-37873 CVE-2025-37874 CVE-2025-37875 CVE-2025-37881 CVE-2025-37884 CVE-2025-37888 CVE-2025-37889 CVE-2025-37890 CVE-2025-37891 CVE-2025-37892 CVE-2025-37897 CVE-2025-37900 CVE-2025-37901 CVE-2025-37903 CVE-2025-37905 CVE-2025-37909 CVE-2025-37911 CVE-2025-37912 CVE-2025-37913 CVE-2025-37914 CVE-2025-37915 CVE-2025-37917 CVE-2025-37918 CVE-2025-37921 CVE-2025-37923 CVE-2025-37925 CVE-2025-37927 CVE-2025-37928 CVE-2025-37929 CVE-2025-37930 CVE-2025-37931 CVE-2025-37932 CVE-2025-37933 CVE-2025-37934 CVE-2025-37936 CVE-2025-37937 CVE-2025-37938 CVE-2025-37943 CVE-2025-37944 CVE-2025-37945 CVE-2025-37946 CVE-2025-37948 CVE-2025-37951 CVE-2025-37953 CVE-2025-37954 CVE-2025-37959 CVE-2025-37961 CVE-2025-37963 CVE-2025-37965 CVE-2025-37967 CVE-2025-37968 CVE-2025-37969 CVE-2025-37970 CVE-2025-37972 CVE-2025-37973 CVE-2025-37978 CVE-2025-37979 CVE-2025-37980 CVE-2025-37981 CVE-2025-37982 CVE-2025-37983 
CVE-2025-37985 CVE-2025-37986 CVE-2025-37987 CVE-2025-37989 CVE-2025-37990 CVE-2025-37992 CVE-2025-37994 CVE-2025-37995 CVE-2025-37997 CVE-2025-37998 CVE-2025-38000 CVE-2025-38001 CVE-2025-38003 CVE-2025-38004 CVE-2025-38005 CVE-2025-38007 CVE-2025-38009 CVE-2025-38010 CVE-2025-38011 CVE-2025-38013 CVE-2025-38014 CVE-2025-38015 CVE-2025-38018 CVE-2025-38020 CVE-2025-38022 CVE-2025-38023 CVE-2025-38024 CVE-2025-38027 CVE-2025-38031 CVE-2025-38040 CVE-2025-38043 CVE-2025-38044 CVE-2025-38045 CVE-2025-38053 CVE-2025-38055 CVE-2025-38057 CVE-2025-38059 CVE-2025-38060 CVE-2025-38065 CVE-2025-38068 CVE-2025-38072 CVE-2025-38077 CVE-2025-38078 CVE-2025-38079 CVE-2025-38080 CVE-2025-38081 CVE-2025-38083 CVE-2025-38104 CVE-2025-38240 CVE-2025-39735 CVE-2025-40014 ----------------------------------------------------------------- The container bci/bci-sle15-kernel-module-devel was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2301-1 Released: Mon Jul 14 11:48:57 2025 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1229655 This update for cyrus-sasl fixes the following issues: - Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097) - Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2307-1 Released: Mon Jul 14 14:30:54 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: The SUSE Linux Enterprise 15 SP7 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2023-52888: media: mediatek: vcodec: Only free buffer VA that is not NULL (bsc#1228557). - CVE-2024-49568: net/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving proposal msg (bsc#1235728). - CVE-2024-57982: xfrm: state: fix out-of-bounds read during lookup (bsc#1237913). - CVE-2024-57995: wifi: ath12k: fix read pointer after free in ath12k_mac_assign_vif_to_vdev() (bsc#1237895). - CVE-2024-58053: rxrpc: Fix handling of received connection abort (bsc#1238982). - CVE-2025-21720: xfrm: delete intermediate secpath entry in packet offload mode (bsc#1238859).
- CVE-2025-21868: kABI workaround for adding an header (bsc#1240180). - CVE-2025-21898: ftrace: Avoid potential division by zero in function_stat_show() (bsc#1240610). - CVE-2025-21899: tracing: Fix bad hist from corrupting named_triggers list (bsc#1240577). - CVE-2025-21920: vlan: enforce underlying device type (bsc#1240686). - CVE-2025-21938: mptcp: fix 'scheduling while atomic' in mptcp_pm_nl_append_new_local_addr (bsc#1240723). - CVE-2025-21959: netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() (bsc#1240814). - CVE-2025-21997: xsk: fix an integer overflow in xp_create_and_assign_umem() (bsc#1240823). - CVE-2025-22035: tracing: Fix use-after-free in print_graph_function_flags during tracer switching (bsc#1241544). - CVE-2025-22111: kABI fix for net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF (bsc#1241572). - CVE-2025-22113: ext4: define ext4_journal_destroy wrapper (bsc#1241617). - CVE-2025-23155: net: stmmac: Fix accessing freed irq affinity_hint (bsc#1242573). - CVE-2025-37738: ext4: ignore xattrs past end (bsc#1242846). - CVE-2025-37743: wifi: ath12k: Avoid memory leak while enabling statistics (bsc#1242163). - CVE-2025-37752: net_sched: sch_sfq: move the limit validation (bsc#1242504). - CVE-2025-37756: net: tls: explicitly disallow disconnect (bsc#1242515). - CVE-2025-37757: tipc: fix memory leak in tipc_link_xmit (bsc#1242521). - CVE-2025-37786: net: dsa: free routing table on probe failure (bsc#1242725). - CVE-2025-37800: driver core: fix potential NULL pointer dereference in dev_uevent() (bsc#1242849). - CVE-2025-37801: spi: spi-imx: Add check for spi_imx_setupxfer() (bsc#1242850). - CVE-2025-37811: usb: chipidea: ci_hdrc_imx: fix usbmisc handling (bsc#1242907). - CVE-2025-37837: iommu/tegra241-cmdqv: Fix warnings due to dmam_free_coherent() (bsc#1242952). - CVE-2025-37844: cifs: avoid NULL pointer dereference in dbg call (bsc#1242946). 
- CVE-2025-37859: page_pool: avoid infinite loop to schedule delayed worker (bsc#1243051). - CVE-2025-37862: HID: pidff: Fix null pointer dereference in pidff_find_fields (bsc#1242982). - CVE-2025-37865: net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported (bsc#1242954). - CVE-2025-37874: net: ngbe: fix memory leak in ngbe_probe() error path (bsc#1242940). - CVE-2025-37884: bpf: Fix deadlock between rcu_tasks_trace and event_mutex (bsc#1243060). - CVE-2025-37909: net: lan743x: Fix memleak issue when GSO enabled (bsc#1243467). - CVE-2025-37917: net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll (bsc#1243475). - CVE-2025-37921: vxlan: vnifilter: Fix unlocked deletion of default FDB entry (bsc#1243480). - CVE-2025-37923: tracing: Fix oob write in trace_seq_to_buffer() (bsc#1243551). - CVE-2025-37927: iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid (bsc#1243620). - CVE-2025-37933: octeon_ep: Fix host hang issue during device reboot (bsc#1243628). - CVE-2025-37936: perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value (bsc#1243537). - CVE-2025-37938: tracing: Verify event formats that have '%*p..' (bsc#1243544). - CVE-2025-37945: net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY (bsc#1243538). - CVE-2025-37954: smb: client: Avoid race in open_cached_dir with lease breaks (bsc#1243664). - CVE-2025-37961: ipvs: fix uninit-value for saddr in do_output_route4 (bsc#1243523). - CVE-2025-37967: usb: typec: ucsi: displayport: Fix deadlock (bsc#1243572). - CVE-2025-37968: iio: light: opt3001: fix deadlock due to concurrent flag access (bsc#1243571). - CVE-2025-37987: pds_core: Prevent possible adminq overflow/stuck condition (bsc#1243542). - CVE-2025-37992: net_sched: Flush gso_skb list too during ->change() (bsc#1243698). - CVE-2025-37995: module: ensure that kobject_put() is safe for module type kobjects (bsc#1243827). 
- CVE-2025-37997: netfilter: ipset: fix region locking in hash types (bsc#1243832). - CVE-2025-37998: openvswitch: Fix unsafe attribute parsing in output_userspace() (bsc#1243836). - CVE-2025-38000: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (bsc#1244277). - CVE-2025-38001: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice (bsc#1244234). - CVE-2025-38011: drm/amdgpu: csa unmap use uninterruptible lock (bsc#1244729). - CVE-2025-38018: net/tls: fix kernel panic when alloc_page failed (bsc#1244999). - CVE-2025-38053: idpf: fix null-ptr-deref in idpf_features_check (bsc#1244746). - CVE-2025-38055: perf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq (bsc#1244747). - CVE-2025-38057: espintcp: fix skb leaks (bsc#1244862). - CVE-2025-38060: bpf: abort verification if env->cur_state->loop_entry != NULL (bsc#1245155). - CVE-2025-38072: libnvdimm/labels: Fix divide error in nd_label_data_init() (bsc#1244743). The following non-security bugs were fixed: - ACPI: Add missing prototype for non CONFIG_SUSPEND/CONFIG_X86 case (stable-fixes). - ACPI: CPPC: Fix NULL pointer dereference when nosmp is used (git-fixes). - ACPI: HED: Always initialize before evged (stable-fixes). - ACPI: OSI: Stop advertising support for '3.0 _SCP Extensions' (git-fixes). - ACPI: PNP: Add Intel OC Watchdog IDs to non-PNP device list (stable-fixes). - ACPI: battery: negate current when discharging (stable-fixes). - ACPI: bus: Bail out if acpi_kobj registration fails (stable-fixes). - ACPICA: Avoid sequence overread in call to strncmp() (stable-fixes). - ACPICA: Utilities: Fix spelling mistake 'Incremement' -> 'Increment' (git-fixes). - ACPICA: exserial: do not forget to handle FFixedHW opregions for reading (git-fixes). - ACPICA: fix acpi operand cache leak in dswstate.c (stable-fixes). - ACPICA: fix acpi parse and parseext cache leaks (stable-fixes). - ACPICA: utilities: Fix overflow check in vsnprintf() (stable-fixes). 
- ALSA: hda/intel: Add Thinkpad E15 to PM deny list (stable-fixes). - ALSA: hda/realtek: Add quirk for HP Spectre x360 15-df1xxx (stable-fixes). - ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14ASP10 (stable-fixes). - ALSA: hda/realtek: Enable PC beep passthrough for HP EliteBook 855 G7 (stable-fixes). - ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X507UAR (git-fixes). - ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X513EA (git-fixes). - ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged (stable-fixes). - ALSA: pcm: Fix race of buffer access at PCM OSS layer (stable-fixes). - ALSA: seq: Improve data consistency at polling (stable-fixes). - ALSA: usb-audio: Accept multiple protocols in GTBs (stable-fixes). - ALSA: usb-audio: Add Pioneer DJ DJM-V10 support (stable-fixes). - ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock (stable-fixes). - ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1 (stable-fixes). - ALSA: usb-audio: Add name for HP Engage Go dock (stable-fixes). - ALSA: usb-audio: Check shutdown at endpoint_set_interface() (stable-fixes). - ALSA: usb-audio: Fix NULL pointer deref in snd_usb_power_domain_set() (git-fixes). - ALSA: usb-audio: Fix duplicated name in MIDI substream names (stable-fixes). - ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() (git-fixes). - ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound card (stable-fixes). - ALSA: usb-audio: Rename Pioneer mixer channel controls (git-fixes). - ALSA: usb-audio: Set MIDI1 flag appropriately for GTB MIDI 1.0 entry (stable-fixes). - ALSA: usb-audio: Skip setting clock selector for single connections (stable-fixes). - ALSA: usb-audio: Support multiple control interfaces (stable-fixes). - ALSA: usb-audio: Support read-only clock selector control (stable-fixes). - ALSA: usb-audio: enable support for Presonus Studio 1824c within 1810c file (stable-fixes). 
- ALSA: usb-audio: mixer: Remove temporary string use in parse_clock_source_unit (stable-fixes). - ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX (git-fixes). - ASoC: Intel: avs: Verify content returned by parse_int_array() (git-fixes). - ASoC: Intel: bytcr_rt5640: Add DMI quirk for Acer Aspire SW3-013 (stable-fixes). - ASoC: SOF: Intel: hda-bus: Use PIO mode on ACE2+ platforms (git-fixes). - ASoC: SOF: ipc4-pcm: Adjust pipeline_list->pipelines allocation type (git-fixes). - ASoC: amd: yc: Add quirk for Lenovo Yoga Pro 7 14ASP9 (stable-fixes). - ASoC: apple: mca: Constrain channels according to TDM mask (git-fixes). - ASoC: codecs: hda: Fix RPM usage count underflow (git-fixes). - ASoC: codecs: pcm3168a: Allow for 24-bit in provider mode (stable-fixes). - ASoC: cs42l43: Disable headphone clamps during type detection (stable-fixes). - ASoC: imx-card: Adjust over allocation of memory in imx_card_parse_of() (stable-fixes). - ASoC: mediatek: mt6359: Add stub for mt6359_accdet_enable_jack_detect (stable-fixes). - ASoC: mediatek: mt8188: Add reference for dmic clocks (stable-fixes). - ASoC: mediatek: mt8188: Treat DMIC_GAINx_CUR as non-volatile (stable-fixes). - ASoC: mediatek: mt8195: Set ETDM1/2 IN/OUT to COMP_DUMMY() (git-fixes). - ASoC: meson: meson-card-utils: use of_property_present() for DT parsing (git-fixes). - ASoC: ops: Enforce platform maximum on initial value (stable-fixes). - ASoC: qcom: sdm845: Add error handling in sdm845_slim_snd_hw_params() (git-fixes). - ASoC: qcom: sm8250: explicitly set format in sm8250_be_hw_params_fixup() (stable-fixes). - ASoC: rt722-sdca: Add some missing readable registers (stable-fixes). - ASoC: soc-dai: check return value at snd_soc_dai_set_tdm_slot() (stable-fixes). - ASoC: sun4i-codec: support hp-det-gpios property (stable-fixes). - ASoC: tas2764: Add reg defaults for TAS2764_INT_CLK_CFG (stable-fixes). - ASoC: tas2764: Enable main IRQs (git-fixes). - ASoC: tas2764: Mark SW_RESET as volatile (stable-fixes). 
- ASoC: tas2764: Power up/down amp on mute ops (stable-fixes). - ASoC: tas2764: Reinit cache on part reset (git-fixes). - ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change (stable-fixes). - ASoC: tegra210_ahub: Add check to of_device_get_match_data() (stable-fixes). - ASoC: ti: omap-hdmi: Re-add dai_link->platform to fix card init (git-fixes). - Bluetooth: Fix NULL pointer deference on eir_get_service_data (git-fixes). - Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION (git-fixes). - Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete (git-fixes). - Bluetooth: MGMT: Fix sparse errors (git-fixes). - Bluetooth: MGMT: Remove unused mgmt_pending_find_data (stable-fixes). - Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach() (git-fixes). - Bluetooth: Remove pending ACL connection attempts (stable-fixes). - Bluetooth: btintel: Check dsbr size from EFI variable (git-fixes). - Bluetooth: btintel_pcie: Fix driver not posting maximum rx buffers (git-fixes). - Bluetooth: btintel_pcie: Increase the tx and rx descriptor count (git-fixes). - Bluetooth: btintel_pcie: Reduce driver buffer posting to prevent race condition (git-fixes). - Bluetooth: eir: Fix possible crashes on eir_create_adv_data (git-fixes). - Bluetooth: hci_conn: Fix UAF Write in __hci_acl_create_connection_sync (git-fixes). - Bluetooth: hci_conn: Only do ACL connections sequentially (stable-fixes). - Bluetooth: hci_core: fix list_for_each_entry_rcu usage (git-fixes). - Bluetooth: hci_event: Fix not using key encryption size when its known (git-fixes). - Bluetooth: hci_qca: move the SoC type check to the right place (git-fixes). - Bluetooth: hci_sync: Fix UAF in hci_acl_create_conn_sync (git-fixes). - Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync (git-fixes). - Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance (git-fixes). - Documentation/rtla: Fix duplicate text about timerlat tracer (git-fixes). 
- Documentation/rtla: Fix typo in common_timerlat_description.rst (git-fixes). - Documentation/rtla: Fix typo in rtla-timerlat.rst (git-fixes). - Documentation: ACPI: Use all-string data node references (git-fixes). - Documentation: fix typo in root= kernel parameter description (git-fixes). - HID: lenovo: Restrict F7/9/11 mode to compact keyboards only (git-fixes). - HID: quirks: Add ADATA XPG alpha wireless mouse support (stable-fixes). - HID: usbkbd: Fix the bit shift number for LED_KANA (stable-fixes). - HID: wacom: fix kobject reference count leak (git-fixes). - HID: wacom: fix memory leak on kobject creation failure (git-fixes). - HID: wacom: fix memory leak on sysfs attribute creation failure (git-fixes). - IB/cm: Drop lockdep assert and WARN when freeing old msg (git-fixes) - Input: gpio-keys - fix possible concurrent access in gpio_keys_irq_timer() (git-fixes). - Input: ims-pcu - check record size in ims_pcu_flash_firmware() (git-fixes). - Input: sparcspkr - avoid unannotated fall-through (stable-fixes). - Input: xpad - add more controllers (stable-fixes). - KVM: powerpc: Enable commented out BUILD_BUG_ON() assertion (bsc#1215199). - KVM: s390: rename PROT_NONE to PROT_TYPE_DUMMY (git-fixes bsc#1245225). - MyBS: Correctly generate build flags for non-multibuild package limit (bsc# 1244241) Fixes: 0999112774fc ('MyBS: Use buildflags to set which package to build') - MyBS: Do not build kernel-obs-qa with limit_packages Fixes: 58e3f8c34b2b ('bs-upload-kernel: Pass limit_packages also on multibuild') - MyBS: Simplify qa_expr generation Start with a 0 which makes the expression valid even if there are no QA repositories (currently does not happen). Then separator is always needed. - NFC: nci: uart: Set tty->disc_data only in success path (git-fixes). - NFS: Do not allow waiting for exiting tasks (git-fixes). - NFSD: Insulate nfsd4_encode_read_plus() from page boundaries in the encode buffer (git-fixes). 
- NFSv4: Check for delegation validity in nfs_start_delegation_return_locked() (git-fixes). - NFSv4: Treat ENETUNREACH errors as fatal for state recovery (git-fixes). - PCI/DPC: Initialize aer_err_info before using it (git-fixes). - PCI/DPC: Log Error Source ID only when valid (git-fixes). - PCI/DPC: Use defines with DPC reason fields (git-fixes). - PCI/MSI: Size device MSI domain with the maximum number of vectors (git-fixes). - PCI/PM: Set up runtime PM even for devices without PCI PM (git-fixes). - PCI: Add ACS quirk for Loongson PCIe (stable-fixes). - PCI: Explicitly put devices into D0 when initializing (git-fixes). - PCI: Fix lock symmetry in pci_slot_unlock() (git-fixes). - PCI: Fix old_size lower bound in calculate_iosize() too (stable-fixes). - PCI: apple: Set only available ports up (git-fixes). - PCI: apple: Use gpiod_set_value_cansleep in probe flow (git-fixes). - PCI: brcmstb: Add a softdep to MIP MSI-X driver (stable-fixes). - PCI: brcmstb: Expand inbound window size up to 64GB (stable-fixes). - PCI: cadence-ep: Correct PBA offset in .set_msix() callback (git-fixes). - PCI: cadence: Fix runtime atomic count underflow (git-fixes). - PCI: dw-rockchip: Fix PHY function call sequence in rockchip_pcie_phy_deinit() (git-fixes). - PCI: dw-rockchip: Remove PCIE_L0S_ENTRY check from rockchip_pcie_link_up() (git-fixes). - PCI: dwc: ep: Correct PBA offset in .set_msix() callback (git-fixes). - PCI: dwc: ep: Ensure proper iteration over outbound map windows (stable-fixes). - PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes). - PCI: vmd: Disable MSI remapping bypass under Xen (stable-fixes). - PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn() (stable-fixes). - PM: sleep: Fix power.is_suspended cleanup for direct-complete devices (git-fixes). - PM: sleep: Print PM debug messages during hibernation (git-fixes). - PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks() (git-fixes). 
- RDMA/core: Fix best page size finding when it can cross SG entries (git-fixes) - RDMA/uverbs: Propagate errors from rdma_lookup_get_uobject() (git-fixes) - Remove compress-vmlinux.sh /usr/lib/rpm/brp-suse.d/brp-99-compress-vmlinux was added in pesign-obs-integration during SLE12 RC. This workaround can be removed. - Remove host-memcpy-hack.h This might have been useful at some point but we have more things that depend on specific library versions today. - Remove try-disable-staging-driver The config for linux-next is autogenerated from master config, and defaults filled for missing options. This is unlikely to enable any staging driver in the first place. - Revert 'ALSA: usb-audio: Skip setting clock selector for single connections' (stable-fixes). - Revert 'arm64: dts: allwinner: h6: Use RSB for AXP805 PMIC (git-fixes) - Revert 'bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first' (stable-fixes). - Revert 'drm/amdgpu: do not allow userspace to create a doorbell BO' (stable-fixes). - Revert 'ipv6: save dontfrag in cork (git-fixes).' - Revert 'kABI: ipv6: save dontfrag in cork (git-fixes).' - Revert 'wifi: mt76: mt7996: fill txd by host driver' (stable-fixes). - Revert 'wifi: mwifiex: Fix HT40 bandwidth issue.' (git-fixes). - SUNRPC: Do not allow waiting for exiting tasks (git-fixes). - SUNRPC: Prevent hang on NFS mount with xprtsec=[m]tls (git-fixes). - SUNRPC: rpc_clnt_set_transport() must not change the autobind setting (git-fixes). - SUNRPC: rpcbind should never reset the port to the value '0' (git-fixes). - USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB (stable-fixes). - VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify (git-fixes). - accel/ivpu: Improve buffer object logging (git-fixes). - accel/ivpu: Use dma_resv_lock() instead of a custom mutex (git-fixes). - accel/qaic: Mask out SR-IOV PCI resources (stable-fixes). - acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio() (git-fixes). 
- add bug reference to existing hv_storvsc change (bsc#1245455). - arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs (git-fixes) - ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode (stable-fixes). - ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 (stable-fixes). - ath10k: snoc: fix unbalanced IRQ enable in crash recovery (git-fixes). - backlight: pm8941: Add NULL check in wled_configure() (git-fixes). - bnxt: properly flush XDP redirect lists (git-fixes). - bpf: Force uprobe bpf program to always return 0 (git-fixes). - bs-upload-kernel: Pass limit_packages also on multibuild Fixes: 0999112774fc ('MyBS: Use buildflags to set which package to build') Fixes: 747f601d4156 ('bs-upload-kernel, MyBS, Buildresults: Support multibuild (JSC-SLE#5501, boo#1211226, bsc#1218184)') - btrfs: fix fsync of files with no hard links not persisting deletion (git-fixes). - btrfs: fix invalid data space release when truncating block in NOCOW mode (git-fixes). - btrfs: fix qgroup reservation leak on failure to allocate ordered extent (git-fixes). - btrfs: fix wrong start offset for delalloc space release during mmap write (git-fixes). - btrfs: remove end_no_trans label from btrfs_log_inode_parent() (git-fixes). - btrfs: simplify condition for logging new dentries at btrfs_log_inode_parent() (git-fixes). - bus: fsl-mc: do not add a device-link for the UAPI used DPMCP device (git-fixes). - bus: fsl-mc: fix GET/SET_TAILDROP command ids (git-fixes). - bus: fsl-mc: fix double-free on mc_dev (git-fixes). - bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value (stable-fixes). - bus: mhi: host: Fix conflict between power_up and SYSERR (git-fixes). - calipso: Fix null-ptr-deref in calipso_req_{set,del}attr() (git-fixes). - can: c_can: Use of_property_present() to test existence of DT property (stable-fixes). - can: tcan4x5x: fix power regulator retrieval during probe (git-fixes). - ceph: Fix incorrect flush end position calculation (git-fixes). 
- ceph: allocate sparse_ext map only for sparse reads (git-fixes). - ceph: fix memory leaks in __ceph_sync_read() (git-fixes). - cgroup/cpuset: Do not allow creation of local partition over a remote one (bsc#1241166). - cgroup/cpuset: Fix race between newly created partition and dying one (bsc#1241166). - cifs: change tcon status when need_reconnect is set on it (git-fixes). - clocksource: Fix brown-bag boolean thinko in (git-fixes) - clocksource: Make watchdog and suspend-timing multiplication (git-fixes) - crypto: lrw - Only add ecb if it is not already there (git-fixes). - crypto: lzo - Fix compression buffer overrun (stable-fixes). - crypto: marvell/cesa - Avoid empty transfer descriptor (git-fixes). - crypto: marvell/cesa - Do not chain submitted requests (git-fixes). - crypto: marvell/cesa - Handle zero-length skcipher requests (git-fixes). - crypto: octeontx2 - suppress auth failure screaming due to negative tests (stable-fixes). - crypto: qat - add shutdown handler to qat_420xx (git-fixes). - crypto: qat - add shutdown handler to qat_4xxx (git-fixes). - crypto: skcipher - Zap type in crypto_alloc_sync_skcipher (stable-fixes). - crypto: sun8i-ce - move fallback ahash_request to the end of the struct (git-fixes). - crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare() (git-fixes). - crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions (git-fixes). - crypto: xts - Only add ecb if it is not already there (git-fixes). - devlink: Fix referring to hw_addr attribute during state validation (git-fixes). - devlink: fix port dump cmd type (git-fixes). - dlm: mask sk_shutdown value (bsc#1228854). - dlm: use SHUT_RDWR for SCTP shutdown (bsc#1228854). - dmaengine: idxd: cdev: Fix uninitialized use of sva in idxd_cdev_open (stable-fixes). - dmaengine: ti: Add NULL check in udma_probe() (git-fixes). - drivers/rapidio/rio_cm.c: prevent possible heap overwrite (stable-fixes). 
- drm/amd/display/dm: drop hw_support check in amdgpu_dm_i2c_xfer() (stable-fixes). - drm/amd/display: Add debugging message for brightness caps (bsc#1240650). - drm/amd/display: Add null pointer check for get_first_active_display() (git-fixes). - drm/amd/display: Add support for disconnected eDP streams (stable-fixes). - drm/amd/display: Call FP Protect Before Mode Programming/Mode Support (stable-fixes). - drm/amd/display: Configure DTBCLK_P with OPTC only for dcn401 (stable-fixes). - drm/amd/display: Correct timing_adjust_pending flag setting (stable-fixes). - drm/amd/display: Defer BW-optimization-blocked DRR adjustments (git-fixes). - drm/amd/display: Do not enable replay when vtotal update is pending (stable-fixes). - drm/amd/display: Do not treat wb connector as physical in create_validate_stream_for_sink (stable-fixes). - drm/amd/display: Do not try AUX transactions on disconnected link (stable-fixes). - drm/amd/display: Ensure DMCUB idle before reset on DCN31/DCN35 (stable-fixes). - drm/amd/display: Fix BT2020 YCbCr limited/full range input (stable-fixes). - drm/amd/display: Fix DMUB reset sequence for DCN401 (stable-fixes). - drm/amd/display: Fix default DC and AC levels (bsc#1240650). - drm/amd/display: Fix incorrect DPCD configs while Replay/PSR switch (stable-fixes). - drm/amd/display: Fix p-state type when p-state is unsupported (stable-fixes). - drm/amd/display: Guard against setting dispclk low for dcn31x (stable-fixes). - drm/amd/display: Guard against setting dispclk low when active (stable-fixes). - drm/amd/display: Increase block_sequence array size (stable-fixes). - drm/amd/display: Initial psr_version with correct setting (stable-fixes). - drm/amd/display: Populate register address for dentist for dcn401 (stable-fixes). - drm/amd/display: Read LTTPR ALPM caps during link cap retrieval (stable-fixes). - drm/amd/display: Request HW cursor on DCN3.2 with SubVP (stable-fixes). 
- drm/amd/display: Skip checking FRL_MODE bit for PCON BW determination (stable-fixes). - drm/amd/display: Support multiple options during psr entry (stable-fixes). - drm/amd/display: Update CR AUX RD interval interpretation (stable-fixes). - drm/amd/display: Use Nominal vBlank If Provided Instead Of Capping It (stable-fixes). - drm/amd/display: calculate the remain segments for all pipes (stable-fixes). - drm/amd/display: check stream id dml21 wrapper to get plane_id (stable-fixes). - drm/amd/display: fix dcn4x init failed (stable-fixes). - drm/amd/display: fix link_set_dpms_off multi-display MST corner case (stable-fixes). - drm/amd/display: handle max_downscale_src_width fail check (stable-fixes). - drm/amd/display: not abort link train when bw is low (stable-fixes). - drm/amd/display: pass calculated dram_speed_mts to dml2 (stable-fixes). - drm/amd/display: remove minimum Dispclk and apply oem panel timing (stable-fixes). - drm/amd/pm: Fetch current power limit from PMFW (stable-fixes). - drm/amd/pm: Skip P2S load for SMU v13.0.12 (stable-fixes). - drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table (git-fixes). - drm/amd: Adjust output for discovery error handling (git-fixes). - drm/amdgpu/discovery: check ip_discovery fw file available (stable-fixes). - drm/amdgpu/gfx11: do not read registers in mqd init (stable-fixes). - drm/amdgpu/gfx12: do not read registers in mqd init (stable-fixes). - drm/amdgpu/mes11: fix set_hw_resources_1 calculation (stable-fixes). - drm/amdgpu: Allow P2P access through XGMI (stable-fixes). - drm/amdgpu: Do not program AGP BAR regs under SRIOV in gfxhub_v1_0.c (stable-fixes). - drm/amdgpu: Fix missing drain retry fault the last entry (stable-fixes). - drm/amdgpu: Fix the race condition for draining retry fault (stable-fixes). - drm/amdgpu: Set snoop bit for SDMA for MI series (stable-fixes). - drm/amdgpu: Skip pcie_replay_count sysfs creation for VF (stable-fixes). 
- drm/amdgpu: Update SRIOV video codec caps (stable-fixes). - drm/amdgpu: Use active umc info from discovery (stable-fixes). - drm/amdgpu: adjust drm_firmware_drivers_only() handling (stable-fixes). - drm/amdgpu: enlarge the VBIOS binary size limit (stable-fixes). - drm/amdgpu: read back register after written for VCN v4.0.5 (stable-fixes). - drm/amdgpu: release xcp_mgr on exit (stable-fixes). - drm/amdgpu: remove all KFD fences from the BO on release (stable-fixes). - drm/amdgpu: reset psp->cmd to NULL after releasing the buffer (stable-fixes). - drm/amdgpu: switch job hw_fence to amdgpu_fence (git-fixes). - drm/amdkfd: Correct F8_MODE for gfx950 (git-fixes). - drm/amdkfd: KFD release_work possible circular locking (stable-fixes). - drm/amdkfd: Set per-process flags only once cik/vi (stable-fixes). - drm/amdkfd: Set per-process flags only once for gfx9/10/11/12 (stable-fixes). - drm/amdkfd: fix missing L2 cache info in topology (stable-fixes). - drm/amdkfd: set precise mem ops caps to disabled for gfx 11 and 12 (stable-fixes). - drm/ast: Find VBIOS mode from regular display size (stable-fixes). - drm/ast: Fix comment on modeset lock (git-fixes). - drm/atomic: clarify the rules around drm_atomic_state->allow_modeset (stable-fixes). - drm/bridge: cdns-dsi: Check return value when getting default PHY config (git-fixes). - drm/bridge: cdns-dsi: Fix connecting to next bridge (git-fixes). - drm/bridge: cdns-dsi: Fix phy de-init and flag it so (git-fixes). - drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() (git-fixes). - drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready (git-fixes). - drm/bridge: lt9611uxc: Fix an error handling path in lt9611uxc_probe() (git-fixes). - drm/buddy: fix issue that force_merge cannot free all roots (stable-fixes). - drm/etnaviv: Protect the scheduler's pending list with its lock (git-fixes). - drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1 (git-fixes). 
- drm/i915/guc: Check if expecting reply before decrementing outstanding_submission_g2h (git-fixes). - drm/i915/guc: Handle race condition where wakeref count drops below 0 (git-fixes). - drm/i915/pmu: Fix build error with GCOV and AutoFDO enabled (git-fixes). - drm/i915/psr: Fix using wrong mask in REG_FIELD_PREP (git-fixes). - drm/i915: fix build error some more (git-fixes). - drm/mediatek: Fix kobject put for component sub-drivers (git-fixes). - drm/mediatek: mtk_dpi: Add checks for reg_h_fre_con existence (stable-fixes). - drm/mediatek: mtk_drm_drv: Fix kobject put for mtk_mutex device ptr (git-fixes). - drm/mediatek: mtk_drm_drv: Unbind secondary mmsys components on err (git-fixes). - drm/msm/a6xx: Disable rgb565_predicator on Adreno 7c3 (git-fixes). - drm/msm/a7xx: Call CP_RESET_CONTEXT_STATE (git-fixes). - drm/msm/disp: Correct porch timing for SDM845 (git-fixes). - drm/msm/dpu: Clear CTL_FETCH_PIPE_ACTIVE before blend setup (git-fixes). - drm/msm/dpu: Clear CTL_FETCH_PIPE_ACTIVE on ctl_path reset (git-fixes). - drm/msm/dpu: enable SmartDMA on SC8180X (git-fixes). - drm/msm/dpu: enable SmartDMA on SM8150 (git-fixes). - drm/msm/dsi/dsi_phy_10nm: Fix missing initial VCO rate (git-fixes). - drm/msm/gpu: Fix crash when throttling GPU immediately during boot (git-fixes). - drm/msm: Fix CP_RESET_CONTEXT_STATE bitfield names (git-fixes). - drm/nouveau/bl: increase buffer size to avoid truncate warning (git-fixes). - drm/nouveau: fix the broken marco GSP_MSG_MAX_SIZE (stable-fixes). - drm/panel-edp: Add Starry 116KHD024006 (stable-fixes). - drm/panel-simple: fix the warnings for the Evervision VGG644804 (git-fixes). - drm/panel: samsung-sofef00: Drop s6e3fc2x01 support (git-fixes). - drm/panic: add missing space (git-fixes). - drm/panthor: Fix GPU_COHERENCY_ACE[_LITE] definitions (git-fixes). - drm/panthor: Update panthor_mmu::irq::mask when needed (git-fixes). - drm/rockchip: vop2: Add uv swap for cluster window (stable-fixes). 
- drm/rockchip: vop2: Improve display modes handling on RK3588 HDMI0 (stable-fixes). - drm/ssd130x: fix ssd132x_clear_screen() columns (git-fixes). - drm/tegra: Assign plane type before registration (git-fixes). - drm/tegra: Fix a possible null pointer dereference (git-fixes). - drm/tegra: rgb: Fix the unbound reference count (git-fixes). - drm/udl: Unregister device before cleaning up on disconnect (git-fixes). - drm/v3d: Add clock handling (stable-fixes). - drm/v3d: Avoid NULL pointer dereference in `v3d_job_update_stats()` (stable-fixes). - drm/vc4: tests: Use return instead of assert (git-fixes). - drm/vkms: Adjust vkms_state->active_planes allocation type (git-fixes). - drm/vmwgfx: Add error path for xa_store in vmw_bo_add_detached_resource (git-fixes). - drm/vmwgfx: Add seqno waiter for sync_files (git-fixes). - drm/vmwgfx: Fix dumb buffer leak (git-fixes). - drm/xe/bmg: Update Wa_16023588340 (git-fixes). - drm/xe/d3cold: Set power state to D3Cold during s2idle/s3 (git-fixes). - drm/xe/debugfs: Add missing xe_pm_runtime_put in wedge_mode_set (stable-fixes). - drm/xe/debugfs: fixed the return value of wedged_mode_set (stable-fixes). - drm/xe/display: Add check for alloc_ordered_workqueue() (git-fixes). - drm/xe/gt: Update handling of xe_force_wake_get return (stable-fixes). - drm/xe/oa: Ensure that polled read returns latest data (stable-fixes). - drm/xe/pf: Create a link between PF and VF devices (stable-fixes). - drm/xe/pf: Reset GuC VF config when unprovisioning critical resource (stable-fixes). - drm/xe/relay: Do not use GFP_KERNEL for new transactions (stable-fixes). - drm/xe/sa: Always call drm_suballoc_manager_fini() (stable-fixes). - drm/xe/sched: stop re-submitting signalled jobs (git-fixes). - drm/xe/vf: Retry sending MMIO request to GUC on timeout error (stable-fixes). - drm/xe/vm: move rebind_work init earlier (git-fixes). - drm/xe/xe2hpg: Add Wa_22021007897 (stable-fixes). - drm/xe: Create LRC BO without VM (git-fixes). 
- drm/xe: Do not attempt to bootstrap VF in execlists mode (stable-fixes). - drm/xe: Fix memset on iomem (git-fixes). - drm/xe: Fix xe_tile_init_noalloc() error propagation (stable-fixes). - drm/xe: Make xe_gt_freq part of the Documentation (git-fixes). - drm/xe: Move suballocator init to after display init (stable-fixes). - drm/xe: Nuke VM's mapping upon close (stable-fixes). - drm/xe: Process deferred GGTT node removals on device unwind (git-fixes). - drm/xe: Reject BO eviction if BO is bound to current VM (stable-fixes). - drm/xe: Retry BO allocation (stable-fixes). - drm/xe: Rework eviction rejection of bound external bos (git-fixes). - drm/xe: Save the gt pointer in lrc and drop the tile (stable-fixes). - drm/xe: Stop ignoring errors from xe_ttm_stolen_mgr_init() (stable-fixes). - drm/xe: Wire up device shutdown handler (stable-fixes). - drm/xe: remove unmatched xe_vm_unlock() from __xe_exec_queue_init() (git-fixes). - drm/xe: xe_gen_wa_oob: replace program_invocation_short_name (stable-fixes). - drm: Add valid clones check (stable-fixes). - drm: bridge: adv7511: fill stream capabilities (stable-fixes). - drm: rcar-du: Fix memory leak in rcar_du_vsps_init() (git-fixes). - dummycon: Trigger redraw when switching consoles with deferred takeover (git-fixes). - e1000e: set fixed clock frequency indication for Nahum 11 and Nahum 13 (git-fixes). - efi/libstub: Describe missing 'out' parameter in efi_load_initrd (git-fixes). - fbcon: Make sure modelist not set on unregistered console (stable-fixes). - fbcon: Use correct erase colour for clearing in fbcon (stable-fixes). - fbdev/efifb: Remove PM for parent device (bsc#1244261). - fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var (git-fixes). - fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var (git-fixes). - fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() (git-fixes). 
- fbdev: core: tileblit: Implement missing margin clearing for tileblit (stable-fixes). - fbdev: fsl-diu-fb: add missing device_remove_file() (stable-fixes). - fgraph: Still initialize idle shadow stacks when starting (git-fixes). - firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES (git-fixes). - firmware: arm_ffa: Reject higher major version as incompatible (stable-fixes). - firmware: arm_ffa: Set dma_mask for ffa devices (stable-fixes). - firmware: arm_scmi: Relax duplicate name constraint across protocol ids (stable-fixes). - firmware: psci: Fix refcount leak in psci_dt_init (git-fixes). - fpga: altera-cvp: Increase credit timeout (stable-fixes). - fs/nfs/read: fix double-unlock bug in nfs_return_empty_folio() (git-fixes). - gpio: mlxbf3: only get IRQ for device instance 0 (git-fixes). - gpio: pca953x: Simplify code with cleanup helpers (stable-fixes). - gpio: pca953x: Split pca953x_restore_context() and pca953x_save_context() (stable-fixes). - gpio: pca953x: fix IRQ storm on system wake up (git-fixes). - gpiolib: Revert 'Do not WARN on gpiod_put() for optional GPIO' (stable-fixes). - gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt (git-fixes). - gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO (git-fixes). - hwmon: (asus-ec-sensors) check sensor index in read_string() (git-fixes). - hwmon: (dell-smm) Increment the number of fans (stable-fixes). - hwmon: (ftsteutates) Fix TOCTOU race in fts_read() (git-fixes). - hwmon: (gpio-fan) Add missing mutex locks (stable-fixes). - hwmon: (nct6775): Actually make use of the HWMON_NCT6775 symbol namespace (git-fixes). - hwmon: (occ) Rework attribute registration for stack usage (git-fixes). - hwmon: (occ) fix unaligned accesses (git-fixes). - hwmon: (peci/dimmtemp) Do not provide fake thresholds data (git-fixes). - hwmon: (xgene-hwmon) use appropriate type for the latency value (stable-fixes). - hwmon: corsair-psu: add USB id of HX1200i Series 2023 psu (git-fixes). 
- i2c: designware: Invoke runtime suspend on quick slave re-registration (stable-fixes). - i2c: npcm: Add clock toggle recovery (stable-fixes). - i2c: pxa: fix call balance of i2c->clk handling routines (stable-fixes). - i2c: qup: Vote for interconnect bandwidth to DRAM (stable-fixes). - i2c: robotfuzz-osif: disable zero-length read messages (git-fixes). - i2c: tegra: check msg length in SMBUS block read (bsc#1242086) - i2c: tiny-usb: disable zero-length read messages (git-fixes). - i3c: master: svc: Fix implicit fallthrough in svc_i3c_master_ibi_work() (git-fixes). - i3c: master: svc: Fix missing STOP for master request (stable-fixes). - i3c: master: svc: Flush FIFO before sending Dynamic Address Assignment(DAA) (stable-fixes). - i40e: retry VFLR handling if there is ongoing VF reset (git-fixes). - i40e: return false from i40e_reset_vf if reset is in progress (git-fixes). - ice: Fix LACP bonds without SRIOV environment (git-fixes). - ice: create new Tx scheduler nodes for new queues only (git-fixes). - ice: fix Tx scheduler error handling in XDP callback (git-fixes). - ice: fix rebuilding the Tx scheduler tree for large queue counts (git-fixes). - ice: fix vf->num_mac count with port representors (git-fixes). - ieee802154: ca8210: Use proper setters and getters for bitwise types (stable-fixes). - iio: accel: fxls8962af: Fix temperature scan element sign (git-fixes). - iio: adc: ad7124: Fix 3dB filter frequency reading (git-fixes). - iio: adc: ad7606_spi: fix reg write value mask (git-fixes). - iio: filter: admv8818: Support frequencies >= 2^32 (git-fixes). - iio: filter: admv8818: fix band 4, state 15 (git-fixes). - iio: filter: admv8818: fix integer overflow (git-fixes). - iio: filter: admv8818: fix range calculation (git-fixes). - iio: imu: inv_icm42600: Fix temperature calculation (git-fixes). - ima: Suspend PCR extends and log appends when rebooting (bsc#1210025 ltc#196650). - ima: process_measurement() needlessly takes inode_lock() on MAY_READ (stable-fixes). 
- intel_th: avoid using deprecated page->mapping, index fields (stable-fixes). - iommu: Protect against overflow in iommu_pgsize() (git-fixes). - iommu: Skip PASID validation for devices without PASID capability (bsc#1244100) - iommu: Validate the PASID in iommu_attach_device_pasid() (bsc#1244100) - ip6mr: fix tables suspicious RCU usage (git-fixes). - ip_tunnel: annotate data-races around t->parms.link (git-fixes). - ipmr: fix incorrect parameter validation in the ip_mroute_getsockopt() function (git-fixes). - ipmr: fix tables suspicious RCU usage (git-fixes). - ipv4: Convert ip_route_input() to dscp_t (git-fixes). - ipv4: Correct/silence an endian warning in __ip_do_redirect (git-fixes). - ipv6: save dontfrag in cork (git-fixes). - ipvs: Always clear ipvs_property flag in skb_scrub_packet() (git-fixes). - isolcpus: fix bug in returning number of allocated cpumask (bsc#1243774). - jffs2: check jffs2_prealloc_raw_node_refs() result in few other places (git-fixes). - jffs2: check that raw node were preallocated before writing summary (git-fixes). - kABI workaround for hda_codec.beep_just_power_on flag (git-fixes). - kABI: PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes). - kABI: ipv6: save dontfrag in cork (git-fixes). - kABI: serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes). - kabi: restore layout of struct cgroup_subsys (bsc#1241166). - kabi: restore layout of struct mem_control (jsc#PED-12551). - kabi: restore layout of struct page_counter (jsc#PED-12551). - kernel-source: Do not use multiple -r in sed parameters - kernel-source: Remove log.sh from sources - leds: pwm-multicolor: Add check for fwnode_property_read_u32 (stable-fixes). - loop: Add sanity check for read/write_iter (git-fixes). - loop: add file_start_write() and file_end_write() (git-fixes). - mailbox: use error ret code of of_parse_phandle_with_args() (stable-fixes). 
- md/raid1,raid10: do not handle IO error for REQ_RAHEAD and REQ_NOWAIT (git-fixes). - md/raid1: Add check for missing source disk in process_checks() (git-fixes). - media: adv7180: Disable test-pattern control on adv7180 (stable-fixes). - media: c8sectpfe: Call of_node_put(i2c_bus) only once in c8sectpfe_probe() (stable-fixes). - media: ccs-pll: Check for too high VT PLL multiplier in dual PLL case (git-fixes). - media: ccs-pll: Correct the upper limit of maximum op_pre_pll_clk_div (git-fixes). - media: ccs-pll: Start OP pre-PLL multiplier search from correct value (git-fixes). - media: ccs-pll: Start VT pre-PLL multiplier search from correct value (git-fixes). - media: cx231xx: set device_caps for 417 (stable-fixes). - media: cxusb: no longer judge rbuf when the write fails (git-fixes). - media: davinci: vpif: Fix memory leak in probe error path (git-fixes). - media: gspca: Add error handling for stv06xx_read_sensor() (git-fixes). - media: i2c: imx219: Correct the minimum vblanking value (stable-fixes). - media: imx-jpeg: Cleanup after an allocation error (git-fixes). - media: imx-jpeg: Drop the first error frames (git-fixes). - media: imx-jpeg: Move mxc_jpeg_free_slot_data() ahead (git-fixes). - media: imx-jpeg: Reset slot data pointers when freed (git-fixes). - media: intel/ipu6: Fix dma mask for non-secure mode (git-fixes). - media: ipu6: Remove workaround for Meteor Lake ES2 (git-fixes). - media: nxp: imx8-isi: better handle the m2m usage_count (git-fixes). - media: omap3isp: use sgtable-based scatterlist wrappers (git-fixes). - media: ov2740: Move pm-runtime cleanup on probe-errors to proper place (git-fixes). - media: ov5675: suppress probe deferral errors (git-fixes). - media: ov8856: suppress probe deferral errors (git-fixes). - media: platform: mtk-mdp3: Remove unused mdp_get_plat_device (git-fixes). - media: qcom: camss: csid: Only add TPG v4l2 ctrl if TPG hardware is available (stable-fixes). - media: rkvdec: Fix frame size enumeration (git-fixes). 
- media: tc358746: improve calculation of the D-PHY timing registers (stable-fixes). - media: test-drivers: vivid: do not call schedule in loop (stable-fixes). - media: uvcvideo: Add sanity check to uvc_ioctl_xu_ctrl_map (stable-fixes). - media: uvcvideo: Fix deferred probing error (git-fixes). - media: uvcvideo: Handle uvc menu translation inside uvc_get_le_value (stable-fixes). - media: uvcvideo: Return the number of processed controls (git-fixes). - media: v4l2-dev: fix error handling in __video_register_device() (git-fixes). - media: v4l: Memset argument to 0 before calling get_mbus_config pad op (stable-fixes). - media: venus: Fix probe error handling (git-fixes). - media: verisilicon: Free post processor buffers on error (git-fixes). - media: videobuf2: use sgtable-based scatterlist wrappers (git-fixes). - media: vidtv: Terminating the subsequent process of initialization failure (git-fixes). - media: vivid: Change the siize of the composing (git-fixes). - mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove() (git-fixes). - mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE (git-fixes). - mfd: tps65219: Remove TPS65219_REG_TI_DEV_ID check (stable-fixes). - mkspec: Exclude rt flavor from kernel-syms dependencies (bsc#1244337). - mm, memcg: cg2 memory{.swap,}.peak write handlers (jsc#PED-12551). - mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race (bsc#1245431). - mm/hugetlb: unshare page tables during VMA split, not before (bsc#1245431). - mm/memcontrol: export memcg.swap watermark via sysfs for v2 memcg (jsc#PED-12551). - mmc: Add quirk to disable DDR50 tuning (stable-fixes). - mmc: dw_mmc: add exynos7870 DW MMC support (stable-fixes). - mmc: host: Wait for Vdd to settle on card power off (stable-fixes). - mmc: sdhci: Disable SD card clock before changing parameters (stable-fixes). - mtd: nand: ecc-mxic: Fix use of uninitialized variable ret (git-fixes). 
- mtd: nand: sunxi: Add randomizer configuration before randomizer enable (git-fixes). - mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk (git-fixes). - neighbour: Do not let neigh_forced_gc() disable preemption for long (git-fixes). - net/mdiobus: Fix potential out-of-bounds clause 45 read/write access (git-fixes). - net/mdiobus: Fix potential out-of-bounds read/write access (git-fixes). - net/mlx4_en: Prevent potential integer overflow calculating Hz (git-fixes). - net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid() (git-fixes). - net/mlx5: Ensure fw pages are always allocated on same NUMA (git-fixes). - net/mlx5: Fix ECVF vports unload on shutdown flow (git-fixes). - net/mlx5: Fix return value when searching for existing flow group (git-fixes). - net/mlx5_core: Add error handling inmlx5_query_nic_vport_qkey_viol_cntr() (git-fixes). - net/mlx5e: Fix leak of Geneve TLV option object (git-fixes). - net/neighbor: clear error in case strict check is not set (git-fixes). - net/sched: fix use-after-free in taprio_dev_notifier (git-fixes). - net: Fix TOCTOU issue in sk_is_readable() (git-fixes). - net: Implement missing getsockopt(SO_TIMESTAMPING_NEW) (git-fixes). - net: add rcu safety to rtnl_prop_list_size() (git-fixes). - net: fix udp gso skb_segment after pull from frag_list (git-fixes). - net: give more chances to rcu in netdev_wait_allrefs_any() (git-fixes). - net: ice: Perform accurate aRFS flow match (git-fixes). - net: ipv4: fix a memleak in ip_setup_cork (git-fixes). - net: linkwatch: use system_unbound_wq (git-fixes). - net: mana: Add support for Multi Vports on Bare metal (bsc#1244229). - net: mana: Record doorbell physical address in PF mode (bsc#1244229). - net: page_pool: fix warning code (git-fixes). - net: phy: clear phydev->devlink when the link is deleted (git-fixes). - net: phy: fix up const issues in to_mdio_device() and to_phy_device() (git-fixes). 
- net: phy: move phy_link_change() prior to mdio_bus_phy_may_suspend() (bsc#1243538) - net: phy: mscc: Fix memory leak when using one step timestamping (git-fixes). - net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames (git-fixes). - net: sched: cls_u32: Fix allocation size in u32_init() (git-fixes). - net: sched: consistently use rcu_replace_pointer() in taprio_change() (git-fixes). - net: sched: em_text: fix possible memory leak in em_text_destroy() (git-fixes). - net: sched: fix erspan_opt settings in cls_flower (git-fixes). - net: usb: aqc111: debug info before sanitation (git-fixes). - net: usb: aqc111: fix error handling of usbnet read calls (git-fixes). - net: wwan: t7xx: Fix napi rx poll issue (git-fixes). - net_sched: ets: fix a race in ets_qdisc_change() (git-fixes). - net_sched: prio: fix a race in prio_tune() (git-fixes). - net_sched: red: fix a race in __red_change() (git-fixes). - net_sched: sch_fifo: implement lockless __fifo_dump() (bsc#1237312) - net_sched: sch_sfq: reject invalid perturb period (git-fixes). - net_sched: sch_sfq: use a temporary work area for validating configuration (bsc#1232504) - net_sched: tbf: fix a race in tbf_change() (git-fixes). - netdev-genl: Hold rcu_read_lock in napi_get (git-fixes). - netlink: fix potential sleeping issue in mqueue_flush_file (git-fixes). - netlink: specs: dpll: replace underscores with dashes in names (git-fixes). - netpoll: Use rcu_access_pointer() in __netpoll_setup (git-fixes). - netpoll: hold rcu read lock in __netpoll_send_skb() (git-fixes). - nfsd: Initialize ssc before laundromat_work to prevent NULL dereference (git-fixes). - nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request (git-fixes). - nfsd: validate the nfsd_serv pointer before calling svc_wake_up (git-fixes). 
- ntp: Clamp maxerror and esterror to operating range (git-fixes) - ntp: Remove invalid cast in time offset math (git-fixes) - ntp: Safeguard against time_constant overflow (git-fixes) - nvme-fc: do not reference lsrsp after failure (bsc#1245193). - nvme-pci: add NVME_QUIRK_NO_DEEPEST_PS quirk for SOLIDIGM P44 Pro (git-fixes). - nvme-pci: add quirks for WDC Blue SN550 15b7:5009 (git-fixes). - nvme-pci: add quirks for device 126f:1001 (git-fixes). - nvme: always punt polled uring_cmd end_io work to task_work (git-fixes). - nvme: fix command limits status code (git-fixes). - nvme: fix implicit bool to flags conversion (git-fixes). - nvmet-fc: free pending reqs on tgtport unregister (bsc#1245193). - nvmet-fc: take tgtport refs for portentry (bsc#1245193). - nvmet-fcloop: access fcpreq only when holding reqlock (bsc#1245193). - nvmet-fcloop: add missing fcloop_callback_host_done (bsc#1245193). - nvmet-fcloop: allocate/free fcloop_lsreq directly (bsc#1245193). - nvmet-fcloop: do not wait for lport cleanup (bsc#1245193). - nvmet-fcloop: drop response if targetport is gone (bsc#1245193). - nvmet-fcloop: prevent double port deletion (bsc#1245193). - nvmet-fcloop: refactor fcloop_delete_local_port (bsc#1245193). - nvmet-fcloop: refactor fcloop_nport_alloc and track lport (bsc#1245193). - nvmet-fcloop: remove nport from list on last user (bsc#1245193). - nvmet-fcloop: track ref counts for nports (bsc#1245193). - nvmet-fcloop: update refs on tfcp_req (bsc#1245193). - orangefs: Do not truncate file size (git-fixes). - pNFS/flexfiles: Report ENETDOWN as a connection error (git-fixes). - page_pool: Fix use-after-free in page_pool_recycle_in_ring (git-fixes). - phy: core: do not require set_mode() callback for phy_get_mode() to work (stable-fixes). - phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug (git-fixes). - phy: renesas: rcar-gen3-usb2: Add support to initialize the bus (stable-fixes). - phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off (git-fixes). 
- phy: renesas: rcar-gen3-usb2: Lock around hardware registers and driver data (git-fixes). - phy: renesas: rcar-gen3-usb2: Move IRQ request in probe (stable-fixes). - pinctrl-tegra: Restore SFSEL bit when freeing pins (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() (stable-fixes). - pinctrl: armada-37xx: set GPIO output value before setting direction (git-fixes). - pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 (git-fixes). - pinctrl: at91: Fix possible out-of-boundary access (git-fixes). - pinctrl: bcm281xx: Use 'unsigned int' instead of bare 'unsigned' (stable-fixes). - pinctrl: devicetree: do not goto err when probing hogs in pinctrl_dt_to_map (stable-fixes). - pinctrl: mcp23s08: Reset all pins to input at probe (stable-fixes). - pinctrl: meson: define the pull up/down resistor value as 60 kOhm (stable-fixes). - pinctrl: qcom: pinctrl-qcm2290: Add missing pins (git-fixes). - pinctrl: st: Drop unused st_gpio_bank() function (git-fixes). - pinctrl: tegra: Fix off by one in tegra_pinctrl_get_group() (git-fixes). - platform/x86/amd/hsmp: Add new error code and error logs (jsc#PED-13094). - platform/x86/amd/hsmp: Add support for HSMP protocol version 7 messages (jsc#PED-13094). - platform/x86/amd/hsmp: Change generic plat_dev name to hsmp_pdev (jsc#PED-13094). - platform/x86/amd/hsmp: Change the error type (jsc#PED-13094). - platform/x86/amd/hsmp: Convert amd_hsmp_rdwr() to a function pointer (jsc#PED-13094). - platform/x86/amd/hsmp: Create hsmp/ directory (jsc#PED-13094). - platform/x86/amd/hsmp: Create separate ACPI, plat and common drivers (jsc#PED-13094). 
- platform/x86/amd/hsmp: Create wrapper function init_acpi() (jsc#PED-13094). - platform/x86/amd/hsmp: Make amd_hsmp and hsmp_acpi as mutually exclusive drivers (jsc#PED-13094). - platform/x86/amd/hsmp: Make hsmp_pdev static instead of global (jsc#PED-13094). - platform/x86/amd/hsmp: Move ACPI code to acpi.c (jsc#PED-13094). - platform/x86/amd/hsmp: Move platform device specific code to plat.c (jsc#PED-13094). - platform/x86/amd/hsmp: Move structure and macros to header file (jsc#PED-13094). - platform/x86/amd/hsmp: Report power via hwmon sensor (jsc#PED-13094). - platform/x86/amd/hsmp: Use a single DRIVER_VERSION for all hsmp modules (jsc#PED-13094). - platform/x86/amd/hsmp: Use dev_groups in the driver structure (jsc#PED-13094). - platform/x86/amd/hsmp: Use name space while exporting module symbols (jsc#PED-13094). - platform/x86/amd/hsmp: acpi: Add sysfs files to display HSMP telemetry (jsc#PED-13094). - platform/x86/amd/hsmp: fix building with CONFIG_HWMON=m (jsc#PED-13094). - platform/x86/amd/hsmp: mark hsmp_msg_desc_table as maybe_unused (git-fixes). - platform/x86/amd: pmc: Clear metrics table at start of cycle (git-fixes). - platform/x86/intel-uncore-freq: Fail module load when plat_info is NULL (git-fixes). - platform/x86: amd: Use *-y instead of *-objs in Makefiles (jsc#PED-13094). - platform/x86: dell_rbu: Fix list usage (git-fixes). - platform/x86: dell_rbu: Stop overwriting data buffer (git-fixes). - platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys (git-fixes). - platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys (stable-fixes). - platform/x86: hp-bioscfg: Annotate struct bios_args with __counted_by (jsc#PED-13019). - platform/x86: hp-bioscfg: Change how enum possible values size is evaluated (jsc#PED-13019). - platform/x86: hp-bioscfg: Change how order list size is evaluated (jsc#PED-13019). - platform/x86: hp-bioscfg: Change how password encoding size is evaluated (jsc#PED-13019). 
- platform/x86: hp-bioscfg: Change how prerequisites size is evaluated (jsc#PED-13019). - platform/x86: hp-bioscfg: Fix error handling in hp_add_other_attributes() (jsc#PED-13019). - platform/x86: hp-bioscfg: Fix memory leaks in attribute packages (jsc#PED-13019). - platform/x86: hp-bioscfg: Fix reference leak (jsc#PED-13019). - platform/x86: hp-bioscfg: Fix uninitialized variable errors (jsc#PED-13019). - platform/x86: hp-bioscfg: Makefile (jsc#PED-13019). - platform/x86: hp-bioscfg: Remove duplicate use of variable in inner loop (jsc#PED-13019). - platform/x86: hp-bioscfg: Remove unused obj in hp_add_other_attributes() (jsc#PED-13019). - platform/x86: hp-bioscfg: Removed needless asm-generic (jsc#PED-13019). - platform/x86: hp-bioscfg: Replace the word HACK from source code (jsc#PED-13019). - platform/x86: hp-bioscfg: Simplify return check in hp_add_other_attributes() (jsc#PED-13019). - platform/x86: hp-bioscfg: Update steps order list elements are evaluated (jsc#PED-13019). - platform/x86: hp-bioscfg: Use kmemdup() to replace kmalloc + memcpy (jsc#PED-13019). - platform/x86: hp-bioscfg: biosattr-interface (jsc#PED-13019). - platform/x86: hp-bioscfg: bioscfg (jsc#PED-13019). - platform/x86: hp-bioscfg: bioscfg-h (jsc#PED-13019). - platform/x86: hp-bioscfg: enum-attributes (jsc#PED-13019). - platform/x86: hp-bioscfg: fix a signedness bug in hp_wmi_perform_query() (jsc#PED-13019). - platform/x86: hp-bioscfg: fix error reporting in hp_add_other_attributes() (jsc#PED-13019). - platform/x86: hp-bioscfg: int-attributes (jsc#PED-13019). - platform/x86: hp-bioscfg: move mutex_lock() down in hp_add_other_attributes() (jsc#PED-13019). - platform/x86: hp-bioscfg: order-list-attributes (jsc#PED-13019). - platform/x86: hp-bioscfg: passwdobj-attributes (jsc#PED-13019). - platform/x86: hp-bioscfg: prevent a small buffer overflow (jsc#PED-13019). - platform/x86: hp-bioscfg: spmobj-attributes (jsc#PED-13019). - platform/x86: hp-bioscfg: string-attributes (jsc#PED-13019). 
- platform/x86: hp-bioscfg: surestart-attributes (jsc#PED-13019). - platform/x86: ideapad-laptop: use usleep_range() for EC polling (git-fixes). - platform/x86: thinkpad_acpi: Ignore battery threshold change event notification (stable-fixes). - platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS (git-fixes). - platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS (stable-fixes). - power: reset: at91-reset: Optimize at91_reset() (git-fixes). - power: supply: bq27xxx: Retrieve again when busy (stable-fixes). - power: supply: collie: Fix wakeup source leaks on device unbind (stable-fixes). - powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery (bsc#1215199). - powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap (bsc#1244309 ltc#213790). - powerpc/pseries/msi: Avoid reading PCI device registers in reduced power states (bsc#1215199). - powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() (bsc#1244309 ltc#213790). - pstore: Change kmsg_bytes storage size to u32 (git-fixes). - ptp: ocp: fix start time alignment in ptp_ocp_signal_set (git-fixes). - ptp: ocp: reject unsupported periodic output flags (git-fixes). - ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() (git-fixes). - r8152: add vendor/device ID pair for Dell Alienware AW1022z (git-fixes). - regulator: ad5398: Add device tree support (stable-fixes). - regulator: max14577: Add error check for max14577_read_reg() (git-fixes). - regulator: max20086: Change enable gpio to optional (git-fixes). - regulator: max20086: Fix MAX200086 chip id (git-fixes). - regulator: max20086: Fix refcount leak in max20086_parse_regulators_dt() (git-fixes). - rpm/check-for-config-changes: add more to IGNORED_CONFIGS_RE Useful when someone tries (needs) to build the kernel with clang. 
- rpm/kernel-source.changes.old: Drop bogus bugzilla reference (bsc#1244725) - rpm: Stop using is_kotd_qa macro This macro is set by bs-upload-kernel, and a conditional in each spec file is used to determine when to build the spec file. This logic should not really be in the spec file. Previously this was done with package links and package meta for the individual links. However, the use of package links is rejected for packages in git based release projects (nothing to do with git actually, new policy). An alternative to package links is multibuild. However, for multibuild packages package meta cannot be used to set which spec file gets built. Use prjcon buildflags instead, and remove this conditional. Depends on bs-upload-kernel adding the build flag. - rtc: Fix offset calculation for .start_secs < 0 (git-fixes). - rtc: Make rtc_time64_to_tm() support dates before 1970 (stable-fixes). - rtc: at91rm9200: drop unused module alias (git-fixes). - rtc: cmos: use spin_lock_irqsave in cmos_interrupt (git-fixes). - rtc: cpcap: drop unused module alias (git-fixes). - rtc: da9063: drop unused module alias (git-fixes). - rtc: ds1307: stop disabling alarms on probe (stable-fixes). - rtc: jz4740: drop unused module alias (git-fixes). - rtc: pm8xxx: drop unused module alias (git-fixes). - rtc: rv3032: fix EERD location (stable-fixes). - rtc: s3c: drop unused module alias (git-fixes). - rtc: sh: assign correct interrupts with DT (git-fixes). - rtc: stm32: drop unused module alias (git-fixes). - s390/pci: Allow re-add of a reserved but not yet removed device (bsc#1244145). - s390/pci: Fix __pcilg_mio_inuser() inline assembly (git-fixes bsc#1245226). - s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs (git-fixes bsc#1244145). - s390/pci: Fix potential double remove of hotplug slot (bsc#1244145). - s390/pci: Prevent self deletion in disable_slot() (bsc#1244145). 
- s390/pci: Remove redundant bus removal and disable from zpci_release_device() (bsc#1244145). - s390/pci: Serialize device addition and removal (bsc#1244145). - s390/pci: introduce lock to synchronize state of zpci_dev's (jsc#PED-10253 bsc#1244145). - s390/pci: remove hotplug slot when releasing the device (bsc#1244145). - s390/pci: rename lock member in struct zpci_dev (jsc#PED-10253 bsc#1244145). - s390/tty: Fix a potential memory leak bug (git-fixes bsc#1245228). - scsi: Improve CDL control (git-fixes). - scsi: dc395x: Remove DEBUG conditional compilation (git-fixes). - scsi: dc395x: Remove leftover if statement in reselect() (git-fixes). - scsi: elx: efct: Fix memory leak in efct_hw_parse_filter() (git-fixes). - scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk (git-fixes). - scsi: hisi_sas: Fix I/O errors caused by hardware port ID changes (git-fixes). - scsi: iscsi: Fix incorrect error path labels for flashnode operations (git-fixes). - scsi: megaraid_sas: Block zero-length ATA VPD inquiry (git-fixes). - scsi: mpi3mr: Add level check to control event logging (git-fixes). - scsi: mpt3sas: Fix _ctl_get_mpt_mctp_passthru_adapter() to return IOC pointer (git-fixes). - scsi: mpt3sas: Send a diag reset if target reset fails (git-fixes). - scsi: pm80xx: Set phy_attached to zero when device is gone (git-fixes). - scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops (git-fixes). - scsi: sd_zbc: block: Respect bio vector limits for REPORT ZONES buffer (git-fixes). - scsi: smartpqi: Fix smp_processor_id() call trace for preemptible kernels (git-fixes). - scsi: st: ERASE does not change tape location (git-fixes). - scsi: st: Restore some drive settings after reset (git-fixes). - scsi: st: Tighten the page format heuristics with MODE SELECT (git-fixes). - scsi: storvsc: Do not report the host packet status as the hv status (git-fixes). - scsi: storvsc: Increase the timeouts to storvsc_timeout (git-fixes). 
- selftests/bpf: Fix bpf_nf selftest failure (git-fixes).
- selftests/mm: restore default nr_hugepages value during cleanup in hugetlb_reparenting_test.sh (git-fixes).
- selftests/net: have `gro.sh -t` return a correct exit code (stable-fixes).
- selftests/seccomp: fix syscall_restart test for arm compat (git-fixes).
- serial: Fix potential null-ptr-deref in mlb_usio_probe() (git-fixes).
- serial: core: restore of_node information in sysfs (git-fixes).
- serial: imx: Restore original RXTL for console to fix data loss (git-fixes).
- serial: jsm: fix NPE during jsm_uart_port_init (git-fixes).
- serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes).
- serial: sh-sci: Move runtime PM enable to sci_probe_single() (stable-fixes).
- serial: sh-sci: Save and restore more registers (git-fixes).
- serial: sh-sci: Update the suspend/resume support (stable-fixes).
- smb3: fix Open files on server counter going negative (git-fixes).
- smb: client: Use str_yes_no() helper function (git-fixes).
- smb: client: allow more DFS referrals to be cached (git-fixes).
- smb: client: avoid unnecessary reconnects when refreshing referrals (git-fixes).
- smb: client: change return value in open_cached_dir_by_dentry() if !cfids (git-fixes).
- smb: client: do not retry DFS targets on server shutdown (git-fixes).
- smb: client: do not trust DFSREF_STORAGE_SERVER bit (git-fixes).
- smb: client: do not try following DFS links in cifs_tree_connect() (git-fixes).
- smb: client: fix DFS interlink failover (git-fixes).
- smb: client: fix DFS mount against old servers with NTLMSSP (git-fixes).
- smb: client: fix hang in wait_for_response() for negproto (bsc#1242709).
- smb: client: fix potential race in cifs_put_tcon() (git-fixes).
- smb: client: fix return value of parse_dfs_referrals() (git-fixes).
- smb: client: get rid of @nlsc param in cifs_tree_connect() (git-fixes).
- smb: client: get rid of TCP_Server_Info::refpath_lock (git-fixes).
- smb: client: get rid of kstrdup() in get_ses_refpath() (git-fixes).
- smb: client: improve purging of cached referrals (git-fixes).
- smb: client: introduce av_for_each_entry() helper (git-fixes).
- smb: client: optimize referral walk on failed link targets (git-fixes).
- smb: client: parse DNS domain name from domain= option (git-fixes).
- smb: client: parse av pair type 4 in CHALLENGE_MESSAGE (git-fixes).
- smb: client: provide dns_resolve_{unc,name} helpers (git-fixes).
- smb: client: refresh referral without acquiring refpath_lock (git-fixes).
- smb: client: remove unnecessary checks in open_cached_dir() (git-fixes).
- soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() (git-fixes).
- soc: aspeed: lpc: Fix impossible judgment condition (git-fixes).
- soc: qcom: smp2p: Fix fallback to qcom,ipc parse (git-fixes).
- soc: ti: k3-socinfo: Do not use syscon helper to build regmap (stable-fixes).
- software node: Correct a OOB check in software_node_get_reference_args() (stable-fixes).
- soundwire: amd: change the soundwire wake enable/disable sequence (stable-fixes).
- spi-rockchip: Fix register out of bounds access (stable-fixes).
- spi: bcm63xx-hsspi: fix shared reset (git-fixes).
- spi: bcm63xx-spi: fix shared reset (git-fixes).
- spi: sh-msiof: Fix maximum DMA transfer size (git-fixes).
- spi: spi-sun4i: fix early activation (stable-fixes).
- spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers (git-fixes).
- spi: tegra210-quad: modify chip select (CS) deactivation (git-fixes).
- spi: tegra210-quad: remove redundant error handling code (git-fixes).
- spi: zynqmp-gqspi: Always acknowledge interrupts (stable-fixes).
- staging: iio: ad5933: Correct settling cycles encoding per datasheet (git-fixes).
- staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() (git-fixes).
- struct usci: hide additional member (git-fixes).
- sunrpc: handle SVC_GARBAGE during svc auth processing as auth error (git-fixes).
- supported.conf: Add SNP SVSM vTPM driver
- supported.conf: add it
- supported.conf: support firmware_attributes_class
- svsm: Add header with SVSM_VTPM_CMD helpers (bsc#1241191).
- sysfb: Fix screen_info type check for VGA (git-fixes).
- tcp/dccp: allow a connection when sk_max_ack_backlog is zero (git-fixes).
- tcp/dccp: bypass empty buckets in inet_twsk_purge() (git-fixes).
- tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog (git-fixes).
- tcp: bring back NUMA dispersion in inet_ehash_locks_alloc() (git-fixes).
- tcp_metrics: optimize tcp_metrics_flush_all() (git-fixes).
- thermal/drivers/mediatek/lvts: Fix debugfs unregister on failure (git-fixes).
- thermal/drivers/qoriq: Power down TMU on system suspend (stable-fixes).
- thunderbolt: Do not add non-active NVM if NVM upgrade is disabled for retimer (stable-fixes).
- thunderbolt: Do not double dequeue a configuration request (stable-fixes).
- thunderbolt: Fix a logic error in wake on connect (git-fixes).
- thunderbolt: Improve redrive mode handling (git-fixes).
- timekeeping: Fix bogus clock_was_set() invocation in (git-fixes)
- timekeeping: Fix cross-timestamp interpolation corner case (git-fixes)
- timekeeping: Fix cross-timestamp interpolation for non-x86 (git-fixes)
- timekeeping: Fix cross-timestamp interpolation on counter (git-fixes)
- tpm: Add SNP SVSM vTPM driver (bsc#1241191).
- tpm: Make chip->{status,cancel,req_canceled} opt (bsc#1241191).
- trace/trace_event_perf: remove duplicate samples on the first tracepoint event (git-fixes).
- tracing/eprobe: Fix to release eprobe when failed to add dyn_event (git-fixes).
- tracing: Add __print_dynamic_array() helper (bsc#1243544).
- tracing: Add __string_len() example (bsc#1243544).
- tracing: Fix cmp_entries_dup() to respect sort() comparison rules (git-fixes).
- tracing: Fix compilation warning on arm32 (bsc#1243551).
- tracing: Use atomic64_inc_return() in trace_clock_counter() (git-fixes).
- truct dwc3 hide new member wakeup_pending_funcs (git-fixes).
- tty: serial: 8250_omap: fix TX with DMA for am33xx (git-fixes).
- ucsi_debugfs_entry: hide signedness change (git-fixes).
- udp: annotate data-races around up->pending (git-fixes).
- udp: fix incorrect parameter validation in the udp_lib_getsockopt() function (git-fixes).
- udp: fix receiving fraglist GSO packets (git-fixes).
- udp: preserve the connected status if only UDP cmsg (git-fixes).
- uprobes: Use kzalloc to allocate xol area (git-fixes).
- usb: Flush altsetting 0 endpoints before reinitializating them after reset (git-fixes).
- usb: cdnsp: Fix issue with detecting USB 3.2 speed (git-fixes).
- usb: cdnsp: Fix issue with detecting command completion event (git-fixes).
- usb: dwc3: gadget: Make gadget_wakeup asynchronous (git-fixes).
- usb: misc: onboard_usb_dev: fix support for Cypress HX3 hubs (git-fixes).
- usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE (stable-fixes).
- usb: renesas_usbhs: Reorder clock handling and power management in probe (git-fixes).
- usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device (stable-fixes).
- usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx() (git-fixes).
- usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work (git-fixes).
- usb: typec: ucsi: Only enable supported notifications (git-fixes).
- usb: typec: ucsi: allow non-partner GET_PDOS for Qualcomm devices (git-fixes).
- usb: typec: ucsi: fix Clang -Wsign-conversion warning (git-fixes).
- usb: typec: ucsi: fix UCSI on buggy Qualcomm devices (git-fixes).
- usb: typec: ucsi: limit the UCSI_NO_PARTNER_PDOS even further (git-fixes).
- usb: usbtmc: Fix read_stb function and get_stb ioctl (git-fixes).
- usb: usbtmc: Fix timeout value in get_stb (git-fixes).
- usb: xhci: Do not change the status of stalled TDs on failed Stop EP (stable-fixes).
- usbnet: asix AX88772: leave the carrier control to phylink (stable-fixes).
- vgacon: Add check for vc_origin address range in vgacon_scroll() (git-fixes).
- vmxnet3: correctly report gso type for UDP tunnels (bsc#1244626).
- vmxnet3: support higher link speeds from vmxnet3 v9 (bsc#1244626).
- vmxnet3: update MTU after device quiesce (bsc#1244626).
- vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl() (git-fixes).
- watchdog: da9052_wdt: respect TWDMIN (stable-fixes).
- watchdog: exar: Shorten identity name to fit correctly (git-fixes).
- watchdog: fix watchdog may detect false positive of softlockup (stable-fixes).
- watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04 (git-fixes).
- watchdog: mediatek: Add support for MT6735 TOPRGU/WDT (git-fixes).
- wifi: ath11k: Fix QMI memory reuse logic (stable-fixes).
- wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request() (git-fixes).
- wifi: ath11k: convert timeouts to secs_to_jiffies() (stable-fixes).
- wifi: ath11k: do not use static variables in ath11k_debugfs_fw_stats_process() (git-fixes).
- wifi: ath11k: do not wait when there is no vdev started (git-fixes).
- wifi: ath11k: fix node corruption in ar->arvifs list (git-fixes).
- wifi: ath11k: fix ring-buffer corruption (git-fixes).
- wifi: ath11k: fix rx completion meta data corruption (git-fixes).
- wifi: ath11k: fix soc_dp_stats debugfs file permission (stable-fixes).
- wifi: ath11k: move some firmware stats related functions outside of debugfs (git-fixes).
- wifi: ath11k: update channel list in worker when wait flag is set (bsc#1243847).
- wifi: ath11k: validate ath11k_crypto_mode on top of ath11k_core_qmi_firmware_ready (git-fixes).
- wifi: ath12k: ACPI CCA threshold support (bsc#1240998).
- wifi: ath12k: ACPI SAR support (bsc#1240998).
- wifi: ath12k: ACPI TAS support (bsc#1240998).
- wifi: ath12k: ACPI band edge channel power support (bsc#1240998).
- wifi: ath12k: Add MSDU length validation for TKIP MIC error (git-fixes).
- wifi: ath12k: Add additional checks for vif and sta iterators (bsc#1240998).
- wifi: ath12k: Add firmware coredump collection support (bsc#1240998).
- wifi: ath12k: Add htt_stats_dump file ops support (bsc#1240998).
- wifi: ath12k: Add lock to protect the hardware state (bsc#1240998).
- wifi: ath12k: Add missing htt_metadata flag in ath12k_dp_tx() (bsc#1240998).
- wifi: ath12k: Add support to enable debugfs_htt_stats (bsc#1240998).
- wifi: ath12k: Add support to parse requested stats_type (bsc#1240998).
- wifi: ath12k: Avoid -Wflex-array-member-not-at-end warnings (bsc#1240998).
- wifi: ath12k: Avoid napi_sync() before napi_enable() (stable-fixes).
- wifi: ath12k: Cache vdev configs before vdev create (bsc#1240998).
- wifi: ath12k: Dump additional Tx PDEV HTT stats (bsc#1240998).
- wifi: ath12k: Fetch regdb.bin file from board-2.bin (stable-fixes).
- wifi: ath12k: Fix WARN_ON during firmware crash in split-phy (bsc#1240998).
- wifi: ath12k: Fix WMI tag for EHT rate in peer assoc (git-fixes).
- wifi: ath12k: Fix buffer overflow in debugfs (bsc#1240998).
- wifi: ath12k: Fix devmem address prefix when logging (bsc#1240998).
- wifi: ath12k: Fix end offset bit definition in monitor ring descriptor (stable-fixes).
- wifi: ath12k: Fix for out-of bound access error (bsc#1240998).
- wifi: ath12k: Fix invalid memory access while forming 802.11 header (git-fixes).
- wifi: ath12k: Fix memory leak during vdev_id mismatch (git-fixes).
- wifi: ath12k: Fix pdev id sent to firmware for single phy devices (bsc#1240998).
- wifi: ath12k: Fix the QoS control field offset to build QoS header (git-fixes).
- wifi: ath12k: Handle error cases during extended skb allocation (git-fixes).
- wifi: ath12k: Improve BSS discovery with hidden SSID in 6 GHz band (stable-fixes).
- wifi: ath12k: Introduce device index (bsc#1240998).
- wifi: ath12k: Modify add and remove chanctx ops for single wiphy support (bsc#1240998).
- wifi: ath12k: Modify print_array_to_buf() to support arrays with 1-based semantics (bsc#1240998).
- wifi: ath12k: Modify rts threshold mac op for single wiphy (bsc#1240998).
- wifi: ath12k: Modify set and get antenna mac ops for single wiphy (bsc#1240998).
- wifi: ath12k: Optimize the lock contention of used list in Rx data path (bsc#1240998).
- wifi: ath12k: Pass correct values of center freq1 and center freq2 for 160 MHz (stable-fixes).
- wifi: ath12k: Prevent sending WMI commands to firmware during firmware crash (bsc#1240998).
- wifi: ath12k: Refactor Rxdma buffer replinish argument (bsc#1240998).
- wifi: ath12k: Refactor data path cmem init (bsc#1240998).
- wifi: ath12k: Refactor error handler of Rxdma replenish (bsc#1240998).
- wifi: ath12k: Refactor idle ring descriptor setup (bsc#1240998).
- wifi: ath12k: Refactor the hardware cookie conversion init (bsc#1240998).
- wifi: ath12k: Refactor the hardware recovery procedure (bsc#1240998).
- wifi: ath12k: Refactor the hardware state (bsc#1240998).
- wifi: ath12k: Remove unsupported tx monitor handling (bsc#1240998).
- wifi: ath12k: Remove unused ath12k_base from ath12k_hw (bsc#1240998).
- wifi: ath12k: Remove unused tcl_*_ring configuration (bsc#1240998).
- wifi: ath12k: Replace 'chip' with 'device' in hal Rx return buffer manager (bsc#1240998).
- wifi: ath12k: Report proper tx completion status to mac80211 (stable-fixes).
- wifi: ath12k: Resolve multicast packet drop by populating key_cipher in ath12k_install_key() (bsc#1240998).
- wifi: ath12k: Support BE OFDMA Pdev Rate Stats (bsc#1240998).
- wifi: ath12k: Support DMAC Reset Stats (bsc#1240998).
- wifi: ath12k: Support Pdev OBSS Stats (bsc#1240998).
- wifi: ath12k: Support Pdev Scheduled Algorithm Stats (bsc#1240998).
- wifi: ath12k: Support Ring and SFM stats (bsc#1240998).
- wifi: ath12k: Support Self-Generated Transmit stats (bsc#1240998).
- wifi: ath12k: Support TQM stats (bsc#1240998).
- wifi: ath12k: Support Transmit DE stats (bsc#1240998).
- wifi: ath12k: Support Transmit Scheduler stats (bsc#1240998).
- wifi: ath12k: Support pdev CCA Stats (bsc#1240998).
- wifi: ath12k: Support pdev Transmit Multi-user stats (bsc#1240998).
- wifi: ath12k: Support pdev error stats (bsc#1240998).
- wifi: ath12k: add 6 GHz params in peer assoc command (bsc#1240998).
- wifi: ath12k: add ATH12K_DBG_WOW log level (bsc#1240998).
- wifi: ath12k: add EMA beacon support (bsc#1240998).
- wifi: ath12k: add MBSSID beacon support (bsc#1240998).
- wifi: ath12k: add WoW net-detect functionality (bsc#1240998).
- wifi: ath12k: add basic WoW functionalities (bsc#1240998).
- wifi: ath12k: add channel 2 into 6 GHz channel list (bsc#1240998).
- wifi: ath12k: add hw_link_id in ath12k_pdev (bsc#1240998).
- wifi: ath12k: add missing lockdep_assert_wiphy() for ath12k_mac_op_ functions (bsc#1240998).
- wifi: ath12k: add multi device support for WBM idle ring buffer setup (bsc#1240998).
- wifi: ath12k: add multiple radio support in a single MAC HW un/register (bsc#1240998).
- wifi: ath12k: add panic handler (bsc#1240998).
- wifi: ath12k: add support to handle beacon miss for WCN7850 (bsc#1240998).
- wifi: ath12k: advertise driver capabilities for MBSSID and EMA (bsc#1240998).
- wifi: ath12k: allocate dummy net_device dynamically (bsc#1240998).
- wifi: ath12k: ath12k_mac_op_set_key(): fix uninitialized symbol 'ret' (bsc#1240998).
- wifi: ath12k: ath12k_mac_op_sta_state(): clean up update_wk cancellation (bsc#1240998).
- wifi: ath12k: ath12k_mac_set_key(): remove exit label (bsc#1240998).
- wifi: ath12k: avoid double SW2HW_MACID conversion (bsc#1240998).
- wifi: ath12k: avoid duplicated vdev down (bsc#1240998).
- wifi: ath12k: avoid redundant code in Rx cookie conversion init (bsc#1240998).
- wifi: ath12k: avoid stopping mac80211 queues in ath12k_core_restart() (bsc#1240998).
- wifi: ath12k: avoid unnecessary MSDU drop in the Rx error process (bsc#1240998).
- wifi: ath12k: change supports_suspend to true for WCN7850 (bsc#1240998).
- wifi: ath12k: cleanup unneeded labels (bsc#1240998).
- wifi: ath12k: configure MBSSID parameters in AP mode (bsc#1240998).
- wifi: ath12k: configure MBSSID params in vdev create/start (bsc#1240998).
- wifi: ath12k: convert struct ath12k_sta::update_wk to use struct wiphy_work (bsc#1240998).
- wifi: ath12k: correct the capital word typo (bsc#1240998).
- wifi: ath12k: create a structure for WMI vdev up parameters (bsc#1240998).
- wifi: ath12k: debugfs: radar simulation support (bsc#1240998).
- wifi: ath12k: decrease MHI channel buffer length to 8KB (bsc#1240998).
- wifi: ath12k: delete NSS and TX power setting for monitor vdev (bsc#1240998).
- wifi: ath12k: displace the Tx and Rx descriptor in cookie conversion table (bsc#1240998).
- wifi: ath12k: do not dump SRNG statistics during resume (bsc#1240998).
- wifi: ath12k: do not process consecutive RDDM event (bsc#1240998).
- wifi: ath12k: do not use %pK in dmesg format strings (bsc#1240998).
- wifi: ath12k: dynamic VLAN support (bsc#1240998).
- wifi: ath12k: dynamically update peer puncturing bitmap for STA (bsc#1240998).
- wifi: ath12k: enable WIPHY_FLAG_DISABLE_WEXT (bsc#1240998).
- wifi: ath12k: enable service flag for survey dump stats (bsc#1240998).
- wifi: ath12k: extend the link capable flag (bsc#1240998).
- wifi: ath12k: fetch correct radio based on vdev status (bsc#1240998).
- wifi: ath12k: fix A-MSDU indication in monitor mode (bsc#1240998).
- wifi: ath12k: fix ACPI warning when resume (bsc#1240998).
- wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850 (git-fixes).
- wifi: ath12k: fix NULL pointer access in ath12k_mac_op_get_survey() (bsc#1240998).
- wifi: ath12k: fix Smatch warnings on ath12k_core_suspend() (bsc#1240998).
- wifi: ath12k: fix a possible dead lock caused by ab->base_lock (stable-fixes).
- wifi: ath12k: fix ack signal strength calculation (bsc#1240998).
- wifi: ath12k: fix ath12k_hal_tx_cmd_ext_desc_setup() info1 override (stable-fixes).
- wifi: ath12k: fix build vs old compiler (bsc#1240998).
- wifi: ath12k: fix calling correct function for rx monitor mode (bsc#1240998).
- wifi: ath12k: fix cleanup path after mhi init (git-fixes).
- wifi: ath12k: fix desc address calculation in wbm tx completion (bsc#1240998).
- wifi: ath12k: fix driver initialization for WoW unsupported devices (bsc#1240998).
- wifi: ath12k: fix failed to set mhi state error during reboot with hardware grouping (stable-fixes).
- wifi: ath12k: fix flush failure in recovery scenarios (bsc#1240998).
- wifi: ath12k: fix hal_rx_buf_return_buf_manager documentation (bsc#1240998).
- wifi: ath12k: fix incorrect CE addresses (stable-fixes).
- wifi: ath12k: fix invalid access to memory (git-fixes).
- wifi: ath12k: fix key cache handling (bsc#1240998).
- wifi: ath12k: fix legacy peer association due to missing HT or 6 GHz capabilities (bsc#1240998).
- wifi: ath12k: fix link capable flags (bsc#1240998).
- wifi: ath12k: fix link valid field initialization in the monitor Rx (stable-fixes).
- wifi: ath12k: fix mac id extraction when MSDU spillover in rx error path (bsc#1240998).
- wifi: ath12k: fix macro definition HAL_RX_MSDU_PKT_LENGTH_GET (stable-fixes).
- wifi: ath12k: fix mbssid max interface advertisement (bsc#1240998).
- wifi: ath12k: fix missing endianness conversion in wmi_vdev_create_cmd() (bsc#1240998).
- wifi: ath12k: fix misspelling of 'dma' in num_rxmda_per_pdev (bsc#1240998).
- wifi: ath12k: fix node corruption in ar->arvifs list (git-fixes).
- wifi: ath12k: fix one more memcpy size error (bsc#1240998).
- wifi: ath12k: fix per pdev debugfs registration (bsc#1240998).
- wifi: ath12k: fix reusing outside iterator in ath12k_wow_vif_set_wakeups() (bsc#1240998).
- wifi: ath12k: fix ring-buffer corruption (git-fixes).
- wifi: ath12k: fix skb_ext_desc leak in ath12k_dp_tx() error path (bsc#1240998).
- wifi: ath12k: fix struct hal_rx_mpdu_start (bsc#1240998).
- wifi: ath12k: fix struct hal_rx_phyrx_rssi_legacy_info (bsc#1240998).
- wifi: ath12k: fix struct hal_rx_ppdu_end_user_stats (bsc#1240998).
- wifi: ath12k: fix struct hal_rx_ppdu_start (bsc#1240998).
- wifi: ath12k: fix survey dump collection in 6 GHz (bsc#1240998).
- wifi: ath12k: fix the ampdu id fetch in the HAL_RX_MPDU_START TLV (stable-fixes).
- wifi: ath12k: fix the stack frame size warning in ath12k_mac_op_hw_scan (bsc#1240998).
- wifi: ath12k: fix use-after-free in ath12k_dp_cc_cleanup() (bsc#1240998).
- wifi: ath12k: fix warning on DMA ring capabilities event (bsc#1240998).
- wifi: ath12k: flush all packets before suspend (bsc#1240998).
- wifi: ath12k: handle keepalive during WoWLAN suspend and resume (bsc#1240998).
- wifi: ath12k: handle symlink cleanup for per pdev debugfs dentry (bsc#1240998).
- wifi: ath12k: implement WoW enable and wakeup commands (bsc#1240998).
- wifi: ath12k: implement hardware data filter (bsc#1240998).
- wifi: ath12k: improve the rx descriptor error information (bsc#1240998).
- wifi: ath12k: initial debugfs support (bsc#1240998).
- wifi: ath12k: make read-only array svc_id static const (bsc#1240998).
- wifi: ath12k: modify ath12k mac start/stop ops for single wiphy (bsc#1240998).
- wifi: ath12k: modify ath12k_get_arvif_iter() for MLO (bsc#1240998).
- wifi: ath12k: modify ath12k_mac_op_bss_info_changed() for MLO (bsc#1240998).
- wifi: ath12k: modify ath12k_mac_op_set_key() for MLO (bsc#1240998).
- wifi: ath12k: modify ath12k_mac_vif_chan() for MLO (bsc#1240998).
- wifi: ath12k: modify link arvif creation and removal for MLO (bsc#1240998).
- wifi: ath12k: modify regulatory support for single wiphy architecture (bsc#1240998).
- wifi: ath12k: modify remain on channel for single wiphy (bsc#1240998).
- wifi: ath12k: move txbaddr/rxbaddr into struct ath12k_dp (bsc#1240998).
- wifi: ath12k: no need to handle pktlog during suspend/resume (bsc#1240998).
- wifi: ath12k: pass ath12k_link_vif instead of vif/ahvif (bsc#1240998).
- wifi: ath12k: prepare sta data structure for MLO handling (bsc#1240998).
- wifi: ath12k: prepare vif config caching for MLO (bsc#1240998).
- wifi: ath12k: prepare vif data structure for MLO handling (bsc#1240998).
- wifi: ath12k: read single_chip_mlo_support parameter from QMI PHY capability (bsc#1240998).
- wifi: ath12k: rearrange IRQ enable/disable in reset path (bsc#1240998).
- wifi: ath12k: refactor SMPS configuration (bsc#1240998).
- wifi: ath12k: refactor arvif security parameter configuration (bsc#1240998).
- wifi: ath12k: refactor ath12k_hw_regs structure (stable-fixes).
- wifi: ath12k: refactor rx descriptor CMEM configuration (bsc#1240998).
- wifi: ath12k: remove MHI LOOPBACK channels (bsc#1240998).
- wifi: ath12k: remove duplicate definition of MAX_RADIOS (bsc#1240998).
- wifi: ath12k: remove duplicate definitions in wmi.h (bsc#1240998).
- wifi: ath12k: remove invalid peer create logic (bsc#1240998).
- wifi: ath12k: remove obsolete struct wmi_start_scan_arg (bsc#1240998).
- wifi: ath12k: remove redundant peer delete for WCN7850 (bsc#1240998).
- wifi: ath12k: remove unused variable monitor_flags (bsc#1240998).
- wifi: ath12k: remove unused variable monitor_present (bsc#1240998).
- wifi: ath12k: rename MBSSID fields in wmi_vdev_up_cmd (bsc#1240998).
- wifi: ath12k: restore ASPM for supported hardwares only (bsc#1240998).
- wifi: ath12k: scan statemachine changes for single wiphy (bsc#1240998).
- wifi: ath12k: set mlo_capable_flags based on QMI PHY capability (bsc#1240998).
- wifi: ath12k: skip sending vdev down for channel switch (bsc#1240998).
- wifi: ath12k: support ARP and NS offload (bsc#1240998).
- wifi: ath12k: support GTK rekey offload (bsc#1240998).
- wifi: ath12k: support SMPS configuration for 6 GHz (bsc#1240998).
- wifi: ath12k: support get_survey mac op for single wiphy (bsc#1240998).
- wifi: ath12k: support suspend/resume (bsc#1240998).
- wifi: ath12k: switch to using wiphy_lock() and remove ar->conf_mutex (bsc#1240998).
- wifi: ath12k: unregister per pdev debugfs (bsc#1240998).
- wifi: ath12k: update ath12k_mac_op_conf_tx() for MLO (bsc#1240998).
- wifi: ath12k: update ath12k_mac_op_update_vif_offload() for MLO (bsc#1240998).
- wifi: ath12k: use 128 bytes aligned iova in transmit path for WCN7850 (bsc#1240998).
- wifi: ath12k: use correct MAX_RADIOS (bsc#1240998).
- wifi: ath12k: use tail MSDU to get MSDU information (bsc#1240998).
- wifi: ath12k: using msdu end descriptor to check for rx multicast packets (stable-fixes).
- wifi: ath12k: vdev statemachine changes for single wiphy (bsc#1240998).
- wifi: ath9k: return by of_get_mac_address (stable-fixes).
- wifi: ath9k_htc: Abort software beacon handling if disabled (git-fixes).
- wifi: carl9170: do not ping device which has failed to load firmware (git-fixes).
- wifi: cfg80211: allow IR in 20 MHz configurations (stable-fixes).
- wifi: iwlfiwi: mvm: Fix the rate reporting (git-fixes).
- wifi: iwlwifi: Add missing MODULE_FIRMWARE for Qu-c0-jf-b0 (stable-fixes).
- wifi: iwlwifi: add support for Killer on MTL (stable-fixes).
- wifi: iwlwifi: do not warn during reprobe (stable-fixes).
- wifi: iwlwifi: do not warn when if there is a FW error (stable-fixes).
- wifi: iwlwifi: fix debug actions order (stable-fixes).
- wifi: iwlwifi: fix the ECKV UEFI variable name (stable-fixes).
- wifi: iwlwifi: mark Br device not integrated (stable-fixes).
- wifi: iwlwifi: mvm: fix beacon CCK flag (stable-fixes).
- wifi: iwlwifi: mvm: fix setting the TK when associated (stable-fixes).
- wifi: iwlwifi: pcie: make sure to lock rxq->read (stable-fixes).
- wifi: iwlwifi: use correct IMR dump variable (stable-fixes).
- wifi: iwlwifi: w/a FW SMPS mode selection (stable-fixes).
- wifi: mac80211: VLAN traffic in multicast path (stable-fixes).
- wifi: mac80211: do not offer a mesh path if forwarding is disabled (stable-fixes).
- wifi: mac80211: do not unconditionally call drv_mgd_complete_tx() (stable-fixes).
- wifi: mac80211: fix beacon interval calculation overflow (git-fixes).
- wifi: mac80211: fix warning on disconnect during failed ML reconf (stable-fixes).
- wifi: mac80211: remove misplaced drv_mgd_complete_tx() call (stable-fixes).
- wifi: mac80211: set ieee80211_prep_tx_info::link_id upon Auth Rx (stable-fixes).
- wifi: mac80211: validate SCAN_FLAG_AP in scan request during MLO (stable-fixes).
- wifi: mac80211_hwsim: Fix MLD address translation (stable-fixes).
- wifi: mac80211_hwsim: Prevent tsf from setting if beacon is disabled (stable-fixes).
- wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R (stable-fixes).
- wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init() (git-fixes).
- wifi: mt76: mt7921: add 160 MHz AP for mt7922 device (stable-fixes).
- wifi: mt76: mt7925: ensure all MCU commands wait for response (git-fixes).
- wifi: mt76: mt7925: fix fails to enter low power mode in suspend state (stable-fixes).
- wifi: mt76: mt7925: fix host interrupt register initialization (git-fixes).
- wifi: mt76: mt7925: introduce thermal protection (stable-fixes).
- wifi: mt76: mt7925: load the appropriate CLC data based on hardware type (stable-fixes).
- wifi: mt76: mt7925: prevent multiple scan commands (git-fixes).
- wifi: mt76: mt7925: refine the sniffer commnad (git-fixes).
- wifi: mt76: mt7996: drop fragments with multicast or broadcast RA (stable-fixes).
- wifi: mt76: mt7996: fix RX buffer size of MCU event (git-fixes).
- wifi: mt76: mt7996: revise TXS size (stable-fixes).
- wifi: mt76: mt7996: set EHT max ampdu length capability (git-fixes).
- wifi: mt76: only mark tx-status-failed frames as ACKed on mt76x0/2 (stable-fixes).
- wifi: mwifiex: Fix HT40 bandwidth issue (stable-fixes).
- wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() (git-fixes).
- wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723 (git-fixes).
- wifi: rtw88: Do not use static local variable in rtw8822b_set_tx_power_index_by_rate (stable-fixes).
- wifi: rtw88: Fix __rtw_download_firmware() for RTL8814AU (stable-fixes).
- wifi: rtw88: Fix download_firmware_validate() for RTL8814AU (stable-fixes).
- wifi: rtw88: Fix rtw_desc_to_mcsrate() to handle MCS16-31 (stable-fixes).
- wifi: rtw88: Fix rtw_init_ht_cap() for RTL8814AU (stable-fixes).
- wifi: rtw88: Fix rtw_init_vht_cap() for RTL8814AU (stable-fixes).
- wifi: rtw88: do not ignore hardware read error during DPK (git-fixes).
- wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds (git-fixes).
- wifi: rtw88: sdio: call rtw_sdio_indicate_tx_status unconditionally (git-fixes).
- wifi: rtw88: sdio: map mgmt frames to queue TX_DESC_QSEL_MGMT (git-fixes).
- wifi: rtw88: usb: Reduce control message timeout to 500 ms (git-fixes).
- wifi: rtw89: 8922a: fix TX fail with wrong VCO setting (stable-fixes).
- wifi: rtw89: 8922a: fix incorrect STA-ID in EHT MU PPDU (stable-fixes).
- wifi: rtw89: add wiphy_lock() to work that isn't held wiphy_lock() yet (stable-fixes).
- wifi: rtw89: call power_on ahead before selecting firmware (stable-fixes).
- wifi: rtw89: fw: get sb_sel_ver via get_unaligned_le32() (stable-fixes).
- wifi: rtw89: fw: propagate error code from rtw89_h2c_tx() (stable-fixes).
- wifi: rtw89: leave idle mode when setting WEP encryption for AP mode (stable-fixes).
- wifi: rtw89: pci: enlarge retry times of RX tag to 1000 (git-fixes).
- wifi: rtw89: phy: add dummy C2H event handler for report of TAS power (stable-fixes).
- wireless: purelifi: plfxlc: fix memory leak in plfxlc_usb_wreq_asyn() (stable-fixes).
- workqueue: Initialize wq_isolated_cpumask in workqueue_init_early() (bsc#1245101 jsc#PED-11934).
- x86/acpi: Fix LAPIC/x2APIC parsing order (git-fixes).
- x86/amd_nb, hwmon: (k10temp): Simplify amd_pci_dev_to_node_id() (jsc#PED-13094).
- x86/amd_nb: Clean up early_is_amd_nb() (jsc#PED-13094).
- x86/amd_nb: Move SMN access code to a new amd_node driver (jsc#PED-13094).
- x86/amd_nb: Restrict init function to AMD-based systems (jsc#PED-13094).
- x86/amd_nb: Simplify function 4 search (jsc#PED-13094).
- x86/amd_nb: Simplify root device search (jsc#PED-13094).
- x86/amd_node: Add SMN offsets to exclusive region access (jsc#PED-13094).
- x86/amd_node: Add support for debugfs access to SMN registers (jsc#PED-13094).
- x86/amd_node: Remove dependency on AMD_NB (jsc#PED-13094).
- x86/amd_node: Update __amd_smn_rw() error paths (jsc#PED-13094).
- x86/amd_node: Use defines for SMN register offsets (jsc#PED-13094).
- x86/fred/signal: Prevent immediate repeat of single step trap on return from SIGTRAP handler (git-fixes).
- x86/idle: Remove MFENCEs for X86_BUG_CLFLUSH_MONITOR in mwait_idle_with_hints() and prefer_mwait_c1_over_halt() (git-fixes).
- x86/kaslr: Reduce KASLR entropy on most x86 systems (git-fixes).
- x86/mce/amd: Remove shared threshold bank plumbing (jsc#PED-13094).
- x86/microcode/AMD: Add get_patch_level() (git-fixes).
- x86/microcode/AMD: Do not return error when microcode update is not necessary (git-fixes).
- x86/microcode/AMD: Get rid of the _load_microcode_amd() forward declaration (git-fixes).
- x86/microcode/AMD: Have __apply_microcode_amd() return bool (git-fixes).
- x86/microcode/AMD: Make __verify_patch_size() return bool (git-fixes).
- x86/microcode/AMD: Merge early_apply_microcode() into its single callsite (git-fixes).
- x86/microcode/AMD: Remove ugly linebreak in __verify_patch_section() signature (git-fixes).
- x86/microcode/AMD: Return bool from find_blobs_in_containers() (git-fixes).
- x86/microcode: Consolidate the loader enablement checking (git-fixes).
- x86/mm/init: Handle the special case of device private pages in add_pages(), to not increase max_pfn and trigger dma_addressing_limited() bounce buffers (git-fixes).
- x86/platform/amd: Move the <asm/amd_hsmp.h> header to <asm/amd/hsmp.h> (jsc#PED-13094).
- x86/sev: Add SVSM vTPM probe/send_command functions (bsc#1241191).
- x86/sev: Provide guest VMPL level to userspace (bsc#1241191).
- x86/sev: Register tpm-svsm platform device (bsc#1241191).
- x86/xen: fix balloon target initialization for PVH dom0 (git-fixes).
- x86: Start moving AMD node functionality out of AMD_NB (jsc#PED-13094).
- xen/arm: call uaccess_ttbr0_enable for dm_op hypercall (git-fixes)
- xen/x86: fix initial memory balloon target (git-fixes).
- xhci: dbc: Avoid event polling busyloop if pending rx transfers are inactive (git-fixes).
- xsk: always clear DMA mapping information when unmapping the pool (git-fixes).

The following package changes have been done:

- libsasl2-3-2.1.28-150600.7.6.2 updated
- kernel-macros-6.4.0-150700.53.6.1 updated
- kernel-devel-6.4.0-150700.53.6.1 updated
- kernel-default-devel-6.4.0-150700.53.6.1 updated
- kernel-syms-6.4.0-150700.53.6.1 updated
- container:registry.suse.com-bci-bci-base-15.7-27ee9f90d96cb98ecaf3bdb9290e225f11b1a29d18c0a1bac62e00a4a9235682-0 updated

From sle-container-updates at lists.suse.com Tue Jul 22 09:13:10 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 22 Jul 2025 11:13:10 +0200 (CEST)
Subject: SUSE-IU-2025:2020-1: Security update of sles-15-sp4-chost-byos-v20250721-arm64
Message-ID: <20250722091310.0B009FCFE@maintenance.suse.de>

SUSE Image Update Advisory: sles-15-sp4-chost-byos-v20250721-arm64
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2020-1
Image Tags : sles-15-sp4-chost-byos-v20250721-arm64:20250721
Image Release :
Severity : important
Type : security
References : 1027519 1065729 1165294 1170891 1173139 1180814 1183663 1183682 1184350 1185010 1185551 1187939 1188441 1189788 1190336 1190358 1190428 1190768 1190786 1193173 1193629 1193629 1193629 1193629 1194111 1194765 1194869 1194869 1194904 1195823 1196261 1196444 1196516 1196894 1197158 1197174 1197227 1197246 1197302 1197331 1197472 1197661 1197926 1198017 1198019 1198021 1198240 1198577
1198660 1199657 1199853 1200045 1200571 1200807 1200809 1200810 1200824 1200825 1200871 1200872 1201193 1201218 1201323 1201381 1201610 1201855 1202672 1202711 1202712 1202771 1202774 1202778 1202781 1203360 1203617 1203699 1203769 1204171 1204171 1204549 1204569 1204619 1204705 1204720 1205282 1205796 1206006 1206048 1206049 1206051 1206073 1206132 1206188 1206258 1206344 1206649 1206886 1206887 1207034 1207157 1207158 1207186 1207593 1207640 1207878 1208542 1208995 1209262 1209290 1209292 1209547 1209556 1209684 1209788 1209798 1210050 1210337 1210382 1210449 1210627 1210647 1210763 1210767 1210959 1211263 1211465 1211547 1213012 1213013 1213034 1213094 1213096 1213167 1213291 1213946 1214290 1214713 1214715 1214915 1214991 1215304 1216049 1216091 1216091 1216146 1216147 1216150 1216151 1216223 1216223 1216228 1216229 1216230 1216231 1216232 1216233 1216241 1216388 1216522 1216813 1216827 1216834 1217070 1217287 1217339 1217761 1218069 1218201 1218282 1218324 1218470 1218562 1218644 1218812 1218814 1219007 1219031 1219241 1219454 1219639 1220262 1220382 1220382 1220718 1220724 1220946 1221202 1221309 1221326 1221601 1221645 1221757 1222021 1222044 1222296 1222453 1222590 1222650 1222878 1222896 1223191 1223330 1223384 1223524 1223600 1223824 1223958 1224105 1224700 1225189 1225272 1225336 1225451 1225462 1225611 1225742 1225742 1225974 1226586 1226666 1227127 1227216 1227233 1227355 1227378 1227487 1227807 1227832 1227999 1228020 1228114 1228265 1228324 1228337 1228434 1228466 1228466 1228466 1228483 1228489 1228516 1228553 1228574 1228575 1228576 1228634 1228647 1228661 1228708 1228718 1228743 1228776 1228779 1228780 1228801 1228866 1228959 1228966 1229014 1229028 1229042 1229106 1229292 1229345 1229400 1229407 1229452 1229454 1229454 1229456 1229476 1229500 1229503 1229506 1229507 1229508 1229509 1229510 1229512 1229516 1229522 1229526 1229528 1229531 1229533 1229535 1229536 1229537 1229540 1229544 1229554 1229555 1229555 1229556 1229557 1229565 1229566 1229568 
-----------------------------------------------------------------
The container
sles-15-sp4-chost-byos-v20250721-arm64 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:167-1
Released: Mon Jan 24 18:16:24 2022
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1187939

This update for cloud-netconfig fixes the following issues:

- Update to version 1.6:
  + Ignore proxy when accessing metadata (bsc#1187939)
  + Print warning in case metadata is not accessible
  + Documentation update

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:658-1
Released: Wed Mar 8 10:51:10 2023
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1199853,1204549

This update for cloud-netconfig fixes the following issues:

- Update to version 1.7:
  + Overhaul policy routing setup
  + Support alias IPv4 ranges
  + Add support for NetworkManager (bsc#1204549)
  + Remove dependency on netconfig
  + Install into libexec directory
  + Clear stale ifcfg files for accelerated NICs (bsc#1199853)
  + More debug messages
  + Documentation update
- /etc/netconfig.d/ moved to /usr/libexec/netconfig/netconfig.d/ in Tumbleweed, update path

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3637-1
Released: Mon Sep 18 13:02:23 2023
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: important
References: 1214715

This update for cloud-netconfig fixes the following issues:

- Update to version 1.8:
  - Fix Automatic Addition of Secondary IP Addresses in Azure Using cloud-netconfig.
    (bsc#1214715)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:630-1
Released: Tue Feb 27 09:14:49 2024
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1218069,1219007

This update for cloud-netconfig fixes the following issues:

- Drop cloud-netconfig-nm sub package and include NM dispatcher script in main packages (bsc#1219007)
- Drop package dependency on sysconfig-netconfig
- Improve log level handling
- Support IPv6 IMDS endpoint in EC2 (bsc#1218069)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:781-1
Released: Wed Mar 6 15:05:13 2024
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1219454,1220718

This update for cloud-netconfig fixes the following issues:

- Add Provides/Obsoletes for dropped cloud-netconfig-nm
- Install dispatcher script into /etc/NetworkManager/dispatcher.d on older distributions
- Add BuildRequires: NetworkManager to avoid owning dispatcher.d parent directory
- Update to version 1.11:
  + Revert address metadata lookup in GCE to local lookup (bsc#1219454)
  + Fix hang on warning log messages
  + Check whether getting IPv4 addresses from metadata failed and abort if true
  + Only delete policy rules if they exist
  + Skip adding/removing IPv4 ranges if metadata lookup failed
  + Improve error handling and logging in Azure
  + Set SCRIPTDIR when installing netconfig wrapper

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:869-1
Released: Wed Mar 13 10:48:51 2024
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: important
References: 1221202

This update for cloud-netconfig fixes the following issues:

- Update to version 1.12 (bsc#1221202)
  * If token access succeeds using IPv4, do not use the IPv6 endpoint; only use the IPv6 IMDS endpoint if IPv4 access fails.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:1085-1
Released: Tue Apr 2 11:24:09 2024
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1221757

This update for cloud-netconfig fixes the following issues:

- Update to version 1.14
  + Use '-s' instead of '--no-progress-meter' for curl (bsc#1221757)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3234-1
Released: Fri Sep 13 08:49:43 2024
Summary: Recommended update for grub2
Type: recommended
Severity: important
References: 1217761,1228866

This update for grub2 fixes the following issues:

- Support powerpc net boot installation when secure boot is enabled (bsc#1217761, bsc#1228866)
- Improved check for disk device when looking for PReP partition

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3238-1
Released: Fri Sep 13 11:56:14 2024
Summary: Recommended update for util-linux
Type: recommended
Severity: moderate
References: 1229476

This update for util-linux fixes the following issue:

- Skip aarch64 decode path for rest of the architectures (bsc#1229476).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3300-1
Released: Wed Sep 18 14:27:53 2024
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References: 1229028

This update for ncurses fixes the following issues:

- Allow the terminal description based on static fallback entries to be freed (bsc#1229028)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3330-1
Released: Thu Sep 19 09:42:12 2024
Summary: Recommended update for suseconnect-ng
Type: recommended
Severity: important
References: 1229014,1230229

This update for suseconnect-ng fixes the following issue:

- Set the filesystem root on zypper when given (bsc#1230229, bsc#1229014)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3408-1
Released: Tue Sep 24 08:39:14 2024
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1193629,1194111,1194765,1194869,1196261,1196516,1196894,1198017,1203360,1206006,1206258,1207158,1216834,1221326,1221645,1223191,1224105,1227832,1228020,1228114,1228466,1228489,1228516,1228576,1228718,1228801,1228959,1229042,1229292,1229400,1229454,1229500,1229503,1229506,1229507,1229508,1229509,1229510,1229512,1229516,1229522,1229526,1229528,1229531,1229533,1229535,1229536,1229537,1229540,1229544,1229554,1229557,1229565,1229566,1229568,1229581,1229598,1229603,1229604,1229608,1229611,1229612,1229613,1229614,1229617,1229619,1229620,1229622,1229623,1229624,1229625,1229626,1229628,1229629,1229630,1229631,1229635,1229636,1229637,1229638,1229639,1229641,1229642,1229643,1229645,1229657,1229664,1229707,1229792,1230245,1230413,CVE-2021-4441,CVE-2022-4382,CVE-2022-48868,CVE-2022-48869,CVE-2022-48870,CVE-2022-48871,CVE-2022-48872,CVE-2022-48873,CVE-2022-48875,CVE-2022-48878,CVE-2022-48880,CVE-2022-48890,CVE-2022-48891,CVE-2022-48896,CVE-2022-48898,CVE-2022-48899,CVE-2022-48903,CVE-2022-48904,CVE-2022-48905,CVE-2022-48907,CVE-2022-48909,CVE-2022-48912,CVE-2022-48913,CVE-2022-48914,CVE-2022-48915,CVE-2022-48916,CVE-2022-48917,CVE-2022-48918,CVE-2022-48919,CVE-2022-48921,CVE-2022-48924,CVE-2022-48925,CVE-2022-48926,CVE-2022-48927,CVE-2022-48928,CVE-2022-48929,CVE-2022-48930,CVE-2022-48931,CVE-2022-48932,CVE-2022-48934,CVE-2022-48935,CVE-2022-48937,CVE-2022-48938,CVE-2022-48941,CVE-2022-48942,CVE-2022-48943,CVE-2023-52489,CVE-2023-52893,CVE-2023-52894,CVE-2023-52896,CVE-2023-52898,CVE-2023-52900,CVE-2023-52901,CVE-2023-52905,CVE-2023-52907,CVE-2023-52911,CVE-2024-40910,CVE-2024-41009,CVE-2024-41011,CVE-2024-41062,CVE-2024-41087,CVE-2024-42077,CVE-2024-42126,CVE-2024-42230,CVE-2024-42232,CVE-2024-42271,CVE-2024-43853,CVE-2024-43861,CVE-2024-43882,CVE-2024-43883,CVE-2024-44938,CVE-2024-44947,CVE-2024-45003

The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

- CVE-2024-41062: Sync sock recv cb and release (bsc#1228576).
- CVE-2024-44947: Initialize beyond-EOF page contents before setting uptodate (bsc#1229454).
- CVE-2024-43883: Do not drop references before new references are gained (bsc#1229707).
- CVE-2024-43861: Fix memory leak for not ip packets (bsc#1229500).
- CVE-2023-52489: Fix race in accessing memory_section->usage (bsc#1221326).
- CVE-2024-44938: Fix shift-out-of-bounds in dbDiscardAG (bsc#1229792).
- CVE-2024-41087: Fix double free on error (CVE-2024-41087,bsc#1228466).
- CVE-2024-43882: Fixed ToCToU between perm check and set-uid/gid usage. (bsc#1229503)
- CVE-2022-48935: Fixed an unregister flowtable hooks on netns exit (bsc#1229619)
- CVE-2022-48912: Fix use-after-free in __nf_register_net_hook() (bsc#1229641)
- CVE-2024-42271: Fixed a use after free in iucv_sock_close(). (bsc#1229400)
- CVE-2024-42232: Fixed a race between delayed_work() and ceph_monc_stop(). (bsc#1228959)
- CVE-2024-40910: Fix refcount imbalance on inbound connections (bsc#1227832).
- CVE-2024-41009: Fix overrunning reservations in ringbuf (bsc#1228020). - CVE-2024-45003: Don't evict inode under the inode lru traversing context (bsc#1230245). The following non-security bugs were fixed: - Bluetooth: L2CAP: Fix deadlock (git-fixes). - mm, kmsan: fix infinite recursion due to RCU critical section (git-fixes). - mm: prevent derefencing NULL ptr in pfn_section_valid() (git-fixes). - Revert 'mm: prevent derefencing NULL ptr in pfn_section_valid()' (bsc#1230413). - Revert 'mm, kmsan: fix infinite recursion due to RCU critical section' (bsc#1230413). - Revert 'mm/sparsemem: fix race in accessing memory_section->usage' (bsc#1230413). - nvme_core: scan namespaces asynchronously (bsc#1224105). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:3423-1 Released: Tue Sep 24 17:25:33 2024 Summary: Security update for xen Type: security Severity: important References: 1222453,1227355,1228574,1228575,1230366,CVE-2024-2201,CVE-2024-31143,CVE-2024-31145,CVE-2024-31146,CVE-2024-45817 This update for xen fixes the following issues: - CVE-2024-2201: Mitigation for Native Branch History Injection (XSA-456, bsc#1222453) - CVE-2024-31143: Fixed double unlock in x86 guest IRQ handling (XSA-458, bsc#1227355) - CVE-2024-31145: Fixed error handling in x86 IOMMU identity mapping (XSA-460, bsc#1228574) - CVE-2024-31146: Fixed PCI device pass-through with shared resources (XSA-461, bsc#1228575) - CVE-2024-45817: Fixed a deadlock in vlapic_error (XSA-462, bsc#1230366) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3451-1 Released: Thu Sep 26 09:10:50 2024 Summary: Recommended update for pam-config Type: recommended Severity: moderate References: 1227216 This update for pam-config fixes the following issues: - Improved check for existence of modules (bsc#1227216) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:3470-1 Released: Fri Sep 27 14:34:46 
2024 Summary: Security update for python3 Type: security Severity: important References: 1227233,1227378,1227999,1228780,1229596,1230227,CVE-2024-5642,CVE-2024-6232,CVE-2024-6923,CVE-2024-7592 This update for python3 fixes the following issues: - CVE-2024-6923: Fixed uncontrolled CPU resource consumption when in http.cookies module (bsc#1228780). - CVE-2024-5642: Fixed buffer overread when NPN is used and invalid values are sent to the OpenSSL API (bsc#1227233). - CVE-2024-7592: Fixed Email header injection due to unquoted newlines (bsc#1229596). - CVE-2024-6232: excessive backtracking when parsing tarfile headers leads to ReDoS. (bsc#1230227) Bug fixes: - %{profileopt} variable is set according to the variable %{do_profiling} (bsc#1227999). - Stop using %%defattr, it seems to be breaking proper executable attributes on /usr/bin/ scripts (bsc#1227378). - Remove %suse_update_desktop_file macro as it is not useful any more. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3477-1 Released: Fri Sep 27 15:22:22 2024 Summary: Recommended update for curl Type: recommended Severity: moderate References: 1230516 This update for curl fixes the following issue: - Make special characters in URL work with aws-sigv4 (bsc#1230516). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3485-1 Released: Fri Sep 27 19:54:13 2024 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1228647,1230267 This update for libzypp, zypper fixes the following issues: - API refactoring. Prevent zypper from using now private libzypp symbols (bsc#1230267) - single_rpmtrans: fix installation of .src.rpms (bsc#1228647) - Fix wrong numbers used in CommitSummary skipped/failed messages. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3487-1 Released: Fri Sep 27 19:56:02 2024 Summary: Recommended update for logrotate Type: recommended Severity: moderate References: This update for logrotate fixes the following issues: - Backport 'ignoreduplicates' configuration flag (jsc#PED-10366) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3503-1 Released: Tue Oct 1 16:13:07 2024 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1228661 This update for glibc fixes the following issue: - fix memory malloc problem: Initiate tcache shutdown even without allocations (bsc#1228661). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3527-1 Released: Fri Oct 4 15:27:07 2024 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1230145 This update for e2fsprogs fixes the following issue: - resize2fs: Check number of group descriptors only if meta_bg is disabled (bsc#1230145). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3530-1 Released: Fri Oct 4 15:43:33 2024 Summary: Recommended update for libpcap Type: recommended Severity: moderate References: 1230894 This update for libpcap fixes the following issue: - enable rdma support (bsc#1230894). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:3547-1 Released: Tue Oct 8 16:06:05 2024 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1216223,1223600,1223958,1225272,1227487,1228466,1229407,1229633,1229662,1229947,1230015,1230398,1230434,1230507,1230767,1231016,CVE-2022-48911,CVE-2022-48923,CVE-2022-48944,CVE-2022-48945,CVE-2024-41087,CVE-2024-42301,CVE-2024-44946,CVE-2024-45021,CVE-2024-46674,CVE-2024-46774 The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2022-48911: kabi: add __nf_queue_get_refs() for kabi compliance. (bsc#1229633). - CVE-2022-48923: btrfs: prevent copying too big compressed lzo segment (bsc#1229662) - CVE-2024-41087: Fix double free on error (bsc#1228466). - CVE-2024-42301: Fix the array out-of-bounds risk (bsc#1229407). - CVE-2024-44946: kcm: Serialise kcm_sendmsg() for the same socket (bsc#1230015). - CVE-2024-45021: memcg_write_event_control(): fix a user-triggerable oops (bsc#1230434). - CVE-2024-46674: usb: dwc3: st: fix probed platform device ref count on probe error path (bsc#1230507). The following non-security bugs were fixed: - blk-mq: add helper for checking if one CPU is mapped to specified hctx (bsc#1223600). - blk-mq: do not schedule block kworker on isolated CPUs (bsc#1223600). - kabi: add __nf_queue_get_refs() for kabi compliance. - scsi: ibmvfc: Add max_sectors module parameter (bsc#1216223). - scsi: smartpqi: Expose SAS address for SATA drives (bsc#1223958). - SUNRPC: avoid soft lockup when transmitting UDP to reachable server (bsc#1225272 bsc#1231016). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3580-1 Released: Thu Oct 10 08:39:49 2024 Summary: Recommended update for wicked Type: recommended Severity: moderate References: 1229555 This update for wicked fixes the following issue: - compat-suse: fix dummy interfaces configuration with `INTERFACETYPE=dummy` (bsc#1229555). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3593-1 Released: Thu Oct 10 18:43:13 2024 Summary: Recommended update for rsyslog Type: recommended Severity: moderate References: 1231229 This update for rsyslog fixes the following issue: - fix PreserveFQDN option before daemon is restarted (bsc#1231229) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3597-1 Released: Fri Oct 11 10:39:52 2024 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1227807 This update for bash fixes the following issues: - Load completion file even if a brace expansion is included in the command line (bsc#1227807). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3659-1 Released: Wed Oct 16 15:12:47 2024 Summary: Recommended update for gcc14 Type: recommended Severity: moderate References: 1188441,1210959,1214915,1219031,1220724,1221601 This update for gcc14 fixes the following issues: This update ships the GNU Compiler Collection GCC 14.2. (jsc#PED-10474) The compiler runtime libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 13 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP5 and SP6, and provided in the 'Development Tools' module. The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories. To use gcc14 compilers use: - install 'gcc14' or 'gcc14-c++' or one of the other 'gcc14-COMPILER' frontend packages.
- override your Makefile to use CC=gcc14, CXX=g++14 and similar overrides for the other languages. For a full changelog with all new GCC14 features, check out https://gcc.gnu.org/gcc-14/changes.html - Add libquadmath0-devel-gcc14 sub-package to allow installing quadmath.h and SO link without installing the fortran frontend - Avoid combine spending too much compile-time and memory doing nothing on s390x. [bsc#1188441] - Remove timezone Recommends from the libstdc++6 package. [bsc#1221601] - Revert libgccjit dependency change. [bsc#1220724] - Fix libgccjit-devel dependency, a newer shared library is OK. - Fix libgccjit dependency, the corresponding compiler isn't required. - Add cross-X-newlib-devel requires to newlib cross compilers. [bsc#1219031] - Re-enable AutoReqProv for cross packages but filter files processed via __requires_exclude_from and __provides_exclude_from. [bsc#1219031] - Package m2rte.so plugin in the gcc14-m2 sub-package rather than in gcc13-devel. [bsc#1210959] - Require libstdc++6-devel-gcc14 from gcc14-m2 as m2 programs are linked against libstdc++6. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3727-1 Released: Fri Oct 18 15:04:09 2024 Summary: Recommended update for libzypp Type: recommended Severity: important References: 1230912,1231043 This update for libzypp fixes the following issues: - Send unescaped colons in header values. According to the STOMP protocol, it would be correct to escape colon here but the practice broke plugin receivers that didn't expect this. The incompatibility affected customers who were running spacewalk-repo-sync and experienced issues when accessing the cloud URL. [bsc#1231043] - Fix hang in curl code with no network connection.
[bsc#1230912] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3865-1 Released: Fri Nov 1 16:10:37 2024 Summary: Recommended update for gcc14 Type: recommended Severity: moderate References: 1231833 This update for gcc14 fixes the following issues: - Fixed parsing timezone tzdata 2024b [gcc#116657 bsc#1231833] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3868-1 Released: Fri Nov 1 16:15:26 2024 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: 1231829 This update for suse-build-key fixes the following issues: - Also include the GPG key from the current build project to allow Staging testing without production keys, but only in staging. (bsc#1231829) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:3872-1 Released: Fri Nov 1 16:20:29 2024 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1220262,CVE-2023-50782 This update for openssl-1_1 fixes the following issues: - CVE-2023-50782: Implicit rejection in PKCS#1 v1.5 (bsc#1220262) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:3879-1 Released: Fri Nov 1 17:04:25 2024 Summary: Security update for python3 Type: security Severity: moderate References: 1230906,1232241,CVE-2024-9287 This update for python3 fixes the following issues: Security fixes: - CVE-2024-9287: properly quote path names provided when creating a virtual environment (bsc#1232241) Other fixes: - Drop .pyc files from docdir for reproducible builds (bsc#1230906) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3890-1 Released: Mon Nov 4 10:14:19 2024 Summary: Recommended update for wget Type: recommended Severity: moderate References: 1204720,1231661 This update for wget fixes the following issues: - wget incorrectly truncates long filenames (bsc#1231661). 
- wget dies writing too long filenames (bsc#1204720). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3897-1 Released: Mon Nov 4 12:08:56 2024 Summary: Recommended update for shadow Type: recommended Severity: moderate References: 1228337,1230972 This update for shadow fixes the following issues: - Add useradd warnings when requested UID is outside the default range (bsc#1230972) - Chage -d date vs passwd -S output is off by one (bsc#1228337) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3902-1 Released: Mon Nov 4 13:15:51 2024 Summary: Recommended update for shim Type: recommended Severity: moderate References: 1210382,1230316 This update for shim fixes the following issues: - Update shim-install to apply the missing fix for openSUSE Leap (bsc#1210382) - Update shim-install to use the 'removable' way for SL-Micro (bsc#1230316) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:3926-1 Released: Wed Nov 6 11:15:25 2024 Summary: Security update for curl Type: security Severity: moderate References: 1232528,CVE-2024-9681 This update for curl fixes the following issues: - CVE-2024-9681: Fixed HSTS subdomain overwrites parent cache entry (bsc#1232528) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3930-1 Released: Thu Nov 7 06:11:20 2024 Summary: Recommended update for wicked Type: recommended Severity: important References: 1229555,1229745,1230911,1231060 This update for wicked fixes the following issues: - Update to version 0.6.77 - compat-suse: use iftype in sysctl handling (bsc#1230911) - Always generate the ipv4/ipv6 true|false node - Inherit all, default and interface sysctl settings also for loopback, except for use_tempaddr and accept_dad - Consider only interface specific accept_redirects sysctl settings - Adopt ifsysctl(5) manual page with wicked specific behavior - route: fix family and 
destination processing (bsc#1231060) - man: improve wicked-config(5) file description - dhcp4: add ignore-rfc3927-1-6 wicked-config(5) option - team: set arp link watcher interval default to 1s - systemd: use `BindsTo=dbus.service` in favor of `Requisite=` (bsc#1229745) - compat-suse: fix use of deprecated `INTERFACETYPE=dummy` (bsc#1229555) - arp: don't set target broadcast hardware address - dbus: don't memcpy empty/NULL array value - ethtool: fix leak and free pause data in ethtool_free ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:4035-1 Released: Mon Nov 18 16:22:57 2024 Summary: Security update for expat Type: security Severity: moderate References: 1232579,CVE-2024-50602 This update for expat fixes the following issues: - CVE-2024-50602: Fixed a denial of service via XML_ResumeParser (bsc#1232579). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:4044-1 Released: Mon Nov 25 08:28:17 2024 Summary: Recommended update for hwdata Type: recommended Severity: moderate References: This update for hwdata fixes the following issue: - Version update to v0.389: * Update pci, usb and vendor ids ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:4046-1 Released: Mon Nov 25 09:25:58 2024 Summary: Recommended update for rsyslog Type: recommended Severity: moderate References: 1230984 This update for rsyslog fixes the following issue: - restart daemon after update at the end of the transaction (bsc#1230984) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:4065-1 Released: Tue Nov 26 11:10:58 2024 Summary: Recommended update for crypto-policies Type: recommended Severity: moderate References: 1233499 This update for crypto-policies ships the missing crypto-policies scripts to SUSE Linux Enterprise Micro, which allows configuration of the policies. 
(bsc#1233499) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:4078-1 Released: Wed Nov 27 13:53:14 2024 Summary: Security update for glib2 Type: security Severity: important References: 1233282,CVE-2024-52533 This update for glib2 fixes the following issues: - CVE-2024-52533: Fixed a single byte buffer overflow (bsc#1233282). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:4087-1 Released: Thu Nov 28 08:38:52 2024 Summary: Recommended update for google-guest-agent, google-guest-configs, google-osconfig-agent Type: recommended Severity: moderate References: 1231775,1231776 This update for google-guest-agent, google-guest-configs, google-osconfig-agent fixes the following issues: - Update to version 20241011.01 (bsc#1231775, bsc#1231776) - Set enable regardless of previous check failed or not - Avoid unnecessary reloads, check before overwriting configs - network/netplan: Do generate instead of apply - Skip SetupInterfaces if configs are already applied - Repeated logging could be mistaken for a recurring issue, log mds mtls endpoint error only once - Retry MDS PUT operation, reload netplan/networkctl only if configs are changed - Log interface state after setting up network - network: Debian 12 rollback only if default netplan is ok - Change mtls mds defaults, update log message to assure error is harmless - network: Restore Debian 12 netplan configuration - network: Remove primary NIC left over configs - Update VLAN interfaces format to match with MDS - Fix panics in agent when setting up VLAN with netplan - Add VLAN NIC support for NetworkManager - Fix debian12 netplan config issue, use ptr receiver - Introduce a configuration toggle for enabling/disabling cloud logging - Adapt and update config key to be consistent with MDS - Allow users to enable/disable the mds mtls via metadata key - Make primary nic management config consistent across all network managers - Avoid writing 
configuration files when they already exist on wicked - Fix where agent panics on nil event - Update NIC management strategy - Only release dhclient leases for an interface if the respective dhclient is still running - Disable OS Login without pruning off any extra suffix - Skip root cert rotation if installed once - Add ipv6 support to guest agent - Update google-startup-scripts.service to enable logging - Network subsystem remove os rules - oslogin: Don't remove sshca watcher when oslogin is disabled - Network manager netplan implementation - Log current available routes on error - Fix command monitor bugs - windows account: Ignore 'user already belongs to group' error - Add more error logging in snapshot handling requests, use common retry util - All non-200 status code from MDS should raise error - Change metadata key to enable-oslogin-certificates - Update dhclient pid/lease file directory to abide apparmor rules - Add require-oslogin-certificates logic to disable keys - systemd-networkd: Support Debian 12's version - NetworkManager: Only set secondary interfaces as up - address manager: Make sure we check for oldMetadata - network: Early setup network - NetworkManager: Fix ipv6 and ipv4 mode attribute - Network Manager: Make sure we clean up ifcfg files - metadata script runner: Fix script download - oslogin: Avoid adding extra empty line at the end of /etc/security/group.conf - Dynamic vlan - Check for nil response - Create NetworkManager implementation - Skip interface manager on Windows - network: Remove ignore setup - Create wicked network service implementation and its respective unit - Update metadata script runner, add tests - Refactor guest-agent to use common retry util - Flush logs before exiting - Implement retry util - Refactor utils package to not dump everything unrelated into one file - Set version on metadata script runner - Implement cleanup of deprecated configuration directives - Ignore DHCP offered routes only for secondary nics - 
Deprecate DHClient in favor of systemd-networkd - Generate windows and linux licenses - Remove quintonamore from OWNERS - Delete integration tests - Add configuration toggle to enable/disable use of OS native certificate stores - Avoid writing configuration files when they already exist on wicked and NetworkManager - Get rid of deprecated dependencies in snapshot service generate code - Configure primary nic if only set in cfg file ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:4116-1 Released: Fri Nov 29 17:06:06 2024 Summary: Security update for xen Type: security Severity: important References: 1232542,1232622,1232624,CVE-2024-45818,CVE-2024-45819 This update for xen fixes the following issues: - CVE-2024-45818: Fixed deadlock in x86 HVM standard VGA handling (XSA-463) (bsc#1232622). - CVE-2024-45819: Fixed libxl data leaks to PVH guests via ACPI tables (XSA-464) (bsc#1232624). Bug fixes: - Remove usage of net-tools-deprecated from supportconfig plugin (bsc#1232542). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:4131-1 Released: Mon Dec 2 10:59:56 2024 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1204171,1205796,1206188,1206344,1209290,1210449,1210627,1213034,1216223,1216813,1218562,1220382,1223384,1223524,1223824,1225189,1225336,1225611,1226666,1228743,1229345,1229452,1229454,1229456,1229556,1230429,1230442,1230454,1230600,1230620,1230715,1230903,1231016,1231073,1231191,1231193,1231195,1231197,1231200,1231203,1231293,1231375,1231502,1231673,1231861,1231883,1231885,1231887,1231888,1231890,1231892,1231893,1231895,1231896,1231897,1231929,1231936,1231937,1231938,1231939,1231940,1231941,1231942,1231958,1231960,1231961,1231962,1231972,1231976,1231979,1231987,1231988,1231991,1231992,1231995,1231996,1231997,1232001,1232005,1232006,1232007,1232025,1232026,1232033,1232035,1232036,1232037,1232038,1232039,1232067,1232069,1232070,1232071,1232097,1232108,1232119,1232120,1232123,1232133,1232136,1232145,1232150,1232163,1232165,1232170,1232172,1232174,1232224,1232229,1232237,1232260,1232262,1232281,1232282,1232286,1232304,1232383,1232395,1232418,1232424,1232432,1232436,1232519,
1233117,CVE-2021-47416,CVE-2021-47534,CVE-2022-3435,CVE-2022-45934,CVE-2022-48664,CVE-2022-48879,CVE-2022-48946,CVE-2022-48947,CVE-2022-48948,CVE-2022-48949,CVE-2022-48951,CVE-2022-48953,CVE-2022-48954,CVE-2022-48955,CVE-2022-48956,CVE-2022-48959,CVE-2022-48960,CVE-2022-48961,CVE-2022-48962,CVE-2022-48967,CVE-2022-48968,CVE-2022-48969,CVE-2022-48970,CVE-2022-48971,CVE-2022-48972,CVE-2022-48973,CVE-2022-48975,CVE-2022-48977,CVE-2022-48978,CVE-2022-48981,CVE-2022-48985,CVE-2022-48987,CVE-2022-48988,CVE-2022-48991,CVE-2022-48992,CVE-2022-48994,CVE-2022-48995,CVE-2022-48997,CVE-2022-48999,CVE-2022-49000,CVE-2022-49002,CVE-2022-49003,CVE-2022-49005,CVE-2022-49006,CVE-2022-49007,CVE-2022-49010,CVE-2022-49011,CVE-2022-49012,CVE-2022-49014,CVE-2022-49015,CVE-2022-49016,CVE-2022-49019,CVE-2022-49021,CVE-2022-49022,CVE-2022-49023,CVE-2022-49024,CVE-2022-49025,CVE-2022-49026,CVE-2022-49027,CVE-2022-49028,CVE-2022-49029,CVE-2022-49031,CVE-2022-49032,CVE-2023-2166,CVE-2023-28327,CVE-2023-52766,CVE-2023-52800,CVE-2023-52881,CVE-2023-52919,CVE-2023-6270,CVE-2024-27043,CVE-2024-42145,CVE-2024-43854,CVE-2024-44947,CVE-2024-45013,CVE-2024-45016,CVE-2024-45026,CVE-2024-46716,CVE-2024-46813,CVE-2024-46814,CVE-2024-46815,CVE-2024-46816,CVE-2024-46817,CVE-2024-46818,CVE-2024-46849,CVE-2024-47668,CVE-2024-47674,CVE-2024-47684,CVE-2024-47706,CVE-2024-47747,CVE-2024-47748,CVE-2024-49860,CVE-2024-49867,CVE-2024-49925,CVE-2024-49930,CVE-2024-49936,CVE-2024-49945,CVE-2024-49960,CVE-2024-49969,CVE-2024-49974,CVE-2024-49982,CVE-2024-49991,CVE-2024-49995,CVE-2024-50047,CVE-2024-50208 The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2024-43854: Initialize integrity buffer to zero before writing it to media (bsc#1229345) - CVE-2024-49925: fbdev: efifb: Register sysfs groups through driver core (bsc#1232224) - CVE-2024-49945: net/ncsi: Disable the ncsi work before freeing the associated structure (bsc#1232165).
- CVE-2024-50208: RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages (bsc#1233117). - CVE-2022-48879: efi: fix NULL-deref in init error path (bsc#1229556). - CVE-2022-48956: ipv6: avoid use-after-free in ip6_fragment() (bsc#1231893). - CVE-2022-48959: net: dsa: sja1105: fix memory leak in sja1105_setup_devlink_regions() (bsc#1231976). - CVE-2022-48960: net: hisilicon: Fix potential use-after-free in hix5hd2_rx() (bsc#1231979). - CVE-2022-48962: net: hisilicon: Fix potential use-after-free in hisi_femac_rx() (bsc#1232286). - CVE-2022-48991: mm/khugepaged: fix collapse_pte_mapped_thp() to allow anon_vma (bsc#1232070). - CVE-2022-49015: net: hsr: Fix potential use-after-free (bsc#1231938). - CVE-2024-45013: nvme: move stopping keep-alive into nvme_uninit_ctrl() (bsc#1230442). - CVE-2024-45016: netem: fix return value if duplicate enqueue fails (bsc#1230429). - CVE-2024-45026: s390/dasd: fix error recovery leading to data corruption on ESE devices (bsc#1230454). - CVE-2024-46716: dmaengine: altera-msgdma: properly free descriptor in msgdma_free_descriptor (bsc#1230715). - CVE-2024-46813: drm/amd/display: Check link_index before accessing dc->links (bsc#1231191). - CVE-2024-46814: drm/amd/display: Check msg_id before processing transcation (bsc#1231193). - CVE-2024-46815: drm/amd/display: Check num_valid_sets before accessing reader_wm_sets (bsc#1231195). - CVE-2024-46816: drm/amd/display: Stop amdgpu_dm initialize when link nums greater than max_links (bsc#1231197). - CVE-2024-46817: drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6 (bsc#1231200). - CVE-2024-46818: drm/amd/display: Check gpio_id before used as array index (bsc#1231203). - CVE-2024-46849: ASoC: meson: axg-card: fix 'use-after-free' (bsc#1231073). - CVE-2024-47668: lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc() (bsc#1231502). - CVE-2024-47674: mm: avoid leaving partial pfn mappings around in error case (bsc#1231673). 
- CVE-2024-47684: tcp: check skb is non-NULL in tcp_rto_delta_us() (bsc#1231987). - CVE-2024-47706: block, bfq: fix possible UAF for bfqq->bic with merge chain (bsc#1231942). - CVE-2024-47747: net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition (bsc#1232145). - CVE-2024-47748: vhost_vdpa: assign irq bypass producer token correctly (bsc#1232174). - CVE-2024-49860: ACPI: sysfs: validate return type of _STR method (bsc#1231861). - CVE-2024-49930: wifi: ath11k: fix array out-of-bound access in SoC stats (bsc#1232260). - CVE-2024-49936: net/xen-netback: prevent UAF in xenvif_flush_hash() (bsc#1232424). - CVE-2024-49960: ext4: fix timer use-after-free on failed mount (bsc#1232395). - CVE-2024-49969: drm/amd/display: Fix index out of bounds in DCN30 color transformation (bsc#1232519). - CVE-2024-49974: NFSD: Force all NFSv4.2 COPY requests to be synchronous (bsc#1232383). - CVE-2024-49991: drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer (bsc#1232282). - CVE-2024-49995: tipc: guard against string buffer overrun (bsc#1232432). - CVE-2024-50047: smb: client: fix UAF in async decryption (bsc#1232418). The following non-security bugs were fixed: - NFSv3: only use NFS timeout for MOUNT when protocols are compatible (bsc#1231016). - PKCS#7: Check codeSigning EKU of certificates in PKCS#7 (bsc#1226666). - RDMA/mana_ib: use the correct page size for mapping user-mode doorbell page (bsc#1232036). - bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation (bsc#1231375). - dn_route: set rt neigh to blackhole_netdev instead of loopback_dev in ifdown (bsc#1216813). - initramfs: avoid filename buffer overrun (bsc#1232436). - ipv6: blackhole_netdev needs snmp6 counters (bsc#1216813). - ipv6: give an IPv6 dev to blackhole_netdev (bsc#1216813). - net: mana: Fix the extra HZ in mana_hwc_send_request (bsc#1232033). - x86/kexec: Add EFI config table identity mapping for kexec kernel (bsc#1220382). 
- x86/mm/ident_map: Use gbpages only where full GB page should be mapped (bsc#1220382). - xfrm: set dst dev to blackhole_netdev instead of loopback_dev in ifdown (bsc#1216813). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:4138-1 Released: Mon Dec 2 13:29:57 2024 Summary: Security update for wget Type: security Severity: moderate References: 1233773,CVE-2024-10524 This update for wget fixes the following issues: - CVE-2024-10524: Fixed SSRF via shorthand HTTP URL (bsc#1233773) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:4168-1 Released: Wed Dec 4 11:51:48 2024 Summary: Recommended update for vim Type: recommended Severity: moderate References: 1230625,1231846 This update for vim fixes the following issues: - Update from vim-9.1.0330 to vim-9.1.0836 (bsc#1230625, bsc#1230625) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:4184-1 Released: Thu Dec 5 06:00:20 2024 Summary: Recommended update for suseconnect-ng Type: recommended Severity: moderate References: 1231185,1231328 This update for suseconnect-ng fixes the following issues: - Integrating uptime-tracker - Honor auto-import-gpg-keys flag on migration (bsc#1231328) - Only send labels if targeting SCC - Skip the docker auth generation on RMT (bsc#1231185) - Add --set-labels to register command to set labels at registration time on SCC - Add a new function to display suse-uptime-tracker version - Add a command to show the info being gathered ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:4193-1 Released: Thu Dec 5 12:01:40 2024 Summary: Security update for python3 Type: security Severity: low References: 1231795,1233307,CVE-2024-11168 This update for python3 fixes the following issues: - CVE-2024-11168: Fixed improper validation of IPv6 and IPvFuture addresses (bsc#1233307) Other fixes: - Remove -IVendor/ from python-config
  (bsc#1231795)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4201-1
Released: Thu Dec 5 14:49:22 2024
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: moderate
References: 1225451,1233393
This update for libsolv, libzypp, zypper fixes the following issues:

- Fix replaces_installed_package using the wrong solvable id when checking the noupdate map
- Make POOL_FLAG_ADDFILEPROVIDESFILTERED behaviour more standard
- Add rpm_query_idarray query function
- Support rpm's 'orderwithrequires' dependency
- BuildCache: Don't try to retrieve missing raw metadata if no permission to write the cache (bsc#1225451)
- RepoManager: Throw RepoNoPermissionException if the user has no permission to update(write) the caches (bsc#1225451)
- The 20MB download limit must not apply to non-metadata files like package URLs provided via the CLI (bsc#1233393)
- Don't try to download missing raw metadata if cache is not writable (bsc#1225451)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4302-1
Released: Thu Dec 12 09:51:03 2024
Summary: Security update for socat
Type: security
Severity: moderate
References: 1225462,CVE-2024-54661
This update for socat fixes the following issues:

- CVE-2024-54661: Fixed arbitrary file overwrite via predictable /tmp directory (bsc#1225462)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4338-1
Released: Tue Dec 17 08:18:46 2024
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1230272,1231610
This update for systemd fixes the following issues:

- core/unit: increase the NameOwnerChanged/GetNameOwner timeout to the unit's start timeout (bsc#1230272)
- core/unit: add get_timeout_start_usec in UnitVTable and define it for service
- sd-bus: make bus_add_match_full accept timeout
- udev-builtin-path_id: SAS wide ports must have num_phys > 1 (bsc#1231610)
- sd-device: add helper to read a unsigned int attribute

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4346-1
Released: Tue Dec 17 09:32:22 2024
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1218644,1220382,1221309,1222590,1229808,1230220,1231646,1232187,1232312,1232860,1232907,1232919,1232928,1233070,1233214,1233293,1233453,1233456,1233463,1233468,1233479,1233490,1233491,1233555,1233557,1233561,1233977,CVE-2023-52922,CVE-2024-26782,CVE-2024-44932,CVE-2024-44964,CVE-2024-47757,CVE-2024-50017,CVE-2024-50089,CVE-2024-50115,CVE-2024-50125,CVE-2024-50127,CVE-2024-50154,CVE-2024-50205,CVE-2024-50259,CVE-2024-50264,CVE-2024-50267,CVE-2024-50274,CVE-2024-50279,CVE-2024-50290,CVE-2024-50301,CVE-2024-50302,CVE-2024-53061,CVE-2024-53063,CVE-2024-53068
The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

- CVE-2024-26782: mptcp: fix double-free on socket dismantle (bsc#1222590).
- CVE-2024-44932: idpf: fix UAFs when destroying the queues (bsc#1229808).
- CVE-2024-44964: idpf: fix memory leaks and crashes while performing a soft reset (bsc#1230220).
- CVE-2024-47757: nilfs2: fix potential oob read in nilfs_btree_check_delete() (bsc#1232187).
- CVE-2024-50089: unicode: Do not special case ignorable code points (bsc#1232860).
- CVE-2024-50115: KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory (bsc#1232919).
- CVE-2024-50125: Bluetooth: SCO: Fix UAF on sco_sock_timeout (bsc#1232928).
- CVE-2024-50127: net: sched: fix use-after-free in taprio_change() (bsc#1232907).
- CVE-2024-50154: tcp: Fix use-after-free of nreq in reqsk_timer_handler() (bsc#1233070).
- CVE-2024-50205: ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size() (bsc#1233293).
- CVE-2024-50259: netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write() (bsc#1233214).
- CVE-2024-50264: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans (bsc#1233453).
- CVE-2024-50267: USB: serial: io_edgeport: fix use after free in debug printk (bsc#1233456).
- CVE-2024-50274: idpf: avoid vport access in idpf_get_link_ksettings (bsc#1233463).
- CVE-2024-50279: dm cache: fix out-of-bounds access to the dirty bitset when resizing (bsc#1233468).
- CVE-2024-50290: media: cx24116: prevent overflows on SNR calculus (bsc#1233479).
- CVE-2024-50301: security/keys: fix slab-out-of-bounds in key_task_permission (bsc#1233490).
- CVE-2024-50302: HID: core: zero-initialize the report buffer (bsc#1233491).
- CVE-2024-53061: media: s5p-jpeg: prevent buffer overflows (bsc#1233555).
- CVE-2024-53063: media: dvbdev: prevent the risk of out of memory access (bsc#1233557).
- CVE-2024-53068: firmware: arm_scmi: Fix slab-use-after-free in scmi_bus_notifier() (bsc#1233561).

The following non-security bugs were fixed:

- Update config files (bsc#1218644).
- Update config files. Enabled IDPF for ARM64 (bsc#1221309)
- kernel-binary: Enable livepatch package only when livepatch is enabled
  Otherwise the filelist may be empty failing the build (bsc#1218644).
- mm/memory: add non-anonymous page check in the copy_present_page() (bsc#1231646).
- rpm/scripts: Remove obsolete Symbols.list
  Symbols.list is no longer needed by the new klp-convert implementation.
  (bsc#1218644)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4359-1
Released: Tue Dec 17 14:19:32 2024
Summary: Security update for curl
Type: security
Severity: moderate
References: 1234068,CVE-2024-11053
This update for curl fixes the following issues:

- CVE-2024-11053: Fixed password leak in curl used for the first host to the followed-to host under certain circumstances (bsc#1234068)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4360-1
Released: Tue Dec 17 15:35:28 2024
Summary: Security update for docker
Type: security
Severity: important
References: 1217070,1228324,1228553,1229806,1230294,1230331,1230333,1231348,1232999,1233819,CVE-2023-45142,CVE-2023-47108,CVE-2024-41110
This update for docker fixes the following issues:

- Update docker-buildx to v0.19.2. See upstream changelog online at .
  Some notable changelogs from the last update: * *
- Add a new toggle file /etc/docker/suse-secrets-enable which allows users to disable the SUSEConnect integration with Docker (which creates special mounts in /run/secrets to allow container-suseconnect to authenticate containers with registries on registered hosts). bsc#1231348 bsc#1232999
  In order to disable these mounts, just do

    echo 0 > /etc/docker/suse-secrets-enable

  and restart Docker. In order to re-enable them, just do

    echo 1 > /etc/docker/suse-secrets-enable

  and restart Docker. Docker will output information on startup to tell you whether the SUSE secrets feature is enabled or not.
- Disable docker-buildx builds for SLES. It turns out that build containers with docker-buildx don't currently get the SUSE secrets mounts applied, meaning that container-suseconnect doesn't work when building images. bsc#1233819
- Remove DOCKER_NETWORK_OPTS from docker.service. This was removed from sysconfig a long time ago, and apparently this causes issues with systemd in some cases.
- Allow a parallel docker-stable RPM to exist in repositories.
- Update to docker-buildx v0.17.1 to match standalone docker-buildx package we are replacing. See upstream changelog online at
- Allow users to disable SUSE secrets support by setting DOCKER_SUSE_SECRETS_ENABLE=0 in /etc/sysconfig/docker. (bsc#1231348)
- Mark docker-buildx as required since classic 'docker build' has been deprecated since Docker 23.0. (bsc#1230331)
- Import docker-buildx v0.16.2 as a subpackage. Previously this was a separate package, but with docker-stable it will be necessary to maintain the packages together and it makes more sense to have them live in the same OBS package. (bsc#1230333)
- Update to Docker 26.1.5-ce. See upstream changelog online at bsc#1230294
- This update includes fixes for:
  * CVE-2024-41110. bsc#1228324
  * CVE-2023-47108. bsc#1217070 bsc#1229806
  * CVE-2023-45142. bsc#1228553 bsc#1229806
- Update to Docker 26.1.4-ce. See upstream changelog online at
- Update to Docker 26.1.0-ce. See upstream changelog online at
- Update --add-runtime to point to correct binary path.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4363-1
Released: Tue Dec 17 16:12:41 2024
Summary: Recommended update for hwdata
Type: recommended
Severity: moderate
References:
This update for hwdata fixes the following issue:

- Version update v0.390
  * Update pci and vendor ids

-----------------------------------------------------------------
Advisory ID: SUSE-feature-2024:4377-1
Released: Thu Dec 19 07:10:53 2024
Summary: Feature update for amazon-dracut-config, google-dracut-config, microsoft-dracut-config
Type: feature
Severity: low
References: 1232024
This update for amazon-dracut-config, google-dracut-config, microsoft-dracut-config fixes the following issues:

- Add amazon-dracut-config, google-dracut-config, microsoft-dracut-config to Public Cloud 15-SP[3-6] channels (bsc#1232024)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4378-1
Released: Thu Dec 19 08:23:55 2024
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1203617
This update for aaa_base fixes the following issues:

- Added Midnight Commander helpers for tcsh and bash resources (bsc#1203617)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4386-1
Released: Thu Dec 19 15:04:16 2024
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1226586,1233420,CVE-2024-52616
This update for avahi fixes the following issues:

- CVE-2024-52616: Fixed Avahi Wide-Area DNS Predictable Transaction IDs (bsc#1233420)

Other fixes:

- no longer supply bogus services to callbacks (bsc#1226586).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4404-1
Released: Fri Dec 20 16:43:28 2024
Summary: Recommended update for libzypp
Type: recommended
Severity: moderate
References: 1234749
This update for libzypp fixes the following issues:

- Url: queryparams without value should not have a trailing '='

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4410-1
Released: Mon Dec 23 12:19:40 2024
Summary: Recommended update for amazon-dracut-config, google-dracut-config, microsoft-dracut-config
Type: recommended
Severity: moderate
References: 1234708
This update for amazon-dracut-config, google-dracut-config, microsoft-dracut-config fixes the following issues:

- Fix support level to L3 (bsc#1234708)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4426-1
Released: Fri Dec 27 08:46:10 2024
Summary: Recommended update for google-guest-configs
Type: recommended
Severity: moderate
References: 1231775,1231776,1233625,1233626
This update for google-guest-configs fixes the following issues:

- Update to version 20241121.00 (bsc#1233625, bsc#1233626)
- Temporarily revert google_set_multiqueue changes for release
- Remove IDPF devices from renaming rules
- gce-nic-naming: Exit 1 so that udev ignores the rule on error
- Remove Apt IPv4 only config for Debian and Ubuntu
- Add GCE intent based NIC naming tools
- google_set_multiqueue: skip set_irq if NIC is not a gvnic device
- Update to version 20241021.00 (bsc#1231775, bsc#1231776)
- Add GCE-specific config for systemd-resolved
- Update google_set_multiqueue to enable on A3Ultra family
- Update OWNERS
- Depend on jq in enterprise linux
- Always use IP from primary NIC in the networkd-dispatcher routable hook
- Call google_set_hostname on openSUSE and when the agent is configured to manage hostname and FQDN, let it
- Include systemd-networkd hook in Ubuntu packaging
- Fix the name for A3 Edge VMs
- Update is_a3_platform to include A3-edge shape
- Add systemd-networkd hostname hook
- Add hostname hook for NetworkManager without dhclient compat script

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:73-1
Released: Mon Jan 13 07:10:00 2025
Summary: Recommended update for amazon-dracut-config, google-dracut-config, microsoft-dracut-config
Type: recommended
Severity: moderate
References: 1232024
This update for amazon-dracut-config, google-dracut-config, microsoft-dracut-config fixes the following issues:

- Add amazon-dracut-config, google-dracut-config, microsoft-dracut-config to MicroOS 5.1, 5.2 and Micro 5.3, 5.4, 5.5 channels (bsc#1232024)
- Move dracut config files to usr/lib/ dir
- Add provides and conflicts on generic name dracut-instance-change-config
- Rename config for nvme for consistency

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:76-1
Released: Mon Jan 13 10:42:05 2025
Summary: Recommended update for containerd
Type: recommended
Severity: moderate
References:
This update for containerd fixes the following issues:

containerd was updated from version 1.7.21 to 1.7.23:

- Changes in version 1.7.23:
  * Highlights:
    + Added error definition aliases
    + Allow proxy plugins to have capabilities
    + Revert a previous errdefs package migration
  * Container Runtime Interface (CRI):
    + Added check for CNI plugins before tearing down pod network
  * Image Distribution:
    + Fixed the race condition during GC of snapshots when client retries
  * Full Upstream release notes: https://github.com/containerd/containerd/releases/tag/v1.7.23
- Changes in version 1.7.22:
  * Highlights:
    + Build and Release Toolchain
    + Updated Go (go1.22.7 and go1.23.1)
  * Container Runtime Interface (CRI):
    + Added a fix for decreasing cumulative stats
  * Runtime:
    + Fixed bug where init exits were being dropped
    + Update runc binary to 1.1.14
  * Full Upstream release notes:
    https://github.com/containerd/containerd/releases/tag/v1.7.22

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:148-1
Released: Thu Jan 16 17:00:45 2025
Summary: Recommended update for cryptsetup
Type: recommended
Severity: moderate
References: 1234273
This update for cryptsetup fixes the following issue:

- luksFormat succeeds despite creating corrupt device (bsc#1234273).
  * Add a better warning if luksFormat ends with image without any space for data.
  * Print warning early if LUKS container is too small for activation.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:203-1
Released: Tue Jan 21 14:58:16 2025
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1170891,1173139,1185010,1190358,1190428,1209798,1215304,1222878,1228466,1230697,1232436,1233070,1233642,1234281,1234282,1234846,1234853,1234891,1234921,1234960,1234963,1235004,1235035,1235054,1235056,1235061,1235073,1235220,1235224,1235246,1235507,CVE-2021-47202,CVE-2022-49035,CVE-2024-41087,CVE-2024-50154,CVE-2024-53095,CVE-2024-53142,CVE-2024-53146,CVE-2024-53156,CVE-2024-53173,CVE-2024-53179,CVE-2024-53206,CVE-2024-53214,CVE-2024-53239,CVE-2024-53240,CVE-2024-53241,CVE-2024-56539,CVE-2024-56548,CVE-2024-56570,CVE-2024-56598,CVE-2024-56604,CVE-2024-56605,CVE-2024-56619,CVE-2024-8805
The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

- CVE-2024-41087: Fix double free on error (bsc#1228466).
- CVE-2024-53095: smb: client: Fix use-after-free of network namespace (bsc#1233642).
- CVE-2024-53146: NFSD: Prevent a potential integer overflow (bsc#1234853).
- CVE-2024-53156: wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service() (bsc#1234846).
- CVE-2024-53173: NFSv4.0: Fix a use-after-free problem in the asynchronous open() (bsc#1234891).
- CVE-2024-53179: smb: client: fix use-after-free of signing key (bsc#1234921).
- CVE-2024-53214: vfio/pci: Properly hide first-in-list PCIe extended capability (bsc#1235004).
- CVE-2024-53239: ALSA: 6fire: Release resources at card release (bsc#1235054).
- CVE-2024-53240: xen/netfront: fix crash when removing device (bsc#1234281).
- CVE-2024-53241: x86/xen: use new hypercall functions instead of hypercall page (XSA-466 bsc#1234282).
- CVE-2024-56539: wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan() (bsc#1234963).
- CVE-2024-56548: hfsplus: do not query the device logical block size multiple times (bsc#1235073).
- CVE-2024-56570: ovl: Filter invalid inodes with missing lookup function (bsc#1235035).
- CVE-2024-56598: jfs: array-index-out-of-bounds fix in dtReadFirst (bsc#1235220).
- CVE-2024-56604: Bluetooth: RFCOMM: avoid leaving dangling sk pointer in rfcomm_sock_alloc() (bsc#1235056).
- CVE-2024-56605: Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create() (bsc#1235061).
- CVE-2024-56619: nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry() (bsc#1235224).
- CVE-2024-8805: Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE (bsc#1230697).

The following non-security bugs were fixed:

- Drop a couple of block layer git-fixes (bsc#1170891 bsc#1173139)
- KVM: x86: fix sending PV IPI (git-fixes).
- fixup 'rpm: support gz and zst compression methods' once more (bsc#1190428, bsc#1190358)
- idpf: add support for SW triggered interrupts (bsc#1235507).
- idpf: enable WB_ON_ITR (bsc#1235507).
- idpf: trigger SW interrupt when exiting wb_on_itr mode (bsc#1235507).
- kernel-binary: do not BuildIgnore m4. It is actually needed for regenerating zconf when it is not up-to-date due to merge.
- net: mana: Increase the DEF_RX_BUFFERS_PER_QUEUE to 1024 (bsc#1235246).
- rpm/kernel-binary.spec.in: Fix build regression
  The previous fix forgot to take over grep -c option that broke the conditional expression
- scsi: storvsc: Do not flag MAINTENANCE_IN return of SRB_STATUS_DATA_OVERRUN as an error (git-fixes).
- smb: client: fix TCP timers deadlock after rmmod (git-fixes) [hcarvalho: this fixes issue discussed in bsc#1233642].
- supported.conf: add bsc1185010 dependency
- supported.conf: hyperv_drm (jsc#sle-19733)
- usb: roles: Call try_module_get() from usb_role_switch_find_by_fwnode() (git-fixes).
- usb: typec: tps6598x: Fix return value check in tps6598x_probe() (git-fixes).
- x86/bug: Merge annotate_reachable() into _BUG_FLAGS() asm (git-fixes).
- x86/fpu/xsave: Handle compacted offsets correctly with supervisor states (git-fixes).
- x86/fpu/xstate: Fix the ARCH_REQ_XCOMP_PERM implementation (git-fixes).
- x86/fpu: Remove unused supervisor only offsets (git-fixes).
- x86/kvm: Do not use pv tlb/ipi/sched_yield if on 1 vCPU (git-fixes).
- x86/mce/inject: Avoid out-of-bounds write when setting flags (git-fixes).
- x86/mce: Allow instrumentation during task work queueing (git-fixes).
- x86/mce: Mark mce_end() noinstr (git-fixes).
- x86/mce: Mark mce_panic() noinstr (git-fixes).
- x86/mce: Mark mce_read_aux() noinstr (git-fixes).
- x86/mm: Flush global TLB when switching to trampoline page-table (git-fixes).
- x86/sgx: Free backing memory after faulting the enclave page (git-fixes).
- x86/sgx: Silence softlockup detection when releasing large enclaves (git-fixes).
- x86/uaccess: Move variable into switch case statement (git-fixes).
- x86: Annotate call_on_stack() (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2025:218-1
Released: Wed Jan 22 04:33:35 2025
Summary: Optional update for augeas
Type: optional
Severity: moderate
References:
This update ships the augeas commandline tool and the augeas-lenses to SUSE Linux Enterprise Micro 5.5.

-----------------------------------------------------------------
Advisory ID: SUSE-feature-2025:223-1
Released: Wed Jan 22 12:30:52 2025
Summary: Feature update for zypper, libzypp
Type: feature
Severity: low
References:
This update for zypper, libzypp fixes the following issues:

- info: Allow to query a specific version (jsc#PED-11268)
  To query for a specific version simply append '-' or '--' to the '' pattern. Note that the edition part must always match exactly.
- version 1.14.79

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:276-1
Released: Tue Jan 28 21:38:15 2025
Summary: Recommended update for google-guest-configs
Type: recommended
Severity: moderate
References: 1234254,1234255,1234289,1234293
This update for google-guest-configs fixes the following issues:

- Update to version 20241205.00 (bsc#1234254, bsc#1234255)
- Avoid duplicate entries for the metadata server in /etc/hosts (bsc#1234289, bsc#1234293)
- Include components to set hostname and /etc/hosts entries (bsc#1234289, bsc#1234293)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:302-1
Released: Thu Jan 30 15:50:21 2025
Summary: Security update for google-osconfig-agent
Type: security
Severity: moderate
References: 1225974,1236406,1236407,CVE-2024-24790
This update for google-osconfig-agent fixes the following issues:

- Update to version 20250115.01 (bsc#1236406, bsc#1236407)
- CVE-2024-24790: Bump the golang compiler version to 1.22.4 (bsc#1225974)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:341-1
Released: Mon Feb 3 17:33:00 2025
Summary: Security update for libxml2
Type: security
Severity: important
References: 1236460,CVE-2022-49043
This update for libxml2 fixes the following issues:

- CVE-2022-49043: Fixed a use-after-free in xmlXIncludeAddNode.
  (bsc#1236460)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:343-1
Released: Mon Feb 3 18:03:52 2025
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1236619,CVE-2025-24528
This update for krb5 fixes the following issues:

- CVE-2025-24528: Fixed out-of-bounds write caused by overflow when calculating ulog block size can lead to process crash (bsc#1236619).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:349-1
Released: Tue Feb 4 09:34:30 2025
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1236136,CVE-2024-13176
This update for openssl-1_1 fixes the following issues:

- CVE-2024-13176: Fixed timing side-channel in the ECDSA signature computation (bsc#1236136)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:361-1
Released: Wed Feb 5 11:00:36 2025
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1216091,1229106,1232458,1234752,1235636
This update for libzypp, zypper fixes the following issues:

- Create '.keep_packages' in the package cache dir to enforce keeping downloaded packages of all repos cached there (bsc#1232458)
- Fix missing UID checks in repomanager workflow
- Move cmake config files to LIB_INSTALL_DIR/cmake/Zypp
- Fix 'zypper ps' when running in incus container (bsc#1229106)
  Should apply to lxc and lxd containers as well
- Re-enable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091)
- lr: Show the repositories keep-packages flag (bsc#1232458)
  It is shown in the details view or by using -k,--keep-packages. In addition libzypp supports to enforce keeping downloaded packages of all repos within a package cache by creating a '.keep_packages' file there
- Try to refresh update repos first to have updated GPG keys on the fly (bsc#1234752)
  An update repo may contain a prolonged GPG key for the GA repo.
  Refreshing the update repo first updates a trusted key on the fly and avoids a 'key has expired' warning being issued when refreshing the GA repo
- Refresh: restore legacy behavior and suppress Exception reporting as non-root (bsc#1235636)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:366-1
Released: Wed Feb 5 11:57:42 2025
Summary: Security update for wget
Type: security
Severity: moderate
References: 1185551,1230795,CVE-2021-31879
This update for wget fixes the following issues:

- CVE-2021-31879: Authorization header disclosed upon redirects to different origins. (bsc#1185551)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:370-1
Released: Wed Feb 5 16:33:28 2025
Summary: Security update for curl
Type: security
Severity: moderate
References: 1236588,1236590,CVE-2025-0167,CVE-2025-0725
This update for curl fixes the following issues:

- CVE-2025-0725: Fixed gzip integer overflow (bsc#1236590)
- CVE-2025-0167: Fixed netrc and default credential leak (bsc#1236588)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:384-1
Released: Fri Feb 7 14:00:26 2025
Summary: Security update for bind
Type: security
Severity: important
References: 1236596,CVE-2024-11187
This update for bind fixes the following issues:

- CVE-2024-11187: Fixes CPU exhaustion caused by many records in the additional section (bsc#1236596)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:507-1
Released: Thu Feb 13 12:08:43 2025
Summary: Recommended update for open-iscsi
Type: recommended
Severity: moderate
References: 1206132,1207157,1235606
This update for open-iscsi fixes the following issues:

- Fix device discovery failure on systems with a large number of devices (bsc#1235606).
- Fix issue with yast restarting iscsid service without restarting the iscsid socket, this upsets systemd and it is already fixed in upstream (bsc#1206132).
- Branched SLE-15-SP3 from Factory. No longer in sync with Tumbleweed.
- Backported upstream commit, which sets 'safe_logout' and 'startup' in iscsid.conf (bsc#1207157).
- Updated year in SPEC file

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:508-1
Released: Thu Feb 13 12:29:31 2025
Summary: Recommended update for findutils
Type: recommended
Severity: moderate
References: 1231472
This update for findutils fixes the following issue:

- fix crash when file system loop was encountered (bsc#1231472).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:548-1
Released: Fri Feb 14 11:19:24 2025
Summary: Security update for libtasn1
Type: security
Severity: important
References: 1236878,CVE-2024-12133
This update for libtasn1 fixes the following issues:

- CVE-2024-12133: the processing of input DER data containing a large number of SEQUENCE OF or SET OF elements takes quadratic time to complete. (bsc#1236878)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:554-1
Released: Fri Feb 14 16:10:40 2025
Summary: Security update for python3
Type: security
Severity: moderate
References: 1236705,CVE-2025-0938
This update for python3 fixes the following issues:

- CVE-2025-0938: domain names containing square brackets are not identified as incorrect by urlparse.
  (bsc#1236705)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:562-1
Released: Mon Feb 17 12:43:41 2025
Summary: Security update for glibc
Type: security
Severity: low
References: 1236282,CVE-2025-0395
This update for glibc fixes the following issues:

- CVE-2025-0395: Fix underallocation of abort_msg_s struct (bsc#1236282)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:576-1
Released: Tue Feb 18 13:49:58 2025
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1230697,1231847,1233112,1233642,1234025,1234690,1234884,1234896,1234931,1235134,1235217,1235230,1235249,1235430,1235433,1235441,1235451,1235466,1235480,1235521,1235584,1235645,1235723,1235759,1235764,1235814,1235818,1235920,1235969,1236628,CVE-2024-50199,CVE-2024-53095,CVE-2024-53104,CVE-2024-53144,CVE-2024-53166,CVE-2024-53177,CVE-2024-54680,CVE-2024-56600,CVE-2024-56601,CVE-2024-56602,CVE-2024-56623,CVE-2024-56631,CVE-2024-56642,CVE-2024-56645,CVE-2024-56648,CVE-2024-56650,CVE-2024-56658,CVE-2024-56661,CVE-2024-56664,CVE-2024-56704,CVE-2024-56759,CVE-2024-57791,CVE-2024-57792,CVE-2024-57798,CVE-2024-57849,CVE-2024-57893,CVE-2024-57897,CVE-2024-8805
The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

- CVE-2024-50199: mm/swapfile: skip HugeTLB pages for unuse_vma (bsc#1233112).
- CVE-2024-53104: media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format (bsc#1234025).
- CVE-2024-53166: block, bfq: fix bfqq uaf in bfq_limit_depth() (bsc#1234884).
- CVE-2024-53177: smb: prevent use-after-free due to open_cached_dir error paths (bsc#1234896).
- CVE-2024-56600: net: inet6: do not leave a dangling sk pointer in inet6_create() (bsc#1235217).
- CVE-2024-56601: net: inet: do not leave a dangling sk pointer in inet_create() (bsc#1235230).
- CVE-2024-56602: net: ieee802154: do not leave a dangling sk pointer in ieee802154_create() (bsc#1235521).
- CVE-2024-56623: scsi: qla2xxx: Fix use after free on unload (bsc#1235466).
- CVE-2024-56631: scsi: sg: Fix slab-use-after-free read in sg_release() (bsc#1235480).
- CVE-2024-56642: tipc: Fix use-after-free of kernel socket in cleanup_bearer() (bsc#1235433).
- CVE-2024-56645: can: j1939: j1939_session_new(): fix skb reference counting (bsc#1235134).
- CVE-2024-56648: net: hsr: avoid potential out-of-bound access in fill_frame_info() (bsc#1235451).
- CVE-2024-56650: netfilter: x_tables: fix LED ID check in led_tg_check() (bsc#1235430).
- CVE-2024-56658: net: defer final 'struct net' free in netns dismantle (bsc#1235441).
- CVE-2024-56664: bpf, sockmap: Fix race between element replace and close() (bsc#1235249).
- CVE-2024-56704: 9p/xen: fix release of IRQ (bsc#1235584).
- CVE-2024-56759: btrfs: fix use-after-free when COWing tree bock and tracing is enabled (bsc#1235645).
- CVE-2024-57791: net/smc: check return value of sock_recvmsg when draining clc data (bsc#1235759).
- CVE-2024-57792: power: supply: gpio-charger: Fix set charge current limits (bsc#1235764).
- CVE-2024-57798: drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req() (bsc#1235818).
- CVE-2024-57849: s390/cpum_sf: Handle CPU hotplug remove during sampling (bsc#1235814).
- CVE-2024-57893: ALSA: seq: oss: Fix races at processing SysEx messages (bsc#1235920).
- CVE-2024-57897: drm/amdkfd: Correct the migration DMA map direction (bsc#1235969).

The following non-security bugs were fixed:

- NFS: Adjust the amount of readahead performed by NFS readdir (bsc#1231847).
- NFS: Do not flush the readdir cache in nfs_dentry_iput() (bsc#1231847).
- NFS: Improve heuristic for readdirplus (bsc#1231847).
- NFS: Trigger the 'ls -l' readdir heuristic sooner (bsc#1231847).
- tipc: fix NULL deref in cleanup_bearer() (bsc#1235433).
- x86/static-call: Remove early_boot_irqs_disabled check to fix Xen PVH dom0 (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:588-1
Released: Wed Feb 19 08:30:14 2025
Summary: Security update for grub2
Type: security
Severity: important
References: 1233606,1233608,1233609,1233610,1233612,1233613,1233614,1233615,1233616,1233617,1234958,1236316,1236317,1237002,1237006,1237008,1237009,1237010,1237011,1237012,1237013,1237014,CVE-2024-45774,CVE-2024-45775,CVE-2024-45776,CVE-2024-45777,CVE-2024-45778,CVE-2024-45779,CVE-2024-45780,CVE-2024-45781,CVE-2024-45782,CVE-2024-45783,CVE-2024-56737,CVE-2025-0622,CVE-2025-0624,CVE-2025-0677,CVE-2025-0678,CVE-2025-0684,CVE-2025-0685,CVE-2025-0686,CVE-2025-0689,CVE-2025-0690,CVE-2025-1118,CVE-2025-1125
This update for grub2 fixes the following issues:

- CVE-2024-45781: Fixed strcpy overflow in ufs. (bsc#1233617)
- CVE-2024-56737: Fixed a heap-based buffer overflow in hfs. (bsc#1234958)
- CVE-2024-45782: Fixed strcpy overflow in hfs. (bsc#1233615)
- CVE-2024-45780: Fixed an overflow in tar/cpio. (bsc#1233614)
- CVE-2024-45783: Fixed a refcount overflow in hfsplus. (bsc#1233616)
- CVE-2024-45774: Fixed a heap overflow in JPEG parser. (bsc#1233609)
- CVE-2024-45775: Fixed a missing NULL check in extcmd parser. (bsc#1233610)
- CVE-2024-45776: Fixed an overflow in .MO file handling. (bsc#1233612)
- CVE-2024-45777: Fixed an integer overflow in gettext. (bsc#1233613)
- CVE-2024-45778: Fixed bfs filesystem by removing it from lockdown capable modules. (bsc#1233606)
- CVE-2024-45779: Fixed a heap overflow in bfs. (bsc#1233608)
- CVE-2025-0624: Fixed an out-of-bounds write during the network boot process. (bsc#1236316)
- CVE-2025-0622: Fixed a use-after-free when handling hooks during module unload in command/gpg. (bsc#1236317)
- CVE-2025-0690: Fixed an integer overflow that may lead to an out-of-bounds write through the read command.
  (bsc#1237012)
- CVE-2025-1118: Fixed an issue where the dump command was not being blocked when grub was in lockdown mode. (bsc#1237013)
- CVE-2025-0677: Fixed an integer overflow that may lead to an out-of-bounds write when handling symlinks in ufs. (bsc#1237002)
- CVE-2025-0684: Fixed an integer overflow that may lead to an out-of-bounds write when handling symlinks in reiserfs. (bsc#1237008)
- CVE-2025-0685: Fixed an integer overflow that may lead to an out-of-bounds write when handling symlinks in jfs. (bsc#1237009)
- CVE-2025-0686: Fixed an integer overflow that may lead to an out-of-bounds write when handling symlinks in romfs. (bsc#1237010)
- CVE-2025-0689: Fixed a heap-based buffer overflow in udf that may lead to arbitrary code execution. (bsc#1237011)
- CVE-2025-1125: Fixed an integer overflow that may lead to an out-of-bounds write in hfs. (bsc#1237014)
- CVE-2025-0678: Fixed an integer overflow that may lead to an out-of-bounds write in squash4. (bsc#1237006)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:605-1
Released: Thu Feb 20 15:42:48 2025
Summary: Security update for openssh
Type: security
Severity: moderate
References: 1237040,CVE-2025-26465
This update for openssh fixes the following issues:

- CVE-2025-26465: Fixed MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client (bsc#1237040).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:611-1
Released: Fri Feb 21 11:36:56 2025
Summary: Security update for google-osconfig-agent
Type: security
Severity: important
References: 1236560,CVE-2024-45339
This update for google-osconfig-agent fixes the following issues:

- CVE-2024-45339: github.com/golang/glog: a privileged process' log file path can be easily predicted and used to overwrite other sensitive files in a system.
(bsc#1236560) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:678-1 Released: Mon Feb 24 11:59:54 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: important References: 1228434,1236384,1236820,1236939,1236983 This update for libzypp, zypper fixes the following issues: - Don't issue deprecated warnings if -DNDEBUG is set (bsc#1236983) - Drop zypp-CheckAccessDeleted in favor of 'zypper ps' - Fix Repoverification plugin not being executed - Refresh: Fetch the master index file before key and signature (bsc#1236820) - Deprecate RepoReports we do not trigger - Let zypper dup fail in case of (temporarily) unaccessible repos (bsc#1228434, bsc#1236939) - New system-architecture command (bsc#1236384) - Change versioncmp command to return exit code according to the comparison result ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:721-1 Released: Wed Feb 26 10:06:07 2025 Summary: Recommended update for open-iscsi Type: recommended Severity: moderate References: This update for open-iscsi fixes the following issues: - Moved this patch upstream, so now it's part of the diff file and is no longer needed here ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:724-1 Released: Wed Feb 26 14:30:20 2025 Summary: Security update for vim Type: security Severity: moderate References: 1229685,1229822,1230078,1235695,1236151,1237137,CVE-2024-43790,CVE-2024-43802,CVE-2024-45306,CVE-2025-1215,CVE-2025-22134,CVE-2025-24014 This update for vim fixes the following issues: Update to version 9.1.1101: - CVE-2024-43790: possible out-of-bounds read when performing a search command (bsc#1229685). - CVE-2024-43802: heap buffer overflow due to incorrect flushing of the typeahead buffer (bsc#1229822). - CVE-2024-45306: heap buffer overflow when cursor position is invalid (bsc#1230078). 
- CVE-2025-22134: heap buffer overflow when switching to other buffers using the :all command with active visual mode (bsc#1235695). - CVE-2025-24014: NULL pointer dereference may lead to segmentation fault when in silent Ex mode (bsc#1236151). - CVE-2025-1215: memory corruption when manipulating the --log argument (bsc#1237137). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:741-1 Released: Fri Feb 28 11:15:50 2025 Summary: Security update for procps Type: security Severity: important References: 1214290,1236842,CVE-2023-4016 This update for procps fixes the following issues: - Integer overflow due to incomplete fix for CVE-2023-4016 can lead to segmentation fault in ps command when pid argument has a leading space (bsc#1236842, bsc#1214290). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:748-1 Released: Fri Feb 28 17:14:02 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1237363,1237370,1237418,CVE-2024-56171,CVE-2025-24928,CVE-2025-27113 This update for libxml2 fixes the following issues: - CVE-2024-56171: use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c (bsc#1237363). - CVE-2025-24928: stack-based buffer overflow in xmlSnprintfElements in valid.c (bsc#1237370). - CVE-2025-27113: NULL pointer dereference in xmlPatMatch in pattern.c (bsc#1237418). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:759-1 Released: Mon Mar 3 04:44:21 2025 Summary: Recommended update for google-guest-agent Type: recommended Severity: moderate References: 1231775,1231776,1235664,1236403 This update for google-guest-agent fixes the following issues: google-guest-agent was updated from version 20241011.01 to 20250116.00: - Version 20250116.00 (bsc#1236403): * Implemented support for vlan dynamic removal * Update logging library - Version 20241209.01 (bsc#1235664): * Avoid changing permissions of directory if parent is `/` * Fixed fallback from systemd-networkd to dhclient * network: fixed nmcli check pattern * network: force NetworkManager to connect to primary nic * Updated metadata script runner to honor cloud logging config flag * Updated README.md with note regarding the introduction of Agent Plugin Manager - Version 20241018.01 (bsc#1231775, bsc#1231776): * Implemented support for Agent Plugin Manager to manage plugins via a systemd service file. * documentation: Updated metadata script runner details ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:765-1 Released: Mon Mar 3 09:44:13 2025 Summary: Security update for gnutls Type: security Severity: moderate References: 1236974,CVE-2024-12243 This update for gnutls fixes the following issues: - CVE-2024-12243: quadratic complexity of DER input decoding in libtasn1 can lead to a DoS (bsc#1236974). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:776-1 Released: Tue Mar 4 15:55:35 2025 Summary: Security update for docker Type: security Severity: moderate References: 1234089,1237335,CVE-2024-29018 This update for docker fixes the following issues: Update to Docker 27.5.1-ce (bsc#1237335): - CVE-2024-29018: External DNS requests from 'internal' networks could lead to data exfiltration (bsc#1234089). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:830-1 Released: Tue Mar 11 09:55:10 2025 Summary: Recommended update for timezone Type: recommended Severity: moderate References: This update for timezone fixes the following issues: - Update to 2025a: * Paraguay adopts permanent -03 starting spring 2024 * Improve pre-1991 data for the Philippines * Etc/Unknown is now reserved * Improve historical data for Mexico, Mongolia, and Portugal * System V names are now obsolescent * The main data form now uses %z * The code now conforms to RFC 8536 for early timestamps * Support POSIX.1-2024, which removes asctime_r and ctime_r * Assume POSIX.2-1992 or later for shell scripts * SUPPORT_C89 now defaults to 1 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:835-1 Released: Tue Mar 11 11:57:43 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1208995,1220946,1224700,1225742,1232905,1232919,1234154,1234853,1234891,1234963,1235054,1235061,1235073,1236661,1236675,1236677,1236757,1236758,1236760,1236761,1237025,1237028,1237139,1237316,1237693,1238033,CVE-2022-49080,CVE-2023-1192,CVE-2023-52572,CVE-2024-35949,CVE-2024-50115,CVE-2024-50128,CVE-2024-53135,CVE-2024-53173,CVE-2024-53239,CVE-2024-56539,CVE-2024-56548,CVE-2024-56605,CVE-2024-57948,CVE-2025-21690,CVE-2025-21692,CVE-2025-21699 The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2022-49080: mm/mempolicy: fix mpol_new leak in shared_policy_replace (bsc#1238033). - CVE-2024-35949: btrfs: make sure that WRITTEN is set on all metadata blocks (bsc#1224700). - CVE-2024-50128: net: wwan: fix global oob in wwan_rtnl_policy (bsc#1232905). - CVE-2024-53135: KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN (bsc#1234154). 
- CVE-2024-57948: mac802154: check local interfaces before deleting sdata list (bsc#1236677). - CVE-2025-21690: scsi: storvsc: Ratelimit warning logs to prevent VM denial of service (bsc#1237025). - CVE-2025-21692: net: sched: fix ets qdisc OOB Indexing (bsc#1237028). - CVE-2025-21699: gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag (bsc#1237139). The following non-security bugs were fixed: - idpf: call set_real_num_queues in idpf_open (bsc#1236661 bsc#1237316). - ipv4/tcp: do not use per netns ctl sockets (bsc#1237693). - net: mana: Add get_link and get_link_ksettings in ethtool (bsc#1236761). - net: mana: Cleanup 'mana' debugfs dir after cleanup of all children (bsc#1236760). - net: mana: Enable debugfs files for MANA device (bsc#1236758). - net: netvsc: Update default VMBus channels (bsc#1236757). - scsi: storvsc: Use scsi_cmd_to_rq() instead of scsi_cmnd.request (git-fixes). - x86/kvm: fix is_stale_page_fault() (bsc#1236675). - x86/xen: add FRAME_END to xen_hypercall_hvm() (git-fixes). - x86/xen: fix xen_hypercall_hvm() to not clobber %rbx (git-fixes). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:839-1 Released: Tue Mar 11 13:12:01 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: important References: 1189788,1216091,1236481,1237044 This update for libzypp, zypper fixes the following issues: - Disable zypp.conf:download.use_deltarpm by default. Measurements show that you don't benefit from using deltarpms unless your network connection is very slow. That's why most distributions even stop offering deltarpms. The default remains unchanged on SUSE-15.6 and older. - Make sure repo variables are evaluated in the right context (bsc#1237044) - Introducing MediaCurl2, an alternative HTTP backend. This patch adds MediaCurl2 as a testbed for experimenting with a simpler way to download files. Set ZYPP_CURL2=1 in the environment to use it.
- Filesystem usrmerge must not be done in singletrans mode (bsc#1236481, bsc#1189788) - Commit will amend the backend in case the transaction would perform a filesystem usrmerge. - Workaround bsc#1216091 on Code16. - Announce --root in commands not launching a Target (bsc#1237044) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:931-1 Released: Wed Mar 19 11:06:47 2025 Summary: Recommended update for grub2 Type: recommended Severity: important References: 1237865 This update for grub2 fixes the following issues: - Fix zfs.mo not found message when booting on legacy BIOS (bsc#1237865) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:998-1 Released: Tue Mar 25 03:07:02 2025 Summary: Security update for freetype2 Type: security Severity: important References: 1239465,CVE-2025-27363 This update for freetype2 fixes the following issues: - CVE-2025-27363: Fixed out-of-bounds write when attempting to parse font subglyph structures related to TrueType GX and variable font files (bsc#1239465).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1005-1 Released: Tue Mar 25 09:43:18 2025 Summary: Security update for google-guest-agent Type: security Severity: important References: 1239197,CVE-2025-22868 This update for google-guest-agent fixes the following issues: - CVE-2025-22868: golang.org/x/oauth2/jws: Fixed unexpected memory consumption during token parsing (bsc#1239197) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1006-1 Released: Tue Mar 25 09:43:55 2025 Summary: Security update for google-osconfig-agent Type: security Severity: important References: 1239197,CVE-2025-22868 This update for google-osconfig-agent fixes the following issues: - CVE-2025-22868: golang.org/x/oauth2/jws: Fixed unexpected memory consumption during token parsing (bsc#1239197) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1027-1 Released: Wed Mar 26 13:11:35 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: 
The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2024-2201: Fixed information leak in x86/BHI (bsc#1217339). - CVE-2024-41092: drm/i915/gt: Fix potential UAF by revoke of fence registers (bsc#1228483). - CVE-2024-42098: crypto: ecdh - explicitly zeroize private_key (bsc#1228779). - CVE-2024-42229: crypto: aead,cipher - zeroize key buffer after use (bsc#1228708). - CVE-2024-57996: net_sched: sch_sfq: do not allow 1 packet limit (bsc#1239076). - CVE-2024-58014: wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy() (bsc#1239109). - CVE-2025-21718: net: rose: fix timer races against user threads (bsc#1239073). - CVE-2025-21780: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() (bsc#1239115).
The following non-security bugs were fixed: - initcall_blacklist: Does not allow kernel_lockdown be blacklisted (bsc#1237521). - x86/bhi: Avoid warning in #DB handler due to BHI mitigation (git-fixes). - x86/bugs: Cache the value of MSR_IA32_ARCH_CAPABILITIES (git-fixes). - x86/bugs: Fix BHI documentation (git-fixes). - x86/bugs: Fix BHI handling of RRSBA (git-fixes). - x86/bugs: Fix BHI retpoline check (git-fixes). - x86/bugs: Fix return type of spectre_bhi_state() (git-fixes). - x86/bugs: Remove CONFIG_BHI_MITIGATION_AUTO and spectre_bhi=auto (git-fixes). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1035-1 Released: Thu Mar 27 10:34:01 2025 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: 1236779,1237294 This update for suse-build-key fixes the following issues: - Changed and extended the SUSE Linux Enterprise 15 and 16 signing keys to use SHA256 GPG UIDs instead of SHA1. (bsc#1237294 bsc#1236779 jsc#PED-12321) - gpg-pubkey-3fa1d6ce-67c856ee.asc to gpg-pubkey-09d9ea69-67c857f3.asc - gpg-pubkey-09d9ea69-645b99ce.asc to gpg-pubkey-3fa1d6ce-63c9481c.asc - suse_ptf_key_2023.asc, suse_ptf_key.asc: adjusted ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1056-1 Released: Fri Mar 28 18:06:22 2025 Summary: Security update for python3 Type: security Severity: moderate References: 1233307,CVE-2024-11168 This update for python3 fixes the following issues: - CVE-2024-11168: Fixed improper validation of IPv6 and IPvFuture addresses (bsc#1233307).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1062-1 Released: Mon Mar 31 10:45:08 2025 Summary: Security update for docker, docker-stable Type: security Severity: important References: 1237367,1239185,1239322,CVE-2024-23650,CVE-2024-29018,CVE-2024-41110,CVE-2025-22868,CVE-2025-22869 This update for docker, docker-stable fixes the following issues: - CVE-2025-22868: Fixed unexpected memory consumption during token parsing in golang.org/x/oauth2 (bsc#1239185). - CVE-2025-22869: Fixed Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239322). Other fixes: - Make container-selinux requirement conditional on selinux-policy (bsc#1237367) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1130-1 Released: Thu Apr 3 15:08:55 2025 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: important References: 1234798,1240009,1240343 This update for ca-certificates-mozilla fixes the following issues: Update to 2.74 state of Mozilla SSL root CAs: - Removed: * SwissSign Silver CA - G2 - Added: * D-TRUST BR Root CA 2 2023 * D-TRUST EV Root CA 2 2023 Updated to 2.72 state of Mozilla SSL root CAs (bsc#1234798): - Removed: * SecureSign RootCA11 * Security Communication RootCA3 - Added: * TWCA CYBER Root CA * TWCA Global Root CA G2 * SecureSign Root CA12 * SecureSign Root CA14 * SecureSign Root CA15 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1143-1 Released: Fri Apr 4 15:31:17 2025 Summary: Security update for google-guest-agent Type: security Severity: important References: 1234563,1239763,1239866,CVE-2024-45337 This update for google-guest-agent fixes the following issues: - CVE-2024-45337: golang.org/x/crypto/ssh: Fixed misuse of ServerConfig.PublicKeyCallback leading to authorization bypass (bsc#1234563). 
Other fixes: - Updated to version 20250327.01 (bsc#1239763, bsc#1239866) * Remove error messages from gce_workload_cert_refresh and metadata script runner (#527) - from version 20250327.00 * Update guest-logging-go dependency (#526) * Add 'created-by' metadata, and pass it as option to logging library (#508) * Revert 'oslogin: Correctly handle newlines at the end of modified files (#520)' (#523) * Re-enable disabled services if the core plugin was enabled (#522) * Enable guest services on package upgrade (#519) * oslogin: Correctly handle newlines at the end of modified files (#520) * Fix core plugin path (#518) * Fix package build issues (#517) * Fix dependencies ran go mod tidy -v (#515) * Fix debian build path (#514) * Bundle compat metadata script runner binary in package (#513) * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512) * Update startup/shutdown services to launch compat manager (#503) * Bundle new gce metadata script runner binary in agent package (#502) * Revert 'Revert bundling new binaries in the package (#509)' (#511) - from version 20250326.00 * Re-enable disabled services if the core plugin was enabled (#521) - from version 20250324.00 * Enable guest services on package upgrade (#519) * oslogin: Correctly handle newlines at the end of modified files (#520) * Fix core plugin path (#518) * Fix package build issues (#517) * Fix dependencies ran go mod tidy -v (#515) * Fix debian build path (#514) * Bundle compat metadata script runner binary in package (#513) * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512) * Update startup/shutdown services to launch compat manager (#503) * Bundle new gce metadata script runner binary in agent package (#502) * Revert 'Revert bundling new binaries in the package (#509)' (#511) * Revert bundling new binaries in the package (#509) * Fix typo in windows build script (#501) * Include core plugin binary for all packages (#500) * Start packaging compat manager (#498) * Start bundling ggactl_plugin_cleanup binary in 
all agent packages (#492) * scripts: introduce a wrapper to locally build deb package (#490) * Introduce compat-manager systemd unit (#497) - from version 20250317.00 * Revert 'Revert bundling new binaries in the package (#509)' (#511) * Revert bundling new binaries in the package (#509) * Fix typo in windows build script (#501) * Include core plugin binary for all packages (#500) * Start packaging compat manager (#498) * Start bundling ggactl_plugin_cleanup binary in all agent packages (#492) * scripts: introduce a wrapper to locally build deb package (#490) * Introduce compat-manager systemd unit (#497) - from version 20250312.00 * Revert bundling new binaries in the package (#509) * Fix typo in windows build script (#501) * Include core plugin binary for all packages (#500) * Update crypto library to fix CVE-2024-45337 (#499) * Start packaging compat manager (#498) * Start bundling ggactl_plugin_cleanup binary in all agent packages (#492) * scripts: introduce a wrapper to locally build deb package (#490) * Introduce compat-manager systemd unit (#497) - from version 20250305.00 * Revert bundling new binaries in the package (#509) * Fix typo in windows build script (#501) * Include core plugin binary for all packages (#500) * Start packaging compat manager (#498) * Start bundling ggactl_plugin_cleanup binary in all agent packages (#492) * scripts: introduce a wrapper to locally build deb package (#490) * Introduce compat-manager systemd unit (#497) - from version 20250304.01 * Fix typo in windows build script (#501) - from version 20250214.01 * Include core plugin binary for all packages (#500) - from version 20250214.00 * Update crypto library to fix CVE-2024-45337 (#499) - from version 20250212.00 * Start packaging compat manager (#498) * Start bundling ggactl_plugin_cleanup binary in all agent packages (#492) - from version 20250211.00 * scripts: introduce a wrapper to locally build deb package (#490) * Introduce compat-manager systemd unit (#497) - from 
version 20250207.00 * vlan: toggle vlan configuration in debian packaging (#495) * vlan: move config out of unstable section (#494) * Add clarification to comments regarding invalid NICs and the `invalid` tag. (#493) * Include interfaces in lists even if it has an invalid MAC. (#489) * Fix windows package build failures (#491) * vlan: don't index based on the vlan ID (#486) * Revert PR #482 (#488) * Remove Amy and Zach from OWNERS (#487) * Skip interfaces in interfaceNames() instead of erroring if there is an (#482) * Fix Debian packaging if guest agent manager is not checked out (#485) - from version 20250204.02 * force concourse to move version forward. - from version 20250204.01 * vlan: toggle vlan configuration in debian packaging (#495) - from version 20250204.00 * vlan: move config out of unstable section (#494) * Add clarification to comments regarding invalid NICs and the `invalid` tag. (#493) - from version 20250203.01 * Include interfaces in lists even if it has an invalid MAC. (#489) - from version 20250203.00 * Fix windows package build failures (#491) * vlan: don't index based on the vlan ID (#486) * Revert PR #482 (#488) * Remove Amy and Zach from OWNERS (#487) * Skip interfaces in interfaceNames() instead of erroring if there is an (#482) * Fix Debian packaging if guest agent manager is not checked out (#485) - from version 20250122.00 * networkd(vlan): remove the interface in addition to config (#468) * Implement support for vlan dynamic removal, update dhclient to remove only if configured (#465) * Update logging library (#479) * Remove Pat from owners file. (#478) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1160-1 Released: Mon Apr 7 17:28:43 2025 Summary: Recommended update for vim Type: recommended Severity: moderate References: 1235751 vim was updated to 9.1.1176. 
Changes: * wrong indent when expanding multiple lines * inconsistent behaviour with exclusive selection and motion commands * filetype: ABNF files are not detected * [security]: overflow with 'nostartofline' and Ex command in tag file * wildmenu highlighting in popup can be improved * using global variable for get_insert()/get_lambda_name() * wrong flags passed down to nextwild() * mark '] wrong after copying text object * command-line auto-completion hard with wildmenu * diff: regression with multi-file diff blocks * [security]: code execution with tar.vim and special crafted tar files * $MYVIMDIR is set too late * completion popup not cleared in cmdline * preinsert requires both 'menu' and 'menuone' to be set * Ctrl-Y does not work well with 'preinsert' when completing items * $MYVIMDIR may not always be set * :verbose set has wrong file name with :compiler! * command completion wrong for input() * Mode message not cleared after :silent message * Vim9: not able to use autoload class across scripts * build error on Haiku * Patch v9.1.1151 causes problems * too many strlen() calls in getchar.c * :hi completion may complete to wrong value * Unix Makefile does not support Brazilian lang for the installer * Vim9: finding imported scripts can be further improved * preview-window does not scroll correctly * Vim9: wrong context being used when evaluating class member * multi-line completion has wrong indentation for last line * no way to create raw strings from a blob * illegal memory access when putting a register * Misplaced comment in readfile() * filetype: m17ndb files are not detected * [fifo] is not displayed when editing a fifo * cmdline completion for :hi is too simplistic * ins_str() is inefficient by calling STRLEN() * Match highlighting marks a buffer region as changed * 'suffixesadd' doesn't work with multiple items * filetype: Guile init file not recognized * filetype: xkb files not recognized everywhere * Mark positions wrong after triggering multiline
completion * potential out-of-memory issue in search.c * 'listchars' 'precedes' is not drawn on Tabs. * missing out-of-memory test in buf_write() * patch 9.1.1119 caused a regression with imports * preinsert text is not cleaned up correctly * patch 9.1.1121 used a wrong way to handle enter * cannot loop through pum menu with multiline items * No test for 'listchars' 'precedes' with double-width char * popup hi groups not falling back to defaults * too many strlen() calls in findfile.c * Enter does not insert newline with 'noselect' * Vim9: Not able to use an autoloaded class from another autoloaded script * Vim9: super not supported in lambda expressions * [security]: use-after-free in str_to_reg() * enabling termguicolors automatically confuses users * Inconsistencies in get_next_or_prev_match() * Vim9: variable not found in transitive import * cmdexpand.c hard to read * 'smoothscroll' gets stuck with 'listchars' 'eol' * cannot loop through completion menu with fuzzy * Vim9: no support for protected new() method * CI: using Ubuntu 22.04 Github runners * if_perl: still some compile errors with Perl 5.38 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1191-1 Released: Thu Apr 10 06:57:45 2025 Summary: Recommended update for supportutils Type: recommended Severity: moderate References: 1183663,1193173,1211547,1213291,1214713,1216049,1216146,1216147,1216150,1216151,1216228,1216229,1216230,1216231,1216232,1216233,1216241,1216388,1216522,1216827,1217287,1218201,1218282,1218324,1218812,1218814,1219241,1219639,1222021,1222650,1222896,1227127,1228265,1230371,1231396,1231423,1231838,1233726 This update for supportutils fixes the following issues: - Version update 3.2.10, bugfixing. + Collect firewalld configuration + Ignore tasks/threads to prevent collecting duplicate data (bsc#1230371). + openldap2_5 support for SLES (bsc#1231838). + Added dbus_info for dbus.txt (bsc#1222650). 
+ Map running PIDs to RPM package owner aiding BPF program detection (bsc#1222896, bsc#1213291, PED-8221). + Corrected display issues (bsc#1231396, bsc#1217287). + NFS takes too long, showmount times out (bsc#1231423). + Merged sle15 and master branches (bsc#1233726, PED-11669). + Extended scaling for performance (bsc#1214713). + Corrected SLE Micro version (bsc#1219241). + Check nvidia-persistenced state (bsc#1219639). + Corrected podman .ID error (bsc#1218812). + Remove duplicate non-root podman users (bsc#1218814). + Fixed smart disk error (bsc#1218282). + Fixed ipvsadm logic error (bsc#1218324). + Correctly detects Xen Dom0 (bsc#1218201). + Inhibit the conversion of port numbers to port names for network files. + powerpc: collect rtas_errd.log and lp_diag.log log files. + Get list of pam.d files. + Provides long listing for /etc/sssd/sssd.conf (bsc#1211547). + Optimize lsof usage (bsc#1183663). + Added mokutil commands for secureboot. + ipset - List entries for all sets. + Added nvme-stas configuration to nvme.txt (bsc#1216049). + Collects zypp history file (bsc#1216522). + Collect HA related rpm package versions in ha.txt + Change -x OPTION to really be exclude only + Fixed kernel and added user live patching (PED-4524). + Fixed plugins creating empty files (bsc#1216388). + Remove supportutils requires for util-linux-systemd and kmod (bsc#1193173). + Added supportutils to current (PED-4456). + Changed config directory to /etc/supportutuils for all conf and header.txt (bsc#1216232). + Fixed supportconfig using external test command (bsc#1216150) and kdump, analyzevmcore errors (bsc#1216146). + Support has been removed for scplugin.rc, use supportconfig.rc (bsc#1216241). + Remove check_service function from supportconfig.rc (bsc#1216231). + Removed older versions of SLES_VER (bsc#1216147). + Added timed command to fs-files.txt (bsc#1216827). + Cron and At are replaced with systemd.timer (bsc#1216229).
+ Offers apparmor or selinux based on configuration (bsc#1216233). + Filtered proc access errors (bsc#1216151). + Remove all SuSE-release references (bsc#1216228). + Remove references to /etc/init.d (bsc#1216230). + Add capability in supportconfig to insert configs in summary.xml from command line option (bsc#1222021). + file sanitizing improvement request for boot (bsc#1227127). + Add 'read_values -s' output to supportconfig on s390x (bsc#1228265). + Usability enhancement for supportconfig (PED-8211). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1192-1 Released: Thu Apr 10 08:40:02 2025 Summary: Recommended update for hwinfo Type: recommended Severity: moderate References: 1223330,1239663 This update for hwinfo fixes the following issues: - Avoid reporting of spurious usb storage devices (bsc#1223330) - Do not overdo usb device de-duplication (bsc#1239663) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1193-1 Released: Thu Apr 10 10:01:36 2025 Summary: Security update for apparmor Type: security Severity: moderate References: 1234452 This update for apparmor fixes the following issue: - Allow dovecot-auth to execute unix check password from /sbin, not only from /usr/bin (bsc#1234452).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1195-1 Released: Thu Apr 10 15:47:35 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1193629,1197227,1207034,1207186,1207878,1209262,1209547,1209788,1210647,1213167,1225742,1231375,1233479,1233557,1233558,1234464,1235528,1237029,1237530,1237875,1237877,1237890,1237918,1238911,1238919,1239016,1239036,1239061,1239126,1239452,1239454,1239968,1239969,1240133,1240195,1240205,1240207,1240208,1240210,1240212,1240213,1240218,1240220,1240227,1240229,1240231,1240242,1240245,1240247,1240250,1240254,1240256,1240264,1240266,1240272,1240275,1240276,1240278,1240279,1240280,1240281,1240282,1240283,1240284,1240286,1240288,1240290,1240292,1240293,1240297,1240304,1240308,1240309,1240317,1240318,1240322,CVE-2017-5753,CVE-2021-4454,CVE-2022-1016,CVE-2022-49053,CVE-2022-49293,CVE-2022-49465,CVE-2022-49650,CVE-2022-49739,CVE-2022-49746,CVE-2022-49748,CVE-2022-49751,CVE-2022-49753,CVE-2022-49755,CVE-2022-49759,CVE-2023-0179,CVE-2023-1652,CVE-2023-2162,CVE-2023-3567,CVE-2023-52930,CVE-2023-52933,CVE-2023-52935,CVE-2023-52939,CVE-2023-52941,CVE-2023-52973,CVE-2023-52974,CVE-2023-52975,CVE-2023-52976,CVE-2023-52979,CVE-2023-52983,CVE-2023-52984,CVE-2023-52988,CVE-2023-52989,CVE-2023-52992,CVE-2023-52993,CVE-2023-53000,CVE-2023-53005,CVE-2023-53006,CVE-2023-53007,CVE-2023-53008,CVE-2023-53010,CVE-2023-53015,CVE-2023-53016,CVE-2023-53019,CVE-2023-53023,CVE-2023-53024,CVE-2023-53025,CVE-2023-53026,CVE-2023-53028,CVE-2023-53029,CVE-2023-53030,CVE-2023-53033,CVE-2024-50290,CVE-2024-53063,CVE-2024-53064,CVE-2024-56651,CVE-2024-58083,CVE-2025-21693,CVE-2025-21714,CVE-2025-21732,CVE-2025-21753,CVE-2025-21772,CVE-2025-21839 The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2022-49053: scsi: target: tcmu: Fix possible page UAF (bsc#1237918).
- CVE-2022-49465: blk-throttle: Set BIO_THROTTLED when bio has been throttled (bsc#1238919). - CVE-2022-49739: gfs2: Always check inode size of inline inodes (bsc#1240207). - CVE-2023-52935: mm/khugepaged: fix ->anon_vma race (bsc#1240276). - CVE-2024-53064: idpf: fix idpf_vc_core_init error path (bsc#1233558 bsc#1234464). - CVE-2024-56651: can: hi311x: hi3110_can_ist(): fix potential use-after-free (bsc#1235528). - CVE-2024-58083: KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() (bsc#1239036). - CVE-2025-21693: mm: zswap: properly synchronize freeing resources during CPU hotunplug (bsc#1237029). - CVE-2025-21714: RDMA/mlx5: Fix implicit ODP use after free (bsc#1237890). - CVE-2025-21732: RDMA/mlx5: Fix a race for an ODP MR which leads to CQE with error (bsc#1237877). - CVE-2025-21753: btrfs: fix use-after-free when attempting to join an aborted transaction (bsc#1237875). - CVE-2025-21772: partitions: mac: fix handling of bogus partition table (bsc#1238911). The following non-security bugs were fixed: - ACPI: processor: idle: Return an error if both P_LVL{2,3} idle states are invalid (bsc#1237530). - RDMA/mana_ib: Prefer struct_size over open coded arithmetic (bsc#1239016). - RDMA/mana_ib: Use v2 version of cfg_rx_steer_req to enable RX coalescing (bsc#1239016). - RDMA/mlx5: Fix implicit ODP hang on parent deregistration (git-fixes) - btrfs: defrag: do not use merged extent map for their generation check (bsc#1239968). - btrfs: fix defrag not merging contiguous extents due to merged extent maps (bsc#1239968). - btrfs: fix extent map merging not happening for adjacent extents (bsc#1239968). - btrfs: send: allow cloning non-aligned extent if it ends at i_size (bsc#1239969). - btrfs: send: fix invalid clone operation for file that got its size decreased (bsc#1239969). - gfs2: Fix inode height consistency check (git-fixes). - mm/mmu_notifier.c: fix race in mmu_interval_notifier_remove() (bsc#1239126). 
- mm: zswap: move allocations during CPU init outside the lock (git-fixes). - net: mana: Add flex array to struct mana_cfg_rx_steer_req_v2 (bsc#1239016). - net: mana: Allow variable size indirection table (bsc#1239016). - net: mana: Avoid open coded arithmetic (bsc#1239016). - net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup (bsc#1240195). - net: mana: Support holes in device list reply msg (bsc#1240133). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1201-1 Released: Fri Apr 11 12:15:58 2025 Summary: Security update for expat Type: security Severity: important References: 1239618,CVE-2024-8176 This update for expat fixes the following issues: - CVE-2024-8176: Fixed denial of service from chaining a large number of entities caused by stack overflow by resolving use of recursion (bsc#1239618) Other fixes: - version update to 2.7.1 (jsc#PED-12500) Bug fixes: #980 #989 Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are: - XML_GetCurrentByteCount - XML_GetCurrentByteIndex - XML_GetCurrentColumnNumber - XML_GetCurrentLineNumber - XML_GetInputContext Other changes: #976 #977 Autotools: Integrate files 'fuzz/xml_lpm_fuzzer.{cpp,proto}' with Automake that were missing from 2.7.0 release tarballs #983 #984 Fix printf format specifiers for 32bit Emscripten #992 docs: Promote OpenSSF Best Practices self-certification #978 tests/benchmark: Resolve mistaken double close #986 Address compiler warnings #990 #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do Infrastructure: #982 CI: Start running Perl XML::Parser integration tests #987 CI: Enforce Clang Static Analyzer clean code #991 CI: Re-enable warning clang-analyzer-valist.Uninitialized for clang-tidy #981 CI: Cover compilation with musl #983 #984 CI: Cover compilation with 32bit Emscripten #976 
#977 CI: Protect against fuzzer files missing from future release archives - version update to 2.7.0 #935 #937 Autotools: Make generated CMake files look for libexpat.@SO_MAJOR@.dylib on macOS #925 Autotools: Sync CMake templates with CMake 3.29 #945 #962 #966 CMake: Drop support for CMake <3.13 #942 CMake: Small fuzzing related improvements #921 docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4 #941 docs: Document need for C++11 compiler for use from C++ #959 tests/benchmark: Fix a (harmless) TOCTTOU #944 Windows: Fix installer target location of file xmlwf.xml for CMake #953 Windows: Address warning -Wunknown-warning-option about -Wno-pedantic-ms-format from LLVM MinGW #971 Address Cppcheck warnings #969 #970 Mass-migrate links from http:// to https:// #947 #958 .. #974 #975 Document changes since the previous release #974 #975 Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1217-1 Released: Sun Apr 13 12:16:40 2025 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: important References: 1240343 This update for ca-certificates-mozilla fixes the following issues: - Reenable the distrusted certs for now, as these only distrust 'new issued' certs starting after a certain date, while old certs should still work.
(bsc#1240343) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1242-1 Released: Mon Apr 14 12:43:18 2025 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1235481,1236033 This update for aaa_base fixes the following issues: - SP6 logrotate and rcsyslog binary (bsc#1236033) - Update detection for systemd in rc.status - Mountpoint for cgroup changed with cgroup2 - If a user switches the login shell respect the already set PATH environment (bsc#1235481) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1292-1 Released: Wed Apr 16 09:49:17 2025 Summary: Recommended update for timezone Type: recommended Severity: moderate References: This update for timezone fixes the following issues: - Version update 2025b * New zone for Aysen Region in Chile (America/Coyhaique) which moves from -04/-03 to -03 - Refresh patches for philippines historical data and china tzdata ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1334-1 Released: Thu Apr 17 09:03:05 2025 Summary: Security update for pam Type: security Severity: moderate References: 1232234,CVE-2024-10041 This update for pam fixes the following issues: - CVE-2024-10041: sensitive data exposure while performing authentications. (bsc#1232234) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1345-1 Released: Thu Apr 17 17:14:27 2025 Summary: Security update for containerd Type: security Severity: moderate References: 1239749,CVE-2024-40635 This update for containerd fixes the following issues: - CVE-2024-40635: Fixed integer overflow in User ID handling (bsc#1239749) Other fixes: - Update to containerd v1.7.27. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1354-1 Released: Tue Apr 22 05:14:53 2025 Summary: Recommended update for iproute2 Type: recommended Severity: moderate References: 1234383 This update for iproute2 fixes the following issues: - Avoid false cgroup warnings (bsc#1234383) ----------------------------------------------------------------- Advisory ID: 38402 Released: Fri Apr 25 11:05:30 2025 Summary: Recommended update for freetype2 Type: recommended Severity: important References: This update for freetype2 fixes the following issue: - enable brotli support (jsc#PED-12258) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1381-1 Released: Mon Apr 28 09:37:03 2025 Summary: Security update for cifs-utils Type: security Severity: moderate References: 1239680,CVE-2025-2312 This update for cifs-utils fixes the following issues: - CVE-2025-2312: Fixed cifs.upcall making an upcall to the wrong namespace in containerized environments while trying to get Kerberos credentials (bsc#1239680) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1413-1 Released: Wed Apr 30 08:59:04 2025 Summary: Security update for augeas Type: security Severity: low References: 1239909,CVE-2025-2588 This update for augeas fixes the following issues: - CVE-2025-2588: Check for NULL pointers when calling re_case_expand in function fa_expand_nocase. (bsc#1239909) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1435-1 Released: Fri May 2 12:39:10 2025 Summary: Security update for libxml2 Type: security Severity: moderate References: 1241453,1241551,CVE-2025-32414,CVE-2025-32415 This update for libxml2 fixes the following issues: - CVE-2025-32414: Fixed an out-of-bounds read when parsing text via the Python API. (bsc#1241551) - CVE-2025-32415: Fixed a crafted XML document may lead to a heap-based buffer under-read. 
(bsc#1241453) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1486-1 Released: Tue May 6 12:00:21 2025 Summary: Recommended update for apparmor Type: recommended Severity: important References: 1232234,1234452 This update for apparmor fixes the following issues: - Allow pam_unix to execute unix_chkpwd with abi/3.0 (bsc#1234452, bsc#1232234) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1456-1 Released: Wed May 7 17:13:32 2025 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1241020,1241078,1241189,CVE-2025-29087,CVE-2025-29088,CVE-2025-3277 This update for sqlite3 fixes the following issues: - CVE-2025-29087,CVE-2025-3277: Fixed integer overflow in sqlite concat function (bsc#1241020) - CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078) Other fixes: - Updated to version 3.49.1 from Factory (jsc#SLE-16032) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1549-1 Released: Wed May 14 11:06:26 2025 Summary: Security update for apparmor Type: security Severity: moderate References: 1241678,CVE-2024-10041 This update for apparmor fixes the following issues: - Add dac_read_search capability for unix_chkpwd to allow it to read the shadow file even if it has 000 permissions. This is needed after the CVE-2024-10041 fix in PAM. 
(bsc#1241678) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1576-1 Released: Mon May 19 06:48:35 2025 Summary: Security update for openssh Type: security Severity: moderate References: 1228634,1232533,1241012,1241045,CVE-2025-32728 This update for openssh fixes the following issues: - Security issues fixed: * CVE-2025-32728: Fixed a logic error in DisableForwarding option (bsc#1241012) - Other bugs fixed: * Allow KEX hashes greater than 256 bits (bsc#1241045) * Fixed hostname being left out of the audit output (bsc#1228634) * Fixed failures with very large MOTDs (bsc#1232533) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1580-1 Released: Mon May 19 15:11:59 2025 Summary: Recommended update for librdkafka Type: recommended Severity: important References: 1242842 This update for librdkafka fixes the following issues: - Avoid endless loops under certain conditions (bsc#1242842) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1599-1 Released: Tue May 20 12:52:43 2025 Summary: Security update for glib2 Type: security Severity: moderate References: 1240897,CVE-2025-3360 This update for glib2 fixes the following issues: - CVE-2025-3360: Fixed integer overflow and buffer underread when parsing a very long and invalid ISO 8601 timestamp with g_date_time_new_from_iso8601() (bsc#1240897) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1627-1 Released: Wed May 21 12:01:48 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1201855,1230771,1238471,1238512,1238747,1238865,1239968,1240188,1240195,1240553,1240747,1240835,1241280,1241371,1241421,1241433,1241541,CVE-2021-47671,CVE-2022-49741,CVE-2024-46784,CVE-2025-21726,CVE-2025-21785,CVE-2025-21791,CVE-2025-21812,CVE-2025-21886,CVE-2025-22004,CVE-2025-22020,CVE-2025-22045,CVE-2025-22055,CVE-2025-22097 The 
SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2025-21726: padata: avoid UAF for reorder_work (bsc#1238865). - CVE-2025-21785: arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array (bsc#1238747). - CVE-2025-21791: vrf: use RCU protection in l3mdev_l3_out() (bsc#1238512). - CVE-2025-21812: ax25: rcu protect dev->ax25_ptr (bsc#1238471). - CVE-2025-22004: net: atm: fix use after free in lec_send() (bsc#1240835). - CVE-2025-22020: memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove (bsc#1241280). - CVE-2025-22045: x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs (bsc#1241433). - CVE-2025-22055: net: fix geneve_opt length integer overflow (bsc#1241371). - CVE-2025-22097: drm/vkms: Fix use after free and double free on init error (bsc#1241541). The following non-security bugs were fixed: - scsi: smartpqi: Add ctrl ready timeout module parameter (jsc#PED-1557, bsc#1201855, bsc#1240553). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1632-1 Released: Wed May 21 12:04:19 2025 Summary: Recommended update for grub2 Type: recommended Severity: moderate References: This update for grub2 rebuilds the existing package with the new 4k RSA secure boot key for IBM Power and Z. Note: the signing key of x86 / x86_64 and aarch64 architectures are unchanged. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1642-1 Released: Wed May 21 16:31:58 2025 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: important References: 1222044,1230267,1235598,1237172,1237587,1237949,1238315,1239809,1240529 This update for libsolv, libzypp, zypper fixes the following issues: - build both static and dynamic libraries on new suse distros - support the apk package and repository format (both v2 and v3) - new dataiterator_final_{repo,solvable} functions - Provide a symbol specific for the ruby-version so yast does not break across updates (bsc#1235598) - XmlReader: Fix detection of bad input streams - rpm: Fix detection of %triggerscript starts (bsc#1222044) - RepoindexFileReader: add more related attributes a service may set. - Drop workaround for broken rpm-4.18 in Code16 (bsc#1237172) - BuildRequires: %{libsolv_devel_package} >= 0.7.32. - Drop usage of SHA1 hash algorithm because it will become unavailable in FIPS mode (bsc#1240529) - Fix zypp.conf dupAllowVendorChange to reflect the correct default (false). - zypp.conf: Add `lock_timeout` ($ZYPP_LOCK_TIMEOUT) (bsc#1239809) - Fix computation of RepStatus if Repo URLs change. - Fix lost double slash when appending to an absolute FTP url (bsc#1238315) - Add a transaction package preloader - RpmPkgSigCheck_test: Exchange the test package signingkey - Exclude MediaCurl tests if DISABLE_MEDIABACKEND_TESTS - Strip a mediahandler tag from baseUrl querystrings. - Updated translations (bsc#1230267) - Do not double encode URL strings passed on the commandline (bsc#1237587) - Package preloader that concurrently downloads files. - BuildRequires: libzypp-devel >= 17.36.4. 
- refresh: add --include-all-archs - info,search: add option to search and list Enhances (bsc#1237949) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1648-1 Released: Wed May 21 22:43:46 2025 Summary: Recommended update for kbd Type: recommended Severity: moderate References: 1237230 This update for kbd fixes the following issues: - Don't search for resources in the current directory. It can cause unwanted side effects or even infinite loop (bsc#1237230). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1691-1 Released: Fri May 23 13:07:30 2025 Summary: Recommended update for hwinfo Type: recommended Severity: moderate References: 1240648 This update for hwinfo fixes the following issues: - Version update v21.88 - Fix network card detection on aarch64 (bsc#1240648). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1721-1 Released: Tue May 27 17:59:31 2025 Summary: Recommended update for hwdata Type: recommended Severity: moderate References: This update for hwdata fixes the following issue: - Version update 0.394: * Update pci, usb and vendor ids * Fix usb.ids encoding and a couple of typos * Fix configure to honor --prefix ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1779-1 Released: Fri May 30 15:38:55 2025 Summary: Security update for iputils Type: security Severity: moderate References: 1242300,1243284,CVE-2025-47268 This update for iputils fixes the following issues: 
Security fixes: - CVE-2025-47268: Fixed integer overflow in RTT calculation can lead to undefined behavior (bsc#1242300). Other bug fixes: - Fixed incorrect IPV4 TTL value when using SOCK_DGRAM on big endian systems (bsc#1243284). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1784-1 Released: Fri May 30 18:09:16 2025 Summary: Security update for glibc Type: security Severity: important References: 1234128,1243317,CVE-2025-4802 This update for glibc fixes the following issues: Security issues fixed: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). Other issues fixed: - Multi-threaded application hang due to deadlock when `pthread_cond_signal` fails to wake up `pthread_cond_wait` as a consequence of a bug related to stealing of signals (bsc#1234128). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1810-1 Released: Wed Jun 4 11:28:57 2025 Summary: Security update for python3-setuptools Type: security Severity: important References: 1243313,CVE-2025-47273 This update for python3-setuptools fixes the following issues: - CVE-2025-47273: path traversal in PackageIndex.download may lead to an arbitrary file write (bsc#1243313). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1825-1 Released: Thu Jun 5 16:38:39 2025 Summary: Recommended update for google-guest-agent Type: recommended Severity: moderate References: 1243254,1243505 This update for google-guest-agent fixes the following issues: - Update to version 20250506.01 (bsc#1243254, bsc#1243505) - Make sure agent added connections are activated by NM - Wrap NSS cache refresh in a goroutine - Wicked: Only reload interfaces for which configurations are written or changed. 
- Add AuthorizedKeysCompat to windows packaging - Remove error messages from gce_workload_cert_refresh and metadata script runner - Update guest-logging-go dependency - Add 'created-by' metadata, and pass it as option to logging library - Re-enable disabled services if the core plugin was enabled - Enable guest services on package upgrade - Fix core plugin path - Fix package build issues - Fix dependencies ran go mod tidy -v - Bundle compat metadata script runner binary in package - Bump golang.org/x/net from 0.27.0 to 0.36.0 - Update startup/shutdown services to launch compat manager - Bundle new gce metadata script runner binary in agent package - Revert 'Revert bundling new binaries in the package' ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1836-1 Released: Mon Jun 9 16:11:28 2025 Summary: Recommended update for cloud-netconfig Type: recommended Severity: important References: 1240869 This update for cloud-netconfig fixes the following issues: - Add support for creating IPv6 default route in GCE (bsc#1240869) - Minor fix when looking up IPv6 default route ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2022-1 Released: Thu Jun 19 15:14:37 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1239012,1239543,1240132,1241463,1243887,1243901,1244105 This update for libzypp, zypper fixes the following issues: - Fix credential handling in HEAD requests (bsc#1244105) - RepoInfo: use pathNameSetTrailingSlash - Fix wrong userdata parameter type when running zypp with debug verbosity (bsc#1239012) - Do not warn about no mirrors if mirrorlist was switched on automatically. (bsc#1243901) - Relax permission of cached packages to 0644 & ~umask (bsc#1243887) - Add a note to service maintained .repo file entries - Support using %{url} variable in a RIS service's repo section. - Use a cookie file to validate mirrorlist cache. This patch extends the mirrorlist code to use a cookie file to validate the contents of the cache against the source URL, making sure that we do not accidentally use an old cache when the mirrorlist url was changed. For example when migrating a system from one release to the next where the same repo alias might just have a different URL. - Let Service define and update gpgkey, mirrorlist and metalink. - Preserve a mirrorlist file in the raw cache during refresh. - Enable curl2 backend and parallel package download by default. Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1> can be used to turn the features on or off. - Make gpgKeyUrl the default source for gpg keys. When refreshing zypp now primarily uses gpgKeyUrl information from the repo files and only falls back to an automatically generated key Url if a gpgKeyUrl was not specified. - Introduce mirrors into the Media backends (bsc#1240132) - Drop MediaMultiCurl backend.
- Throttle progress updates when preloading packages (bsc#1239543) - Check if request is in valid state in CURL callbacks - spec/CMake: add conditional build '--with[out] classic_rpmtrans_as_default'. classic_rpmtrans is the current builtin default for SUSE, otherwise it's single_rpmtrans. The `enable_preview_single_rpmtrans_as_default_for_zypper` switch was removed from the spec file. Accordingly the CMake option ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed. - BuildRequires: libzypp-devel >= 17.37.0. - Use libzypp improvements for preload and mirror handling. - xmlout.rnc: Update repo-element (bsc#1241463) Add the 'metalink' attribute and reflect that the 'url' elements list may in fact be empty, if no baseurls are defined in the .repo files. - man: update --allow-unsigned-rpm description. Explain how to achieve the same for packages provided by repositories. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2025-1 Released: Thu Jun 19 15:17:49 2025 Summary: Recommended update for google-guest-configs Type: recommended Severity: important References: 1241112 This update for google-guest-configs fixes the following issues: - Check that %{_sysconfdir}/sysconfig/network/ifcfg-eth0 actually exists before making any modifications to it (bsc#1241112) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2082-1 Released: Tue Jun 24 12:28:23 2025 Summary: Security update for pam-config Type: security Severity: important References: 1243226,CVE-2025-6018 This update for pam-config fixes the following issues: - CVE-2025-6018: Stop adding pam_env in AUTH stack, and be sure to put this module at the very end of the SESSION stack (bsc#1243226). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2103-1 Released: Wed Jun 25 10:26:23 2025 Summary: Recommended update for cifs-utils Type: recommended Severity: important References: 1243488 This update for cifs-utils fixes the following issues: - Add patches: * Fix cifs.mount with krb5 auth (bsc#1243488) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2149-1 Released: Fri Jun 27 07:21:48 2025 Summary: Security update for google-osconfig-agent Type: security Severity: important References: 1239948,1244304,1244503,CVE-2024-45339 This update for google-osconfig-agent fixes the following issues: - Update to version 20250416.02 (bsc#1244304, bsc#1244503) * defaultSleeper: tolerate 10% difference to reduce test flakiness * Add output of some packagemanagers to the testdata - from version 20250416.01 * Refactor OS Info package - from version 20250416.00 * Report RPM inventory as YUM instead of empty SoftwarePackage when neither Zypper nor YUM are installed.
- from version 20250414.00 * Update hash computation algorithm - Update to version 20250320.00 * Bump github.com/envoyproxy/protoc-gen-validate from 1.1.0 to 1.2.1 - from version 20250318.00 * Bump go.opentelemetry.io/otel/sdk/metric from 1.32.0 to 1.35.0 - from version 20250317.02 * Bump cel.dev/expr from 0.18.0 to 0.22.0 * Bump github.com/golang/glog from 1.2.3 to 1.2.4 in the go_modules group - from version 20250317.01 * Bump cloud.google.com/go/logging from 1.12.0 to 1.13.0 - from version 20250317.00 * Add tests for retryutil package. - from version 20250306.00 * Update OWNERS - from version 20250206.01 * Use separate counters for pre- and post-patch reboots. - from version 20250206.00 * Update owners - from version 20250203.00 * Fix the vet errors for constants in logging - from version 20250122.00 * change available package check - from version 20250121.00 * Fix Inventory reporting e2e tests. - from version 20250120.00 * fix e2e tests - Add -buildmode=pie to go build command line (bsc#1239948) - merged upstream - Renumber patches ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2178-1 Released: Mon Jun 30 19:53:34 2025 Summary: Security update for sudo Type: security Severity: important References: 1245274,CVE-2025-32462 This update for sudo fixes the following issues: - CVE-2025-32462: Fixed a possible local privilege escalation via the --host option (bsc#1245274). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2198-1 Released: Wed Jul 2 11:22:33 2025 Summary: Security update for runc Type: security Severity: low References: 1230092,CVE-2024-45310 This update for runc fixes the following issues: - CVE-2024-45310: Fixed unintentional creation of empty files/directories on host (bsc#1230092) Other fixes: - Update to runc v1.2.6.
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2228-1 Released: Fri Jul 4 15:32:49 2025 Summary: Security update for vim Type: security Severity: moderate References: 1228776,1239602,CVE-2024-41965,CVE-2025-29768 This update for vim fixes the following issues: - CVE-2024-41965: Fixed improper neutralization of argument delimiters in zip.vim that could have led to data loss (bsc#1228776). - CVE-2025-29768: Fixed double-free in dialog_changed() (bsc#1239602). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2235-1 Released: Mon Jul 7 14:08:03 2025 Summary: Recommended update for haveged Type: recommended Severity: moderate References: 1165294,1222296 This update for haveged fixes the following issues: - Add patch files introducing the '--once' flag (bsc#1222296, bsc#1165294) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2262-1 Released: Thu Jul 10 00:23:39 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: 
The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security bugfixes.
The following security bugs were fixed: - CVE-2022-49110: netfilter: conntrack: revisit gc autotuning (bsc#1237981). - CVE-2022-49139: Bluetooth: fix null ptr deref on hci_sync_conn_complete_evt (bsc#1238032). - CVE-2022-49767: 9p/trans_fd: always use O_NONBLOCK read/write (bsc#1242493). - CVE-2022-49775: tcp: cdg: allow tcp_cdg_release() to be called multiple times (bsc#1242245). - CVE-2022-49858: octeontx2-pf: Fix SQE threshold checking (bsc#1242589). - CVE-2023-53058: net/mlx5: E-Switch, Fix an Oops in error handling code (bsc#1242237). - CVE-2023-53060: igb: revert rtnl_lock() that causes deadlock (bsc#1242241). - CVE-2023-53064: iavf: Fix hang on reboot with ice (bsc#1242222). - CVE-2023-53066: qed/qed_sriov: guard against NULL derefs from qed_iov_get_vf_info (bsc#1242227). - CVE-2023-53079: net/mlx5: Fix steering rules cleanup (bsc#1242765). - CVE-2023-53114: i40e: Fix kernel crash during reboot when adapter is in recovery mode (bsc#1242398). - CVE-2023-53134: bnxt_en: Avoid order-5 memory allocation for TPA data (bsc#1242380) - CVE-2024-53168: net: make sock_inuse_add() available (bsc#1234887). - CVE-2024-56558: nfsd: make sure exp active before svc_export_show (bsc#1235100). - CVE-2025-21888: RDMA/mlx5: Fix a WARN during dereg_mr for DM type (bsc#1240177). - CVE-2025-21999: proc: fix UAF in proc_get_inode() (bsc#1240802). - CVE-2025-22056: netfilter: nft_tunnel: fix geneve_opt type confusion addition (bsc#1241525). - CVE-2025-22060: net: mvpp2: Prevent parser TCAM memory corruption (bsc#1241526). - CVE-2025-23138: watch_queue: fix pipe accounting mismatch (bsc#1241648). - CVE-2025-23145: mptcp: fix NULL pointer in can_accept_new_subflow (bsc#1242596). - CVE-2025-37785: ext4: fix OOB read when checking dotdot dir (bsc#1241640). - CVE-2025-37789: net: openvswitch: fix nested key length validation in the set() action (bsc#1242762). The following non-security bugs were fixed: - Refresh fixes for cBPF issue (bsc#1242778) - Remove debug flavor (bsc#1243919). 
- Update metadata and put them into the sorted part of the series - arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs (bsc#1242778). - arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users (bsc#1242778). - arm64: insn: Add support for encoding DSB (bsc#1242778). - arm64: proton-pack: Add new CPUs 'k' values for branch mitigation (bsc#1242778). - arm64: proton-pack: Expose whether the branchy loop k value (bsc#1242778). - arm64: proton-pack: Expose whether the platform is mitigated by firmware (bsc#1242778). - hv: Allow vmbus_sendpacket_mpb_desc() to create multiple ranges (bsc#1243737). - hv_netvsc: Preserve contiguous PFN grouping in the page buffer array (bsc#1243737). - hv_netvsc: Remove rmsg_pgcnt (bsc#1243737). - hv_netvsc: Use vmbus_sendpacket_mpb_desc() to send VMBus messages (bsc#1243737). - mtd: phram: Add the kernel lock down check (bsc#1232649). - ocfs2: fix the issue with discontiguous allocation in the global_bitmap (git-fixes). - powerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW (bsc#1218470 ltc#204531). - scsi: core: Fix unremoved procfs host directory regression (git-fixes). - scsi: storvsc: Set correct data length for sending SCSI command without payload (git-fixes). - x86/bhi: Do not set BHI_DIS_S in 32-bit mode (bsc#1242778). - x86/bpf: Add IBHF call at end of classic BPF (bsc#1242778). - x86/bpf: Call branch history clearing sequence on exit (bsc#1242778). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2263-1 Released: Thu Jul 10 07:25:48 2025 Summary: Recommended update for google-guest-oslogin Type: recommended Severity: important References: 1243997 This update for google-guest-oslogin fixes the following issues: - Override upstream version to address upgrade problems (bsc#1243997) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2278-1 Released: Thu Jul 10 18:02:28 2025 Summary: Security update for libssh Type: security Severity: important References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372 This update for libssh fixes the following issues: - CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309). - CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310). - CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311). - CVE-2025-5372: Fixed ssh_kdf() returns a success code on certain failures (bsc#1245314). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2289-1 Released: Fri Jul 11 13:12:28 2025 Summary: Security update for docker Type: security Severity: moderate References: 1239765,1240150,1241830,1242114,1243833,1244035,CVE-2025-0495,CVE-2025-22872 This update for docker fixes the following issues: Update to Docker 28.2.2-ce (bsc#1243833, bsc#1242114): - CVE-2025-0495: Fixed credential leakage to telemetry endpoints when credentials are allowed to be set as attribute values in cache-to/cache-from configuration (bsc#1239765). - CVE-2025-22872: golang.org/x/net/html: incorrectly interpreted tags can cause content to be placed in the wrong scope during DOM construction (bsc#1241830). Other fixes: - Update to docker-buildx v0.22.0. - Always clear SUSEConnect suse_* secrets when starting containers (bsc#1244035).
- Disable transparent SUSEConnect support for SLE-16. (jsc#PED-12534) - Now that the only blocker for docker-buildx support was removed for SLE-16, enable docker-buildx for SLE-16 as well. (jsc#PED-8905) - SUSEConnect secrets fails in SLES rootless docker containers (bsc#1240150). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2326-1 Released: Wed Jul 16 08:37:51 2025 Summary: Security update for xen Type: security Severity: important References: 1027519,1234282,1238043,1238896,1243117,1244644,1246112,CVE-2024-28956,CVE-2024-36350,CVE-2024-36357,CVE-2024-53241,CVE-2025-1713,CVE-2025-27465 This update for xen fixes the following issues: Security fixes: - CVE-2024-28956: Fixed Intel CPU: Indirect Target Selection (ITS) (XSA-469) (bsc#1243117) - CVE-2024-53241: Fixed Xen hypercall page unsafe against speculative attacks (XSA-466) (bsc#1234282) - CVE-2025-1713: Fixed deadlock potential with VT-d and legacy PCI device pass-through (XSA-467) (bsc#1238043) - CVE-2024-36350, CVE-2024-36357: More AMD transient execution attacks (bsc#1246112, XSA-471) - CVE-2025-27465: Incorrect stubs exception handling for flags recovery (bsc#1244644, XSA-470) Other fixes: - Upstream bug fixes (bsc#1027519) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2355-1 Released: Thu Jul 17 15:02:29 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. 
(bsc#1244590) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read that may lead to a crash or leak sensitive data (bsc#1243767) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2375-1 Released: Fri Jul 18 15:16:14 2025 Summary: Security update for glib2 Type: security Severity: moderate References: 1242844,CVE-2025-4373 This update for glib2 fixes the following issues: - CVE-2025-4373: integer overflow in the `g_string_insert_unichar()` function can lead to buffer underwrite and memory corruption (bsc#1242844). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2384-1 Released: Fri Jul 18 18:45:53 2025 Summary: Security update for jq Type: security Severity: moderate References: 1243450,CVE-2024-23337 This update for jq fixes the following issues: - CVE-2024-23337: Fixed signed integer overflow in jv.c:jvp_array_write (bsc#1243450). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2431-1 Released: Mon Jul 21 13:23:37 2025 Summary: Security update for iputils Type: security Severity: moderate References: 1243772,CVE-2025-48964 This update for iputils fixes the following issues: - CVE-2025-48964: Fixed integer overflow in ping statistics via zero timestamp (bsc#1243772).
The following package changes have been done: - aaa_base-84.87+git20180409.04c9dae-150300.10.28.2 updated - apparmor-abstractions-3.0.4-150400.5.18.1 updated - apparmor-parser-3.0.4-150400.5.18.1 updated - bash-sh-4.4-150400.27.3.2 updated - bash-4.4-150400.27.3.2 updated - bind-utils-9.16.50-150400.5.46.1 updated - ca-certificates-mozilla-2.74-150200.41.1 updated - cifs-utils-6.15-150400.3.15.1 updated - cloud-netconfig-gce-1.15-150000.25.26.1 added - containerd-ctr-1.7.27-150000.123.1 updated - containerd-1.7.27-150000.123.1 updated - coreutils-8.32-150400.9.9.1 updated - crypto-policies-20210917.c9d86d1-150400.3.8.1 updated - curl-8.0.1-150400.5.62.1 updated - docker-28.2.2_ce-150000.227.1 updated - findutils-4.8.0-150300.3.3.2 updated - glibc-locale-base-2.31-150300.95.1 updated - glibc-locale-2.31-150300.95.1 updated - glibc-2.31-150300.95.1 updated - google-dracut-config-0.0.4-150300.7.9.2 added - google-guest-agent-20250506.01-150000.1.63.1 updated - google-guest-configs-20241205.00-150400.13.22.1 updated - google-guest-oslogin-20240311.01-150000.1.53.1 updated - google-osconfig-agent-20250416.02-150000.1.50.1 updated - grub2-i386-pc-2.06-150400.11.60.1 updated - grub2-x86_64-efi-2.06-150400.11.60.1 updated - grub2-2.06-150400.11.60.1 updated - haveged-1.9.14-150400.3.8.1 updated - hwdata-0.394-150000.3.77.2 updated - hwinfo-21.88-150400.3.18.1 updated - iproute2-5.14-150400.3.3.1 updated - iputils-20211215-150400.3.22.1 updated - jq-1.6-150000.3.6.1 updated - kbd-legacy-2.4.0-150400.5.9.1 updated - kbd-2.4.0-150400.5.9.1 updated - kernel-default-5.14.21-150400.24.167.1 updated - krb5-1.19.2-150400.3.15.1 updated - libapparmor1-3.0.4-150400.5.18.1 updated - libaugeas0-1.12.0-150400.3.8.1 updated - libavahi-client3-0.8-150400.7.20.1 updated - libavahi-common3-0.8-150400.7.20.1 updated - libblkid1-2.37.2-150400.8.35.2 updated - libcom_err2-1.46.4-150400.3.9.2 updated - libcryptsetup12-2.4.3-150400.3.6.2 updated - libcurl4-8.0.1-150400.5.62.1 updated - 
libexpat1-2.7.1-150400.3.28.1 updated - libfdisk1-2.37.2-150400.8.35.2 updated - libfreetype6-2.10.4-150000.4.22.1 updated - libgcc_s1-14.2.0+git10526-150000.1.6.1 updated - libglib-2_0-0-2.70.5-150400.3.23.1 updated - libgnutls30-3.7.3-150400.4.47.1 updated - libhavege2-1.9.14-150400.3.8.1 updated - libjq1-1.6-150000.3.6.1 updated - libmount1-2.37.2-150400.8.35.2 updated - libncurses6-6.1-150000.5.30.1 updated - libopeniscsiusr0_2_0-2.1.7-150400.39.14.1 updated - libopenssl1_1-1.1.1l-150400.7.78.1 updated - libpcap1-1.10.1-150400.3.6.2 updated - libprocps8-3.3.17-150000.7.42.1 updated - libpython3_6m1_0-3.6.15-150300.10.84.1 updated - librdkafka1-0.11.6-150000.1.11.1 updated - libreadline7-7.0-150400.27.3.2 updated - libsmartcols1-2.37.2-150400.8.35.2 updated - libsolv-tools-base-0.7.32-150400.3.35.1 updated - libsolv-tools-0.7.32-150400.3.35.1 updated - libsqlite3-0-3.49.1-150000.3.27.1 updated - libssh-config-0.9.8-150400.3.9.1 updated - libssh4-0.9.8-150400.3.9.1 updated - libstdc++6-14.2.0+git10526-150000.1.6.1 updated - libsystemd0-249.17-150400.8.46.1 updated - libtasn1-6-4.13-150000.4.11.1 updated - libtasn1-4.13-150000.4.11.1 updated - libudev1-249.17-150400.8.46.1 updated - libuuid1-2.37.2-150400.8.35.2 updated - libxml2-2-2.9.14-150400.5.44.1 updated - libzypp-17.37.5-150400.3.126.1 updated - login_defs-4.8.1-150400.10.24.1 updated - logrotate-3.18.1-150400.3.10.1 updated - ncurses-utils-6.1-150000.5.30.1 updated - open-iscsi-2.1.7-150400.39.14.1 updated - openssh-clients-8.4p1-150300.3.49.1 updated - openssh-common-8.4p1-150300.3.49.1 updated - openssh-server-8.4p1-150300.3.49.1 updated - openssh-8.4p1-150300.3.49.1 updated - openssl-1_1-1.1.1l-150400.7.78.1 updated - pam-config-1.1-150200.3.14.1 updated - pam-1.3.0-150000.6.83.1 updated - perl-base-5.26.1-150300.17.20.1 updated - perl-5.26.1-150300.17.20.1 updated - procps-3.3.17-150000.7.42.1 updated - python3-base-3.6.15-150300.10.84.1 updated - python3-bind-9.16.50-150400.5.46.1 updated - 
python3-setuptools-44.1.1-150400.9.12.1 updated - python3-3.6.15-150300.10.84.1 updated - rsyslog-module-relp-8.2306.0-150400.5.33.1 updated - rsyslog-8.2306.0-150400.5.33.1 updated - runc-1.2.6-150000.73.2 updated - shadow-4.8.1-150400.10.24.1 updated - shim-15.8-150300.4.23.1 updated - socat-1.8.0.0-150400.14.6.1 updated - sudo-1.9.9-150400.4.39.1 updated - supportutils-3.2.10-150300.7.35.36.4 updated - suse-build-key-12.0-150000.8.58.1 updated - suseconnect-ng-1.13.0-150400.3.42.1 updated - systemd-sysvinit-249.17-150400.8.46.1 updated - systemd-249.17-150400.8.46.1 updated - terminfo-base-6.1-150000.5.30.1 updated - terminfo-6.1-150000.5.30.1 updated - timezone-2025b-150000.75.34.2 updated - udev-249.17-150400.8.46.1 updated - util-linux-systemd-2.37.2-150400.8.35.2 updated - util-linux-2.37.2-150400.8.35.2 updated - vim-data-common-9.1.1406-150000.5.75.1 updated - vim-9.1.1406-150000.5.75.1 updated - wget-1.20.3-150000.3.29.1 updated - wicked-service-0.6.77-150400.3.36.1 updated - wicked-0.6.77-150400.3.36.1 updated - xen-libs-4.16.7_02-150400.4.72.1 updated - xxd-9.1.1406-150000.5.75.1 added - zypper-1.14.90-150400.3.85.3 updated - e2fsprogs-1.46.4-150400.3.6.2 removed - libext2fs2-1.46.4-150400.3.6.2 removed - libxslt1-1.1.34-150400.3.3.1 removed - python-instance-billing-flavor-check-0.0.6-150400.1.11.7 removed - python3-apipkg-1.4-150000.3.6.1 removed - python3-asn1crypto-0.24.0-3.2.1 removed - python3-certifi-2018.1.18-150000.3.3.1 removed - python3-cffi-1.13.2-3.2.5 removed - python3-chardet-3.0.4-150000.5.3.1 removed - python3-cryptography-3.3.2-150400.23.1 removed - python3-cssselect-1.0.3-150400.3.7.4 removed - python3-idna-2.6-150000.3.3.1 removed - python3-iniconfig-1.1.1-150000.1.11.1 removed - python3-lxml-4.7.1-150200.3.12.1 removed - python3-py-1.10.0-150100.5.12.1 removed - python3-pyOpenSSL-21.0.0-150400.7.62 removed - python3-pyasn1-0.4.2-150000.3.5.1 removed - python3-pycparser-2.17-3.2.1 removed - python3-requests-2.25.1-150300.3.12.2 
removed - python3-urllib3-1.25.10-150300.4.12.1 removed From sle-container-updates at lists.suse.com Wed Jul 23 20:06:43 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 23 Jul 2025 22:06:43 +0200 (CEST) Subject: SUSE-IU-2025:2022-1: Security update of suse-sles-15-sp4-chost-byos-v20250721-x86_64-gen2 Message-ID: <20250723200643.0B131FCFE@maintenance.suse.de> SUSE Image Update Advisory: suse-sles-15-sp4-chost-byos-v20250721-x86_64-gen2 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2022-1 Image Tags : suse-sles-15-sp4-chost-byos-v20250721-x86_64-gen2:20250721 Image Release : Severity : important Type : security References :
1238938 1238939 1238943 1238945 1238948 1238949 1238950 1238951 1238952 1238954 1238956 1238957 1239001 1239004 1239012 1239016 1239035 1239036 1239040 1239041 1239051 1239060 1239061 1239070 1239071 1239073 1239076 1239109 1239115 1239126 1239185 1239322 1239452 1239454 1239465 1239543 1239602 1239618 1239663 1239680 1239749 1239765 1239809 1239909 1239968 1239968 1239969 1240009 1240132 1240133 1240150 1240177 1240188 1240195 1240195 1240205 1240207 1240208 1240210 1240212 1240213 1240218 1240220 1240227 1240229 1240231 1240242 1240245 1240247 1240250 1240254 1240256 1240264 1240266 1240272 1240275 1240276 1240278 1240279 1240280 1240281 1240282 1240283 1240284 1240286 1240288 1240290 1240292 1240293 1240297 1240304 1240308 1240309 1240317 1240318 1240322 1240343 1240343 1240385 1240529 1240553 1240648 1240747 1240802 1240835 1240869 1240897 1241012 1241020 1241045 1241078 1241189 1241280 1241371 1241421 1241433 1241453 1241463 1241525 1241526 1241541 1241551 1241640 1241648 1241678 1241830 1242114 1242147 1242150 1242151 1242154 1242157 1242158 1242164 1242165 1242169 1242215 1242218 1242219 1242222 1242226 1242227 1242228 1242229 1242230 1242231 1242232 1242237 1242239 1242241 1242244 1242245 1242248 1242261 1242264 1242265 1242270 1242276 1242279 1242280 1242281 1242282 1242284 1242285 1242289 1242294 1242300 1242305 1242312 1242320 1242338 1242352 1242353 1242355 1242357 1242358 1242361 1242365 1242366 1242369 1242370 1242371 1242372 1242377 1242378 1242380 1242382 1242385 1242387 1242389 1242391 1242392 1242394 1242398 1242399 1242402 1242403 1242409 1242411 1242415 1242416 1242421 1242422 1242426 1242428 1242440 1242443 1242449 1242452 1242453 1242454 1242455 1242456 1242458 1242464 1242467 1242469 1242473 1242478 1242481 1242484 1242489 1242493 1242497 1242527 1242542 1242544 1242545 1242547 1242548 1242549 1242550 1242551 1242558 1242570 1242580 1242586 1242589 1242596 1242597 1242685 1242686 1242688 1242689 1242695 1242716 1242733 1242734 1242735 1242736 
1242739 1242743 1242744 1242745 1242746 1242747 1242749 1242752 1242753 1242756 1242759 1242762 1242765 1242767 1242778 1242779 1242790 1242791 1242842 1242844 1243047 1243117 1243133 1243226 1243226 1243284 1243313 1243317 1243450 1243488 1243649 1243660 1243737 1243767 1243772 1243833 1243887 1243901 1243919 1244035 1244039 1244079 1244105 1244509 1244554 1244557 1244590 1244644 1244700 1244933 1245274 1245309 1245310 1245311 1245314 1246112 CVE-2017-5753 CVE-2021-31879 CVE-2021-4441 CVE-2021-4453 CVE-2021-4454 CVE-2021-47202 CVE-2021-47416 CVE-2021-47534 CVE-2021-47631 CVE-2021-47632 CVE-2021-47633 CVE-2021-47635 CVE-2021-47636 CVE-2021-47637 CVE-2021-47638 CVE-2021-47639 CVE-2021-47641 CVE-2021-47642 CVE-2021-47643 CVE-2021-47644 CVE-2021-47645 CVE-2021-47646 CVE-2021-47647 CVE-2021-47648 CVE-2021-47649 CVE-2021-47650 CVE-2021-47651 CVE-2021-47652 CVE-2021-47653 CVE-2021-47654 CVE-2021-47656 CVE-2021-47657 CVE-2021-47659 CVE-2021-47671 CVE-2022-0168 CVE-2022-0995 CVE-2022-1016 CVE-2022-1048 CVE-2022-1184 CVE-2022-2977 CVE-2022-29900 CVE-2022-29901 CVE-2022-3303 CVE-2022-3435 CVE-2022-3435 CVE-2022-3564 CVE-2022-3619 CVE-2022-3640 CVE-2022-4382 CVE-2022-45934 CVE-2022-48664 CVE-2022-48868 CVE-2022-48869 CVE-2022-48870 CVE-2022-48871 CVE-2022-48872 CVE-2022-48873 CVE-2022-48875 CVE-2022-48878 CVE-2022-48879 CVE-2022-48880 CVE-2022-48890 CVE-2022-48891 CVE-2022-48896 CVE-2022-48898 CVE-2022-48899 CVE-2022-48903 CVE-2022-48904 CVE-2022-48905 CVE-2022-48907 CVE-2022-48909 CVE-2022-48911 CVE-2022-48912 CVE-2022-48913 CVE-2022-48914 CVE-2022-48915 CVE-2022-48916 CVE-2022-48917 CVE-2022-48918 CVE-2022-48919 CVE-2022-48921 CVE-2022-48923 CVE-2022-48924 CVE-2022-48925 CVE-2022-48926 CVE-2022-48927 CVE-2022-48928 CVE-2022-48929 CVE-2022-48930 CVE-2022-48931 CVE-2022-48932 CVE-2022-48934 CVE-2022-48935 CVE-2022-48937 CVE-2022-48938 CVE-2022-48941 CVE-2022-48942 CVE-2022-48943 CVE-2022-48944 CVE-2022-48945 CVE-2022-48946 CVE-2022-48947 CVE-2022-48948 CVE-2022-48949 
CVE-2022-48951 CVE-2022-48953 CVE-2022-48954 CVE-2022-48955 CVE-2022-48956 CVE-2022-48959 CVE-2022-48960 CVE-2022-48961 CVE-2022-48962 CVE-2022-48967 CVE-2022-48968 CVE-2022-48969 CVE-2022-48970 CVE-2022-48971 CVE-2022-48972 CVE-2022-48973 CVE-2022-48975 CVE-2022-48977 CVE-2022-48978 CVE-2022-48981 CVE-2022-48985 CVE-2022-48987 CVE-2022-48988 CVE-2022-48991 CVE-2022-48992 CVE-2022-48994 CVE-2022-48995 CVE-2022-48997 CVE-2022-48999 CVE-2022-49000 CVE-2022-49002 CVE-2022-49003 CVE-2022-49005 CVE-2022-49006 CVE-2022-49007 CVE-2022-49010 CVE-2022-49011 CVE-2022-49012 CVE-2022-49014 CVE-2022-49015 CVE-2022-49016 CVE-2022-49019 CVE-2022-49021 CVE-2022-49022 CVE-2022-49023 CVE-2022-49024 CVE-2022-49025 CVE-2022-49026 CVE-2022-49027 CVE-2022-49028 CVE-2022-49029 CVE-2022-49031 CVE-2022-49032 CVE-2022-49035 CVE-2022-49043 CVE-2022-49044 CVE-2022-49050 CVE-2022-49051 CVE-2022-49053 CVE-2022-49054 CVE-2022-49055 CVE-2022-49058 CVE-2022-49059 CVE-2022-49060 CVE-2022-49061 CVE-2022-49063 CVE-2022-49065 CVE-2022-49066 CVE-2022-49073 CVE-2022-49074 CVE-2022-49076 CVE-2022-49078 CVE-2022-49080 CVE-2022-49082 CVE-2022-49083 CVE-2022-49084 CVE-2022-49085 CVE-2022-49086 CVE-2022-49088 CVE-2022-49089 CVE-2022-49090 CVE-2022-49091 CVE-2022-49092 CVE-2022-49093 CVE-2022-49095 CVE-2022-49096 CVE-2022-49097 CVE-2022-49098 CVE-2022-49099 CVE-2022-49100 CVE-2022-49102 CVE-2022-49103 CVE-2022-49104 CVE-2022-49105 CVE-2022-49106 CVE-2022-49107 CVE-2022-49109 CVE-2022-49110 CVE-2022-49111 CVE-2022-49112 CVE-2022-49113 CVE-2022-49114 CVE-2022-49115 CVE-2022-49116 CVE-2022-49118 CVE-2022-49119 CVE-2022-49120 CVE-2022-49121 CVE-2022-49122 CVE-2022-49126 CVE-2022-49128 CVE-2022-49129 CVE-2022-49130 CVE-2022-49131 CVE-2022-49132 CVE-2022-49135 CVE-2022-49137 CVE-2022-49139 CVE-2022-49145 CVE-2022-49147 CVE-2022-49148 CVE-2022-49151 CVE-2022-49153 CVE-2022-49154 CVE-2022-49155 CVE-2022-49156 CVE-2022-49157 CVE-2022-49158 CVE-2022-49159 CVE-2022-49160 CVE-2022-49162 CVE-2022-49163 CVE-2022-49164 
CVE-2022-49165 CVE-2022-49174 CVE-2022-49175 CVE-2022-49176 CVE-2022-49177 CVE-2022-49179 CVE-2022-49180 CVE-2022-49182 CVE-2022-49185 CVE-2022-49187 CVE-2022-49188 CVE-2022-49189 CVE-2022-49193 CVE-2022-49194 CVE-2022-49196 CVE-2022-49199 CVE-2022-49200 CVE-2022-49201 CVE-2022-49206 CVE-2022-49208 CVE-2022-49212 CVE-2022-49213 CVE-2022-49214 CVE-2022-49216 CVE-2022-49217 CVE-2022-49218 CVE-2022-49221 CVE-2022-49222 CVE-2022-49224 CVE-2022-49226 CVE-2022-49227 CVE-2022-49232 CVE-2022-49235 CVE-2022-49236 CVE-2022-49239 CVE-2022-49241 CVE-2022-49242 CVE-2022-49243 CVE-2022-49244 CVE-2022-49246 CVE-2022-49247 CVE-2022-49248 CVE-2022-49249 CVE-2022-49250 CVE-2022-49251 CVE-2022-49252 CVE-2022-49253 CVE-2022-49254 CVE-2022-49256 CVE-2022-49257 CVE-2022-49258 CVE-2022-49259 CVE-2022-49260 CVE-2022-49261 CVE-2022-49262 CVE-2022-49263 CVE-2022-49264 CVE-2022-49265 CVE-2022-49266 CVE-2022-49268 CVE-2022-49269 CVE-2022-49270 CVE-2022-49271 CVE-2022-49272 CVE-2022-49273 CVE-2022-49274 CVE-2022-49275 CVE-2022-49276 CVE-2022-49277 CVE-2022-49278 CVE-2022-49279 CVE-2022-49280 CVE-2022-49281 CVE-2022-49283 CVE-2022-49285 CVE-2022-49286 CVE-2022-49287 CVE-2022-49288 CVE-2022-49290 CVE-2022-49291 CVE-2022-49292 CVE-2022-49293 CVE-2022-49294 CVE-2022-49295 CVE-2022-49297 CVE-2022-49298 CVE-2022-49299 CVE-2022-49300 CVE-2022-49301 CVE-2022-49302 CVE-2022-49304 CVE-2022-49305 CVE-2022-49307 CVE-2022-49308 CVE-2022-49309 CVE-2022-49310 CVE-2022-49311 CVE-2022-49312 CVE-2022-49313 CVE-2022-49314 CVE-2022-49315 CVE-2022-49316 CVE-2022-49319 CVE-2022-49320 CVE-2022-49321 CVE-2022-49322 CVE-2022-49323 CVE-2022-49326 CVE-2022-49327 CVE-2022-49328 CVE-2022-49331 CVE-2022-49332 CVE-2022-49335 CVE-2022-49336 CVE-2022-49337 CVE-2022-49339 CVE-2022-49341 CVE-2022-49342 CVE-2022-49343 CVE-2022-49345 CVE-2022-49346 CVE-2022-49347 CVE-2022-49348 CVE-2022-49349 CVE-2022-49350 CVE-2022-49351 CVE-2022-49352 CVE-2022-49354 CVE-2022-49356 CVE-2022-49357 CVE-2022-49367 CVE-2022-49368 CVE-2022-49370 
CVE-2022-49371 CVE-2022-49373 CVE-2022-49375 CVE-2022-49376 CVE-2022-49377 CVE-2022-49378 CVE-2022-49379 CVE-2022-49381 CVE-2022-49382 CVE-2022-49384 CVE-2022-49385 CVE-2022-49386 CVE-2022-49389 CVE-2022-49392 CVE-2022-49394 CVE-2022-49396 CVE-2022-49397 CVE-2022-49398 CVE-2022-49399 CVE-2022-49400 CVE-2022-49402 CVE-2022-49404 CVE-2022-49407 CVE-2022-49409 CVE-2022-49410 CVE-2022-49411 CVE-2022-49412 CVE-2022-49413 CVE-2022-49414 CVE-2022-49416 CVE-2022-49418 CVE-2022-49421 CVE-2022-49422 CVE-2022-49424 CVE-2022-49426 CVE-2022-49427 CVE-2022-49429 CVE-2022-49430 CVE-2022-49431 CVE-2022-49432 CVE-2022-49433 CVE-2022-49434 CVE-2022-49435 CVE-2022-49437 CVE-2022-49438 CVE-2022-49440 CVE-2022-49441 CVE-2022-49442 CVE-2022-49443 CVE-2022-49444 CVE-2022-49445 CVE-2022-49447 CVE-2022-49448 CVE-2022-49449 CVE-2022-49451 CVE-2022-49453 CVE-2022-49455 CVE-2022-49459 CVE-2022-49460 CVE-2022-49462 CVE-2022-49463 CVE-2022-49465 CVE-2022-49466 CVE-2022-49467 CVE-2022-49468 CVE-2022-49472 CVE-2022-49473 CVE-2022-49474 CVE-2022-49475 CVE-2022-49477 CVE-2022-49478 CVE-2022-49480 CVE-2022-49481 CVE-2022-49482 CVE-2022-49486 CVE-2022-49487 CVE-2022-49488 CVE-2022-49489 CVE-2022-49490 CVE-2022-49491 CVE-2022-49492 CVE-2022-49493 CVE-2022-49494 CVE-2022-49495 CVE-2022-49498 CVE-2022-49501 CVE-2022-49502 CVE-2022-49503 CVE-2022-49504 CVE-2022-49505 CVE-2022-49506 CVE-2022-49507 CVE-2022-49508 CVE-2022-49509 CVE-2022-49512 CVE-2022-49514 CVE-2022-49515 CVE-2022-49517 CVE-2022-49519 CVE-2022-49520 CVE-2022-49521 CVE-2022-49522 CVE-2022-49523 CVE-2022-49524 CVE-2022-49525 CVE-2022-49526 CVE-2022-49527 CVE-2022-49532 CVE-2022-49534 CVE-2022-49535 CVE-2022-49536 CVE-2022-49537 CVE-2022-49541 CVE-2022-49542 CVE-2022-49544 CVE-2022-49545 CVE-2022-49546 CVE-2022-49549 CVE-2022-49551 CVE-2022-49555 CVE-2022-49556 CVE-2022-49559 CVE-2022-49562 CVE-2022-49563 CVE-2022-49564 CVE-2022-49566 CVE-2022-49568 CVE-2022-49569 CVE-2022-49570 CVE-2022-49579 CVE-2022-49581 CVE-2022-49583 CVE-2022-49584 
CVE-2022-49591 CVE-2022-49592 CVE-2022-49603 CVE-2022-49605 CVE-2022-49606 CVE-2022-49607 CVE-2022-49609 CVE-2022-49610 CVE-2022-49611 CVE-2022-49613 CVE-2022-49615 CVE-2022-49616 CVE-2022-49617 CVE-2022-49618 CVE-2022-49621 CVE-2022-49623 CVE-2022-49625 CVE-2022-49626 CVE-2022-49627 CVE-2022-49628 CVE-2022-49631 CVE-2022-49634 CVE-2022-49640 CVE-2022-49641 CVE-2022-49642 CVE-2022-49643 CVE-2022-49644 CVE-2022-49645 CVE-2022-49646 CVE-2022-49647 CVE-2022-49648 CVE-2022-49649 CVE-2022-49650 CVE-2022-49652 CVE-2022-49653 CVE-2022-49656 CVE-2022-49657 CVE-2022-49661 CVE-2022-49663 CVE-2022-49665 CVE-2022-49667 CVE-2022-49668 CVE-2022-49670 CVE-2022-49671 CVE-2022-49672 CVE-2022-49673 CVE-2022-49674 CVE-2022-49675 CVE-2022-49676 CVE-2022-49677 CVE-2022-49678 CVE-2022-49679 CVE-2022-49680 CVE-2022-49683 CVE-2022-49685 CVE-2022-49687 CVE-2022-49688 CVE-2022-49693 CVE-2022-49695 CVE-2022-49699 CVE-2022-49700 CVE-2022-49701 CVE-2022-49703 CVE-2022-49704 CVE-2022-49705 CVE-2022-49707 CVE-2022-49708 CVE-2022-49710 CVE-2022-49711 CVE-2022-49712 CVE-2022-49713 CVE-2022-49714 CVE-2022-49715 CVE-2022-49716 CVE-2022-49719 CVE-2022-49720 CVE-2022-49721 CVE-2022-49722 CVE-2022-49723 CVE-2022-49724 CVE-2022-49725 CVE-2022-49726 CVE-2022-49729 CVE-2022-49730 CVE-2022-49731 CVE-2022-49733 CVE-2022-49739 CVE-2022-49741 CVE-2022-49746 CVE-2022-49748 CVE-2022-49751 CVE-2022-49753 CVE-2022-49755 CVE-2022-49759 CVE-2022-49767 CVE-2022-49769 CVE-2022-49770 CVE-2022-49771 CVE-2022-49772 CVE-2022-49775 CVE-2022-49776 CVE-2022-49777 CVE-2022-49779 CVE-2022-49783 CVE-2022-49787 CVE-2022-49788 CVE-2022-49789 CVE-2022-49790 CVE-2022-49792 CVE-2022-49793 CVE-2022-49794 CVE-2022-49796 CVE-2022-49797 CVE-2022-49799 CVE-2022-49800 CVE-2022-49801 CVE-2022-49802 CVE-2022-49807 CVE-2022-49809 CVE-2022-49810 CVE-2022-49812 CVE-2022-49813 CVE-2022-49818 CVE-2022-49821 CVE-2022-49822 CVE-2022-49823 CVE-2022-49824 CVE-2022-49825 CVE-2022-49826 CVE-2022-49827 CVE-2022-49830 CVE-2022-49832 CVE-2022-49834 
CVE-2022-49835 CVE-2022-49836 CVE-2022-49839 CVE-2022-49841 CVE-2022-49842 CVE-2022-49845 CVE-2022-49846 CVE-2022-49850 CVE-2022-49853 CVE-2022-49858 CVE-2022-49860 CVE-2022-49861 CVE-2022-49863 CVE-2022-49864 CVE-2022-49865 CVE-2022-49868 CVE-2022-49869 CVE-2022-49870 CVE-2022-49871 CVE-2022-49874 CVE-2022-49879 CVE-2022-49880 CVE-2022-49881 CVE-2022-49885 CVE-2022-49887 CVE-2022-49888 CVE-2022-49889 CVE-2022-49890 CVE-2022-49891 CVE-2022-49892 CVE-2022-49900 CVE-2022-49905 CVE-2022-49906 CVE-2022-49908 CVE-2022-49909 CVE-2022-49910 CVE-2022-49915 CVE-2022-49916 CVE-2022-49922 CVE-2022-49923 CVE-2022-49924 CVE-2022-49925 CVE-2022-49927 CVE-2022-49928 CVE-2022-49931 CVE-2023-0179 CVE-2023-1192 CVE-2023-1652 CVE-2023-1990 CVE-2023-2162 CVE-2023-2166 CVE-2023-28327 CVE-2023-28410 CVE-2023-3567 CVE-2023-4016 CVE-2023-45142 CVE-2023-47108 CVE-2023-50782 CVE-2023-52489 CVE-2023-52572 CVE-2023-52766 CVE-2023-52800 CVE-2023-52881 CVE-2023-52893 CVE-2023-52894 CVE-2023-52896 CVE-2023-52898 CVE-2023-52900 CVE-2023-52901 CVE-2023-52905 CVE-2023-52907 CVE-2023-52911 CVE-2023-52919 CVE-2023-52922 CVE-2023-52930 CVE-2023-52933 CVE-2023-52935 CVE-2023-52939 CVE-2023-52941 CVE-2023-52973 CVE-2023-52974 CVE-2023-52975 CVE-2023-52976 CVE-2023-52979 CVE-2023-52983 CVE-2023-52984 CVE-2023-52988 CVE-2023-52989 CVE-2023-52992 CVE-2023-52993 CVE-2023-53000 CVE-2023-53005 CVE-2023-53006 CVE-2023-53007 CVE-2023-53008 CVE-2023-53010 CVE-2023-53015 CVE-2023-53016 CVE-2023-53019 CVE-2023-53023 CVE-2023-53024 CVE-2023-53025 CVE-2023-53026 CVE-2023-53028 CVE-2023-53029 CVE-2023-53030 CVE-2023-53033 CVE-2023-53035 CVE-2023-53038 CVE-2023-53039 CVE-2023-53040 CVE-2023-53041 CVE-2023-53044 CVE-2023-53045 CVE-2023-53049 CVE-2023-53051 CVE-2023-53052 CVE-2023-53054 CVE-2023-53056 CVE-2023-53058 CVE-2023-53059 CVE-2023-53060 CVE-2023-53062 CVE-2023-53064 CVE-2023-53065 CVE-2023-53066 CVE-2023-53068 CVE-2023-53075 CVE-2023-53077 CVE-2023-53078 CVE-2023-53079 CVE-2023-53081 CVE-2023-53084 
CVE-2023-53087 CVE-2023-53089 CVE-2023-53090 CVE-2023-53091 CVE-2023-53092 CVE-2023-53093 CVE-2023-53096 CVE-2023-53098 CVE-2023-53099 CVE-2023-53100 CVE-2023-53101 CVE-2023-53106 CVE-2023-53108 CVE-2023-53111 CVE-2023-53114 CVE-2023-53116 CVE-2023-53118 CVE-2023-53119 CVE-2023-53123 CVE-2023-53124 CVE-2023-53125 CVE-2023-53131 CVE-2023-53134 CVE-2023-53137 CVE-2023-53139 CVE-2023-53140 CVE-2023-53142 CVE-2023-53143 CVE-2023-53145 CVE-2023-6270 CVE-2024-10041 CVE-2024-10041 CVE-2024-10524 CVE-2024-11053 CVE-2024-11168 CVE-2024-11168 CVE-2024-11187 CVE-2024-12133 CVE-2024-12243 CVE-2024-13176 CVE-2024-2201 CVE-2024-2201 CVE-2024-23337 CVE-2024-23650 CVE-2024-26782 CVE-2024-27043 CVE-2024-28956 CVE-2024-29018 CVE-2024-29018 CVE-2024-31143 CVE-2024-31145 CVE-2024-31146 CVE-2024-35949 CVE-2024-36350 CVE-2024-36357 CVE-2024-40635 CVE-2024-40910 CVE-2024-41009 CVE-2024-41011 CVE-2024-41062 CVE-2024-41087 CVE-2024-41087 CVE-2024-41087 CVE-2024-41092 CVE-2024-41110 CVE-2024-41110 CVE-2024-41965 CVE-2024-42077 CVE-2024-42098 CVE-2024-42126 CVE-2024-42145 CVE-2024-42229 CVE-2024-42230 CVE-2024-42232 CVE-2024-42240 CVE-2024-42271 CVE-2024-42301 CVE-2024-43790 CVE-2024-43802 CVE-2024-43853 CVE-2024-43854 CVE-2024-43861 CVE-2024-43882 CVE-2024-43883 CVE-2024-44932 CVE-2024-44938 CVE-2024-44946 CVE-2024-44947 CVE-2024-44947 CVE-2024-44964 CVE-2024-45003 CVE-2024-45013 CVE-2024-45016 CVE-2024-45021 CVE-2024-45026 CVE-2024-45306 CVE-2024-45310 CVE-2024-45774 CVE-2024-45775 CVE-2024-45776 CVE-2024-45777 CVE-2024-45778 CVE-2024-45779 CVE-2024-45780 CVE-2024-45781 CVE-2024-45782 CVE-2024-45783 CVE-2024-45817 CVE-2024-45818 CVE-2024-45819 CVE-2024-46674 CVE-2024-46716 CVE-2024-46774 CVE-2024-46784 CVE-2024-46813 CVE-2024-46814 CVE-2024-46815 CVE-2024-46816 CVE-2024-46817 CVE-2024-46818 CVE-2024-46849 CVE-2024-47081 CVE-2024-47668 CVE-2024-47674 CVE-2024-47684 CVE-2024-47706 CVE-2024-47747 CVE-2024-47748 CVE-2024-47757 CVE-2024-49860 CVE-2024-49867 CVE-2024-49925 CVE-2024-49930 
CVE-2024-49936 CVE-2024-49945 CVE-2024-49960 CVE-2024-49969 CVE-2024-49974 CVE-2024-49982 CVE-2024-49991 CVE-2024-49995 CVE-2024-50017 CVE-2024-50047 CVE-2024-50089 CVE-2024-50115 CVE-2024-50115 CVE-2024-50125 CVE-2024-50127 CVE-2024-50128 CVE-2024-50154 CVE-2024-50154 CVE-2024-50199 CVE-2024-50205 CVE-2024-50208 CVE-2024-50259 CVE-2024-50264 CVE-2024-50267 CVE-2024-50274 CVE-2024-50279 CVE-2024-50290 CVE-2024-50290 CVE-2024-50301 CVE-2024-50302 CVE-2024-50602 CVE-2024-52533 CVE-2024-52616 CVE-2024-53061 CVE-2024-53063 CVE-2024-53063 CVE-2024-53064 CVE-2024-53068 CVE-2024-53095 CVE-2024-53095 CVE-2024-53104 CVE-2024-53135 CVE-2024-53142 CVE-2024-53144 CVE-2024-53146 CVE-2024-53156 CVE-2024-53166 CVE-2024-53168 CVE-2024-53173 CVE-2024-53173 CVE-2024-53177 CVE-2024-53179 CVE-2024-53206 CVE-2024-53214 CVE-2024-53239 CVE-2024-53239 CVE-2024-53240 CVE-2024-53241 CVE-2024-53241 CVE-2024-54661 CVE-2024-54680 CVE-2024-56171 CVE-2024-56326 CVE-2024-5642 CVE-2024-56539 CVE-2024-56539 CVE-2024-56548 CVE-2024-56548 CVE-2024-56558 CVE-2024-56570 CVE-2024-56598 CVE-2024-56600 CVE-2024-56601 CVE-2024-56602 CVE-2024-56604 CVE-2024-56605 CVE-2024-56605 CVE-2024-56619 CVE-2024-56623 CVE-2024-56631 CVE-2024-56642 CVE-2024-56645 CVE-2024-56648 CVE-2024-56650 CVE-2024-56651 CVE-2024-56658 CVE-2024-56661 CVE-2024-56664 CVE-2024-56704 CVE-2024-56737 CVE-2024-56759 CVE-2024-57791 CVE-2024-57792 CVE-2024-57798 CVE-2024-57849 CVE-2024-57893 CVE-2024-57897 CVE-2024-57948 CVE-2024-57996 CVE-2024-58014 CVE-2024-58083 CVE-2024-6232 CVE-2024-6923 CVE-2024-7592 CVE-2024-8176 CVE-2024-8805 CVE-2024-8805 CVE-2024-9287 CVE-2024-9681 CVE-2025-0167 CVE-2025-0395 CVE-2025-0495 CVE-2025-0622 CVE-2025-0624 CVE-2025-0677 CVE-2025-0678 CVE-2025-0684 CVE-2025-0685 CVE-2025-0686 CVE-2025-0689 CVE-2025-0690 CVE-2025-0725 CVE-2025-0938 CVE-2025-1118 CVE-2025-1125 CVE-2025-1215 CVE-2025-1713 CVE-2025-21690 CVE-2025-21692 CVE-2025-21693 CVE-2025-21699 CVE-2025-21714 CVE-2025-21718 CVE-2025-21726 CVE-2025-21732 
-----------------------------------------------------------------
The container suse-sles-15-sp4-chost-byos-v20250721-x86_64-gen2 was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1335-1
Released: Tue Jul 17 10:13:39 2018
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1095485

This update for cloud-netconfig fixes the following issues:

- Make interface names in Azure persistent. (bsc#1095485)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:529-1
Released: Fri Mar 1 13:46:51 2019
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1112822,1118783,1122013,1123008

This update for cloud-netconfig provides the following fixes:

- Run cloud-netconfig periodically. (bsc#1118783, bsc#1122013)
- Do not treat eth0 special with regard to routing policies. (bsc#1123008)
- Reduce the timeout on metadata read. (bsc#1112822)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1560-1
Released: Wed Jun 19 08:57:17 2019
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1135257,1135263

This update for cloud-netconfig fixes the following issues:

- cloud-netconfig will now pause and retry if API call throttling is detected in Azure (bsc#1135257, bsc#1135263)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:31-1
Released: Mon Feb 24 10:36:36 2020
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1135592,1144282,1157117,1157190

This update for cloud-netconfig contains the following fixes:

- Removed obsolete Group tag from spec file.
- Update to version 1.3:
  + Fix IPv4 address handling on secondary NICs in Azure.
- Update to version 1.2:
  + support AWS IMDSv2 token.
- Update to version 1.1:
  + fix use of GATEWAY variable. (bsc#1157117, bsc#1157190)
  + remove secondary IPv4 address only when added by cloud-netconfig. (bsc#1144282)
  + simplify routing setup for single NIC systems (partly fixes bsc#1135592)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:637-1
Released: Wed Mar 11 11:29:56 2020
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1162705,1162707

This update for cloud-netconfig fixes the following issues:

- Copy routes from the default routing table. (bsc#1162705, bsc#1162707)
  On multi-NIC systems, cloud-netconfig creates separate routing tables with different default routes, so packets get routed via the network interfaces associated with the source IP address. Systems may have additional routing in place and in that case cloud-netconfig's NIC specific routing may bypass those routes.
- Make the key CLOUD_NETCONFIG_MANAGE enabled by default.
  Any network interface that has been configured automatically via cloud-netconfig has a configuration file associated. If the value is set to 'NO' (or the pair is removed altogether), cloud-netconfig will not handle secondary IPv4 addresses and routing policies for the associated network interface.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3619-1
Released: Tue Dec 15 13:41:16 2020
Summary: Recommended update for cloud-netconfig, google-guest-agent
Type: recommended
Severity: moderate
References: 1159460,1178486,1179031,1179032

This update for cloud-netconfig, google-guest-agent fixes the following issues:

cloud-netconfig:

- Update to version 1.5:
  + Add support for GCE (bsc#1159460, bsc#1178486, jsc#ECO-2800)
  + Improve default gateway determination

google-guest-agent:

- Update to version 20201026.00
  * remove old unused workflow files
  * fallback to IP for metadata
  * getPasswd: Check full prefix of line for username
- dont_overwrite_ifcfg.patch: Do not overwrite existing ifcfg files to allow manual configuration and compatibility with cloud-netconfig. (bsc#1159460, bsc#1178486)
- Update to version 20200929.00
  * correct varname
  * don't call dhclient -x on network setup
  * add instance id dir override
  * update agent systemd service file
  * typo, change to noadjfile
  * add gaohannk to OWNERS
  * remove illfelder from OWNERS
  * Add all license files to packages
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:167-1
Released: Mon Jan 24 18:16:24 2022
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1187939

This update for cloud-netconfig fixes the following issues:

- Update to version 1.6:
  + Ignore proxy when accessing metadata (bsc#1187939)
  + Print warning in case metadata is not accessible
  + Documentation update
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:658-1
Released: Wed Mar 8 10:51:10 2023
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1199853,1204549

This update for cloud-netconfig fixes the following issues:

- Update to version 1.7:
  + Overhaul policy routing setup
  + Support alias IPv4 ranges
  + Add support for NetworkManager (bsc#1204549)
  + Remove dependency on netconfig
  + Install into libexec directory
  + Clear stale ifcfg files for accelerated NICs (bsc#1199853)
  + More debug messages
  + Documentation update
- /etc/netconfig.d/ moved to /usr/libexec/netconfig/netconfig.d/ in Tumbleweed, update path
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3637-1
Released: Mon Sep 18 13:02:23 2023
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: important
References: 1214715

This update for cloud-netconfig fixes the following issues:

- Update to version 1.8:
  - Fix Automatic Addition of Secondary IP Addresses in Azure Using cloud-netconfig. (bsc#1214715)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:630-1
Released: Tue Feb 27 09:14:49 2024
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1218069,1219007

This update for cloud-netconfig fixes the following issues:

- Drop cloud-netconfig-nm sub package and include NM dispatcher script in main packages (bsc#1219007)
- Drop package dependency on sysconfig-netconfig
- Improve log level handling
- Support IPv6 IMDS endpoint in EC2 (bsc#1218069)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:781-1
Released: Wed Mar 6 15:05:13 2024
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1219454,1220718

This update for cloud-netconfig fixes the following issues:

- Add Provides/Obsoletes for dropped cloud-netconfig-nm
- Install dispatcher script into /etc/NetworkManager/dispatcher.d on older distributions
- Add BuildRequires: NetworkManager to avoid owning dispatcher.d parent directory
- Update to version 1.11:
  + Revert address metadata lookup in GCE to local lookup (bsc#1219454)
  + Fix hang on warning log messages
  + Check whether getting IPv4 addresses from metadata failed and abort if true
  + Only delete policy rules if they exist
  + Skip adding/removing IPv4 ranges if metadata lookup failed
  + Improve error handling and logging in Azure
  + Set SCRIPTDIR when installing netconfig wrapper
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:869-1
Released: Wed Mar 13 10:48:51 2024
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: important
References: 1221202

This update for cloud-netconfig fixes the following issues:

- Update to version 1.12 (bsc#1221202)
  * If token access succeeds using IPv4, do not use the IPv6 endpoint; only use the IPv6 IMDS endpoint if IPv4 access fails.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:1085-1
Released: Tue Apr 2 11:24:09 2024
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1221757

This update for cloud-netconfig fixes the following issues:

- Update to version 1.14
  + Use '-s' instead of '--no-progress-meter' for curl (bsc#1221757)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3234-1
Released: Fri Sep 13 08:49:43 2024
Summary: Recommended update for grub2
Type: recommended
Severity: important
References: 1217761,1228866

This update for grub2 fixes the following issues:

- Support powerpc net boot installation when secure boot is enabled (bsc#1217761, bsc#1228866)
- Improved check for disk device when looking for PReP partition
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3238-1
Released: Fri Sep 13 11:56:14 2024
Summary: Recommended update for util-linux
Type: recommended
Severity: moderate
References: 1229476

This update for util-linux fixes the following issue:

- Skip aarch64 decode path for rest of the architectures (bsc#1229476).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3300-1
Released: Wed Sep 18 14:27:53 2024
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References: 1229028

This update for ncurses fixes the following issues:

- Allow the terminal description based on static fallback entries to be freed (bsc#1229028)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3330-1
Released: Thu Sep 19 09:42:12 2024
Summary: Recommended update for suseconnect-ng
Type: recommended
Severity: important
References: 1229014,1230229

This update for suseconnect-ng fixes the following issue:

- Set the filesystem root on zypper when given (bsc#1230229, bsc#1229014)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3408-1
Released: Tue Sep 24 08:39:14 2024
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1193629,1194111,1194765,1194869,1196261,1196516,1196894,1198017,1203360,1206006,1206258,1207158,1216834,1221326,1221645,1223191,1224105,1227832,1228020,1228114,1228466,1228489,1228516,1228576,1228718,1228801,1228959,1229042,1229292,1229400,1229454,1229500,1229503,1229506,1229507,1229508,1229509,1229510,1229512,1229516,1229522,1229526,1229528,1229531,1229533,1229535,1229536,1229537,1229540,1229544,1229554,1229557,1229565,1229566,1229568,1229581,1229598,1229603,1229604,1229608,1229611,1229612,1229613,1229614,1229617,1229619,1229620,1229622,1229623,1229624,1229625,1229626,1229628,1229629,1229630,1229631,1229635,1229636,1229637,1229638,1229639,1229641,1229642,1229643,1229645,1229657,1229664,1229707,1229792,1230245,1230413,CVE-2021-4441,CVE-2022-4382,CVE-2022-48868,CVE-2022-48869,CVE-2022-48870,CVE-2022-48871,CVE-2022-48872,CVE-2022-48873,CVE-2022-48875,CVE-2022-48878,CVE-2022-48880,CVE-2022-48890,CVE-2022-48891,CVE-2022-48896,CVE-2022-48898,CVE-2022-48899,CVE-2022-48903,CVE-2022-48904,CVE-2022-48905,CVE-2022-48907,CVE-2022-48909,CVE-2022-48912,CVE-2022-48913,CVE-2022-48914,CVE-2022-48915,CVE-2022-48916,CVE-2022-48917,CVE-2022-48918,CVE-2022-48919,CVE-2022-48921,CVE-2022-48924,CVE-2022-48925,CVE-2022-48926,CVE-2022-48927,CVE-2022-48928,CVE-2022-48929,CVE-2022-48930,CVE-2022-48931,CVE-2022-48932,CVE-2022-48934,CVE-2022-48935,CVE-2022-48937,CVE-2022-48938,CVE-2022-48941,CVE-2022-48942,CVE-2022-48943,CVE-2023-52489,CVE-2023-52893,CVE-2023-52894,CVE-2023-52896,CVE-2023-52898,CVE-2023-52900,CVE-2023-52901,CVE-2023-52905,CVE-2023-52907,CVE-2023-52911,CVE-2024-40910,CVE-2024-41009,CVE-2024-41011,CVE-2024-41062,CVE-2024-41087,CVE-2024-42077,CVE-2024-42126,CVE-2024-42230,CVE-2024-42232,CVE-2024-42271,CVE-2024-43853,CVE-2024-43861,CVE-2024-43882,CVE-2024-43883,CVE-2024-44938,CVE-2024-44947,CVE-2024-45003

The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

- CVE-2024-41062: Sync sock recv cb and release (bsc#1228576).
- CVE-2024-44947: Initialize beyond-EOF page contents before setting uptodate (bsc#1229454).
- CVE-2024-43883: Do not drop references before new references are gained (bsc#1229707).
- CVE-2024-43861: Fix memory leak for not ip packets (bsc#1229500).
- CVE-2023-52489: Fix race in accessing memory_section->usage (bsc#1221326).
- CVE-2024-44938: Fix shift-out-of-bounds in dbDiscardAG (bsc#1229792).
- CVE-2024-41087: Fix double free on error (CVE-2024-41087,bsc#1228466).
- CVE-2024-43882: Fixed ToCToU between perm check and set-uid/gid usage. (bsc#1229503)
- CVE-2022-48935: Fixed an unregister flowtable hooks on netns exit (bsc#1229619)
- CVE-2022-48912: Fix use-after-free in __nf_register_net_hook() (bsc#1229641)
- CVE-2024-42271: Fixed a use after free in iucv_sock_close(). (bsc#1229400)
- CVE-2024-42232: Fixed a race between delayed_work() and ceph_monc_stop(). (bsc#1228959)
- CVE-2024-40910: Fix refcount imbalance on inbound connections (bsc#1227832).
- CVE-2024-41009: Fix overrunning reservations in ringbuf (bsc#1228020). - CVE-2024-45003: Don't evict inode under the inode lru traversing context (bsc#1230245). The following non-security bugs were fixed: - Bluetooth: L2CAP: Fix deadlock (git-fixes). - mm, kmsan: fix infinite recursion due to RCU critical section (git-fixes). - mm: prevent derefencing NULL ptr in pfn_section_valid() (git-fixes). - Revert 'mm: prevent derefencing NULL ptr in pfn_section_valid()' (bsc#1230413). - Revert 'mm, kmsan: fix infinite recursion due to RCU critical section' (bsc#1230413). - Revert 'mm/sparsemem: fix race in accessing memory_section->usage' (bsc#1230413). - nvme_core: scan namespaces asynchronously (bsc#1224105). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:3423-1 Released: Tue Sep 24 17:25:33 2024 Summary: Security update for xen Type: security Severity: important References: 1222453,1227355,1228574,1228575,1230366,CVE-2024-2201,CVE-2024-31143,CVE-2024-31145,CVE-2024-31146,CVE-2024-45817 This update for xen fixes the following issues: - CVE-2024-2201: Mitigation for Native Branch History Injection (XSA-456, bsc#1222453) - CVE-2024-31143: Fixed double unlock in x86 guest IRQ handling (XSA-458, bsc#1227355) - CVE-2024-31145: Fixed error handling in x86 IOMMU identity mapping (XSA-460, bsc#1228574) - CVE-2024-31146: Fixed PCI device pass-through with shared resources (XSA-461, bsc#1228575) - CVE-2024-45817: Fixed a deadlock in vlapic_error (XSA-462, bsc#1230366) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3451-1 Released: Thu Sep 26 09:10:50 2024 Summary: Recommended update for pam-config Type: recommended Severity: moderate References: 1227216 This update for pam-config fixes the following issues: - Improved check for existence of modules (bsc#1227216) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:3470-1 Released: Fri Sep 27 14:34:46 
2024 Summary: Security update for python3 Type: security Severity: important References: 1227233,1227378,1227999,1228780,1229596,1230227,CVE-2024-5642,CVE-2024-6232,CVE-2024-6923,CVE-2024-7592 This update for python3 fixes the following issues: - CVE-2024-6923: Fixed uncontrolled CPU resource consumption when in http.cookies module (bsc#1228780). - CVE-2024-5642: Fixed buffer overread when NPN is used and invalid values are sent to the OpenSSL API (bsc#1227233). - CVE-2024-7592: Fixed Email header injection due to unquoted newlines (bsc#1229596). - CVE-2024-6232: excessive backtracking when parsing tarfile headers leads to ReDoS. (bsc#1230227) Bug fixes: - %{profileopt} variable is set according to the variable %{do_profiling} (bsc#1227999). - Stop using %%defattr, it seems to be breaking proper executable attributes on /usr/bin/ scripts (bsc#1227378). - Remove %suse_update_desktop_file macro as it is not useful any more. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3477-1 Released: Fri Sep 27 15:22:22 2024 Summary: Recommended update for curl Type: recommended Severity: moderate References: 1230516 This update for curl fixes the following issue: - Make special characters in URL work with aws-sigv4 (bsc#1230516). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3485-1 Released: Fri Sep 27 19:54:13 2024 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1228647,1230267 This update for libzypp, zypper fixes the following issues: - API refactoring. Prevent zypper from using now private libzypp symbols (bsc#1230267) - single_rpmtrans: fix installation of .src.rpms (bsc#1228647) - Fix wrong numbers used in CommitSummary skipped/failed messages. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3487-1 Released: Fri Sep 27 19:56:02 2024 Summary: Recommended update for logrotate Type: recommended Severity: moderate References: This update for logrotate fixes the following issues: - Backport 'ignoreduplicates' configuration flag (jsc#PED-10366) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3503-1 Released: Tue Oct 1 16:13:07 2024 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1228661 This update for glibc fixes the following issue: - fix memory malloc problem: Initiate tcache shutdown even without allocations (bsc#1228661). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3527-1 Released: Fri Oct 4 15:27:07 2024 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1230145 This update for e2fsprogs fixes the following issue: - resize2fs: Check number of group descriptors only if meta_bg is disabled (bsc#1230145). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3530-1 Released: Fri Oct 4 15:43:33 2024 Summary: Recommended update for libpcap Type: recommended Severity: moderate References: 1230894 This update for libpcap fixes the following issue: - enable rdma support (bsc#1230894). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:3547-1 Released: Tue Oct 8 16:06:05 2024 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1216223,1223600,1223958,1225272,1227487,1228466,1229407,1229633,1229662,1229947,1230015,1230398,1230434,1230507,1230767,1231016,CVE-2022-48911,CVE-2022-48923,CVE-2022-48944,CVE-2022-48945,CVE-2024-41087,CVE-2024-42301,CVE-2024-44946,CVE-2024-45021,CVE-2024-46674,CVE-2024-46774 The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2022-48911: kabi: add __nf_queue_get_refs() for kabi compliance. (bsc#1229633). - CVE-2022-48923: btrfs: prevent copying too big compressed lzo segment (bsc#1229662) - CVE-2024-41087: Fix double free on error (bsc#1228466). - CVE-2024-42301: Fix the array out-of-bounds risk (bsc#1229407). - CVE-2024-44946: kcm: Serialise kcm_sendmsg() for the same socket (bsc#1230015). - CVE-2024-45021: memcg_write_event_control(): fix a user-triggerable oops (bsc#1230434). - CVE-2024-46674: usb: dwc3: st: fix probed platform device ref count on probe error path (bsc#1230507). The following non-security bugs were fixed: - blk-mq: add helper for checking if one CPU is mapped to specified hctx (bsc#1223600). - blk-mq: do not schedule block kworker on isolated CPUs (bsc#1223600). - kabi: add __nf_queue_get_refs() for kabi compliance. - scsi: ibmvfc: Add max_sectors module parameter (bsc#1216223). - scsi: smartpqi: Expose SAS address for SATA drives (bsc#1223958). - SUNRPC: avoid soft lockup when transmitting UDP to reachable server (bsc#1225272 bsc#1231016). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3580-1 Released: Thu Oct 10 08:39:49 2024 Summary: Recommended update for wicked Type: recommended Severity: moderate References: 1229555 This update for wicked fixes the following issue: - compat-suse: fix dummy interfaces configuration with `INTERFACETYPE=dummy` (bsc#1229555). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3593-1 Released: Thu Oct 10 18:43:13 2024 Summary: Recommended update for rsyslog Type: recommended Severity: moderate References: 1231229 This update for rsyslog fixes the following issue: - fix PreserveFQDN option before daemon is restarted (bsc#1231229) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3597-1 Released: Fri Oct 11 10:39:52 2024 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1227807 This update for bash fixes the following issues: - Load completion file even if a brace expansion is in the command line included (bsc#1227807). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3659-1 Released: Wed Oct 16 15:12:47 2024 Summary: Recommended update for gcc14 Type: recommended Severity: moderate References: 1188441,1210959,1214915,1219031,1220724,1221601 This update for gcc14 fixes the following issues: This update ships the GNU Compiler Collection GCC 14.2. (jsc#PED-10474) The compiler runtime libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 13 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP5 and SP6, and provided in the 'Development Tools' module. The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories. To use gcc14 compilers use: - install 'gcc14' or 'gcc14-c++' or one of the other 'gcc14-COMPILER' frontend packages.
- override your Makefile to use CC=gcc14, CXX=g++14 and similar overrides for the other languages. For a full changelog with all new GCC14 features, check out https://gcc.gnu.org/gcc-14/changes.html - Add libquadmath0-devel-gcc14 sub-package to allow installing quadmath.h and SO link without installing the fortran frontend - Avoid combine spending too much compile-time and memory doing nothing on s390x. [bsc#1188441] - Remove timezone Recommends from the libstdc++6 package. [bsc#1221601] - Revert libgccjit dependency change. [bsc#1220724] - Fix libgccjit-devel dependency, a newer shared library is OK. - Fix libgccjit dependency, the corresponding compiler isn't required. - Add cross-X-newlib-devel requires to newlib cross compilers. [bsc#1219031] - Re-enable AutoReqProv for cross packages but filter files processed via __requires_exclude_from and __provides_exclude_from. [bsc#1219031] - Package m2rte.so plugin in the gcc14-m2 sub-package rather than in gcc13-devel. [bsc#1210959] - Require libstdc++6-devel-gcc14 from gcc14-m2 as m2 programs are linked against libstdc++6. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3727-1 Released: Fri Oct 18 15:04:09 2024 Summary: Recommended update for libzypp Type: recommended Severity: important References: 1230912,1231043 This update for libzypp fixes the following issues: - Send unescaped colons in header values. According to the STOMP protocol, it would be correct to escape colon here but the practice broke plugin receivers that didn't expect this. The incompatibility affected customers who were running spacewalk-repo-sync and experienced issues when accessing the cloud URL. [bsc#1231043] - Fix hang in curl code with no network connection.
[bsc#1230912] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3865-1 Released: Fri Nov 1 16:10:37 2024 Summary: Recommended update for gcc14 Type: recommended Severity: moderate References: 1231833 This update for gcc14 fixes the following issues: - Fixed parsing timezone tzdata 2024b [gcc#116657 bsc#1231833] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3868-1 Released: Fri Nov 1 16:15:26 2024 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: 1231829 This update for suse-build-key fixes the following issues: - Also include the GPG key from the current build project to allow Staging testing without production keys, but only in staging. (bsc#1231829) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:3872-1 Released: Fri Nov 1 16:20:29 2024 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1220262,CVE-2023-50782 This update for openssl-1_1 fixes the following issues: - CVE-2023-50782: Implicit rejection in PKCS#1 v1.5 (bsc#1220262) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:3879-1 Released: Fri Nov 1 17:04:25 2024 Summary: Security update for python3 Type: security Severity: moderate References: 1230906,1232241,CVE-2024-9287 This update for python3 fixes the following issues: Security fixes: - CVE-2024-9287: properly quote path names provided when creating a virtual environment (bsc#1232241) Other fixes: - Drop .pyc files from docdir for reproducible builds (bsc#1230906) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3890-1 Released: Mon Nov 4 10:14:19 2024 Summary: Recommended update for wget Type: recommended Severity: moderate References: 1204720,1231661 This update for wget fixes the following issues: - wget incorrectly truncates long filenames (bsc#1231661). 
- wget dies writing too long filenames (bsc#1204720). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3897-1 Released: Mon Nov 4 12:08:56 2024 Summary: Recommended update for shadow Type: recommended Severity: moderate References: 1228337,1230972 This update for shadow fixes the following issues: - Add useradd warnings when requested UID is outside the default range (bsc#1230972) - Chage -d date vs passwd -S output is off by one (bsc#1228337) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3902-1 Released: Mon Nov 4 13:15:51 2024 Summary: Recommended update for shim Type: recommended Severity: moderate References: 1210382,1230316 This update for shim fixes the following issues: - Update shim-install to apply the missing fix for openSUSE Leap (bsc#1210382) - Update shim-install to use the 'removable' way for SL-Micro (bsc#1230316) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:3926-1 Released: Wed Nov 6 11:15:25 2024 Summary: Security update for curl Type: security Severity: moderate References: 1232528,CVE-2024-9681 This update for curl fixes the following issues: - CVE-2024-9681: Fixed HSTS subdomain overwrites parent cache entry (bsc#1232528) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3930-1 Released: Thu Nov 7 06:11:20 2024 Summary: Recommended update for wicked Type: recommended Severity: important References: 1229555,1229745,1230911,1231060 This update for wicked fixes the following issues: - Update to version 0.6.77 - compat-suse: use iftype in sysctl handling (bsc#1230911) - Always generate the ipv4/ipv6 true|false node - Inherit all, default and interface sysctl settings also for loopback, except for use_tempaddr and accept_dad - Consider only interface specific accept_redirects sysctl settings - Adopt ifsysctl(5) manual page with wicked specific behavior - route: fix family and 
destination processing (bsc#1231060) - man: improve wicked-config(5) file description - dhcp4: add ignore-rfc3927-1-6 wicked-config(5) option - team: set arp link watcher interval default to 1s - systemd: use `BindsTo=dbus.service` in favor of `Requisite=` (bsc#1229745) - compat-suse: fix use of deprecated `INTERFACETYPE=dummy` (bsc#1229555) - arp: don't set target broadcast hardware address - dbus: don't memcpy empty/NULL array value - ethtool: fix leak and free pause data in ethtool_free ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:4035-1 Released: Mon Nov 18 16:22:57 2024 Summary: Security update for expat Type: security Severity: moderate References: 1232579,CVE-2024-50602 This update for expat fixes the following issues: - CVE-2024-50602: Fixed a denial of service via XML_ResumeParser (bsc#1232579). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:4044-1 Released: Mon Nov 25 08:28:17 2024 Summary: Recommended update for hwdata Type: recommended Severity: moderate References: This update for hwdata fixes the following issue: - Version update to v0.389: * Update pci, usb and vendor ids ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:4046-1 Released: Mon Nov 25 09:25:58 2024 Summary: Recommended update for rsyslog Type: recommended Severity: moderate References: 1230984 This update for rsyslog fixes the following issue: - restart daemon after update at the end of the transaction (bsc#1230984) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:4065-1 Released: Tue Nov 26 11:10:58 2024 Summary: Recommended update for crypto-policies Type: recommended Severity: moderate References: 1233499 This update for crypto-policies ships the missing crypto-policies scripts to SUSE Linux Enterprise Micro, which allows configuration of the policies. 
(bsc#1233499) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:4078-1 Released: Wed Nov 27 13:53:14 2024 Summary: Security update for glib2 Type: security Severity: important References: 1233282,CVE-2024-52533 This update for glib2 fixes the following issues: - CVE-2024-52533: Fixed a single byte buffer overflow (bsc#1233282). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:4116-1 Released: Fri Nov 29 17:06:06 2024 Summary: Security update for xen Type: security Severity: important References: 1232542,1232622,1232624,CVE-2024-45818,CVE-2024-45819 This update for xen fixes the following issues: - CVE-2024-45818: Fixed deadlock in x86 HVM standard VGA handling (XSA-463) (bsc#1232622). - CVE-2024-45819: Fixed libxl data leaks to PVH guests via ACPI tables (XSA-464) (bsc#1232624). Bug fixes: - Remove usage of net-tools-deprecated from supportconfig plugin (bsc#1232542). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:4131-1 Released: Mon Dec 2 10:59:56 2024 Summary: Security update for the Linux Kernel Type: security Severity: important References: 
1204171,1205796,1206188,1206344,1209290,1210449,1210627,1213034,1216223,1216813,1218562,1220382,1223384,1223524,1223824,1225189,1225336,1225611,1226666,1228743,1229345,1229452,1229454,1229456,1229556,1230429,1230442,1230454,1230600,1230620,1230715,1230903,1231016,1231073,1231191,1231193,1231195,1231197,1231200,1231203,1231293,1231375,1231502,1231673,1231861,1231883,1231885,1231887,1231888,1231890,1231892,1231893,1231895,1231896,1231897,1231929,1231936,1231937,1231938,1231939,1231940,1231941,1231942,1231958,1231960,1231961,1231962,1231972,1231976,1231979,1231987,1231988,1231991,1231992,1231995,1231996,1231997,1232001,1232005,1232006,1232007,1232025,1232026,1232033,1232035,1232036,1232037,1232038,1232039,1232067,1232069,1232070,1232071,1232097,1232108,1232119,1232120,1232123,1232133,1232136,1232145,1232150,1232163,1232165,1232170,1232172,1232174,1232224,1232229,1232237,1232260,1232262,1232281,1232282,1232286,1232304,1232383,1232395,1232418,1232424,1232432,1232436,1232519,1233117,CVE-2021-47416,CVE-2021-47534,CVE-2022-3435,CVE-2022-45934,CVE-2022-48664,CVE-2022-48879,CVE-2022-48946,CVE-2022-48947,CVE-2022-48948,CVE-2022-48949,CVE-2022-48951,CVE-2022-48953,CVE-2022-48954,CVE-2022-48955,CVE-2022-48956,CVE-2022-48959,CVE-2022-48960,CVE-2022-48961,CVE-2022-48962,CVE-2022-48967,CVE-2022-48968,CVE-2022-48969,CVE-2022-48970,CVE-2022-48971,CVE-2022-48972,CVE-2022-48973,CVE-2022-48975,CVE-2022-48977,CVE-2022-48978,CVE-2022-48981,CVE-2022-48985,CVE-2022-48987,CVE-2022-48988,CVE-2022-48991,CVE-2022-48992,CVE-2022-48994,CVE-2022-48995,CVE-2022-48997,CVE-2022-48999,CVE-2022-49000,CVE-2022-49002,CVE-2022-49003,CVE-2022-49005,CVE-2022-49006,CVE-2022-49007,CVE-2022-49010,CVE-2022-49011,CVE-2022-49012,CVE-2022-49014,CVE-2022-49015,CVE-2022-49016,CVE-2022-49019,CVE-2022-49021,CVE-2022-49022,CVE-2022-49023,CVE-2022-49024,CVE-2022-49025,CVE-2022-49026,CVE-2022-49027,CVE-2022-49028,CVE-2022-49029,CVE-2022-49031,CVE-2022-49032,CVE-2023-2166,CVE-2023-28327,CVE-2023-52766,CVE-2023-52800,CVE-2023-52881,CVE-2023-52919,CVE-2023-6270,CVE-2024-27043,CVE-2024-42145,CVE-2024-43854,CVE-2024-44947,CVE-2024-45013,CVE-2024-45016,CVE-2024-45026,CVE-2024-46716,CVE-2024-46813,CVE-2024-46814,CVE-2024-46815,CVE-2024-46816,CVE-2024-46817,CVE-2024-46818,CVE-2024-46849,CVE-2024-47668,CVE-2024-47674,CVE-2024-47684,CVE-2024-47706,CVE-2024-47747,CVE-2024-47748,CVE-2024-49860,CVE-2024-49867,CVE-2024-49925,CVE-2024-49930,CVE-2024-49936,CVE-2024-49945,CVE-2024-49960,CVE-2024-49969,CVE-2024-49974,CVE-2024-49982,CVE-2024-49991,CVE-2024-49995,CVE-2024-50047,CVE-2024-50208
The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2024-43854: Initialize integrity buffer to zero before writing it to media (bsc#1229345) - CVE-2024-49925: fbdev: efifb: Register sysfs groups through driver core (bsc#1232224) - CVE-2024-49945: net/ncsi: Disable the ncsi work before freeing the associated structure (bsc#1232165). - CVE-2024-50208: RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages (bsc#1233117). - CVE-2022-48879: efi: fix NULL-deref in init error path (bsc#1229556). - CVE-2022-48956: ipv6: avoid use-after-free in ip6_fragment() (bsc#1231893). - CVE-2022-48959: net: dsa: sja1105: fix memory leak in sja1105_setup_devlink_regions() (bsc#1231976). - CVE-2022-48960: net: hisilicon: Fix potential use-after-free in hix5hd2_rx() (bsc#1231979). - CVE-2022-48962: net: hisilicon: Fix potential use-after-free in hisi_femac_rx() (bsc#1232286). - CVE-2022-48991: mm/khugepaged: fix collapse_pte_mapped_thp() to allow anon_vma (bsc#1232070). - CVE-2022-49015: net: hsr: Fix potential use-after-free (bsc#1231938). - CVE-2024-45013: nvme: move stopping keep-alive into nvme_uninit_ctrl() (bsc#1230442). - CVE-2024-45016: netem: fix return value if duplicate enqueue fails (bsc#1230429). - CVE-2024-45026: s390/dasd: fix error recovery leading to data corruption on ESE devices (bsc#1230454).
- CVE-2024-46716: dmaengine: altera-msgdma: properly free descriptor in msgdma_free_descriptor (bsc#1230715). - CVE-2024-46813: drm/amd/display: Check link_index before accessing dc->links (bsc#1231191). - CVE-2024-46814: drm/amd/display: Check msg_id before processing transcation (bsc#1231193). - CVE-2024-46815: drm/amd/display: Check num_valid_sets before accessing reader_wm_sets (bsc#1231195). - CVE-2024-46816: drm/amd/display: Stop amdgpu_dm initialize when link nums greater than max_links (bsc#1231197). - CVE-2024-46817: drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6 (bsc#1231200). - CVE-2024-46818: drm/amd/display: Check gpio_id before used as array index (bsc#1231203). - CVE-2024-46849: ASoC: meson: axg-card: fix 'use-after-free' (bsc#1231073). - CVE-2024-47668: lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc() (bsc#1231502). - CVE-2024-47674: mm: avoid leaving partial pfn mappings around in error case (bsc#1231673). - CVE-2024-47684: tcp: check skb is non-NULL in tcp_rto_delta_us() (bsc#1231987). - CVE-2024-47706: block, bfq: fix possible UAF for bfqq->bic with merge chain (bsc#1231942). - CVE-2024-47747: net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition (bsc#1232145). - CVE-2024-47748: vhost_vdpa: assign irq bypass producer token correctly (bsc#1232174). - CVE-2024-49860: ACPI: sysfs: validate return type of _STR method (bsc#1231861). - CVE-2024-49930: wifi: ath11k: fix array out-of-bound access in SoC stats (bsc#1232260). - CVE-2024-49936: net/xen-netback: prevent UAF in xenvif_flush_hash() (bsc#1232424). - CVE-2024-49960: ext4: fix timer use-after-free on failed mount (bsc#1232395). - CVE-2024-49969: drm/amd/display: Fix index out of bounds in DCN30 color transformation (bsc#1232519). - CVE-2024-49974: NFSD: Force all NFSv4.2 COPY requests to be synchronous (bsc#1232383). - CVE-2024-49991: drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer (bsc#1232282). 
- CVE-2024-49995: tipc: guard against string buffer overrun (bsc#1232432). - CVE-2024-50047: smb: client: fix UAF in async decryption (bsc#1232418). The following non-security bugs were fixed: - NFSv3: only use NFS timeout for MOUNT when protocols are compatible (bsc#1231016). - PKCS#7: Check codeSigning EKU of certificates in PKCS#7 (bsc#1226666). - RDMA/mana_ib: use the correct page size for mapping user-mode doorbell page (bsc#1232036). - bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation (bsc#1231375). - dn_route: set rt neigh to blackhole_netdev instead of loopback_dev in ifdown (bsc#1216813). - initramfs: avoid filename buffer overrun (bsc#1232436). - ipv6: blackhole_netdev needs snmp6 counters (bsc#1216813). - ipv6: give an IPv6 dev to blackhole_netdev (bsc#1216813). - net: mana: Fix the extra HZ in mana_hwc_send_request (bsc#1232033). - x86/kexec: Add EFI config table identity mapping for kexec kernel (bsc#1220382). - x86/mm/ident_map: Use gbpages only where full GB page should be mapped (bsc#1220382). - xfrm: set dst dev to blackhole_netdev instead of loopback_dev in ifdown (bsc#1216813). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:4138-1 Released: Mon Dec 2 13:29:57 2024 Summary: Security update for wget Type: security Severity: moderate References: 1233773,CVE-2024-10524 This update for wget fixes the following issues: - CVE-2024-10524: Fixed SSRF via shorthand HTTP URL (bsc#1233773) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:4168-1 Released: Wed Dec 4 11:51:48 2024 Summary: Recommended update for vim Type: recommended Severity: moderate References: 1230625,1231846 This update for vim fixes the following issues: - Update from vim-9.1.0330 to vim-9.1.0836 (bsc#1230625, bsc#1230625) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:4184-1 Released: Thu Dec 5 06:00:20 2024 Summary: Recommended update for suseconnect-ng Type: recommended Severity: moderate References: 1231185,1231328 This update for suseconnect-ng fixes the following issues: - Integrating uptime-tracker - Honor auto-import-gpg-keys flag on migration (bsc#1231328) - Only send labels if targeting SCC - Skip the docker auth generation on RMT (bsc#1231185) - Add --set-labels to register command to set labels at registration time on SCC - Add a new function to display suse-uptime-tracker version - Add a command to show the info being gathered ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:4193-1 Released: Thu Dec 5 12:01:40 2024 Summary: Security update for python3 Type: security Severity: low References: 1231795,1233307,CVE-2024-11168 This update for python3 fixes the following issues: - CVE-2024-11168: Fixed improper validation of IPv6 and IPvFuture addresses (bsc#1233307) Other fixes: - Remove -IVendor/ from python-config (bsc#1231795) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:4201-1 Released: Thu Dec 5 14:49:22 2024 Summary: Recommended update for
libsolv, libzypp, zypper Type: recommended Severity: moderate References: 1225451,1233393 This update for libsolv, libzypp, zypper fixes the following issues: - Fix replaces_installed_package using the wrong solvable id when checking the noupdate map - Make POOL_FLAG_ADDFILEPROVIDESFILTERED behaviour more standard - Add rpm_query_idarray query function - Support rpm's 'orderwithrequires' dependency - BuildCache: Don't try to retrieve missing raw metadata if no permission to write the cache (bsc#1225451) - RepoManager: Throw RepoNoPermissionException if the user has no permission to update(write) the caches (bsc#1225451) - The 20MB download limit must not apply to non-metadata files like package URLs provided via the CLI (bsc#1233393) - Don't try to download missing raw metadata if cache is not writable (bsc#1225451) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:4302-1 Released: Thu Dec 12 09:51:03 2024 Summary: Security update for socat Type: security Severity: moderate References: 1225462,CVE-2024-54661 This update for socat fixes the following issues: - CVE-2024-54661: Fixed arbitrary file overwrite via predictable /tmp directory (bsc#1225462) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:4338-1 Released: Tue Dec 17 08:18:46 2024 Summary: Recommended update for systemd Type: recommended Severity: important References: 1230272,1231610 This update for systemd fixes the following issues: - core/unit: increase the NameOwnerChanged/GetNameOwner timeout to the unit's start timeout (bsc#1230272) - core/unit: add get_timeout_start_usec in UnitVTable and define it for service - sd-bus: make bus_add_match_full accept timeout - udev-builtin-path_id: SAS wide ports must have num_phys > 1 (bsc#1231610) - sd-device: add helper to read a unsigned int attribute ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:4346-1 Released: Tue Dec 17 09:32:22 
2024 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1218644,1220382,1221309,1222590,1229808,1230220,1231646,1232187,1232312,1232860,1232907,1232919,1232928,1233070,1233214,1233293,1233453,1233456,1233463,1233468,1233479,1233490,1233491,1233555,1233557,1233561,1233977,CVE-2023-52922,CVE-2024-26782,CVE-2024-44932,CVE-2024-44964,CVE-2024-47757,CVE-2024-50017,CVE-2024-50089,CVE-2024-50115,CVE-2024-50125,CVE-2024-50127,CVE-2024-50154,CVE-2024-50205,CVE-2024-50259,CVE-2024-50264,CVE-2024-50267,CVE-2024-50274,CVE-2024-50279,CVE-2024-50290,CVE-2024-50301,CVE-2024-50302,CVE-2024-53061,CVE-2024-53063,CVE-2024-53068 The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2024-26782: mptcp: fix double-free on socket dismantle (bsc#1222590). - CVE-2024-44932: idpf: fix UAFs when destroying the queues (bsc#1229808). - CVE-2024-44964: idpf: fix memory leaks and crashes while performing a soft reset (bsc#1230220). - CVE-2024-47757: nilfs2: fix potential oob read in nilfs_btree_check_delete() (bsc#1232187). - CVE-2024-50089: unicode: Do not special case ignorable code points (bsc#1232860). - CVE-2024-50115: KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory (bsc#1232919). - CVE-2024-50125: Bluetooth: SCO: Fix UAF on sco_sock_timeout (bsc#1232928). - CVE-2024-50127: net: sched: fix use-after-free in taprio_change() (bsc#1232907). - CVE-2024-50154: tcp: Fix use-after-free of nreq in reqsk_timer_handler() (bsc#1233070). - CVE-2024-50205: ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size() (bsc#1233293). - CVE-2024-50259: netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write() (bsc#1233214). - CVE-2024-50264: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans (bsc#1233453). - CVE-2024-50267: USB: serial: io_edgeport: fix use after free in debug printk (bsc#1233456). 
- CVE-2024-50274: idpf: avoid vport access in idpf_get_link_ksettings (bsc#1233463). - CVE-2024-50279: dm cache: fix out-of-bounds access to the dirty bitset when resizing (bsc#1233468). - CVE-2024-50290: media: cx24116: prevent overflows on SNR calculus (bsc#1233479). - CVE-2024-50301: security/keys: fix slab-out-of-bounds in key_task_permission (bsc#1233490). - CVE-2024-50302: HID: core: zero-initialize the report buffer (bsc#1233491). - CVE-2024-53061: media: s5p-jpeg: prevent buffer overflows (bsc#1233555). - CVE-2024-53063: media: dvbdev: prevent the risk of out of memory access (bsc#1233557). - CVE-2024-53068: firmware: arm_scmi: Fix slab-use-after-free in scmi_bus_notifier() (bsc#1233561). The following non-security bugs were fixed: - Update config files (bsc#1218644). - Update config files. Enabled IDPF for ARM64 (bsc#1221309) - kernel-binary: Enable livepatch package only when livepatch is enabled Otherwise the filelist may be empty failing the build (bsc#1218644). - mm/memory: add non-anonymous page check in the copy_present_page() (bsc#1231646). - rpm/scripts: Remove obsolete Symbols.list Symbols.list is not longer needed by the new klp-convert implementation. 
(bsc#1218644) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:4359-1 Released: Tue Dec 17 14:19:32 2024 Summary: Security update for curl Type: security Severity: moderate References: 1234068,CVE-2024-11053 This update for curl fixes the following issues: - CVE-2024-11053: Fixed password leak in curl used for the first host to the followed-to host under certain circumstances (bsc#1234068) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:4360-1 Released: Tue Dec 17 15:35:28 2024 Summary: Security update for docker Type: security Severity: important References: 1217070,1228324,1228553,1229806,1230294,1230331,1230333,1231348,1232999,1233819,CVE-2023-45142,CVE-2023-47108,CVE-2024-41110 This update for docker fixes the following issues: - Update docker-buildx to v0.19.2. See upstream changelog online at . Some notable changelogs from the last update: * * - Add a new toggle file /etc/docker/suse-secrets-enable which allows users to disable the SUSEConnect integration with Docker (which creates special mounts in /run/secrets to allow container-suseconnect to authenticate containers with registries on registered hosts). bsc#1231348 bsc#1232999 In order to disable these mounts, just do echo 0 > /etc/docker/suse-secrets-enable and restart Docker. In order to re-enable them, just do echo 1 > /etc/docker/suse-secrets-enable and restart Docker. Docker will output information on startup to tell you whether the SUSE secrets feature is enabled or not. - Disable docker-buildx builds for SLES. It turns out that build containers with docker-buildx don't currently get the SUSE secrets mounts applied, meaning that container-suseconnect doesn't work when building images. bsc#1233819 - Remove DOCKER_NETWORK_OPTS from docker.service. This was removed from sysconfig a long time ago, and apparently this causes issues with systemd in some cases. 
- Allow a parallel docker-stable RPM to exist in repositories. - Update to docker-buildx v0.17.1 to match standalone docker-buildx package we are replacing. See upstream changelog online at - Allow users to disable SUSE secrets support by setting DOCKER_SUSE_SECRETS_ENABLE=0 in /etc/sysconfig/docker. (bsc#1231348) - Mark docker-buildx as required since classic 'docker build' has been deprecated since Docker 23.0. (bsc#1230331) - Import docker-buildx v0.16.2 as a subpackage. Previously this was a separate package, but with docker-stable it will be necessary to maintain the packages together and it makes more sense to have them live in the same OBS package. (bsc#1230333) - Update to Docker 26.1.5-ce. See upstream changelog online at bsc#1230294 - This update includes fixes for: * CVE-2024-41110. bsc#1228324 * CVE-2023-47108. bsc#1217070 bsc#1229806 * CVE-2023-45142. bsc#1228553 bsc#1229806 - Update to Docker 26.1.4-ce. See upstream changelog online at - Update to Docker 26.1.0-ce. See upstream changelog online at - Update --add-runtime to point to correct binary path. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:4363-1 Released: Tue Dec 17 16:12:41 2024 Summary: Recommended update for hwdata Type: recommended Severity: moderate References: This update for hwdata fixes the following issue: - Version update v0.390 * Update pci and vendor ids ----------------------------------------------------------------- Advisory ID: SUSE-feature-2024:4377-1 Released: Thu Dec 19 07:10:53 2024 Summary: Feature update for amazon-dracut-config, google-dracut-config, microsoft-dracut-config Type: feature Severity: low References: 1232024 This update for amazon-dracut-config, google-dracut-config, microsoft-dracut-config fixes the following issues: - Add amazon-dracut-config, google-dracut-config, microsoft-dracut-config to Public Cloud 15-SP[3-6] channels (bsc#1232024) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:4378-1 Released: Thu Dec 19 08:23:55 2024 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1203617 This update for aaa_base fixes the following issues: - Added Midnight Commander helpers for tcsh and bash resources (bsc#1203617) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:4386-1 Released: Thu Dec 19 15:04:16 2024 Summary: Security update for avahi Type: security Severity: moderate References: 1226586,1233420,CVE-2024-52616 This update for avahi fixes the following issues: - CVE-2024-52616: Fixed Avahi Wide-Area DNS Predictable Transaction IDs (bsc#1233420) Other fixes: - no longer supply bogus services to callbacks (bsc#1226586). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:4404-1 Released: Fri Dec 20 16:43:28 2024 Summary: Recommended update for libzypp Type: recommended Severity: moderate References: 1234749 This update for libzypp fixes the following issues: - Url: queryparams without value should not have a trailing '=' ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:4410-1 Released: Mon Dec 23 12:19:40 2024 Summary: Recommended update for amazon-dracut-config, google-dracut-config, microsoft-dracut-config Type: recommended Severity: moderate References: 1234708 This update for amazon-dracut-config, google-dracut-config, microsoft-dracut-config fixes the following issues: - Fix support level to L3 (bsc#1234708) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:29-1 Released: Tue Jan 7 11:41:20 2025 Summary: Security update for python-Jinja2 Type: security Severity: important References: 1234809,CVE-2024-56326 This update for python-Jinja2 fixes the following issues: - CVE-2024-56326: Fixed sandbox breakout through indirect reference to format method (bsc#1234809) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:73-1 Released: Mon Jan 13 07:10:00 2025 Summary: Recommended update for amazon-dracut-config, google-dracut-config, microsoft-dracut-config Type: recommended Severity: moderate References: 1232024 This update for amazon-dracut-config, google-dracut-config, microsoft-dracut-config fixes the following issues: - Add amazon-dracut-config, google-dracut-config, microsoft-dracut-config to MicroOS 5.1, 5.2 and Micro 5.3, 5.4, 5.5 channels (bsc#1232024) - Move dracut config files to usr/lib/ dir - Add provides and conflicts on generic name dracut-instance-change-config - Rename config for nvme for consistency ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:76-1 Released: 
Mon Jan 13 10:42:05 2025 Summary: Recommended update for containerd Type: recommended Severity: moderate References: This update for containerd fixes the following issues: containerd was updated from version 1.7.21 to 1.7.23: - Changes in version 1.7.23: * Highlights: + Added error definition aliases + Allow proxy plugins to have capabilities + Revert a previous errdefs package migration * Container Runtime Interface (CRI): + Added check for CNI plugins before tearing down pod network * Image Distribution: + Fixed the race condition during GC of snapshots when client retries * Full Upstream release notes: https://github.com/containerd/containerd/releases/tag/v1.7.23 - Changes in version 1.7.22: * Highlights: + Build and Release Toolchain + Updated Go (go1.22.7 and go1.23.1) * Container Runtime Interface (CRI): + Added a fix for decreasing cumulative stats * Runtime: + Fixed bug where init exits were being dropped + Update runc binary to 1.1.14 * Full Upstream release notes: https://github.com/containerd/containerd/releases/tag/v1.7.22 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:148-1 Released: Thu Jan 16 17:00:45 2025 Summary: Recommended update for cryptsetup Type: recommended Severity: moderate References: 1234273 This update for cryptsetup fixes the following issue: - luksFormat succeeds despite creating corrupt device (bsc#1234273). * Add a better warning if luksFormat ends with image without any space for data. * Print warning early if LUKS container is too small for activation. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:196-1 Released: Tue Jan 21 09:34:32 2025 Summary: Security update for dhcp Type: security Severity: moderate References: 1192020 This update for dhcp fixes the following issues: - Fixed dhcp not starting in case group nogroup is missing (bsc#1192020) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:203-1 Released: Tue Jan 21 14:58:16 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1170891,1173139,1185010,1190358,1190428,1209798,1215304,1222878,1228466,1230697,1232436,1233070,1233642,1234281,1234282,1234846,1234853,1234891,1234921,1234960,1234963,1235004,1235035,1235054,1235056,1235061,1235073,1235220,1235224,1235246,1235507,CVE-2021-47202,CVE-2022-49035,CVE-2024-41087,CVE-2024-50154,CVE-2024-53095,CVE-2024-53142,CVE-2024-53146,CVE-2024-53156,CVE-2024-53173,CVE-2024-53179,CVE-2024-53206,CVE-2024-53214,CVE-2024-53239,CVE-2024-53240,CVE-2024-53241,CVE-2024-56539,CVE-2024-56548,CVE-2024-56570,CVE-2024-56598,CVE-2024-56604,CVE-2024-56605,CVE-2024-56619,CVE-2024-8805 The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2024-41087: Fix double free on error (bsc#1228466). - CVE-2024-53095: smb: client: Fix use-after-free of network namespace (bsc#1233642). - CVE-2024-53146: NFSD: Prevent a potential integer overflow (bsc#1234853). - CVE-2024-53156: wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service() (bsc#1234846). - CVE-2024-53173: NFSv4.0: Fix a use-after-free problem in the asynchronous open() (bsc#1234891). - CVE-2024-53179: smb: client: fix use-after-free of signing key (bsc#1234921). - CVE-2024-53214: vfio/pci: Properly hide first-in-list PCIe extended capability (bsc#1235004). - CVE-2024-53239: ALSA: 6fire: Release resources at card release (bsc#1235054). 
- CVE-2024-53240: xen/netfront: fix crash when removing device (bsc#1234281). - CVE-2024-53241: x86/xen: use new hypercall functions instead of hypercall page (XSA-466 bsc#1234282). - CVE-2024-56539: wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan() (bsc#1234963). - CVE-2024-56548: hfsplus: do not query the device logical block size multiple times (bsc#1235073). - CVE-2024-56570: ovl: Filter invalid inodes with missing lookup function (bsc#1235035). - CVE-2024-56598: jfs: array-index-out-of-bounds fix in dtReadFirst (bsc#1235220). - CVE-2024-56604: Bluetooth: RFCOMM: avoid leaving dangling sk pointer in rfcomm_sock_alloc() (bsc#1235056). - CVE-2024-56605: Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create() (bsc#1235061). - CVE-2024-56619: nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry() (bsc#1235224). - CVE-2024-8805: Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE (bsc#1230697). The following non-security bugs were fixed: - Drop a couple of block layer git-fixes (bsc#1170891 bsc#1173139) - KVM: x86: fix sending PV IPI (git-fixes). - fixup 'rpm: support gz and zst compression methods' once more (bsc#1190428, bsc#1190358) - idpf: add support for SW triggered interrupts (bsc#1235507). - idpf: enable WB_ON_ITR (bsc#1235507). - idpf: trigger SW interrupt when exiting wb_on_itr mode (bsc#1235507). - kernel-binary: do not BuildIgnore m4. It is actually needed for regenerating zconf when it is not up-to-date due to merge. - net: mana: Increase the DEF_RX_BUFFERS_PER_QUEUE to 1024 (bsc#1235246). - rpm/kernel-binary.spec.in: Fix build regression The previous fix forgot to take over grep -c option that broke the conditional expression - scsi: storvsc: Do not flag MAINTENANCE_IN return of SRB_STATUS_DATA_OVERRUN as an error (git-fixes). - smb: client: fix TCP timers deadlock after rmmod (git-fixes) [hcarvalho: this fixes issue discussed in bsc#1233642]. 
- supported.conf: add bsc1185010 dependency - supported.conf: hyperv_drm (jsc#sle-19733) - usb: roles: Call try_module_get() from usb_role_switch_find_by_fwnode() (git-fixes). - usb: typec: tps6598x: Fix return value check in tps6598x_probe() (git-fixes). - x86/bug: Merge annotate_reachable() into _BUG_FLAGS() asm (git-fixes). - x86/fpu/xsave: Handle compacted offsets correctly with supervisor states (git-fixes). - x86/fpu/xstate: Fix the ARCH_REQ_XCOMP_PERM implementation (git-fixes). - x86/fpu: Remove unused supervisor only offsets (git-fixes). - x86/kvm: Do not use pv tlb/ipi/sched_yield if on 1 vCPU (git-fixes). - x86/mce/inject: Avoid out-of-bounds write when setting flags (git-fixes). - x86/mce: Allow instrumentation during task work queueing (git-fixes). - x86/mce: Mark mce_end() noinstr (git-fixes). - x86/mce: Mark mce_panic() noinstr (git-fixes). - x86/mce: Mark mce_read_aux() noinstr (git-fixes). - x86/mm: Flush global TLB when switching to trampoline page-table (git-fixes). - x86/sgx: Free backing memory after faulting the enclave page (git-fixes). - x86/sgx: Silence softlockup detection when releasing large enclaves (git-fixes). - x86/uaccess: Move variable into switch case statement (git-fixes). - x86: Annotate call_on_stack() (git-fixes). ----------------------------------------------------------------- Advisory ID: SUSE-OU-2025:218-1 Released: Wed Jan 22 04:33:35 2025 Summary: Optional update for augeas Type: optional Severity: moderate References: This update ships the augeas commandline tool and the augeas-lenses to SUSE Linux Enterprise Micro 5.5. 
----------------------------------------------------------------- Advisory ID: SUSE-feature-2025:223-1 Released: Wed Jan 22 12:30:52 2025 Summary: Feature update for zypper, libzypp Type: feature Severity: low References: This update for zypper, libzypp fixes the following issues: - info: Allow to query a specific version (jsc#PED-11268) To query for a specific version simply append '-' or '--' to the '' pattern. Note that the edition part must always match exactly. - version 1.14.79 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:287-1 Released: Wed Jan 29 16:24:46 2025 Summary: Recommended update for cloud-init Type: recommended Severity: moderate References: 1212476,1219680,1227237 This update for cloud-init fixes the following issues: - remove dependency on /usr/bin/python3 via using the macros (bsc#1212476). + Brute force approach to skip renames if the device is already present - cloud-init: Wait for udev once if we cannot find the expected MAC (bsc#1227237). - cloud-init: rename devices below VLAN fails again/on SLES 15 SP5 (bsc#1219680). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:341-1 Released: Mon Feb 3 17:33:00 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1236460,CVE-2022-49043 This update for libxml2 fixes the following issues: - CVE-2022-49043: Fixed a use-after-free in xmlXIncludeAddNode. (bsc#1236460) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:343-1 Released: Mon Feb 3 18:03:52 2025 Summary: Security update for krb5 Type: security Severity: moderate References: 1236619,CVE-2025-24528 This update for krb5 fixes the following issues: - CVE-2025-24528: Fixed out-of-bounds write caused by overflow when calculating ulog block size can lead to process crash (bsc#1236619). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:349-1 Released: Tue Feb 4 09:34:30 2025 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1236136,CVE-2024-13176 This update for openssl-1_1 fixes the following issues: - CVE-2024-13176: Fixed timing side-channel in the ECDSA signature computation (bsc#1236136) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:361-1 Released: Wed Feb 5 11:00:36 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1216091,1229106,1232458,1234752,1235636 This update for libzypp, zypper fixes the following issues: - Create '.keep_packages' in the package cache dir to enforce keeping downloaded packages of all repos cached there (bsc#1232458) - Fix missing UID checks in repomanager workflow - Move cmake config files to LIB_INSTALL_DIR/cmake/Zypp - Fix 'zypper ps' when running in incus container (bsc#1229106) Should apply to lxc and lxd containers as well - Re-enable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091) - lr: Show the repositories keep-packages flag (bsc#1232458) It is shown in the details view or by using -k,--keep-packages. In addition libzypp can enforce keeping downloaded packages of all repos within a package cache by creating a '.keep_packages' file there - Try to refresh update repos first to have updated GPG keys on the fly (bsc#1234752) An update repo may contain a prolonged GPG key for the GA repo. 
Refreshing the update repo first updates a trusted key on the fly and avoids a 'key has expired' warning being issued when refreshing the GA repo - Refresh: restore legacy behavior and suppress Exception reporting as non-root (bsc#1235636) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:366-1 Released: Wed Feb 5 11:57:42 2025 Summary: Security update for wget Type: security Severity: moderate References: 1185551,1230795,CVE-2021-31879 This update for wget fixes the following issues: - CVE-2021-31879: Authorization header disclosed upon redirects to different origins. (bsc#1185551) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:370-1 Released: Wed Feb 5 16:33:28 2025 Summary: Security update for curl Type: security Severity: moderate References: 1236588,1236590,CVE-2025-0167,CVE-2025-0725 This update for curl fixes the following issues: - CVE-2025-0725: Fixed gzip integer overflow (bsc#1236590) - CVE-2025-0167: Fixed netrc and default credential leak (bsc#1236588) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:384-1 Released: Fri Feb 7 14:00:26 2025 Summary: Security update for bind Type: security Severity: important References: 1236596,CVE-2024-11187 This update for bind fixes the following issues: - CVE-2024-11187: Fixes CPU exhaustion caused by many records in the additional section (bsc#1236596) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:507-1 Released: Thu Feb 13 12:08:43 2025 Summary: Recommended update for open-iscsi Type: recommended Severity: moderate References: 1206132,1207157,1235606 This update for open-iscsi fixes the following issues: - Fix device discovery failure on systems with a large number of devices (bsc#1235606). 
- Fix issue with yast restarting iscsid service without restarting the iscsid socket, this upsets systemd and it is already fixed in upstream (bsc#1206132). - Branched SLE-15-SP3 from Factory. No longer in sync with Tumbleweed. - Backported upstream commit, which sets 'safe_logout' and 'startup' in iscsid.conf (bsc#1207157). - Updated year in SPEC file ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:508-1 Released: Thu Feb 13 12:29:31 2025 Summary: Recommended update for findutils Type: recommended Severity: moderate References: 1231472 This update for findutils fixes the following issue: - fix crash when file system loop was encountered (bsc#1231472). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:548-1 Released: Fri Feb 14 11:19:24 2025 Summary: Security update for libtasn1 Type: security Severity: important References: 1236878,CVE-2024-12133 This update for libtasn1 fixes the following issues: - CVE-2024-12133: the processing of input DER data containing a large number of SEQUENCE OF or SET OF elements takes quadratic time to complete. (bsc#1236878) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:554-1 Released: Fri Feb 14 16:10:40 2025 Summary: Security update for python3 Type: security Severity: moderate References: 1236705,CVE-2025-0938 This update for python3 fixes the following issues: - CVE-2025-0938: domain names containing square brackets are not identified as incorrect by urlparse. 
(bsc#1236705) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:562-1 Released: Mon Feb 17 12:43:41 2025 Summary: Security update for glibc Type: security Severity: low References: 1236282,CVE-2025-0395 This update for glibc fixes the following issues: - CVE-2025-0395: Fix underallocation of abort_msg_s struct (bsc#1236282) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:576-1 Released: Tue Feb 18 13:49:58 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1230697,1231847,1233112,1233642,1234025,1234690,1234884,1234896,1234931,1235134,1235217,1235230,1235249,1235430,1235433,1235441,1235451,1235466,1235480,1235521,1235584,1235645,1235723,1235759,1235764,1235814,1235818,1235920,1235969,1236628,CVE-2024-50199,CVE-2024-53095,CVE-2024-53104,CVE-2024-53144,CVE-2024-53166,CVE-2024-53177,CVE-2024-54680,CVE-2024-56600,CVE-2024-56601,CVE-2024-56602,CVE-2024-56623,CVE-2024-56631,CVE-2024-56642,CVE-2024-56645,CVE-2024-56648,CVE-2024-56650,CVE-2024-56658,CVE-2024-56661,CVE-2024-56664,CVE-2024-56704,CVE-2024-56759,CVE-2024-57791,CVE-2024-57792,CVE-2024-57798,CVE-2024-57849,CVE-2024-57893,CVE-2024-57897,CVE-2024-8805 The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2024-50199: mm/swapfile: skip HugeTLB pages for unuse_vma (bsc#1233112). - CVE-2024-53104: media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format (bsc#1234025). - CVE-2024-53166: block, bfq: fix bfqq uaf in bfq_limit_depth() (bsc#1234884). - CVE-2024-53177: smb: prevent use-after-free due to open_cached_dir error paths (bsc#1234896). - CVE-2024-56600: net: inet6: do not leave a dangling sk pointer in inet6_create() (bsc#1235217). - CVE-2024-56601: net: inet: do not leave a dangling sk pointer in inet_create() (bsc#1235230). 
- CVE-2024-56602: net: ieee802154: do not leave a dangling sk pointer in ieee802154_create() (bsc#1235521). - CVE-2024-56623: scsi: qla2xxx: Fix use after free on unload (bsc#1235466). - CVE-2024-56631: scsi: sg: Fix slab-use-after-free read in sg_release() (bsc#1235480). - CVE-2024-56642: tipc: Fix use-after-free of kernel socket in cleanup_bearer() (bsc#1235433). - CVE-2024-56645: can: j1939: j1939_session_new(): fix skb reference counting (bsc#1235134). - CVE-2024-56648: net: hsr: avoid potential out-of-bound access in fill_frame_info() (bsc#1235451). - CVE-2024-56650: netfilter: x_tables: fix LED ID check in led_tg_check() (bsc#1235430). - CVE-2024-56658: net: defer final 'struct net' free in netns dismantle (bsc#1235441). - CVE-2024-56664: bpf, sockmap: Fix race between element replace and close() (bsc#1235249). - CVE-2024-56704: 9p/xen: fix release of IRQ (bsc#1235584). - CVE-2024-56759: btrfs: fix use-after-free when COWing tree bock and tracing is enabled (bsc#1235645). - CVE-2024-57791: net/smc: check return value of sock_recvmsg when draining clc data (bsc#1235759). - CVE-2024-57792: power: supply: gpio-charger: Fix set charge current limits (bsc#1235764). - CVE-2024-57798: drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req() (bsc#1235818). - CVE-2024-57849: s390/cpum_sf: Handle CPU hotplug remove during sampling (bsc#1235814). - CVE-2024-57893: ALSA: seq: oss: Fix races at processing SysEx messages (bsc#1235920). - CVE-2024-57897: drm/amdkfd: Correct the migration DMA map direction (bsc#1235969). The following non-security bugs were fixed: - NFS: Adjust the amount of readahead performed by NFS readdir (bsc#1231847). - NFS: Do not flush the readdir cache in nfs_dentry_iput() (bsc#1231847). - NFS: Improve heuristic for readdirplus (bsc#1231847). - NFS: Trigger the 'ls -l' readdir heuristic sooner (bsc#1231847). - tipc: fix NULL deref in cleanup_bearer() (bsc#1235433). 
- x86/static-call: Remove early_boot_irqs_disabled check to fix Xen PVH dom0 (git-fixes). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:588-1 Released: Wed Feb 19 08:30:14 2025 Summary: Security update for grub2 Type: security Severity: important References: 1233606,1233608,1233609,1233610,1233612,1233613,1233614,1233615,1233616,1233617,1234958,1236316,1236317,1237002,1237006,1237008,1237009,1237010,1237011,1237012,1237013,1237014,CVE-2024-45774,CVE-2024-45775,CVE-2024-45776,CVE-2024-45777,CVE-2024-45778,CVE-2024-45779,CVE-2024-45780,CVE-2024-45781,CVE-2024-45782,CVE-2024-45783,CVE-2024-56737,CVE-2025-0622,CVE-2025-0624,CVE-2025-0677,CVE-2025-0678,CVE-2025-0684,CVE-2025-0685,CVE-2025-0686,CVE-2025-0689,CVE-2025-0690,CVE-2025-1118,CVE-2025-1125 This update for grub2 fixes the following issues: - CVE-2024-45781: Fixed strcpy overflow in ufs. (bsc#1233617) - CVE-2024-56737: Fixed a heap-based buffer overflow in hfs. (bsc#1234958) - CVE-2024-45782: Fixed strcpy overflow in hfs. (bsc#1233615) - CVE-2024-45780: Fixed an overflow in tar/cpio. (bsc#1233614) - CVE-2024-45783: Fixed a refcount overflow in hfsplus. (bsc#1233616) - CVE-2024-45774: Fixed a heap overflow in JPEG parser. (bsc#1233609) - CVE-2024-45775: Fixed a missing NULL check in extcmd parser. (bsc#1233610) - CVE-2024-45776: Fixed an overflow in .MO file handling. (bsc#1233612) - CVE-2024-45777: Fixed an integer overflow in gettext. (bsc#1233613) - CVE-2024-45778: Fixed bfs filesystem by removing it from lockdown capable modules. (bsc#1233606) - CVE-2024-45779: Fixed a heap overflow in bfs. (bsc#1233608) - CVE-2025-0624: Fixed an out-of-bounds write during the network boot process. (bsc#1236316) - CVE-2025-0622: Fixed a use-after-free when handling hooks during module unload in command/gpg . (bsc#1236317) - CVE-2025-0690: Fixed an integer overflow that may lead to an out-of-bounds write through the read command. 
(bsc#1237012) - CVE-2025-1118: Fixed an issue where the dump command was not being blocked when grub was in lockdown mode. (bsc#1237013) - CVE-2025-0677: Fixed an integer overflow that may lead to an out-of-bounds write when handling symlinks in ufs. (bsc#1237002) - CVE-2025-0684: Fixed an integer overflow that may lead to an out-of-bounds write when handling symlinks in reiserfs. (bsc#1237008) - CVE-2025-0685: Fixed an integer overflow that may lead to an out-of-bounds write when handling symlinks in jfs. (bsc#1237009) - CVE-2025-0686: Fixed an integer overflow that may lead to an out-of-bounds write when handling symlinks in romfs. (bsc#1237010) - CVE-2025-0689: Fixed a heap-based buffer overflow in udf that may lead to arbitrary code execution. (bsc#1237011) - CVE-2025-1125: Fixed an integer overflow that may lead to an out-of-bounds write in hfs. (bsc#1237014) - CVE-2025-0678: Fixed an integer overflow that may lead to an out-of-bounds write in squash4. (bsc#1237006) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:605-1 Released: Thu Feb 20 15:42:48 2025 Summary: Security update for openssh Type: security Severity: moderate References: 1237040,CVE-2025-26465 This update for openssh fixes the following issues: - CVE-2025-26465: Fixed MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client (bsc#1237040). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:678-1 Released: Mon Feb 24 11:59:54 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: important References: 1228434,1236384,1236820,1236939,1236983 This update for libzypp, zypper fixes the following issues: - Don't issue deprecated warnings if -DNDEBUG is set (bsc#1236983) - Drop zypp-CheckAccessDeleted in favor of 'zypper ps' - Fix Repoverification plugin not being executed - Refresh: Fetch the master index file before key and signature (bsc#1236820) - Deprecate RepoReports we do not trigger - Let zypper dup fail in case of (temporarily) unaccessible repos (bsc#1228434, bsc#1236939) - New system-architecture command (bsc#1236384) - Change versioncmp command to return exit code according to the comparison result ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:721-1 Released: Wed Feb 26 10:06:07 2025 Summary: Recommended update for open-iscsi Type: recommended Severity: moderate References: This update for open-iscsi fixes the following issues: - Moved this patch upstream, so now it's part of the diff file and is no longer needed here ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:724-1 Released: Wed Feb 26 14:30:20 2025 Summary: Security update for vim Type: security Severity: moderate References: 1229685,1229822,1230078,1235695,1236151,1237137,CVE-2024-43790,CVE-2024-43802,CVE-2024-45306,CVE-2025-1215,CVE-2025-22134,CVE-2025-24014 This update for vim fixes the following issues: Update to version 9.1.1101: - CVE-2024-43790: possible out-of-bounds read when performing a search command (bsc#1229685). - CVE-2024-43802: heap buffer overflow due to incorrect flushing of the typeahead buffer (bsc#1229822). - CVE-2024-45306: heap buffer overflow when cursor position is invalid (bsc#1230078). 
- CVE-2025-22134: heap buffer overflow when switching to other buffers using the :all command with active visual mode (bsc#1235695). - CVE-2025-24014: NULL pointer dereference may lead to segmentation fault when in silent Ex mode (bsc#1236151). - CVE-2025-1215: memory corruption when manipulating the --log argument (bsc#1237137). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:741-1 Released: Fri Feb 28 11:15:50 2025 Summary: Security update for procps Type: security Severity: important References: 1214290,1236842,CVE-2023-4016 This update for procps fixes the following issues: - Integer overflow due to incomplete fix for CVE-2023-4016 can lead to segmentation fault in ps command when pid argument has a leading space (bsc#1236842, bsc#1214290). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:748-1 Released: Fri Feb 28 17:14:02 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1237363,1237370,1237418,CVE-2024-56171,CVE-2025-24928,CVE-2025-27113 This update for libxml2 fixes the following issues: - CVE-2024-56171: use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c (bsc#1237363). - CVE-2025-24928: stack-based buffer overflow in xmlSnprintfElements in valid.c (bsc#1237370). - CVE-2025-27113: NULL pointer dereference in xmlPatMatch in pattern.c (bsc#1237418). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:765-1 Released: Mon Mar 3 09:44:13 2025 Summary: Security update for gnutls Type: security Severity: moderate References: 1236974,CVE-2024-12243 This update for gnutls fixes the following issues: - CVE-2024-12243: quadratic complexity of DER input decoding in libtasn1 can lead to a DoS (bsc#1236974). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:776-1 Released: Tue Mar 4 15:55:35 2025 Summary: Security update for docker Type: security Severity: moderate References: 1234089,1237335,CVE-2024-29018 This update for docker fixes the following issues: Update to Docker 27.5.1-ce (bsc#1237335): - CVE-2024-29018: External DNS requests from 'internal' networks could lead to data exfiltration (bsc#1234089). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:830-1 Released: Tue Mar 11 09:55:10 2025 Summary: Recommended update for timezone Type: recommended Severity: moderate References: This update for timezone fixes the following issues: - Update to 2025a: * Paraguay adopts permanent -03 starting spring 2024 * Improve pre-1991 data for the Philippines * Etc/Unknown is now reserved * Improve historical data for Mexico, Mongolia, and Portugal * System V names are now obsolescent * The main data form now uses %z * The code now conforms to RFC 8536 for early timestamps * Support POSIX.1-2024, which removes asctime_r and ctime_r * Assume POSIX.2-1992 or later for shell scripts * SUPPORT_C89 now defaults to 1 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:835-1 Released: Tue Mar 11 11:57:43 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1208995,1220946,1224700,1225742,1232905,1232919,1234154,1234853,1234891,1234963,1235054,1235061,1235073,1236661,1236675,1236677,1236757,1236758,1236760,1236761,1237025,1237028,1237139,1237316,1237693,1238033,CVE-2022-49080,CVE-2023-1192,CVE-2023-52572,CVE-2024-35949,CVE-2024-50115,CVE-2024-50128,CVE-2024-53135,CVE-2024-53173,CVE-2024-53239,CVE-2024-56539,CVE-2024-56548,CVE-2024-56605,CVE-2024-57948,CVE-2025-21690,CVE-2025-21692,CVE-2025-21699 The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security bugfixes. 
The following security bugs were fixed: - CVE-2022-49080: mm/mempolicy: fix mpol_new leak in shared_policy_replace (bsc#1238033). - CVE-2024-35949: btrfs: make sure that WRITTEN is set on all metadata blocks (bsc#1224700). - CVE-2024-50128: net: wwan: fix global oob in wwan_rtnl_policy (bsc#1232905). - CVE-2024-53135: KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN (bsc#1234154). - CVE-2024-57948: mac802154: check local interfaces before deleting sdata list (bsc#1236677). - CVE-2025-21690: scsi: storvsc: Ratelimit warning logs to prevent VM denial of service (bsc#1237025). - CVE-2025-21692: net: sched: fix ets qdisc OOB Indexing (bsc#1237028). - CVE-2025-21699: gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag (bsc#1237139). The following non-security bugs were fixed: - idpf: call set_real_num_queues in idpf_open (bsc#1236661 bsc#1237316). - ipv4/tcp: do not use per netns ctl sockets (bsc#1237693). - net: mana: Add get_link and get_link_ksettings in ethtool (bsc#1236761). - net: mana: Cleanup 'mana' debugfs dir after cleanup of all children (bsc#1236760). - net: mana: Enable debugfs files for MANA device (bsc#1236758). - net: netvsc: Update default VMBus channels (bsc#1236757). - scsi: storvsc: Use scsi_cmd_to_rq() instead of scsi_cmnd.request (git-fixes). - x86/kvm: fix is_stale_page_fault() (bsc#1236675). - x86/xen: add FRAME_END to xen_hypercall_hvm() (git-fixes). - x86/xen: fix xen_hypercall_hvm() to not clobber %rbx (git-fixes). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:839-1 Released: Tue Mar 11 13:12:01 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: important References: 1189788,1216091,1236481,1237044 This update for libzypp, zypper fixes the following issues: - Disable zypp.conf:download.use_deltarpm by default Measurements show that you don't benefit from using deltarpms unless your network connection is very slow. 
That's why most distributions even stop offering deltarpms. The default remains unchanged on SUSE-15.6 and older. - Make sure repo variables are evaluated in the right context (bsc#1237044) - Introducing MediaCurl2, an alternative HTTP backend. This patch adds MediaCurl2 as a testbed for experimenting with a more simple way to download files. Set ZYPP_CURL2=1 in the environment to use it. - Filesystem usrmerge must not be done in singletrans mode (bsc#1236481, bsc#1189788) - Commit will amend the backend in case the transaction would perform a filesystem usrmerge. - Workaround bsc#1216091 on Code16. - Announce --root in commands not launching a Target (bsc#1237044) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:931-1 Released: Wed Mar 19 11:06:47 2025 Summary: Recommended update for grub2 Type: recommended Severity: important References: 1237865 This update for grub2 fixes the following issues: - Fix zfs.mo not found message when booting on legacy BIOS (bsc#1237865) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:998-1 Released: Tue Mar 25 03:07:02 2025 Summary: Security update for freetype2 Type: security Severity: important References: 1239465,CVE-2025-27363 This update for freetype2 fixes the following issues: - CVE-2025-27363: Fixed out-of-bounds write when attempting to parse font subglyph structures related to TrueType GX and variable font files (bsc#1239465). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1004-1 Released: Tue Mar 25 09:42:38 2025 Summary: Security update for python-Jinja2 Type: security Severity: moderate References: 1238879,CVE-2025-27516 This update for python-Jinja2 fixes the following issues: - CVE-2025-27516: Fixed sandbox breakout through attr filter selecting format method (bsc#1238879) 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1027-1 Released: Wed Mar 26 13:11:35 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2024-2201: Fixed information leak in x86/BHI (bsc#1217339). - CVE-2024-41092: drm/i915/gt: Fix potential UAF by revoke of fence registers (bsc#1228483). - CVE-2024-42098: crypto: ecdh - explicitly zeroize private_key (bsc#1228779). - CVE-2024-42229: crypto: aead,cipher - zeroize key buffer after use (bsc#1228708). - CVE-2024-57996: net_sched: sch_sfq: do not allow 1 packet limit (bsc#1239076). - CVE-2024-58014: wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy() (bsc#1239109). - CVE-2025-21718: net: rose: fix timer races against user threads (bsc#1239073). - CVE-2025-21780: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() (bsc#1239115). The following non-security bugs were fixed: - initcall_blacklist: Does not allow kernel_lockdown be blacklisted (bsc#1237521). - x86/bhi: Avoid warning in #DB handler due to BHI mitigation (git-fixes). - x86/bugs: Cache the value of MSR_IA32_ARCH_CAPABILITIES (git-fixes). - x86/bugs: Fix BHI documentation (git-fixes). - x86/bugs: Fix BHI handling of RRSBA (git-fixes). - x86/bugs: Fix BHI retpoline check (git-fixes). - x86/bugs: Fix return type of spectre_bhi_state() (git-fixes). - x86/bugs: Remove CONFIG_BHI_MITIGATION_AUTO and spectre_bhi=auto (git-fixes). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1034-1 Released: Thu Mar 27 07:50:58 2025 Summary: Recommended update for python-azure-agent Type: recommended Severity: moderate References: 1235140 This update for python-azure-agent fixes the following issues: - Update to version 2.12.04 (bsc#1235140) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1035-1 Released: Thu Mar 27 10:34:01 2025 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: 1236779,1237294 This update for suse-build-key fixes the following issues: - Changed and extended the SUSE Linux Enterprise 15 and 16 signing keys to use SHA256 GPG UIDs instead of SHA1. (bsc#1237294 bsc#1236779 jsc#PED-12321) - gpg-pubkey-3fa1d6ce-67c856ee.asc to gpg-pubkey-09d9ea69-67c857f3.asc - gpg-pubkey-09d9ea69-645b99ce.asc to gpg-pubkey-3fa1d6ce-63c9481c.asc - suse_ptf_key_2023.asc, suse_ptf_key.asc: adjusted ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1056-1 Released: Fri Mar 28 18:06:22 2025 Summary: Security update for python3 Type: security Severity: moderate References: 1233307,CVE-2024-11168 This update for python3 fixes the following issues: - CVE-2024-11168: Fixed improper validation of IPv6 and IPvFuture addresses (bsc#1233307). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1062-1 Released: Mon Mar 31 10:45:08 2025 Summary: Security update for docker, docker-stable Type: security Severity: important References: 1237367,1239185,1239322,CVE-2024-23650,CVE-2024-29018,CVE-2024-41110,CVE-2025-22868,CVE-2025-22869 This update for docker, docker-stable fixes the following issues: - CVE-2025-22868: Fixed unexpected memory consumption during token parsing in golang.org/x/oauth2 (bsc#1239185). - CVE-2025-22869: Fixed Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239322). 
Other fixes: - Make container-selinux requirement conditional on selinux-policy (bsc#1237367) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1130-1 Released: Thu Apr 3 15:08:55 2025 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: important References: 1234798,1240009,1240343 This update for ca-certificates-mozilla fixes the following issues: Update to 2.74 state of Mozilla SSL root CAs: - Removed: * SwissSign Silver CA - G2 - Added: * D-TRUST BR Root CA 2 2023 * D-TRUST EV Root CA 2 2023 Updated to 2.72 state of Mozilla SSL root CAs (bsc#1234798): - Removed: * SecureSign RootCA11 * Security Communication RootCA3 - Added: * TWCA CYBER Root CA * TWCA Global Root CA G2 * SecureSign Root CA12 * SecureSign Root CA14 * SecureSign Root CA15 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1160-1 Released: Mon Apr 7 17:28:43 2025 Summary: Recommended update for vim Type: recommended Severity: moderate References: 1235751 vim was updated to 9.1.1176. Changes: * wrong indent when expanding multiple lines * inconsistent behaviour with exclusive selection and motion commands * filetype: ABNF files are not detected * [security]: overflow with 'nostartofline' and Ex command in tag file * wildmenu highlighting in popup can be improved * using global variable for get_insert()/get_lambda_name() * wrong flags passed down to nextwild() * mark '] wrong after copying text object * command-line auto-completion hard with wildmenu * diff: regression with multi-file diff blocks * [security]: code execution with tar.vim and special crafted tar files * $MYVIMDIR is set too late * completion popup not cleared in cmdline * preinsert requires both 'menu' and 'menuone' to be set * Ctrl-Y does not work well with 'preinsert' when completing items * $MYVIMDIR may not always be set * :verbose set has wrong file name with :compiler! 
* command completion wrong for input() * Mode message not cleared after :silent message * Vim9: not able to use autoload class across scripts * build error on Haiku * Patch v9.1.1151 causes problems * too many strlen() calls in getchar.c * :hi completion may complete to wrong value * Unix Makefile does not support Brazilian lang for the installer * Vim9: finding imported scripts can be further improved * preview-window does not scroll correctly * Vim9: wrong context being used when evaluating class member * multi-line completion has wrong indentation for last line * no way to create raw strings from a blob * illegal memory access when putting a register * Misplaced comment in readfile() * filetype: m17ndb files are not detected * [fifo] is not displayed when editing a fifo * cmdline completion for :hi is too simplistic * ins_str() is inefficient by calling STRLEN() * Match highlighting marks a buffer region as changed * 'suffixesadd' doesn't work with multiple items * filetype: Guile init file not recognized * filetype: xkb files not recognized everywhere * Mark positions wrong after triggering multiline completion * potential out-of-memory issue in search.c * 'listchars' 'precedes' is not drawn on Tabs. 
* missing out-of-memory test in buf_write() * patch 9.1.1119 caused a regression with imports * preinsert text is not cleaned up correctly * patch 9.1.1121 used a wrong way to handle enter * cannot loop through pum menu with multiline items * No test for 'listchars' 'precedes' with double-width char * popup hi groups not falling back to defaults * too many strlen() calls in findfile.c * Enter does not insert newline with 'noselect' * Vim9: Not able to use an autoloaded class from another autoloaded script * Vim9: super not supported in lambda expressions * [security]: use-after-free in str_to_reg() * enabling termguicolors automatically confuses users * Inconsistencies in get_next_or_prev_match() * Vim9: variable not found in transitive import * cmdexpand.c hard to read * 'smoothscroll' gets stuck with 'listchars' 'eol' * cannot loop through completion menu with fuzzy * Vim9: no support for protected new() method * CI: using Ubuntu 22.04 Github runners * if_perl: still some compile errors with Perl 5.38 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1191-1 Released: Thu Apr 10 06:57:45 2025 Summary: Recommended update for supportutils Type: recommended Severity: moderate References: 1183663,1193173,1211547,1213291,1214713,1216049,1216146,1216147,1216150,1216151,1216228,1216229,1216230,1216231,1216232,1216233,1216241,1216388,1216522,1216827,1217287,1218201,1218282,1218324,1218812,1218814,1219241,1219639,1222021,1222650,1222896,1227127,1228265,1230371,1231396,1231423,1231838,1233726 This update for supportutils fixes the following issues: - Version update 3.2.10, bugfixing. + Collect firewalld configuration + Ignore tasks/threads to prevent collecting duplicate data (bsc#1230371). + openldap2_5 support for SLES (bsc#1231838). + Added dbus_info for dbus.txt (bsc#1222650). + Map running PIDs to RPM package owner aiding BPF program detection (bsc#1222896, bsc#1213291, PED-8221). 
+ Corrected display issues (bsc#1231396, bsc#1217287). + NFS takes too long, showmount times out (bsc#1231423). + Merged sle15 and master branches (bsc#1233726, PED-11669). + Extended scaling for performance (bsc#1214713). + Corrected SLE Micro version (bsc#1219241). + Check nvidia-persistenced state (bsc#1219639). + Corrected podman .ID error (bsc#1218812). + Remove duplicate non-root podman users (bsc#1218814). + Fixed smart disk error (bsc#1218282). + Fixed ipvsadm logic error (bsc#1218324). + Correctly detects Xen Dom0 (bsc#1218201). + Inhibit the conversion of port numbers to port names for network files. + powerpc: collect rtas_errd.log and lp_diag.log log files. + Get list of pam.d files. + Provides long listing for /etc/sssd/sssd.conf (bsc#1211547). + Optimize lsof usage (bsc#1183663). + Added mokutil commands for secureboot. + ipset - List entries for all sets. + Added nvme-stas configuration to nvme.txt (bsc#1216049). + Collects zypp history file (bsc#1216522). + Collect HA related rpm package versions in ha.txt + Change -x OPTION to really be exclude only + Fixed kernel and added user live patching (PED-4524). + Fixed plugins creating empty files (bsc#1216388). + Remove supportutils requires for util-linux-systemd and kmod (bsc#1193173). + Added supportutils to current (PED-4456). + Changed config directory to /etc/supportutils for all conf and header.txt (bsc#1216232). + Fixed supportconfig using external test command (bsc#1216150) and kdump, analyzevmcore errors (bsc#1216146). + Support has been removed for scplugin.rc, use supportconfig.rc (bsc#1216241). + Remove check_service function from supportconfig.rc (bsc#1216231). + Removed older versions of SLES_VER (bsc#1216147). + Added timed command to fs-files.txt (bsc#1216827). + Cron and At are replaced with systemd.timer (bsc#1216229). + Offers apparmor or selinux based on configuration (bsc#1216233). + Filtered proc access errors (bsc#1216151). + Remove all SuSE-release references (bsc#1216228). 
+ Remove references to /etc/init.d (bsc#1216230). + Add capability in supportconfig to insert configs in summary.xml from command line option (bsc#1222021). + file sanitizing improvement request for boot (bsc#1227127). + Add 'read_values -s' output to supportconfig on s390x (bsc#1228265). + Usability enhancement for supportconfig (PED-8211). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1192-1 Released: Thu Apr 10 08:40:02 2025 Summary: Recommended update for hwinfo Type: recommended Severity: moderate References: 1223330,1239663 This update for hwinfo fixes the following issues: - Avoid reporting of spurious usb storage devices (bsc#1223330) - Do not overdo usb device de-duplication (bsc#1239663) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1193-1 Released: Thu Apr 10 10:01:36 2025 Summary: Security update for apparmor Type: security Severity: moderate References: 1234452 This update for apparmor fixes the following issue: - Allow dovecot-auth to execute unix check password from /sbin, not only from /usr/bin (bsc#1234452). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1195-1 Released: Thu Apr 10 15:47:35 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1193629,1197227,1207034,1207186,1207878,1209262,1209547,1209788,1210647,1213167,1225742,1231375,1233479,1233557,1233558,1234464,1235528,1237029,1237530,1237875,1237877,1237890,1237918,1238911,1238919,1239016,1239036,1239061,1239126,1239452,1239454,1239968,1239969,1240133,1240195,1240205,1240207,1240208,1240210,1240212,1240213,1240218,1240220,1240227,1240229,1240231,1240242,1240245,1240247,1240250,1240254,1240256,1240264,1240266,1240272,1240275,1240276,1240278,1240279,1240280,1240281,1240282,1240283,1240284,1240286,1240288,1240290,1240292,1240293,1240297,1240304,1240308,1240309,1240317,1240318,1240322,CVE-2017-5753,CVE-2021-4454,CVE-2022-1016,CVE-2022-49053,CVE-2022-49293,CVE-2022-49465,CVE-2022-49650,CVE-2022-49739,CVE-2022-49746,CVE-2022-49748,CVE-2022-49751,CVE-2022-49753,CVE-2022-49755,CVE-2022-49759,CVE-2023-0179,CVE-2023-1652,CVE-2023-2162,CVE-2023-3567,CVE-2023-52930,CVE-2023-52933,CVE-2023-52935,CVE-2023-52939,CVE-2023-52941,CVE-2023-52973,CVE-2023-52974,CVE-2023-52975,CVE-2023-52976,CVE-2023-52979,CVE-2023-52983,CVE-2023-52984,CVE-2023-52988,CVE-2023-52989,CVE-2023-52992,CVE-2023-52993,CVE-2023-53000,CVE-2023-53005,CVE-2023-53006,CVE-2023-53007,CVE-2023-53008,CVE-2023-53010,CVE-2023-53015,CVE-2023-53016,CVE-2023-53019,CVE-2023-53023,CVE-2023-53024,CVE-2023-53025,CVE-2023-53026,CVE-2023-53028,CVE-2023-53029,CVE-2023-53030,CVE-2023-53033,CVE-2024-50290,CVE-2024-53063,CVE-2024-53064,CVE-2024-56651,CVE-2024-58083,CVE-2025-21693,CVE-2025-21714,CVE-2025-21732,CVE-2025-21753,CVE-2025-21772,CVE-2025-21839 The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2022-49053: scsi: target: tcmu: Fix possible page UAF (bsc#1237918). 
- CVE-2022-49465: blk-throttle: Set BIO_THROTTLED when bio has been throttled (bsc#1238919). - CVE-2022-49739: gfs2: Always check inode size of inline inodes (bsc#1240207). - CVE-2023-52935: mm/khugepaged: fix ->anon_vma race (bsc#1240276). - CVE-2024-53064: idpf: fix idpf_vc_core_init error path (bsc#1233558 bsc#1234464). - CVE-2024-56651: can: hi311x: hi3110_can_ist(): fix potential use-after-free (bsc#1235528). - CVE-2024-58083: KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() (bsc#1239036). - CVE-2025-21693: mm: zswap: properly synchronize freeing resources during CPU hotunplug (bsc#1237029). - CVE-2025-21714: RDMA/mlx5: Fix implicit ODP use after free (bsc#1237890). - CVE-2025-21732: RDMA/mlx5: Fix a race for an ODP MR which leads to CQE with error (bsc#1237877). - CVE-2025-21753: btrfs: fix use-after-free when attempting to join an aborted transaction (bsc#1237875). - CVE-2025-21772: partitions: mac: fix handling of bogus partition table (bsc#1238911). The following non-security bugs were fixed: - ACPI: processor: idle: Return an error if both P_LVL{2,3} idle states are invalid (bsc#1237530). - RDMA/mana_ib: Prefer struct_size over open coded arithmetic (bsc#1239016). - RDMA/mana_ib: Use v2 version of cfg_rx_steer_req to enable RX coalescing (bsc#1239016). - RDMA/mlx5: Fix implicit ODP hang on parent deregistration (git-fixes) - btrfs: defrag: do not use merged extent map for their generation check (bsc#1239968). - btrfs: fix defrag not merging contiguous extents due to merged extent maps (bsc#1239968). - btrfs: fix extent map merging not happening for adjacent extents (bsc#1239968). - btrfs: send: allow cloning non-aligned extent if it ends at i_size (bsc#1239969). - btrfs: send: fix invalid clone operation for file that got its size decreased (bsc#1239969). - gfs2: Fix inode height consistency check (git-fixes). - mm/mmu_notifier.c: fix race in mmu_interval_notifier_remove() (bsc#1239126). 
- mm: zswap: move allocations during CPU init outside the lock (git-fixes).
- net: mana: Add flex array to struct mana_cfg_rx_steer_req_v2 (bsc#1239016).
- net: mana: Allow variable size indirection table (bsc#1239016).
- net: mana: Avoid open coded arithmetic (bsc#1239016).
- net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup (bsc#1240195).
- net: mana: Support holes in device list reply msg (bsc#1240133).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1201-1
Released: Fri Apr 11 12:15:58 2025
Summary: Security update for expat
Type: security
Severity: important
References: 1239618,CVE-2024-8176
This update for expat fixes the following issues:

- CVE-2024-8176: Fixed denial of service from chaining a large number of entities caused by stack overflow by resolving use of recursion (bsc#1239618)

Other fixes:

- version update to 2.7.1 (jsc#PED-12500)

  Bug fixes:
    #980 #989 Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are:
      - XML_GetCurrentByteCount
      - XML_GetCurrentByteIndex
      - XML_GetCurrentColumnNumber
      - XML_GetCurrentLineNumber
      - XML_GetInputContext

  Other changes:
    #976 #977 Autotools: Integrate files 'fuzz/xml_lpm_fuzzer.{cpp,proto}' with Automake that were missing from 2.7.0 release tarballs
    #983 #984 Fix printf format specifiers for 32bit Emscripten
    #992 docs: Promote OpenSSF Best Practices self-certification
    #978 tests/benchmark: Resolve mistaken double close
    #986 Address compiler warnings
    #990 #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do

  Infrastructure:
    #982 CI: Start running Perl XML::Parser integration tests
    #987 CI: Enforce Clang Static Analyzer clean code
    #991 CI: Re-enable warning clang-analyzer-valist.Uninitialized for clang-tidy
    #981 CI: Cover compilation with musl
    #983 #984 CI: Cover compilation with 32bit Emscripten
    #976 #977 CI: Protect against fuzzer files missing from future release archives

- version update to 2.7.0

    #935 #937 Autotools: Make generated CMake files look for libexpat.@SO_MAJOR@.dylib on macOS
    #925 Autotools: Sync CMake templates with CMake 3.29
    #945 #962 #966 CMake: Drop support for CMake <3.13
    #942 CMake: Small fuzzing related improvements
    #921 docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4
    #941 docs: Document need for C++11 compiler for use from C++
    #959 tests/benchmark: Fix a (harmless) TOCTTOU
    #944 Windows: Fix installer target location of file xmlwf.xml for CMake
    #953 Windows: Address warning -Wunknown-warning-option about -Wno-pedantic-ms-format from LLVM MinGW
    #971 Address Cppcheck warnings
    #969 #970 Mass-migrate links from http:// to https://
    #947 #958 .. #974 #975 Document changes since the previous release
    #974 #975 Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1217-1
Released: Sun Apr 13 12:16:40 2025
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: important
References: 1240343
This update for ca-certificates-mozilla fixes the following issues:

- Reenable the distrusted certs for now, as these only distrust 'new issued' certs starting after a certain date, while old certs should still work. (bsc#1240343)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1242-1
Released: Mon Apr 14 12:43:18 2025
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1235481,1236033
This update for aaa_base fixes the following issues:

- SP6 logrotate and rcsyslog binary (bsc#1236033)
- Update detection for systemd in rc.status
- Mountpoint for cgroup changed with cgroup2
- If a user switches the login shell respect the already set PATH environment (bsc#1235481)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1292-1
Released: Wed Apr 16 09:49:17 2025
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References:
This update for timezone fixes the following issues:

- Version update 2025b
  * New zone for Aysen Region in Chile (America/Coyhaique) which moves from -04/-03 to -03
- Refresh patches for philippines historical data and china tzdata

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1334-1
Released: Thu Apr 17 09:03:05 2025
Summary: Security update for pam
Type: security
Severity: moderate
References: 1232234,CVE-2024-10041
This update for pam fixes the following issues:

- CVE-2024-10041: sensitive data exposure while performing authentications. (bsc#1232234)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1345-1
Released: Thu Apr 17 17:14:27 2025
Summary: Security update for containerd
Type: security
Severity: moderate
References: 1239749,CVE-2024-40635
This update for containerd fixes the following issues:

- CVE-2024-40635: Fixed integer overflow in User ID handling (bsc#1239749)

Other fixes:

- Update to containerd v1.7.27.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1354-1
Released: Tue Apr 22 05:14:53 2025
Summary: Recommended update for iproute2
Type: recommended
Severity: moderate
References: 1234383
This update for iproute2 fixes the following issues:

- Avoid false cgroup warnings (bsc#1234383)

-----------------------------------------------------------------
Advisory ID: 38402
Released: Fri Apr 25 11:05:30 2025
Summary: Recommended update for freetype2
Type: recommended
Severity: important
References:
This update for freetype2 fixes the following issue:

- enable brotli support (jsc#PED-12258)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1381-1
Released: Mon Apr 28 09:37:03 2025
Summary: Security update for cifs-utils
Type: security
Severity: moderate
References: 1239680,CVE-2025-2312
This update for cifs-utils fixes the following issues:

- CVE-2025-2312: Fixed cifs.upcall making an upcall to the wrong namespace in containerized environments while trying to get Kerberos credentials (bsc#1239680)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1413-1
Released: Wed Apr 30 08:59:04 2025
Summary: Security update for augeas
Type: security
Severity: low
References: 1239909,CVE-2025-2588
This update for augeas fixes the following issues:

- CVE-2025-2588: Check for NULL pointers when calling re_case_expand in function fa_expand_nocase. (bsc#1239909)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1435-1
Released: Fri May 2 12:39:10 2025
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1241453,1241551,CVE-2025-32414,CVE-2025-32415
This update for libxml2 fixes the following issues:

- CVE-2025-32414: Fixed an out-of-bounds read when parsing text via the Python API. (bsc#1241551)
- CVE-2025-32415: Fixed a crafted XML document may lead to a heap-based buffer under-read. (bsc#1241453)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1486-1
Released: Tue May 6 12:00:21 2025
Summary: Recommended update for apparmor
Type: recommended
Severity: important
References: 1232234,1234452
This update for apparmor fixes the following issues:

- Allow pam_unix to execute unix_chkpwd with abi/3.0 (bsc#1234452, bsc#1232234)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1456-1
Released: Wed May 7 17:13:32 2025
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1241020,1241078,1241189,CVE-2025-29087,CVE-2025-29088,CVE-2025-3277
This update for sqlite3 fixes the following issues:

- CVE-2025-29087,CVE-2025-3277: Fixed integer overflow in sqlite concat function (bsc#1241020)
- CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078)

Other fixes:

- Updated to version 3.49.1 from Factory (jsc#SLE-16032)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1549-1
Released: Wed May 14 11:06:26 2025
Summary: Security update for apparmor
Type: security
Severity: moderate
References: 1241678,CVE-2024-10041
This update for apparmor fixes the following issues:

- Add dac_read_search capability for unix_chkpwd to allow it to read the shadow file even if it has 000 permissions. This is needed after the CVE-2024-10041 fix in PAM. (bsc#1241678)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1576-1
Released: Mon May 19 06:48:35 2025
Summary: Security update for openssh
Type: security
Severity: moderate
References: 1228634,1232533,1241012,1241045,CVE-2025-32728
This update for openssh fixes the following issues:

- Security issues fixed:
  * CVE-2025-32728: Fixed a logic error in DisableForwarding option (bsc#1241012)
- Other bugs fixed:
  * Allow KEX hashes greater than 256 bits (bsc#1241045)
  * Fixed hostname being left out of the audit output (bsc#1228634)
  * Fixed failures with very large MOTDs (bsc#1232533)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1580-1
Released: Mon May 19 15:11:59 2025
Summary: Recommended update for librdkafka
Type: recommended
Severity: important
References: 1242842
This update for librdkafka fixes the following issues:

- Avoid endless loops under certain conditions (bsc#1242842)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1599-1
Released: Tue May 20 12:52:43 2025
Summary: Security update for glib2
Type: security
Severity: moderate
References: 1240897,CVE-2025-3360
This update for glib2 fixes the following issues:

- CVE-2025-3360: Fixed integer overflow and buffer underread when parsing a very long and invalid ISO 8601 timestamp with g_date_time_new_from_iso8601() (bsc#1240897)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1627-1
Released: Wed May 21 12:01:48 2025
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1201855,1230771,1238471,1238512,1238747,1238865,1239968,1240188,1240195,1240553,1240747,1240835,1241280,1241371,1241421,1241433,1241541,CVE-2021-47671,CVE-2022-49741,CVE-2024-46784,CVE-2025-21726,CVE-2025-21785,CVE-2025-21791,CVE-2025-21812,CVE-2025-21886,CVE-2025-22004,CVE-2025-22020,CVE-2025-22045,CVE-2025-22055,CVE-2025-22097
The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

- CVE-2025-21726: padata: avoid UAF for reorder_work (bsc#1238865).
- CVE-2025-21785: arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array (bsc#1238747).
- CVE-2025-21791: vrf: use RCU protection in l3mdev_l3_out() (bsc#1238512).
- CVE-2025-21812: ax25: rcu protect dev->ax25_ptr (bsc#1238471).
- CVE-2025-22004: net: atm: fix use after free in lec_send() (bsc#1240835).
- CVE-2025-22020: memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove (bsc#1241280).
- CVE-2025-22045: x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs (bsc#1241433).
- CVE-2025-22055: net: fix geneve_opt length integer overflow (bsc#1241371).
- CVE-2025-22097: drm/vkms: Fix use after free and double free on init error (bsc#1241541).

The following non-security bugs were fixed:

- scsi: smartpqi: Add ctrl ready timeout module parameter (jsc#PED-1557, bsc#1201855, bsc#1240553).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1632-1
Released: Wed May 21 12:04:19 2025
Summary: Recommended update for grub2
Type: recommended
Severity: moderate
References:
This update for grub2 rebuilds the existing package with the new 4k RSA secure boot key for IBM Power and Z.

Note: the signing key of x86 / x86_64 and aarch64 architectures are unchanged.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1642-1
Released: Wed May 21 16:31:58 2025
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: important
References: 1222044,1230267,1235598,1237172,1237587,1237949,1238315,1239809,1240529
This update for libsolv, libzypp, zypper fixes the following issues:

- build both static and dynamic libraries on new suse distros
- support the apk package and repository format (both v2 and v3)
- new dataiterator_final_{repo,solvable} functions
- Provide a symbol specific for the ruby-version so yast does not break across updates (bsc#1235598)
- XmlReader: Fix detection of bad input streams
- rpm: Fix detection of %triggerscript starts (bsc#1222044)
- RepoindexFileReader: add more related attributes a service may set.
- Drop workaround for broken rpm-4.18 in Code16 (bsc#1237172)
- BuildRequires: %{libsolv_devel_package} >= 0.7.32.
- Drop usage of SHA1 hash algorithm because it will become unavailable in FIPS mode (bsc#1240529)
- Fix zypp.conf dupAllowVendorChange to reflect the correct default (false).
- zypp.conf: Add `lock_timeout` ($ZYPP_LOCK_TIMEOUT) (bsc#1239809)
- Fix computation of RepStatus if Repo URLs change.
- Fix lost double slash when appending to an absolute FTP url (bsc#1238315)
- Add a transaction package preloader
- RpmPkgSigCheck_test: Exchange the test package signingkey
- Exclude MediaCurl tests if DISABLE_MEDIABACKEND_TESTS
- Strip a mediahandler tag from baseUrl querystrings.
- Updated translations (bsc#1230267)
- Do not double encode URL strings passed on the commandline (bsc#1237587)
- Package preloader that concurrently downloads files.
- BuildRequires: libzypp-devel >= 17.36.4.
- refresh: add --include-all-archs
- info,search: add option to search and list Enhances (bsc#1237949)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1648-1
Released: Wed May 21 22:43:46 2025
Summary: Recommended update for kbd
Type: recommended
Severity: moderate
References: 1237230
This update for kbd fixes the following issues:

- Don't search for resources in the current directory. It can cause unwanted side effects or even infinite loop (bsc#1237230).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1691-1
Released: Fri May 23 13:07:30 2025
Summary: Recommended update for hwinfo
Type: recommended
Severity: moderate
References: 1240648
This update for hwinfo fixes the following issues:

- Version update v21.88
- Fix network card detection on aarch64 (bsc#1240648).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1714-1
Released: Tue May 27 13:23:20 2025
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References:
This update for ncurses fixes the following issues:

- Backport sclp terminfo description entry if for s390 sclp terminal lines
- Add a further sclp entry for qemu s390 based systems
- Make use of dumb

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1721-1
Released: Tue May 27 17:59:31 2025
Summary: Recommended update for hwdata
Type: recommended
Severity: moderate
References:
This update for hwdata fixes the following issue:

- Version update 0.394:
  * Update pci, usb and vendor ids
  * Fix usb.ids encoding and a couple of typos
  * Fix configure to honor --prefix

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1779-1
Released: Fri May 30 15:38:55 2025
Summary: Security update for iputils
Type: security
Severity: moderate
References: 1242300,1243284,CVE-2025-47268
This update for iputils fixes the following issues:

Security fixes:

- CVE-2025-47268: Fixed integer overflow in RTT calculation can lead to undefined behavior (bsc#1242300).

Other bug fixes:

- Fixed incorrect IPV4 TTL value when using SOCK_DGRAM on big endian systems (bsc#1243284).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1784-1
Released: Fri May 30 18:09:16 2025
Summary: Security update for glibc
Type: security
Severity: important
References: 1234128,1243317,CVE-2025-4802
This update for glibc fixes the following issues:

Security issues fixed:

- CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317).

Other issues fixed:

- Multi-threaded application hang due to deadlock when `pthread_cond_signal` fails to wake up `pthread_cond_wait` as a consequence of a bug related to stealing of signals (bsc#1234128).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1810-1
Released: Wed Jun 4 11:28:57 2025
Summary: Security update for python3-setuptools
Type: security
Severity: important
References: 1243313,CVE-2025-47273
This update for python3-setuptools fixes the following issues:

- CVE-2025-47273: path traversal in PackageIndex.download may lead to an arbitrary file write (bsc#1243313).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1836-1
Released: Mon Jun 9 16:11:28 2025
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: important
References: 1240869
This update for cloud-netconfig fixes the following issues:

- Add support for creating IPv6 default route in GCE (bsc#1240869)
- Minor fix when looking up IPv6 default route

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1998-1
Released: Wed Jun 18 10:42:20 2025
Summary: Security update for python-requests
Type: security
Severity: moderate
References: 1244039,CVE-2024-47081
This update for python-requests fixes the following issues:

- CVE-2024-47081: fixed netrc credential leak (bsc#1244039).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2013-1
Released: Wed Jun 18 20:05:07 2025
Summary: Security update for pam
Type: security
Severity: important
References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020
This update for pam fixes the following issues:

- CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226).
- CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2022-1
Released: Thu Jun 19 15:14:37 2025
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1239012,1239543,1240132,1241463,1243887,1243901,1244105
This update for libzypp, zypper fixes the following issues:

- Fix credential handling in HEAD requests (bsc#1244105)
- RepoInfo: use pathNameSetTrailingSlash
- Fix wrong userdata parameter type when running zypp with debug verbosity (bsc#1239012)
- Do not warn about no mirrors if mirrorlist was switched on automatically. (bsc#1243901)
- Relax permission of cached packages to 0644 & ~umask (bsc#1243887)
- Add a note to service maintained .repo file entries
- Support using %{url} variable in a RIS service's repo section.
- Use a cookie file to validate mirrorlist cache.
  This patch extends the mirrorlist code to use a cookie file to validate the contents of the cache against the source URL, making sure that we do not accidentally use an old cache when the mirrorlist url was changed. For example when migrating a system from one release to the next where the same repo alias might just have a different URL.
- Let Service define and update gpgkey, mirrorlist and metalink.
- Preserve a mirrorlist file in the raw cache during refresh.
- Enable curl2 backend and parallel package download by default.
  Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1> can be used to turn the features on or off.
- Make gpgKeyUrl the default source for gpg keys.
  When refreshing zypp now primarily uses gpgKeyUrl information from the repo files and only falls back to an automatically generated key Url if a gpgKeyUrl was not specified.
- Introduce mirrors into the Media backends (bsc#1240132)
- Drop MediaMultiCurl backend.
- Throttle progress updates when preloading packages (bsc#1239543)
- Check if request is in valid state in CURL callbacks
- spec/CMake: add conditional build '--with[out] classic_rpmtrans_as_default'.
  classic_rpmtrans is the current builtin default for SUSE, otherwise it's single_rpmtrans. The `enable_preview_single_rpmtrans_as_default_for_zypper` switch was removed from the spec file. Accordingly the CMake option ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed.
- BuildRequires: libzypp-devel >= 17.37.0.
- Use libzypp improvements for preload and mirror handling.
- xmlout.rnc: Update repo-element (bsc#1241463)
  Add the 'metalink' attribute and reflect that the 'url' elements list may in fact be empty, if no baseurls are defined in the .repo files.
- man: update --allow-unsigned-rpm description.
  Explain how to achieve the same for packages provided by repositories.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2027-1
Released: Thu Jun 19 17:15:41 2025
Summary: Security update for perl
Type: security
Severity: moderate
References: 1244079,CVE-2025-40909
This update for perl fixes the following issues:

- CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2082-1
Released: Tue Jun 24 12:28:23 2025
Summary: Security update for pam-config
Type: security
Severity: important
References: 1243226,CVE-2025-6018
This update for pam-config fixes the following issues:

- CVE-2025-6018: Stop adding pam_env in AUTH stack, and be sure to put this module at the very end of the SESSION stack (bsc#1243226).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2103-1
Released: Wed Jun 25 10:26:23 2025
Summary: Recommended update for cifs-utils
Type: recommended
Severity: important
References: 1243488
This update for cifs-utils fixes the following issues:

- Add patches:
  * Fix cifs.mount with krb5 auth (bsc#1243488)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2178-1
Released: Mon Jun 30 19:53:34 2025
Summary: Security update for sudo
Type: security
Severity: important
References: 1245274,CVE-2025-32462
This update for sudo fixes the following issues:

- CVE-2025-32462: Fixed a possible local privilege escalation via the --host option (bsc#1245274).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2198-1
Released: Wed Jul 2 11:22:33 2025
Summary: Security update for runc
Type: security
Severity: low
References: 1230092,CVE-2024-45310
This update for runc fixes the following issues:

- CVE-2024-45310: Fixed unintentional creation of empty files/directories on host (bsc#1230092)

Other fixes:

- Update to runc v1.2.6.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2228-1
Released: Fri Jul 4 15:32:49 2025
Summary: Security update for vim
Type: security
Severity: moderate
References: 1228776,1239602,CVE-2024-41965,CVE-2025-29768
This update for vim fixes the following issues:

- CVE-2024-41965: Fixed improper neutralization of argument delimiters in zip.vim that could have led to data loss (bsc#1228776).
- CVE-2025-29768: Fixed double-free in dialog_changed() (bsc#1239602).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2235-1
Released: Mon Jul 7 14:08:03 2025
Summary: Recommended update for haveged
Type: recommended
Severity: moderate
References: 1165294,1222296
This update for haveged fixes the following issues:

- Add patch files introducing the '--once' flag (bsc#1222296, bsc#1165294)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2262-1
Released: Thu Jul 10 00:23:39 2025
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References:
The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

- CVE-2022-49110: netfilter: conntrack: revisit gc autotuning (bsc#1237981).
- CVE-2022-49139: Bluetooth: fix null ptr deref on hci_sync_conn_complete_evt (bsc#1238032).
- CVE-2022-49767: 9p/trans_fd: always use O_NONBLOCK read/write (bsc#1242493).
- CVE-2022-49775: tcp: cdg: allow tcp_cdg_release() to be called multiple times (bsc#1242245).
- CVE-2022-49858: octeontx2-pf: Fix SQE threshold checking (bsc#1242589).
- CVE-2023-53058: net/mlx5: E-Switch, Fix an Oops in error handling code (bsc#1242237).
- CVE-2023-53060: igb: revert rtnl_lock() that causes deadlock (bsc#1242241).
- CVE-2023-53064: iavf: Fix hang on reboot with ice (bsc#1242222).
- CVE-2023-53066: qed/qed_sriov: guard against NULL derefs from qed_iov_get_vf_info (bsc#1242227).
- CVE-2023-53079: net/mlx5: Fix steering rules cleanup (bsc#1242765).
- CVE-2023-53114: i40e: Fix kernel crash during reboot when adapter is in recovery mode (bsc#1242398).
- CVE-2023-53134: bnxt_en: Avoid order-5 memory allocation for TPA data (bsc#1242380)
- CVE-2024-53168: net: make sock_inuse_add() available (bsc#1234887).
- CVE-2024-56558: nfsd: make sure exp active before svc_export_show (bsc#1235100).
- CVE-2025-21888: RDMA/mlx5: Fix a WARN during dereg_mr for DM type (bsc#1240177).
- CVE-2025-21999: proc: fix UAF in proc_get_inode() (bsc#1240802).
- CVE-2025-22056: netfilter: nft_tunnel: fix geneve_opt type confusion addition (bsc#1241525).
- CVE-2025-22060: net: mvpp2: Prevent parser TCAM memory corruption (bsc#1241526).
- CVE-2025-23138: watch_queue: fix pipe accounting mismatch (bsc#1241648).
- CVE-2025-23145: mptcp: fix NULL pointer in can_accept_new_subflow (bsc#1242596).
- CVE-2025-37785: ext4: fix OOB read when checking dotdot dir (bsc#1241640).
- CVE-2025-37789: net: openvswitch: fix nested key length validation in the set() action (bsc#1242762).

The following non-security bugs were fixed:

- Refresh fixes for cBPF issue (bsc#1242778)
- Remove debug flavor (bsc#1243919).
- Update metadata and put them into the sorted part of the series
- arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs (bsc#1242778).
- arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users (bsc#1242778).
- arm64: insn: Add support for encoding DSB (bsc#1242778).
- arm64: proton-pack: Add new CPUs 'k' values for branch mitigation (bsc#1242778).
- arm64: proton-pack: Expose whether the branchy loop k value (bsc#1242778).
- arm64: proton-pack: Expose whether the platform is mitigated by firmware (bsc#1242778).
- hv: Allow vmbus_sendpacket_mpb_desc() to create multiple ranges (bsc#1243737).
- hv_netvsc: Preserve contiguous PFN grouping in the page buffer array (bsc#1243737).
- hv_netvsc: Remove rmsg_pgcnt (bsc#1243737).
- hv_netvsc: Use vmbus_sendpacket_mpb_desc() to send VMBus messages (bsc#1243737).
- mtd: phram: Add the kernel lock down check (bsc#1232649).
- ocfs2: fix the issue with discontiguous allocation in the global_bitmap (git-fixes).
- powerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW (bsc#1218470 ltc#204531).
- scsi: core: Fix unremoved procfs host directory regression (git-fixes).
- scsi: storvsc: Set correct data length for sending SCSI command without payload (git-fixes).
- x86/bhi: Do not set BHI_DIS_S in 32-bit mode (bsc#1242778).
- x86/bpf: Add IBHF call at end of classic BPF (bsc#1242778).
- x86/bpf: Call branch history clearing sequence on exit (bsc#1242778).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2278-1
Released: Thu Jul 10 18:02:28 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372
This update for libssh fixes the following issues:

- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-5372: Fixed ssh_kdf() returns a success code on certain failures (bsc#1245314).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2288-1
Released: Fri Jul 11 11:27:10 2025
Summary: Recommended update for python-azure-agent
Type: recommended
Severity: important
References: 1240385,1244933
This update for python-azure-agent fixes the following issues:

- Set AutoUpdate.UpdateToLatestVersion=n in /etc/waagent.conf (bsc#1244933)
- Fix %suse_version conditional in spec file so package is built using python2 in SLE 12 (bsc#1240385)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2289-1
Released: Fri Jul 11 13:12:28 2025
Summary: Security update for docker
Type: security
Severity: moderate
References: 1239765,1240150,1241830,1242114,1243833,1244035,CVE-2025-0495,CVE-2025-22872
This update for docker fixes the following issues:

Update to Docker 28.2.2-ce (bsc#1243833, bsc#1242114):

- CVE-2025-0495: Fixed credential leakage to telemetry endpoints when credentials are allowed to be set as attribute values in cache-to/cache-from configuration (bsc#1239765).
- CVE-2025-22872: golang.org/x/net/html: incorrectly interpreted tags can cause content to be placed in the wrong scope during DOM construction (bsc#1241830).

Other fixes:

- Update to docker-buildx v0.22.0.
- Always clear SUSEConnect suse_* secrets when starting containers (bsc#1244035).
- Disable transparent SUSEConnect support for SLE-16. (jsc#PED-12534)
- Now that the only blocker for docker-buildx support was removed for SLE-16, enable docker-buildx for SLE-16 as well. (jsc#PED-8905)
- SUSEConnect secrets fails in SLES rootless docker containers (bsc#1240150).

----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2326-1 Released: Wed Jul 16 08:37:51 2025 Summary: Security update for xen Type: security Severity: important References: 1027519,1234282,1238043,1238896,1243117,1244644,1246112,CVE-2024-28956,CVE-2024-36350,CVE-2024-36357,CVE-2024-53241,CVE-2025-1713,CVE-2025-27465 This update for xen fixes the following issues: Security fixes: - CVE-2024-28956: Fixed Intel CPU: Indirect Target Selection (ITS) (XSA-469) (bsc#1243117) - CVE-2024-53241: Fixed Xen hypercall page unsafe against speculative attacks (XSA-466) (bsc#1234282) - CVE-2025-1713: Fixed deadlock potential with VT-d and legacy PCI device pass-through (XSA-467) (bsc#1238043) - CVE-2024-36350, CVE-2024-36357: More AMD transient execution attacks (bsc#1246112, XSA-471) - CVE-2025-27465: Incorrect stubs exception handling for flags recovery (bsc#1244644, XSA-470) Other fixes: - Upstream bug fixes (bsc#1027519) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2355-1 Released: Thu Jul 17 15:02:29 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1244554,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170 This update for libxml2 fixes the following issues: - CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554) - CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557) - CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700) - CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. 
(bsc#1244590) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2375-1 Released: Fri Jul 18 15:16:14 2025 Summary: Security update for glib2 Type: security Severity: moderate References: 1242844,CVE-2025-4373 This update for glib2 fixes the following issues: - CVE-2025-4373: integer overflow in the `g_string_insert_unichar()` function can lead to buffer underwrite and memory corruption (bsc#1242844). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2384-1 Released: Fri Jul 18 18:45:53 2025 Summary: Security update for jq Type: security Severity: moderate References: 1243450,CVE-2024-23337 This update for jq fixes the following issues: - CVE-2024-23337: Fixed signed integer overflow in jv.c:jvp_array_write (bsc#1243450). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2431-1 Released: Mon Jul 21 13:23:37 2025 Summary: Security update for iputils Type: security Severity: moderate References: 1243772,CVE-2025-48964 This update for iputils fixes the following issues: - CVE-2025-48964: Fixed integer overflow in ping statistics via zero timestamp (bsc#1243772). 
The following package changes have been done: - aaa_base-84.87+git20180409.04c9dae-150300.10.28.2 updated - apparmor-abstractions-3.0.4-150400.5.18.1 updated - apparmor-parser-3.0.4-150400.5.18.1 updated - bash-sh-4.4-150400.27.3.2 updated - bash-4.4-150400.27.3.2 updated - bind-utils-9.16.50-150400.5.46.1 updated - ca-certificates-mozilla-2.74-150200.41.1 updated - cifs-utils-6.15-150400.3.15.1 updated - cloud-init-config-suse-23.3-150100.8.85.4 updated - cloud-init-23.3-150100.8.85.4 updated - cloud-netconfig-azure-1.15-150000.25.26.1 added - containerd-ctr-1.7.27-150000.123.1 updated - containerd-1.7.27-150000.123.1 updated - coreutils-8.32-150400.9.9.1 updated - crypto-policies-20210917.c9d86d1-150400.3.8.1 updated - curl-8.0.1-150400.5.62.1 updated - dhcp-client-4.3.6.P1-150000.6.22.1 updated - dhcp-4.3.6.P1-150000.6.22.1 updated - docker-28.2.2_ce-150000.227.1 updated - e2fsprogs-1.46.4-150400.3.9.2 updated - findutils-4.8.0-150300.3.3.2 updated - glibc-locale-base-2.31-150300.95.1 updated - glibc-locale-2.31-150300.95.1 updated - glibc-2.31-150300.95.1 updated - grub2-i386-pc-2.06-150400.11.60.1 updated - grub2-x86_64-efi-2.06-150400.11.60.1 updated - grub2-2.06-150400.11.60.1 updated - haveged-1.9.14-150400.3.8.1 updated - hwdata-0.394-150000.3.77.2 updated - hwinfo-21.88-150400.3.18.1 updated - iproute2-5.14-150400.3.3.1 updated - iputils-20211215-150400.3.22.1 updated - jq-1.6-150000.3.6.1 updated - kbd-legacy-2.4.0-150400.5.9.1 updated - kbd-2.4.0-150400.5.9.1 updated - kernel-default-5.14.21-150400.24.167.1 updated - krb5-1.19.2-150400.3.15.1 updated - libapparmor1-3.0.4-150400.5.18.1 updated - libaugeas0-1.12.0-150400.3.8.1 updated - libavahi-client3-0.8-150400.7.20.1 updated - libavahi-common3-0.8-150400.7.20.1 updated - libblkid1-2.37.2-150400.8.35.2 updated - libcom_err2-1.46.4-150400.3.9.2 updated - libcryptsetup12-2.4.3-150400.3.6.2 updated - libcurl4-8.0.1-150400.5.62.1 updated - libexpat1-2.7.1-150400.3.28.1 updated - 
libext2fs2-1.46.4-150400.3.9.2 updated - libfdisk1-2.37.2-150400.8.35.2 updated - libfreetype6-2.10.4-150000.4.22.1 updated - libgcc_s1-14.2.0+git10526-150000.1.6.1 updated - libglib-2_0-0-2.70.5-150400.3.23.1 updated - libgnutls30-3.7.3-150400.4.47.1 updated - libhavege2-1.9.14-150400.3.8.1 updated - libjq1-1.6-150000.3.6.1 updated - libmount1-2.37.2-150400.8.35.2 updated - libncurses6-6.1-150000.5.30.1 updated - libopeniscsiusr0_2_0-2.1.7-150400.39.14.1 updated - libopenssl1_1-1.1.1l-150400.7.78.1 updated - libpcap1-1.10.1-150400.3.6.2 updated - libprocps8-3.3.17-150000.7.42.1 updated - libpython3_6m1_0-3.6.15-150300.10.84.1 updated - librdkafka1-0.11.6-150000.1.11.1 updated - libreadline7-7.0-150400.27.3.2 updated - libsmartcols1-2.37.2-150400.8.35.2 updated - libsolv-tools-base-0.7.32-150400.3.35.1 updated - libsolv-tools-0.7.32-150400.3.35.1 updated - libsqlite3-0-3.49.1-150000.3.27.1 updated - libssh-config-0.9.8-150400.3.9.1 updated - libssh4-0.9.8-150400.3.9.1 updated - libstdc++6-14.2.0+git10526-150000.1.6.1 updated - libsystemd0-249.17-150400.8.46.1 updated - libtasn1-6-4.13-150000.4.11.1 updated - libtasn1-4.13-150000.4.11.1 updated - libudev1-249.17-150400.8.46.1 updated - libuuid1-2.37.2-150400.8.35.2 updated - libxml2-2-2.9.14-150400.5.44.1 updated - libzypp-17.37.5-150400.3.126.1 updated - login_defs-4.8.1-150400.10.24.1 updated - logrotate-3.18.1-150400.3.10.1 updated - microsoft-dracut-config-0.0.4-150300.7.9.2 added - ncurses-utils-6.1-150000.5.30.1 updated - open-iscsi-2.1.7-150400.39.14.1 updated - openssh-clients-8.4p1-150300.3.49.1 updated - openssh-common-8.4p1-150300.3.49.1 updated - openssh-server-8.4p1-150300.3.49.1 updated - openssh-8.4p1-150300.3.49.1 updated - openssl-1_1-1.1.1l-150400.7.78.1 updated - pam-config-1.1-150200.3.14.1 updated - pam-1.3.0-150000.6.83.1 updated - perl-base-5.26.1-150300.17.20.1 updated - perl-5.26.1-150300.17.20.1 updated - procps-3.3.17-150000.7.42.1 updated - 
python-azure-agent-config-server-2.12.0.4-150100.3.50.1 updated - python-azure-agent-2.12.0.4-150100.3.50.1 updated - python3-Jinja2-2.10.1-150000.3.21.1 updated - python3-base-3.6.15-150300.10.84.1 updated - python3-bind-9.16.50-150400.5.46.1 updated - python3-requests-2.25.1-150300.3.15.1 updated - python3-setuptools-44.1.1-150400.9.12.1 updated - python3-3.6.15-150300.10.84.1 updated - rsyslog-module-relp-8.2306.0-150400.5.33.1 updated - rsyslog-8.2306.0-150400.5.33.1 updated - runc-1.2.6-150000.73.2 updated - shadow-4.8.1-150400.10.24.1 updated - shim-15.8-150300.4.23.1 updated - socat-1.8.0.0-150400.14.6.1 updated - sudo-1.9.9-150400.4.39.1 updated - supportutils-3.2.10-150300.7.35.36.4 updated - suse-build-key-12.0-150000.8.58.1 updated - suseconnect-ng-1.13.0-150400.3.42.1 updated - systemd-sysvinit-249.17-150400.8.46.1 updated - systemd-249.17-150400.8.46.1 updated - terminfo-base-6.1-150000.5.30.1 updated - terminfo-6.1-150000.5.30.1 updated - timezone-2025b-150000.75.34.2 updated - udev-249.17-150400.8.46.1 updated - util-linux-systemd-2.37.2-150400.8.35.2 updated - util-linux-2.37.2-150400.8.35.2 updated - vim-data-common-9.1.1406-150000.5.75.1 updated - vim-9.1.1406-150000.5.75.1 updated - wget-1.20.3-150000.3.29.1 updated - wicked-service-0.6.77-150400.3.36.1 updated - wicked-0.6.77-150400.3.36.1 updated - xen-libs-4.16.7_02-150400.4.72.1 updated - xxd-9.1.1406-150000.5.75.1 added - zypper-1.14.90-150400.3.85.3 updated - libxslt1-1.1.34-150400.3.3.1 removed - python-instance-billing-flavor-check-0.0.6-150400.1.11.7 removed - python3-cssselect-1.0.3-150400.3.7.4 removed - python3-lxml-4.7.1-150200.3.12.1 removed From sle-container-updates at lists.suse.com Wed Jul 23 20:18:33 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 23 Jul 2025 22:18:33 +0200 (CEST) Subject: SUSE-CU-2025:5625-1: Security update of suse/manager/5.0/x86_64/server-attestation Message-ID: 
<20250723201833.EB580FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/5.0/x86_64/server-attestation ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5625-1 Container Tags : suse/manager/5.0/x86_64/server-attestation:5.0.5 , suse/manager/5.0/x86_64/server-attestation:5.0.5.6.23.1 , suse/manager/5.0/x86_64/server-attestation:latest Container Release : 6.23.1 Severity : critical Type : security References : 1029961 1081723 1081723 1092100 1121753 1158830 1158830 1158830 1181475 1181976 1185417 1195468 1206412 1206798 1209122 1209122 1214290 1214290 1220338 1220893 1220895 1220896 1221107 1224113 1224113 1225936 1225939 1225941 1225942 1226414 1226415 1228091 1228223 1228809 1229228 1229518 1231048 1232227 1232844 1233752 1234015 1234015 1234313 1234765 1236177 1236643 1236842 1236886 1237496 1241605 1242827 1242844 1242938 1243259 1243767 1243935 1244596 CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126 CVE-2023-4016 CVE-2023-4016 CVE-2024-2236 CVE-2025-4373 CVE-2025-4598 CVE-2025-5278 CVE-2025-6052 ----------------------------------------------------------------- The container suse/manager/5.0/x86_64/server-attestation was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2730-1 Released: Mon Oct 21 16:04:57 2019 Summary: Security update for procps Type: security Severity: important References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 This update for procps fixes the following issues: procps was updated to 3.3.15. (bsc#1092100) Following security issues were fixed: - CVE-2018-1122: Prevent local privilege escalation in top. 
If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). Also this non-security issue was fixed: - Fix CPU summary showing old data. 
(bsc#1121753) The update to 3.3.15 contains the following fixes: * library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures * library: Just check for SIGLOST and don't delete it * library: Fix integer overflow and LPE in file2strvec CVE-2018-1124 * library: Use size_t for alloc functions CVE-2018-1126 * library: Increase comm size to 64 * pgrep: Fix stack-based buffer overflow CVE-2018-1125 * pgrep: Remove >15 warning as comm can be longer * ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123 * ps: Increase command name selection field to 64 * top: Don't use cwd for location of config CVE-2018-1122 * update translations * library: build on non-glibc systems * free: fix scaling on 32-bit systems * Revert 'Support running with child namespaces' * library: Increment to 7:0:1 No changes, no removals New functions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler * doc: Document I idle state in ps.1 and top.1 * free: fix some of the SI multiples * kill: -l space between name parses correctly * library: dont use vm_min_free on non Linux * library: don't strip off wchan prefixes (ps & top) * pgrep: warn about 15+ char name only if -f not used * pgrep/pkill: only match in same namespace by default * pidof: specify separator between pids * pkill: Return 0 only if we can kill process * pmap: fix duplicate output line under '-x' option * ps: avoid eip/esp address truncations * ps: recognizes SCHED_DEADLINE as valid CPU scheduler * ps: display NUMA node under which a thread ran * ps: Add seconds display for cputime and time * ps: Add LUID field * sysctl: Permit empty string for value * sysctl: Don't segv when file not available * sysctl: Read and write large buffers * top: add config file support for XDG specification * top: eliminated minor libnuma memory leak * top: show fewer memory decimal places (configurable) * top: provide command line switch for memory scaling * top: provide command line switch 
for CPU States * top: provides more accurate cpu usage at startup * top: display NUMA node under which a thread ran * top: fix argument parsing quirk resulting in SEGV * top: delay interval accepts non-locale radix point * top: address a wishlist man page NLS suggestion * top: fix potential distortion in 'Mem' graph display * top: provide proper multi-byte string handling * top: startup defaults are fully customizable * watch: define HOST_NAME_MAX where not defined * vmstat: Fix alignment for disk partition format * watch: Support ANSI 39,49 reset sequences ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:225-1 Released: Fri Jan 24 06:49:07 2020 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1158830 This update for procps fixes the following issues: - Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2958-1 Released: Tue Oct 20 12:24:55 2020 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1158830 This update for procps fixes the following issues: - Fixes an issue when command 'ps -C' does not allow anymore an argument longer than 15 characters. 
(bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1169-1 Released: Tue Apr 13 15:01:42 2021 Summary: Recommended update for procps Type: recommended Severity: low References: 1181976 This update for procps fixes the following issues: - Corrected a statement in the man page about processor pinning via taskset (bsc#1181976) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1549-1 Released: Mon May 10 13:48:00 2021 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1185417 This update for procps fixes the following issues: - Support up to 2048 CPU as well. (bsc#1185417) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:808-1 Released: Fri Mar 11 06:07:58 2022 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1195468 This update for procps fixes the following issues: - Stop registering signal handler for SIGURG, to avoid `ps` failure if someone sends such signal. Without the signal handler, SIGURG will just be ignored. 
(bsc#1195468) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2944-1 Released: Wed Aug 31 05:39:14 2022 Summary: Recommended update for procps Type: recommended Severity: important References: 1181475 This update for procps fixes the following issues: - Fix 'free' command reporting misleading 'used' value (bsc#1181475) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:181-1 Released: Thu Jan 26 21:55:43 2023 Summary: Recommended update for procps Type: recommended Severity: low References: 1206412 This update for procps fixes the following issues: - Improve memory handling/usage (bsc#1206412) - Make sure that correct library version is installed (bsc#1206412) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2104-1 Released: Thu May 4 21:05:30 2023 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1209122 This update for procps fixes the following issue: - Allow - as leading character to ignore possible errors on sysctl entries (bsc#1209122) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3472-1 Released: Tue Aug 29 10:55:16 2023 Summary: Security update for procps Type: security Severity: low References: 1214290,CVE-2023-4016 This update for procps fixes the following issues: - CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:11-1 Released: Tue Jan 2 13:24:52 2024 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1029961,1158830,1206798,1209122 This update for procps fixes the following issues: - Update procps to 3.3.17 (jsc#PED-3244 jsc#PED-6369) - For support up to 2048 CPU as well (bsc#1185417) - Allow `-` 
as leading character to ignore possible errors on sysctl entries (bsc#1209122) - Get the first CPU summary correct (bsc#1121753) - Enable pidof for SLE-15 as this is provided by sysvinit-tools - Use a check on syscall __NR_pidfd_open to decide if the pwait tool and its manual page will be build - Do not truncate output of w with option -n - Prefer logind over utmp (jsc#PED-3144) - Don't install translated man pages for non-installed binaries (uptime, kill). - Fix directory for Ukrainian man pages translations. - Move localized man pages to lang package. - Update to procps-ng-3.3.17 * library: Incremented to 8:3:0 (no removals or additions, internal changes only) * all: properly handle utf8 cmdline translations * kill: Pass int to signalled process * pgrep: Pass int to signalled process * pgrep: Check sanity of SG_ARG_MAX * pgrep: Add older than selection * pidof: Quiet mode * pidof: show worker threads * ps.1: Mention stime alias * ps: check also match on truncated 16 char comm names * ps: Add exe output option * ps: A lot more sorting available * pwait: New command waits for a process * sysctl: Match systemd directory order * sysctl: Document directory order * top: ensure config file backward compatibility * top: add command line 'e' for symmetry with 'E' * top: add '4' toggle for two abreast cpu display * top: add '!' toggle for combining multiple cpus * top: fix potential SEGV involving -p switch * vmstat: Wide mode gives wider proc columns * watch: Add environment variable for interval * watch: Add no linewrap option * watch: Support more colors * free,uptime,slabtop: complain about extra ops - Package translations in procps-lang. - Fix pgrep: cannot allocate 4611686018427387903 bytes when ulimit -s is unlimited. - Enable pidof by default - Update to procps-ng-3.3.16 * library: Increment to 8:2:0 No removals or functions Internal changes only, so revision is incremented. 
Previous version should have been 8:1:0 not 8:0:1 * docs: Use correct symbols for -h option in free.1 * docs: ps.1 now warns about command name length * docs: install translated man pages * pgrep: Match on runstate * snice: Fix matching on pid * top: can now exploit 256-color terminals * top: preserves 'other filters' in configuration file * top: can now collapse/expand forest view children * top: parent %CPU time includes collapsed children * top: improve xterm support for vim navigation keys * top: avoid segmentation fault at program termination * 'ps -C' does not allow anymore an argument longer than 15 characters (bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:2239-1 Released: Wed Jun 26 13:09:10 2024 Summary: Recommended update for systemd Type: recommended Severity: critical References: 1226415 This update for systemd contains the following fixes: - testsuite: move a misplaced %endif - Do not remove existing configuration files in /etc. If these files were modified on the systemd, that may cause unwanted side effects (bsc#1226415). - Import upstream commit (merge of v254.13) Use the pty slave fd opened from the namespace when transient service is running in a container. This revert the backport of the broken commit until a fix is released in the v254-stable tree. - Import upstream commit (merge of v254.11) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/e8d77af4240894da620de74fbc7823aaaa448fef...85db84ee440eac202c4b5507e96e1704269179bc ----------------------------------------------------------------- Advisory ID: SUSE-OU-2024:2282-1 Released: Tue Jul 2 22:41:28 2024 Summary: Optional update for openscap, scap-security-guide Type: optional Severity: moderate References: This update for scap-security-guide and openscap provides the SCAP tooling for SLE Micro 5.3, 5.4, 5.5. This includes shipping openscap dependencies libxmlsec1-1 and libxmlsec1-openssl for SLE Micro. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:2641-1 Released: Tue Jul 30 09:29:36 2024 Summary: Recommended update for systemd Type: recommended Severity: moderate References: This update for systemd fixes the following issues: systemd was updated from version 254.13 to version 254.15: - Changes in version 254.15: * boot: cover for hardware keys on phones/tablets * Conditional PSI check to reflect changes done in 5.13 * core/dbus-manager: refuse SoftReboot() for user managers * core/exec-invoke: reopen OpenFile= fds with O_NOCTTY * core/exec-invoke: use sched_setattr instead of sched_setscheduler * core/unit: follow merged units before updating SourcePath= timestamp too * coredump: correctly take tmpfs size into account for compression * cryptsetup: improve TPM2 blob display * docs: Add section to HACKING.md on distribution packages * docs: fixed dead link to GNOME documentation * docs/CODING_STYLE: document that we nowadays prefer (const char*) for func ret type * Fixed typo in CAP_BPF description * LICENSES/README: expand text to summarize state for binaries and libs * man: fully adopt ~/.local/state/ * man/systemd.exec: list inaccessible files for ProtectKernelTunables * man/tmpfiles: remove outdated behavior regarding symlink ownership * meson: bpf: propagate 'sysroot' for cross compilation * meson: Define __TARGET_ARCH macros required by bpf * mkfs-util: Set sector size for btrfs as well * mkosi: drop CentOS 8 from CI * mkosi: Enable hyperscale-packages-experimental for CentOS * mountpoint-util: do not assume symlinks are not mountpoints * os-util: avoid matching on the wrong extension-release file * README: add missing CONFIG_MEMCG kernel config option for oomd * README: update requirements for signed dm-verity * resolved: allow the full TTL to be used by OPT records * resolved: correct parsing of OPT extended RCODEs * sysusers: handle NSS errors gracefully * TEST-58-REPART: reverse order of diff args * 
TEST-64-UDEV-STORAGE: Make nvme_subsystem expected pci symlinks more generic * test: fixed TEST-24-CRYPTSETUP on SUSE * test: install /etc/hosts * Use consistent spelling of systemd.condition_first_boot argument * util: make file_read() 64bit offset safe * vmm: make sure we can handle smbios objects without variable part - Changes in version 254.14: * analyze: show pcrs also in sha384 bank * chase: Tighten '.' and './' check * core/service: fixed accept-socket deserialization * efi-api: check /sys/class/tpm/tpm0/tpm_version_major, too * executor: check for all permission related errnos when setting up IPC namespace * install: allow removing symlinks even for units that are gone * json: use secure un{base64,hex}mem for sensitive variants * man,units: drop 'temporary' from description of systemd-tmpfiles * missing_loop.h: fixed LOOP_SET_STATUS_SETTABLE_FLAGS * repart: fixed memory leak * repart: Use CRYPT_ACTIVATE_PRIVATE * resolved: permit dnssec rrtype questions when we aren't validating * rules: Limit the number of device units generated for serial ttys * run: do not pass the pty slave fd to transient service in a machine * sd-dhcp-server: clear buffer before receive * strbuf: use GREEDY_REALLOC to grow the buffer ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3512-1 Released: Wed Oct 2 18:14:56 2024 Summary: Recommended update for systemd Type: recommended Severity: important References: 1226414,1228091,1228223,1228809,1229518 This update for systemd fixes the following issues: - Determine the effective user limits in a systemd setup (jsc#PED-5659) - Don't try to restart the udev socket units anymore. (bsc#1228809). - Add systemd.rules rework (bsc#1229518). - Don't mention any rpm macros inside comments, even if escaped (bsc#1228091). - upstream commit (bsc#1226414). - Make the 32bit version of libudev.so available again (bsc#1228223). 
- policykit-1 renamed to polkitd ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:4337-1 Released: Tue Dec 17 08:17:39 2024 Summary: Recommended update for systemd Type: recommended Severity: important References: 1231048,1232844 This update for systemd fixes the following issues: - udev: skipping empty udev rules file while collecting the stats (bsc#1232844) - Clean up some remnants from when homed was in the experimental sub-package (bsc#1231048) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:10-1 Released: Fri Jan 3 14:53:56 2025 Summary: Recommended update for systemd Type: recommended Severity: important References: 1220338,1232227,1234015 This update for systemd fixes the following issues: - Drop support for efivar SystemdOptions (bsc#1220338) - pid1: make clear that $WATCHDOG_USEC is set for the shutdown binary (bsc#1232227) - udev: allow/denylist for reading sysfs attributes when composing a NIC name (bsc#1234015) - udev: add new builtin net_driver - udev-builtin-net_id: split-out pci_get_onboard_index() from dev_pci_onboard() - udev-builtin-net_id: split-out get_pci_slot_specifiers() - udev-builtin-net_id: introduce get_port_specifier() helper function - udev-builtin-net_id: split out get_dev_port() and make its failure critical - udev-builtin-net_id: split-out pci_get_hotplug_slot() and pci_get_hotplug_slot_from_address() - udev-builtin-net_id: return earlier when hotplug slot is not found - udev-builtin-net_id: skip non-directory entry earlier - udev-builtin-net_id: make names_xen() self-contained - udev-builtin-net_id: use sd_device_get_sysnum() to get index of netdevsim - udev-builtin-net_id: make names_netdevsim() self-contained - udev-builtin-net_id: make names_platform() self-contained - udev-builtin-net_id: make names_vio() self-contained - udev-builtin-net_id: make names_ccw() self-contained - udev-builtin-net_id: make dev_devicetree_onboard() self-contained - 
udev-builtin-net_id: make names_mac() self-contained - udev-builtin-net_id: split out get_ifname_prefix() - udev-builtin-net_id: swap arguments for streq() and friends - udev-builtin-net_id: drop unused value from NetNameType ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:547-1 Released: Fri Feb 14 08:26:30 2025 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1229228,1233752,1234313,1234765 This update for systemd fixes the following issues: - Fix agetty failing to open credentials directory (bsc#1229228) - stdio-bridge: fix polled fds - hwdb: comment out the entry for Logitech MX Keys for Mac - core/unit-serialize: fix serialization of markers - locale-setup: do not load locale from environment when /etc/locale.conf is unchanged - core: fix assert when AddDependencyUnitFiles is called with invalid parameter - Fix systemd-network recommending libidn2-devel (bsc#1234765) - tpm2-util: also retry unsealing after policy_pcr returns PCR_CHANGED (bsc#1233752 bsc#1234313) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:741-1 Released: Fri Feb 28 11:15:50 2025 Summary: Security update for procps Type: security Severity: important References: 1214290,1236842,CVE-2023-4016 This update for procps fixes the following issues: - Integer overflow due to incomplete fix for CVE-2023-4016 can lead to segmentation fault in ps command when pid argument has a leading space (bsc#1236842, bsc#1214290). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:915-1 Released: Wed Mar 19 08:04:05 2025 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1220893,1220895,1220896,1225936,1225939,1225941,1225942 This update for libgcrypt fixes the following issues: - FIPS: Differentiate non-compliant flags in the SLI [bsc#1225939] - FIPS: Implement KAT for non-deterministic ECDSA [bsc#1225939] - FIPS: Disable setting the library in non-FIPS mode [bsc#1220893] - FIPS: Disallow rsa < 2048 [bsc#1225941] * Mark RSA operations with keysize < 2048 as non-approved in the SLI - FIPS: Service level indicator for libgcrypt [bsc#1225939] - FIPS: Consider deprecate sha1 [bsc#1225942] * In FIPS 180-5 revision, NIST announced EOL for SHA-1 and will transition at the end of 2030. Mark SHA1 as non-approved in SLI. - FIPS: Unnecessary RSA KAT Encryption/Decryption [bsc#1225936] * cipher: Do not run RSA encryption selftest by default - FIPS: Make sure that Libgcrypt makes use of the built-in Jitter RNG for the whole length entropy buffer in FIPS mode. [bsc#1220893] - FIPS: Set the FSM into error state if Jitter RNG is returning an error code to the caller when an health test error occurs when random bytes are requested through the jent_read_entropy_safe() function. 
[bsc#1220895] - FIPS: Replace the built-in jitter rng with standalone version * Remove the internal jitterentropy copy [bsc#1220896] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1016-1 Released: Tue Mar 25 15:59:05 2025 Summary: Recommended update for systemd Type: recommended Severity: important References: 1234015,1236643,1236886 This update for systemd fixes the following issues: - udev: allow/denylist for reading sysfs attributes when composing a NIC name (bsc#1234015) - journald: close runtime journals before their parent directory removed - journald: reset runtime seqnum data when flushing to system journal (bsc#1236886) - Move systemd-userwork from the experimental sub-package to the main package (bsc#1236643) It is likely an oversight from when systemd-userdb was migrated from the experimental package to the main one. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1376-1 Released: Fri Apr 25 18:11:02 2025 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1241605 This update for libgcrypt fixes the following issues: - FIPS: Pad PKCS1.5 signatures with SHA3 correctly [bsc#1241605] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1739-1 Released: Thu May 29 11:40:51 2025 Summary: Recommended update for systemd Type: recommended Severity: important References: 1236177,1237496,1242938,1243259 This update for systemd fixes the following issues: - Add missing 'systemd-journal-remote' package to 15-SP7 (bsc#1243259) - umount: do not move busy network mounts (bsc#1236177) - Apply coredump sysctl settings on systemd-coredump updates/removals. - Fix the issue with journalctl not working for users in Container UID range (bsc#1242938) Don't write messages sent from users with UID falling into the container UID range to the system journal. 
Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. - man/pstore.conf: pstore.conf template is not always installed in /etc - man: coredump.conf template is not always installed in /etc (bsc#1237496) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2167-1 Released: Mon Jun 30 09:14:40 2025 Summary: Security update for glib2 Type: security Severity: important References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596). - CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2237-1 Released: Mon Jul 7 14:59:13 2025 Summary: Recommended update for openssl-3 Type: recommended Severity: moderate References: This update for openssl-3 fixes the following issues: - Backport mdless cms signing support [jsc#PED-12895] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2244-1 Released: Tue Jul 8 10:44:02 2025 Summary: Security update for systemd Type: security Severity: moderate References: 1242827,1243935,CVE-2025-4598 This update for systemd fixes the following issues: - CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935). Other bugfixes: - logs-show: get timestamp and boot ID only when necessary (bsc#1242827). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2274-1 Released: Thu Jul 10 14:35:40 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * bmo#1965754 Update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * bmo#1951396 Update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME "trust bit"
for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need up update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert "Extract testcases from ssl gtests for fuzzing" * Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA -
G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed Updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz on 32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. 
* Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * bmo#1927096 Update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constructed buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI. * Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target.
Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not empty be on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS. 
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible. Use key from openssl (bsc#1081723) - Exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * various build, test and automation script fixes * major parts of the source code were reformatted ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2323-1 Released: Wed Jul 16 04:07:18 2025 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1081723,1224113 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.112: * Fix alias for mac workers on try * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault * ABI/API break in ssl certificate processing * remove unnecessary assertion in sec_asn1d_init_state_based_on_template * update taskgraph to v14.2.1 * Workflow for automation of the release on GitHub when pushing a tag * fix faulty assertions in SEC_ASN1DecoderUpdate * Renegotiations should use a fresh ECH GREASE buffer * update taskgraph to v14.1.1 * Partial fix for ACVP build CI job * Initialize find in sftk_searchDatabase * Add clang-18 to extra builds * Fault tolerant git fetch for fuzzing * Tolerate intermittent failures in ssl_policy_pkix_ocsp * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls * Remove Cryptofuzz CI version check Update to NSS 3.111: * FIPS changes need to be upstreamed: force ems policy * Turn off Websites Trust Bit from CAs * Update nssckbi version following April 2025 Batch of Changes * Disable SMIME "trust bit"
for GoDaddy CAs * Replaced deprecated sprintf function with snprintf in dbtool.c * Need up update NSS for PKCS 3.1 * avoid leaking localCert if it is already set in ssl3_FillInCachedSID * Decrease ASAN quarantine size for Cryptofuzz in CI * selfserv: Add support for zlib certificate compression Update to NSS 3.110: * FIPS changes need to be upstreamed: force ems policy * Prevent excess allocations in sslBuffer_Grow * Remove Crl templates from ASN1 fuzz target * Remove CERT_CrlTemplate from ASN1 fuzz target * Fix memory leak in NSS_CMSMessage_IsSigned * NSS policy updates * Improve locking in nssPKIObject_GetInstances * Fix race in sdb_GetMetaData * Fix member access within null pointer * Increase smime fuzzer memory limit * Enable resumption when using custom extensions * change CN of server12 test certificate * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * Part 1: Fix smime UBSan errors * FIPS changes need to be upstreamed: updated key checks * Don't build libpkix in static builds * handle `-p all` in try syntax * fix opt-make builds to actually be opt * fix opt-static builds to actually be opt * Remove extraneous assert Update to NSS 3.109: * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available * NSS policy updates - fix inaccurate key policy issues * SMIME fuzz target * ASN1 decoder fuzz target * Part 2: Revert "Extract testcases from ssl gtests for fuzzing" * Add fuzz/README.md * Part 4: Fix tstclnt arguments script * Extend pkcs7 fuzz target * Extend certDN fuzz target * revert changes to HACL* files from bug 1866841 * Part 3: Package frida corpus script Update to NSS 3.108: * libclang-16 -> libclang-19 * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1 * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2 * Remove SwissSign Silver CA -
G2 * Add D-Trust 2023 TLS Roots to NSS * fix fips test failure on windows * change default sensitivity of KEM keys * Part 1: Introduce frida hooks and script * add missing arm_neon.h include to gcm.c * ci: update windows workers to win2022 * strip trailing carriage returns in tools tests * work around unix/windows path translation issues in cert test script * ci: let the windows setup script work without $m * detect msys * add a specialized CTR_Update variant for AES-GCM * NSS policy updates * FIPS changes need to be upstreamed: FIPS 140-3 RNG * FIPS changes need to be upstreamed: Add SafeZero * FIPS changes need to be upstreamed - updated POST * Segmentation fault in SECITEM_Hash during pkcs12 processing * Extending NSS with LoadModuleFromFunction functionality * Ensure zero-initialization of collectArgs.cert * pkcs7 fuzz target use CERT_DestroyCertificate * Fix actual underlying ODR violations issue * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set * Fix memory leak in pkcs7 fuzz target * Set -O2 for ASan builds in CI * Change branch of tlsfuzzer dependency * Run tests in CI for ASan builds with detect_odr_violation=1 * Fix coverage failure in CI * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround * Part 3: Restructure fuzz/ * Extract testcases from ssl gtests for fuzzing * Force Cryptofuzz to use NSS in CI * Fix Cryptofuzz on 32 bit in CI * Update Cryptofuzz repository link * fix build error from 9505f79d * simplify error handling in get_token_objects_for_cache * nss doc: fix a warning * pkcs12 fixes from RHEL need to be picked up Update to NSS 3.107: * Remove MPI fuzz targets. * Remove globals `lockStatus` and `locksEverDisabled`. * Enable PKCS8 fuzz target. * Integrate Cryptofuzz in CI. 
* Part 2: Set tls server target socket options in config class * Part 1: Set tls client target socket options in config class * Support building with thread sanitizer. * set nssckbi version number to 2.72. * remove Websites Trust Bit from Entrust Root Certification Authority - G4. * remove Security Communication RootCA3 root cert. * remove SecureSign RootCA11 root cert. * Add distrust-after for TLS to Entrust Roots. * update expected error code in pk12util pbmac1 tests. * Use random tstclnt args with handshake collection script * Remove extraneous assert in ssl3gthr.c. * Adding missing release notes for NSS_3_105. * Enable the disabled mlkem tests for dtls. * NSS gtests filter cleans up the constructed buffer before the use. * Make ssl_SetDefaultsFromEnvironment thread-safe. * Remove short circuit test from ssl_Init. Update to NSS 3.106: * NSS 3.106 should be distributed with NSPR 4.36. * pk12util: improve error handling in p12U_ReadPKCS12File. * Correctly destroy bulkkey in error scenario. * PKCS7 fuzz target, r=djackson,nss-reviewers. * Extract certificates with handshake collection script. * Specify len_control for fuzz targets. * Fix memory leak in dumpCertificatePEM. * Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * add new error codes to mozilla::pkix for Firefox to use. * allow null phKey in NSC_DeriveKey. * Only create seed corpus zip from existing corpus. * Use explicit allowlist for KDF PRFS. * Increase optimization level for fuzz builds. * Remove incorrect assert. * Use libFuzzer options from fuzz/options/\*.options in CI. * Polish corpus collection for automation. * Detect new and unfuzzed SSL options. * PKCS12 fuzzing target.
Update to NSS 3.105: * Allow importing PKCS#8 private EC keys missing public key * UBSAN fix: applying zero offset to null pointer in sslsnce.c * set KRML_MUSTINLINE=inline in makefile builds * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * override default definition of KRML_MUSTINLINE * libssl support for mlkem768x25519 * support for ML-KEM-768 in softoken and pk11wrap * Add Libcrux implementation of ML-KEM 768 to FreeBL * Avoid misuse of ctype(3) functions * part 2: run clang-format * part 1: upgrade to clang-format 13 * clang-format fuzz * DTLS client message buffer may not empty be on retransmit * Optionally print config for TLS client and server fuzz target * Fix some simple documentation issues in NSS. * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN Update to NSS 3.104: * Copy original corpus to heap-allocated buffer * Fix min ssl version for DTLS client fuzzer * Remove OS2 support just like we did on NSPR * clang-format NSS improvements * Adding basicutil.h to use HexString2SECItem function * removing dirent.c from build * Allow handing in keymaterial to shlibsign to make the output reproducible * remove nec4.3, sunos4, riscos and SNI references * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix * remove mentions of WIN95 * remove mentions of WIN16 * More explicit directory naming * Add more options to TLS server fuzz target * Add more options to TLS client fuzz target * Use OSS-Fuzz corpus in NSS CI * set nssckbi version number to 2.70. * Remove Email Trust bit from ACCVRAIZ1 root cert. * Remove Email Trust bit from certSIGN ROOT CA. * Add Cybertrust Japan Roots to NSS. * Add Taiwan CA Roots to NSS. 
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber * Fix tstclnt CI build failure * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow * Enable all supported protocol versions for UDP * Actually use random PSK hash type * Initialize NSS DB once * Additional ECH cipher suites and PSK hash types * Automate corpus file generation for TLS client Fuzzer * Fix crash with UNSAFE_FUZZER_MODE * clang-format shlibsign.c Update to NSS 3.103: * move list size check after lock acquisition in sftk_PutObjectToList. * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH, * Follow-up to fix test for presence of file nspr.patch. * Adjust libFuzzer size limits * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk * Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION - Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files) - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113). Update to NSS 3.102.1: * ChaChaXor to return after the function Update to NSS 3.102: * Add Valgrind annotations to freebl Chacha20-Poly1305. * missing sqlite header. * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. * correct length of raw SPKI data before printing in pp utility. - Make NSS-build reproducible Use key from openssl (bsc#1081723) - FIPS: exclude the SHA-1 hash from SLI approval. 
mozilla-nspr was updated to version 4.36: * renamed the prwin16.h header to prwin.h * configure was updated from 2.69 to 2.71 * various build, test and automation script fixes * major parts of the source code were reformatted ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2362-1 Released: Fri Jul 18 11:07:24 2025 Summary: Security update for coreutils Type: security Severity: moderate References: 1243767,CVE-2025-5278 This update for coreutils fixes the following issues: - CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2447-1 Released: Mon Jul 21 16:45:25 2025 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1221107,CVE-2024-2236 This update for libgcrypt fixes the following issues: - CVE-2024-2236: Fixed timing based side-channel in RSA implementation. (bsc#1221107) The following package changes have been done: - libzstd1-1.5.5-150600.1.3 added - libgpg-error0-1.47-150600.1.3 added - coreutils-8.32-150400.9.9.1 updated - mozilla-nspr-4.36-150000.3.32.1 updated - libopenssl-3-fips-provider-3.1.4-150600.5.33.1 updated - openssl-3-3.1.4-150600.5.33.1 updated - libgcrypt20-1.10.3-150600.3.9.1 added - liblz4-1-1.9.4-150600.1.4 added - libglib-2_0-0-2.78.6-150600.4.16.1 updated - libopenssl3-3.1.4-150600.5.33.1 updated - libfreebl3-3.112-150400.3.57.1 updated - libsystemd0-254.25-150600.4.40.1 added - mozilla-nss-certs-3.112-150400.3.57.1 updated - libprocps8-3.3.17-150000.7.42.1 added - mozilla-nss-3.112-150400.3.57.1 updated - libsoftokn3-3.112-150400.3.57.1 updated - procps-3.3.17-150000.7.42.1 added From sle-container-updates at lists.suse.com Wed Jul 23 20:18:49 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 23 Jul 2025 22:18:49 +0200 (CEST) Subject: SUSE-CU-2025:5627-1: Security update 
of suse/manager/5.0/x86_64/server Message-ID: <20250723201849.323CCFCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/5.0/x86_64/server ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5627-1 Container Tags : suse/manager/5.0/x86_64/server:5.0.5 , suse/manager/5.0/x86_64/server:5.0.5.7.30.1 , suse/manager/5.0/x86_64/server:latest Container Release : 7.30.1 Severity : critical Type : security References : 1081723 1081723 1157520 1161007 1167603 1193951 1221107 1224113 1224113 1228776 1229655 1229825 1230282 1230403 1230908 1233371 1234608 1235847 1236565 1236621 1236779 1236877 1236910 1236931 1237294 1237710 1237770 1237938 1238173 1238320 1238514 1238827 1238922 1239119 1239154 1239558 1239559 1239602 1239604 1239621 1239743 1239744 1239747 1239801 1239817 1239826 1239868 1239903 1239907 1240010 1240023 1240038 1240050 1240076 1240124 1240131 1240160 1240386 1240604 1240635 1240666 1240901 1240984 1241034 1241094 1241239 1241286 1241455 1241490 1241667 1241880 1242004 1242010 1242030 1242135 1242148 1242561 1242722 1242827 1242844 1242916 1243226 1243239 1243241 1243268 1243292 1243375 1243385 1243460 1243721 1243724 1243765 1243767 1243772 1243815 1243821 1243825 1243935 1244135 1244325 1244554 1244555 1244557 1244561 1244564 1244565 1244566 1244567 1244568 1244570 1244571 1244572 1244574 1244575 1244590 1244596 1244649 1244656 1244657 1244663 1244700 1245005 1245222 1245274 1245275 1245309 1245310 1245311 1245314 1245368 1246119 1246431 CVE-2020-21913 CVE-2024-2236 CVE-2024-38822 CVE-2024-38823 CVE-2024-38824 CVE-2024-38825 CVE-2024-41965 CVE-2025-22236 CVE-2025-22237 CVE-2025-22238 CVE-2025-22239 CVE-2025-22240 CVE-2025-22241 CVE-2025-22242 CVE-2025-23392 CVE-2025-23393 CVE-2025-29768 CVE-2025-30258 CVE-2025-32462 CVE-2025-32463 CVE-2025-4373 CVE-2025-4565 CVE-2025-4598 CVE-2025-46701 CVE-2025-46809 CVE-2025-46811 CVE-2025-47287 CVE-2025-4877 CVE-2025-4878 CVE-2025-48964 CVE-2025-48976 
CVE-2025-48988 CVE-2025-49125 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-5222 CVE-2025-5278 CVE-2025-5318 CVE-2025-5372 CVE-2025-6018 CVE-2025-6021 CVE-2025-6052 CVE-2025-6170 ----------------------------------------------------------------- The container suse/manager/5.0/x86_64/server was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2079-1 Released: Tue Jun 24 12:24:05 2025 Summary: Security update for icu Type: security Severity: important References: 1161007,1167603,1193951,1243721,CVE-2020-21913,CVE-2025-5222 This update for icu fixes the following issues: - CVE-2025-5222: Stack buffer overflow in the SRBRoot:addTag function (bsc#1243721). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2080-1 Released: Tue Jun 24 12:26:23 2025 Summary: Security update for pam-config Type: security Severity: important References: 1243226,CVE-2025-6018 This update for pam-config fixes the following issues: - CVE-2025-6018: Stop adding pam_env in AUTH stack, and be sure to put this module at the really end of the SESSION stack (bsc#1243226). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2159-1 Released: Fri Jun 27 16:56:02 2025 Summary: Security update for apache-commons-fileupload Type: security Severity: important References: 1244657,CVE-2025-48976 This update for apache-commons-fileupload fixes the following issues: Upgrade to upstream version 1.6.0 - CVE-2025-48976: Fixed allocation of resources for multipart headers with insufficient limits can lead to a DoS (bsc#1244657). 
Full changelog: https://commons.apache.org/proper/commons-fileupload/changes.html#a1.6.0 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2167-1 Released: Mon Jun 30 09:14:40 2025 Summary: Security update for glib2 Type: security Severity: important References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596). - CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2177-1 Released: Mon Jun 30 19:53:04 2025 Summary: Security update for sudo Type: security Severity: important References: 1245274,1245275,CVE-2025-32462,CVE-2025-32463 This update for sudo fixes the following issues: - CVE-2025-32462: Fixed a possible local privilege escalation via the --host option (bsc#1245274). - CVE-2025-32463: Fixed a possible local privilege Escalation via chroot option (bsc#1245275). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2215-1 Released: Thu Jul 3 12:01:42 2025 Summary: Recommended update for firewalld Type: recommended Severity: moderate References: This update for firewalld fixes the following issue: Align with up to update python stack tools. This update also ships python311-firewall and python311-dbus-python to the Python3 Module. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2226-1 Released: Fri Jul 4 15:31:04 2025 Summary: Security update for vim Type: security Severity: moderate References: 1228776,1239602,CVE-2024-41965,CVE-2025-29768 This update for vim fixes the following issues: - CVE-2024-41965: Fixed improper neutralization of argument delimiters in zip.vim that could have led to data loss (bsc#1228776). 
- CVE-2025-29768: Fixed double-free in dialog_changed() (bsc#1239602). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2229-1 Released: Fri Jul 4 18:02:30 2025 Summary: Security update for libssh Type: security Severity: important References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372 This update for libssh fixes the following issues: - CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311). - CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309). - CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310). - CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2237-1 Released: Mon Jul 7 14:59:13 2025 Summary: Recommended update for openssl-3 Type: recommended Severity: moderate References: This update for openssl-3 fixes the following issues: - Backport mdless cms signing support [jsc#PED-12895] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2239-1 Released: Mon Jul 7 15:32:03 2025 Summary: Recommended update for libbpf Type: recommended Severity: moderate References: 1244135 This update for libbpf fixes the following issue: - Workaround kernel module size increase, 6.15 modules are 2-4 times larger than 6.14's (bsc#1244135). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2240-1 Released: Mon Jul 7 18:16:10 2025 Summary: Recommended update for openssh Type: recommended Severity: moderate References: 1241667 This update for openssh fixes the following issue: - 'scp' on SLE 15 ignores write directory permissions for group and world (bsc#1241667). 

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598

This update for systemd fixes the following issues:

- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:

- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2259-1
Released: Wed Jul 9 17:18:02 2025
Summary: Recommended update for gpg2
Type: security
Severity: low
References: 1236931,1239119,1239817,CVE-2025-30258

This update for gpg2 fixes the following issues:

- CVE-2025-30258: Fixed DoS due to a malicious subkey in the keyring (bsc#1239119).

Other bugfixes:

- Do not install expired sks certificate (bsc#1243069).
- gpg hangs when importing a key (bsc#1236931).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2267-1
Released: Thu Jul 10 11:24:02 2025
Summary: Recommended update for sssd
Type: recommended
Severity: moderate
References: 1243385,1244325

This update for sssd fixes the following issues:

- Check if the memory cache fd was closed or hijacked; (bsc#1243385);
- Build with openldap 2.5 which supports TLS channel binding.
- Install file in krb5.conf.d to include sssd krb5 config snippets (bsc#1244325)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2274-1
Released: Thu Jul 10 14:35:40 2025
Summary: Recommended update for mozilla-nspr, mozilla-nss
Type: recommended
Severity: moderate
References: 1081723,1224113

This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to NSS 3.112:

* Fix alias for mac workers on try
* ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault
* ABI/API break in ssl certificate processing
* remove unnecessary assertion in sec_asn1d_init_state_based_on_template
* bmo#1965754 Update taskgraph to v14.2.1
* Workflow for automation of the release on GitHub when pushing a tag
* fix faulty assertions in SEC_ASN1DecoderUpdate
* Renegotiations should use a fresh ECH GREASE buffer
* bmo#1951396 Update taskgraph to v14.1.1
* Partial fix for ACVP build CI job
* Initialize find in sftk_searchDatabase
* Add clang-18 to extra builds
* Fault tolerant git fetch for fuzzing
* Tolerate intermittent failures in ssl_policy_pkix_ocsp
* fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set
* fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls
* Remove Cryptofuzz CI version check

Update to NSS 3.111:

* FIPS changes need to be upstreamed: force ems policy
* Turn off Websites Trust Bit from CAs
* Update nssckbi version following April 2025 Batch of Changes
* Disable SMIME 'trust bit' for GoDaddy CAs
* Replaced deprecated sprintf function with snprintf in dbtool.c
* Need to update NSS for PKCS 3.1
* avoid leaking localCert if it is already set in ssl3_FillInCachedSID
* Decrease ASAN quarantine size for Cryptofuzz in CI
* selfserv: Add support for zlib certificate compression

Update to NSS 3.110:

* FIPS changes need to be upstreamed: force ems policy
* Prevent excess allocations in sslBuffer_Grow
* Remove Crl templates from ASN1 fuzz target
* Remove CERT_CrlTemplate from ASN1 fuzz target
* Fix memory leak in NSS_CMSMessage_IsSigned
* NSS policy updates
* Improve locking in nssPKIObject_GetInstances
* Fix race in sdb_GetMetaData
* Fix member access within null pointer
* Increase smime fuzzer memory limit
* Enable resumption when using custom extensions
* change CN of server12 test certificate
* Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle
* Part 1: Fix smime UBSan errors
* FIPS changes need to be upstreamed: updated key checks
* Don't build libpkix in static builds
* handle `-p all` in try syntax
* fix opt-make builds to actually be opt
* fix opt-static builds to actually be opt
* Remove extraneous assert

Update to NSS 3.109:

* Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available
* NSS policy updates - fix inaccurate key policy issues
* SMIME fuzz target
* ASN1 decoder fuzz target
* Part 2: Revert "Extract testcases from ssl gtests for fuzzing"
* Add fuzz/README.md
* Part 4: Fix tstclnt arguments script
* Extend pkcs7 fuzz target
* Extend certDN fuzz target
* revert changes to HACL* files from bug 1866841
* Part 3: Package frida corpus script

Update to NSS 3.108:

* libclang-16 -> libclang-19
* Turn off Secure Email Trust Bit for Security Communication ECC RootCA1
* Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2
* Remove SwissSign Silver CA - G2
* Add D-Trust 2023 TLS Roots to NSS
* fix fips test failure on windows
* change default sensitivity of KEM keys
* Part 1: Introduce frida hooks and script
* add missing arm_neon.h include to gcm.c
* ci: update windows workers to win2022
* strip trailing carriage returns in tools tests
* work around unix/windows path translation issues in cert test script
* ci: let the windows setup script work without $m
* detect msys
* add a specialized CTR_Update variant for AES-GCM
* NSS policy updates
* FIPS changes need to be upstreamed: FIPS 140-3 RNG
* FIPS changes need to be upstreamed: Add SafeZero
* FIPS changes need to be upstreamed Updated POST
* Segmentation fault in SECITEM_Hash during pkcs12 processing
* Extending NSS with LoadModuleFromFunction functionality
* Ensure zero-initialization of collectArgs.cert
* pkcs7 fuzz target use CERT_DestroyCertificate
* Fix actual underlying ODR violations issue
* mozilla::pkix: allow reference ID labels to begin and/or end with hyphens
* don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set
* Fix memory leak in pkcs7 fuzz target
* Set -O2 for ASan builds in CI
* Change branch of tlsfuzzer dependency
* Run tests in CI for ASan builds with detect_odr_violation=1
* Fix coverage failure in CI
* Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch
* Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround
* Part 3: Restructure fuzz/
* Extract testcases from ssl gtests for fuzzing
* Force Cryptofuzz to use NSS in CI
* Fix Cryptofuzz on 32 bit in CI
* Update Cryptofuzz repository link
* fix build error from 9505f79d
* simplify error handling in get_token_objects_for_cache
* nss doc: fix a warning
* pkcs12 fixes from RHEL need to be picked up

Update to NSS 3.107:

* Remove MPI fuzz targets.
* Remove globals `lockStatus` and `locksEverDisabled`.
* Enable PKCS8 fuzz target.
* Integrate Cryptofuzz in CI.
* Part 2: Set tls server target socket options in config class
* Part 1: Set tls client target socket options in config class
* Support building with thread sanitizer.
* set nssckbi version number to 2.72.
* remove Websites Trust Bit from Entrust Root Certification Authority - G4.
* remove Security Communication RootCA3 root cert.
* remove SecureSign RootCA11 root cert.
* Add distrust-after for TLS to Entrust Roots.
* bmo#1927096 Update expected error code in pk12util pbmac1 tests.
* Use random tstclnt args with handshake collection script
* Remove extraneous assert in ssl3gthr.c.
* Adding missing release notes for NSS_3_105.
* Enable the disabled mlkem tests for dtls.
* NSS gtests filter cleans up the constructed buffer before the use.
* Make ssl_SetDefaultsFromEnvironment thread-safe.
* Remove short circuit test from ssl_Init.

Update to NSS 3.106:

* NSS 3.106 should be distributed with NSPR 4.36.
* pk12util: improve error handling in p12U_ReadPKCS12File.
* Correctly destroy bulkkey in error scenario.
* PKCS7 fuzz target, r=djackson,nss-reviewers.
* Extract certificates with handshake collection script.
* Specify len_control for fuzz targets.
* Fix memory leak in dumpCertificatePEM.
* Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo.
* add new error codes to mozilla::pkix for Firefox to use.
* allow null phKey in NSC_DeriveKey.
* Only create seed corpus zip from existing corpus.
* Use explicit allowlist for KDF PRFS.
* Increase optimization level for fuzz builds.
* Remove incorrect assert.
* Use libFuzzer options from fuzz/options/\*.options in CI.
* Polish corpus collection for automation.
* Detect new and unfuzzed SSL options.
* PKCS12 fuzzing target.

Update to NSS 3.105:

* Allow importing PKCS#8 private EC keys missing public key
* UBSAN fix: applying zero offset to null pointer in sslsnce.c
* set KRML_MUSTINLINE=inline in makefile builds
* Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys
* override default definition of KRML_MUSTINLINE
* libssl support for mlkem768x25519
* support for ML-KEM-768 in softoken and pk11wrap
* Add Libcrux implementation of ML-KEM 768 to FreeBL
* Avoid misuse of ctype(3) functions
* part 2: run clang-format
* part 1: upgrade to clang-format 13
* clang-format fuzz
* DTLS client message buffer may not be empty on retransmit
* Optionally print config for TLS client and server fuzz target
* Fix some simple documentation issues in NSS.
* improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr
* define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN

Update to NSS 3.104:

* Copy original corpus to heap-allocated buffer
* Fix min ssl version for DTLS client fuzzer
* Remove OS2 support just like we did on NSPR
* clang-format NSS improvements
* Adding basicutil.h to use HexString2SECItem function
* removing dirent.c from build
* Allow handing in keymaterial to shlibsign to make the output reproducible
* remove nec4.3, sunos4, riscos and SNI references
* remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix)
* remove mentions of WIN95
* remove mentions of WIN16
* More explicit directory naming
* Add more options to TLS server fuzz target
* Add more options to TLS client fuzz target
* Use OSS-Fuzz corpus in NSS CI
* set nssckbi version number to 2.70.
* Remove Email Trust bit from ACCVRAIZ1 root cert.
* Remove Email Trust bit from certSIGN ROOT CA.
* Add Cybertrust Japan Roots to NSS.
* Add Taiwan CA Roots to NSS.
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber
* Fix tstclnt CI build failure
* vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow
* Enable all supported protocol versions for UDP
* Actually use random PSK hash type
* Initialize NSS DB once
* Additional ECH cipher suites and PSK hash types
* Automate corpus file generation for TLS client Fuzzer
* Fix crash with UNSAFE_FUZZER_MODE
* clang-format shlibsign.c

Update to NSS 3.103:

* move list size check after lock acquisition in sftk_PutObjectToList.
* Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH,
* Adjust libFuzzer size limits
* Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk
* Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION

- Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files)
- FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).

Update to NSS 3.102.1:

* ChaChaXor to return after the function

Update to NSS 3.102:

* Add Valgrind annotations to freebl Chacha20-Poly1305.
* missing sqlite header.
* GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
* improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling.
* correct length of raw SPKI data before printing in pp utility.

- Make NSS-build reproducible. Use key from openssl (bsc#1081723)
- Exclude the SHA-1 hash from SLI approval.

mozilla-nspr was updated to version 4.36:

* renamed the prwin16.h header to prwin.h
* various build, test and automation script fixes
* major parts of the source code were reformatted

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2280-1
Released: Thu Jul 10 18:04:24 2025
Summary: Security update for tomcat
Type: security
Severity: important
References: 1242722,1243815,1244649,1244656,CVE-2025-46701,CVE-2025-48988,CVE-2025-49125

This update for tomcat fixes the following issues:

- CVE-2025-46701: Fixed refactor CGI servlet to access resources via WebResources (bsc#1243815).
- CVE-2025-48988: Fixed limits the total number of parts in a multi-part request and limits the size of the headers provided with each part (bsc#1244656).
- CVE-2025-49125: Fixed expand checks for webAppMount (bsc#1244649).

Other bugfixes:

- Made permissions more secure (bsc#1242722)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2301-1
Released: Mon Jul 14 11:48:57 2025
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1229655

This update for cyrus-sasl fixes the following issues:

- Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097)
- Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2311-1
Released: Tue Jul 15 11:15:48 2025
Summary: Security update for protobuf
Type: security
Severity: moderate
References: 1244663,CVE-2025-4565

This update for protobuf fixes the following issues:

- CVE-2025-4565: Fix parsing of untrusted Protocol Buffers data containing an arbitrary number of recursive groups or messages that can lead to crash due to RecursionError (bsc#1244663).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2314-1
Released: Tue Jul 15 14:34:08 2025
Summary: Security update for libxml2
Type: security
Severity: important
References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170

This update for libxml2 fixes the following issues:

- CVE-2025-49794: Fixed a heap use after free which could lead to denial of service. (bsc#1244554)
- CVE-2025-49796: Fixed type confusion which could lead to denial of service. (bsc#1244557)
- CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service. (bsc#1244555)
- CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash. (bsc#1244700)
- CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to stack buffer overflow. (bsc#1244590)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2323-1
Released: Wed Jul 16 04:07:18 2025
Summary: Recommended update for mozilla-nspr, mozilla-nss
Type: recommended
Severity: moderate
References: 1081723,1224113

This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to NSS 3.112:

* Fix alias for mac workers on try
* ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault
* ABI/API break in ssl certificate processing
* remove unnecessary assertion in sec_asn1d_init_state_based_on_template
* update taskgraph to v14.2.1
* Workflow for automation of the release on GitHub when pushing a tag
* fix faulty assertions in SEC_ASN1DecoderUpdate
* Renegotiations should use a fresh ECH GREASE buffer
* update taskgraph to v14.1.1
* Partial fix for ACVP build CI job
* Initialize find in sftk_searchDatabase
* Add clang-18 to extra builds
* Fault tolerant git fetch for fuzzing
* Tolerate intermittent failures in ssl_policy_pkix_ocsp
* fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set
* fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls
* Remove Cryptofuzz CI version check

Update to NSS 3.111:

* FIPS changes need to be upstreamed: force ems policy
* Turn off Websites Trust Bit from CAs
* Update nssckbi version following April 2025 Batch of Changes
* Disable SMIME 'trust bit' for GoDaddy CAs
* Replaced deprecated sprintf function with snprintf in dbtool.c
* Need to update NSS for PKCS 3.1
* avoid leaking localCert if it is already set in ssl3_FillInCachedSID
* Decrease ASAN quarantine size for Cryptofuzz in CI
* selfserv: Add support for zlib certificate compression

Update to NSS 3.110:

* FIPS changes need to be upstreamed: force ems policy
* Prevent excess allocations in sslBuffer_Grow
* Remove Crl templates from ASN1 fuzz target
* Remove CERT_CrlTemplate from ASN1 fuzz target
* Fix memory leak in NSS_CMSMessage_IsSigned
* NSS policy updates
* Improve locking in nssPKIObject_GetInstances
* Fix race in sdb_GetMetaData
* Fix member access within null pointer
* Increase smime fuzzer memory limit
* Enable resumption when using custom extensions
* change CN of server12 test certificate
* Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle
* Part 1: Fix smime UBSan errors
* FIPS changes need to be upstreamed: updated key checks
* Don't build libpkix in static builds
* handle `-p all` in try syntax
* fix opt-make builds to actually be opt
* fix opt-static builds to actually be opt
* Remove extraneous assert

Update to NSS 3.109:

* Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available
* NSS policy updates - fix inaccurate key policy issues
* SMIME fuzz target
* ASN1 decoder fuzz target
* Part 2: Revert "Extract testcases from ssl gtests for fuzzing"
* Add fuzz/README.md
* Part 4: Fix tstclnt arguments script
* Extend pkcs7 fuzz target
* Extend certDN fuzz target
* revert changes to HACL* files from bug 1866841
* Part 3: Package frida corpus script

Update to NSS 3.108:

* libclang-16 -> libclang-19
* Turn off Secure Email Trust Bit for Security Communication ECC RootCA1
* Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2
* Remove SwissSign Silver CA - G2
* Add D-Trust 2023 TLS Roots to NSS
* fix fips test failure on windows
* change default sensitivity of KEM keys
* Part 1: Introduce frida hooks and script
* add missing arm_neon.h include to gcm.c
* ci: update windows workers to win2022
* strip trailing carriage returns in tools tests
* work around unix/windows path translation issues in cert test script
* ci: let the windows setup script work without $m
* detect msys
* add a specialized CTR_Update variant for AES-GCM
* NSS policy updates
* FIPS changes need to be upstreamed: FIPS 140-3 RNG
* FIPS changes need to be upstreamed: Add SafeZero
* FIPS changes need to be upstreamed - updated POST
* Segmentation fault in SECITEM_Hash during pkcs12 processing
* Extending NSS with LoadModuleFromFunction functionality
* Ensure zero-initialization of collectArgs.cert
* pkcs7 fuzz target use CERT_DestroyCertificate
* Fix actual underlying ODR violations issue
* mozilla::pkix: allow reference ID labels to begin and/or end with hyphens
* don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set
* Fix memory leak in pkcs7 fuzz target
* Set -O2 for ASan builds in CI
* Change branch of tlsfuzzer dependency
* Run tests in CI for ASan builds with detect_odr_violation=1
* Fix coverage failure in CI
* Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch
* Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround
* Part 3: Restructure fuzz/
* Extract testcases from ssl gtests for fuzzing
* Force Cryptofuzz to use NSS in CI
* Fix Cryptofuzz on 32 bit in CI
* Update Cryptofuzz repository link
* fix build error from 9505f79d
* simplify error handling in get_token_objects_for_cache
* nss doc: fix a warning
* pkcs12 fixes from RHEL need to be picked up

Update to NSS 3.107:

* Remove MPI fuzz targets.
* Remove globals `lockStatus` and `locksEverDisabled`.
* Enable PKCS8 fuzz target.
* Integrate Cryptofuzz in CI.
* Part 2: Set tls server target socket options in config class
* Part 1: Set tls client target socket options in config class
* Support building with thread sanitizer.
* set nssckbi version number to 2.72.
* remove Websites Trust Bit from Entrust Root Certification Authority - G4.
* remove Security Communication RootCA3 root cert.
* remove SecureSign RootCA11 root cert.
* Add distrust-after for TLS to Entrust Roots.
* update expected error code in pk12util pbmac1 tests.
* Use random tstclnt args with handshake collection script
* Remove extraneous assert in ssl3gthr.c.
* Adding missing release notes for NSS_3_105.
* Enable the disabled mlkem tests for dtls.
* NSS gtests filter cleans up the constructed buffer before the use.
* Make ssl_SetDefaultsFromEnvironment thread-safe.
* Remove short circuit test from ssl_Init.

Update to NSS 3.106:

* NSS 3.106 should be distributed with NSPR 4.36.
* pk12util: improve error handling in p12U_ReadPKCS12File.
* Correctly destroy bulkkey in error scenario.
* PKCS7 fuzz target, r=djackson,nss-reviewers.
* Extract certificates with handshake collection script.
* Specify len_control for fuzz targets.
* Fix memory leak in dumpCertificatePEM.
* Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo.
* add new error codes to mozilla::pkix for Firefox to use.
* allow null phKey in NSC_DeriveKey.
* Only create seed corpus zip from existing corpus.
* Use explicit allowlist for KDF PRFS.
* Increase optimization level for fuzz builds.
* Remove incorrect assert.
* Use libFuzzer options from fuzz/options/\*.options in CI.
* Polish corpus collection for automation.
* Detect new and unfuzzed SSL options.
* PKCS12 fuzzing target.

Update to NSS 3.105:

* Allow importing PKCS#8 private EC keys missing public key
* UBSAN fix: applying zero offset to null pointer in sslsnce.c
* set KRML_MUSTINLINE=inline in makefile builds
* Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys
* override default definition of KRML_MUSTINLINE
* libssl support for mlkem768x25519
* support for ML-KEM-768 in softoken and pk11wrap
* Add Libcrux implementation of ML-KEM 768 to FreeBL
* Avoid misuse of ctype(3) functions
* part 2: run clang-format
* part 1: upgrade to clang-format 13
* clang-format fuzz
* DTLS client message buffer may not be empty on retransmit
* Optionally print config for TLS client and server fuzz target
* Fix some simple documentation issues in NSS.
* improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr
* define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN

Update to NSS 3.104:

* Copy original corpus to heap-allocated buffer
* Fix min ssl version for DTLS client fuzzer
* Remove OS2 support just like we did on NSPR
* clang-format NSS improvements
* Adding basicutil.h to use HexString2SECItem function
* removing dirent.c from build
* Allow handing in keymaterial to shlibsign to make the output reproducible
* remove nec4.3, sunos4, riscos and SNI references
* remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix)
* remove mentions of WIN95
* remove mentions of WIN16
* More explicit directory naming
* Add more options to TLS server fuzz target
* Add more options to TLS client fuzz target
* Use OSS-Fuzz corpus in NSS CI
* set nssckbi version number to 2.70.
* Remove Email Trust bit from ACCVRAIZ1 root cert.
* Remove Email Trust bit from certSIGN ROOT CA.
* Add Cybertrust Japan Roots to NSS.
* Add Taiwan CA Roots to NSS.
* remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber
* Fix tstclnt CI build failure
* vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow
* Enable all supported protocol versions for UDP
* Actually use random PSK hash type
* Initialize NSS DB once
* Additional ECH cipher suites and PSK hash types
* Automate corpus file generation for TLS client Fuzzer
* Fix crash with UNSAFE_FUZZER_MODE
* clang-format shlibsign.c

Update to NSS 3.103:

* move list size check after lock acquisition in sftk_PutObjectToList.
* Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH,
* Follow-up to fix test for presence of file nspr.patch.
* Adjust libFuzzer size limits
* Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk
* Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION

- Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files)
- FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).

Update to NSS 3.102.1:

* ChaChaXor to return after the function

Update to NSS 3.102:

* Add Valgrind annotations to freebl Chacha20-Poly1305.
* missing sqlite header.
* GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
* improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling.
* correct length of raw SPKI data before printing in pp utility.

- Make NSS-build reproducible Use key from openssl (bsc#1081723)
- FIPS: exclude the SHA-1 hash from SLI approval.

mozilla-nspr was updated to version 4.36:

* renamed the prwin16.h header to prwin.h
* configure was updated from 2.69 to 2.71
* various build, test and automation script fixes
* major parts of the source code were reformatted

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2344-1
Released: Thu Jul 17 13:09:02 2025
Summary: Recommended update for samba
Type: recommended
Severity: moderate
References: 1246431

This update for samba fixes the following issues:

- Windows security hardening locks out schannel'ed netlogon dc calls like netr_DsRGetDCName (bsc#1246431).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278

This update for coreutils fixes the following issues:

- CVE-2025-5278: Fixed heap buffer under-read may lead to a crash or leak sensitive data (bsc#1243767)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2430-1
Released: Mon Jul 21 13:23:17 2025
Summary: Security update for iputils
Type: security
Severity: moderate
References: 1243772,CVE-2025-48964

This update for iputils fixes the following issues:

- CVE-2025-48964: Fixed integer overflow in ping statistics via zero timestamp (bsc#1243772).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2447-1
Released: Mon Jul 21 16:45:25 2025
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1221107,CVE-2024-2236

This update for libgcrypt fixes the following issues:

- CVE-2024-2236: Fixed timing based side-channel in RSA implementation. (bsc#1221107)

-----------------------------------------------------------------
Advisory ID: SUSE-Manager-5.0-2025-2478
Released: Wed Jul 23 14:39:10 2025
Summary: Security update for Multi-Linux Manager 5.0: Server, Proxy and Retail Server
Type: security
Severity: critical
References: 1157520,1229825,1230282,1230403,1230908,1233371,1234608,1235847,1236565,1236621,1236779,1236877,1236910,1237294,1237710,1237770,1237938,1238173,1238320,1238514,1238827,1238922,1239154,1239558,1239559,1239604,1239621,1239743,1239744,1239747,1239801,1239826,1239868,1239903,1239907,1240010,1240023,1240038,1240050,1240076,1240124,1240131,1240160,1240386,1240604,1240635,1240666,1240901,1240984,1241034,1241094,1241239,1241286,1241455,1241490,1241880,1242004,1242010,1242030,1242135,1242148,1242561,1242916,1243239,1243241,1243268,1243292,1243375,1243460,1243724,1243765,1243821,1243825,1244561,1244564,1244565,1244566,1244567,1244568,1244570,1244571,1244572,1244574,1244575,1245005,1245222,1245368,1246119,CVE-2024-38822,CVE-2024-38823,CVE-2024-38824,CVE-2024-38825,CVE-2025-22236,CVE-2025-22237,CVE-2025-22238,CVE-2025-22239,CVE-2025-22240,CVE-2025-22241,CVE-2025-22242,CVE-2025-23392,CVE-2025-23393,CVE-2025-46809,CVE-2025-46811,CVE-2025-47287

Security update for Multi-Linux Manager 5.0: Server, Proxy and Retail Branch Server:

This is a codestream only update

The following package changes have been done:

- libssh-config-0.9.8-150600.11.3.1 updated
- libglib-2_0-0-2.78.6-150600.4.16.1 updated
- libudev1-254.25-150600.4.40.1 updated
- libopenssl3-3.1.4-150600.5.33.1 updated
- libxml2-2-2.10.3-150500.5.29.1 updated
- libopenssl-3-fips-provider-3.1.4-150600.5.33.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- libgcrypt20-1.10.3-150600.3.9.1 updated
- gpg2-2.4.4-150600.3.9.1 updated
- libsasl2-3-2.1.28-150600.7.6.2 updated
- openssl-3-3.1.4-150600.5.33.1 updated
- pam-config-1.1-150600.16.8.1 updated
- libsystemd0-254.25-150600.4.40.1 updated
- systemd-254.25-150600.4.40.1 updated
- coreutils-8.32-150400.9.9.1 updated
- grafana-formula-5.0.0-150600.3.6.2 updated
- iputils-20221126-150500.3.14.1 updated
- libbpf1-1.2.2-150600.3.6.2 updated
- libfreebl3-3.112-150400.3.57.1 updated
- libgmodule-2_0-0-2.78.6-150600.4.16.1 updated
- libgobject-2_0-0-2.78.6-150600.4.16.1 updated
- libicu65_1-ledata-65.1-150200.4.15.1 updated
- libipa_hbac0-2.9.3-150600.3.25.1 updated
- libsss_idmap0-2.9.3-150600.3.25.1 updated
- libsss_nss_idmap0-2.9.3-150600.3.25.1 updated
- libxml2-tools-2.10.3-150500.5.29.1 updated
- mozilla-nspr-4.36-150000.3.32.1 updated
- openssh-common-9.6p1-150600.6.29.2 updated
- release-notes-susemanager-5.0.5-150600.11.39.1 updated
- sudo-1.9.15p5-150600.3.9.1 updated
- susemanager-schema-utility-5.0.15-150600.3.15.2 updated
- uyuni-config-modules-5.0.14-150600.3.15.2 updated
- vim-data-common-9.1.1406-150500.20.27.1 updated
- cyrus-sasl-2.1.28-150600.7.6.2 updated
- libicu-suse65_1-65.1-150200.4.15.1 updated
- libsss_certmap0-2.9.3-150600.3.25.1 updated
- mozilla-nss-certs-3.112-150400.3.57.1 updated
- openssh-fips-9.6p1-150600.6.29.2 updated
- susemanager-docs_en-5.0.4-150600.11.15.2 updated
- libgio-2_0-0-2.78.6-150600.4.16.1 updated
- glib2-tools-2.78.6-150600.4.16.1 updated
- spacewalk-java-lib-5.0.27-150600.3.33.1 updated
- vim-9.1.1406-150500.20.27.1 updated
- cyrus-sasl-gssapi-2.1.28-150600.7.6.2 updated
- cyrus-sasl-digestmd5-2.1.28-150600.7.6.2 updated
- openssh-server-9.6p1-150600.6.29.2 updated
- openssh-clients-9.6p1-150600.6.29.2 updated
- python3-uyuni-common-libs-5.0.7-150600.2.9.2 updated
- mozilla-nss-3.112-150400.3.57.1 updated
- libsoftokn3-3.112-150400.3.57.1 updated
- susemanager-docs_en-pdf-5.0.4-150600.11.15.2 updated
- susemanager-schema-5.0.15-150600.3.15.2 updated
- susemanager-sync-data-5.0.13-150600.3.22.2 updated
- openssh-9.6p1-150600.6.29.2 updated
- python3-libxml2-2.10.3-150500.5.29.1 updated
- sssd-ldap-2.9.3-150600.3.25.1 updated
- sssd-2.9.3-150600.3.25.1 updated
- sssd-krb5-common-2.9.3-150600.3.25.1 updated
- samba-client-libs-4.19.8+git.430.a10fe64854c-150600.3.18.2 updated
- susemanager-build-keys-15.5.3-150600.5.9.3 updated
- inter-server-sync-0.3.7-150600.3.6.2 updated
- spacecmd-5.0.13-150600.4.15.2 updated
- spacewalk-backend-sql-postgresql-5.0.14-150600.4.17.1 updated
- sssd-krb5-2.9.3-150600.3.25.1 updated
- sssd-dbus-2.9.3-150600.3.25.1 updated
- python3-sssd-config-2.9.3-150600.3.25.1 updated
- sssd-ad-2.9.3-150600.3.25.1 updated
- tomcat-servlet-4_0-api-9.0.106-150200.86.1 updated
- tomcat-el-3_0-api-9.0.106-150200.86.1 updated
- spacewalk-base-minimal-5.0.21-150600.3.27.7 updated
- susemanager-build-keys-web-15.5.3-150600.5.9.3 updated
- spacewalk-config-5.0.7-150600.3.12.2 updated
- sssd-tools-2.9.3-150600.3.25.1 updated
- sssd-ipa-2.9.3-150600.3.25.1 updated
- tomcat-jsp-2_3-api-9.0.106-150200.86.1 updated
- apache-commons-fileupload-1.6.0-150200.3.12.1 updated
- python3-firewall-2.0.1-150600.3.9.1 updated
- spacewalk-base-minimal-config-5.0.21-150600.3.27.7 updated
- tomcat-lib-9.0.106-150200.86.1 updated
- protobuf-java-25.1-150600.16.13.1 updated
- firewalld-2.0.1-150600.3.9.1 updated
- spacewalk-backend-5.0.14-150600.4.17.1 updated
- python3-spacewalk-client-tools-5.0.10-150600.4.12.4 updated
- spacewalk-client-tools-5.0.10-150600.4.12.4 updated
- spacewalk-base-5.0.21-150600.3.27.7 updated
- spacewalk-search-5.0.4-150600.3.6.2 updated
- subscription-matcher-0.40-150600.3.6.2 updated
- salt-3006.0-150600.8.5.4 updated
- python3-salt-3006.0-150600.8.5.4 updated
- spacewalk-backend-sql-5.0.14-150600.4.17.1 updated
- python3-spacewalk-certs-tools-5.0.10-150600.3.12.2 updated
- spacewalk-certs-tools-5.0.10-150600.3.12.2 updated
- spacewalk-admin-5.0.11-150600.3.11.2 updated
- tomcat-9.0.106-150200.86.1 updated
- salt-master-3006.0-150600.8.5.4 updated
- cobbler-3.3.3-150600.5.14.4 updated
- spacewalk-backend-server-5.0.14-150600.4.17.1 updated
- susemanager-sls-5.0.14-150600.3.15.2 updated
- spacewalk-java-postgresql-5.0.27-150600.3.33.1 updated
- spacewalk-java-config-5.0.27-150600.3.33.1 updated
- salt-api-3006.0-150600.8.5.4 updated
- spacewalk-backend-xmlrpc-5.0.14-150600.4.17.1 updated
- spacewalk-backend-xml-export-libs-5.0.14-150600.4.17.1 updated
- spacewalk-backend-package-push-server-5.0.14-150600.4.17.1 updated
- spacewalk-backend-iss-5.0.14-150600.4.17.1 updated
- spacewalk-backend-app-5.0.14-150600.4.17.1 updated
- saltboot-formula-0.1.1750679229.f368550-150600.3.6.2 updated
- spacewalk-reports-5.0.3-150600.3.3.2 updated
- spacewalk-html-5.0.21-150600.3.27.7 updated
- spacewalk-taskomatic-5.0.27-150600.3.33.1 updated
- spacewalk-java-5.0.27-150600.3.33.1 updated
- spacewalk-backend-iss-export-5.0.14-150600.4.17.1 updated
- susemanager-tools-5.0.13-150600.3.15.2 updated
- spacewalk-backend-tools-5.0.14-150600.4.17.1 updated
- spacewalk-utils-5.0.7-150600.3.9.2 updated
- susemanager-5.0.13-150600.3.15.2 updated
- container:suse-manager-5.0-init-5.0.5-5.0.5-7.21.12 added
- container:suse-manager-5.0-init-5.0.4.1-5.0.4.1-7.18.5 removed

From sle-container-updates at lists.suse.com Fri Jul 25 07:04:55 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 25 Jul 2025 09:04:55 +0200 (CEST)
Subject: SUSE-IU-2025:2024-1: Security update of suse/sl-micro/6.0/base-os-container
Message-ID: <20250725070455.7A5ADFD12@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.0/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2024-1
Image Tags : suse/sl-micro/6.0/base-os-container:2.1.3 , suse/sl-micro/6.0/base-os-container:2.1.3-7.28 , suse/sl-micro/6.0/base-os-container:latest
Image Release : 7.28
Severity : important
Type : security
References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052
-----------------------------------------------------------------

The container suse/sl-micro/6.0/base-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 395
Released: Thu Jul 24 13:51:08 2025
Summary: Security update for glib2
Type: security
Severity: important
References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052

This update for glib2 fixes the following issues:

- CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844)
- CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596)

The following package changes have been done:

- SL-Micro-release-6.0-25.37 updated
- libglib-2_0-0-2.76.2-9.1 updated
- libgobject-2_0-0-2.76.2-9.1 updated
- libgmodule-2_0-0-2.76.2-9.1 updated
- libgio-2_0-0-2.76.2-9.1 updated
- glib2-tools-2.76.2-9.1 updated
- container:suse-toolbox-image-1.0.0-9.16 updated

From sle-container-updates at lists.suse.com Fri Jul 25 07:05:45 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 25 Jul 2025 09:05:45 +0200 (CEST)
Subject: SUSE-IU-2025:2025-1: Security update of suse/sl-micro/6.0/kvm-os-container
Message-ID: <20250725070545.69AC8FD12@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.0/kvm-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2025-1
Image Tags : suse/sl-micro/6.0/kvm-os-container:2.1.3 , suse/sl-micro/6.0/kvm-os-container:2.1.3-6.53 , suse/sl-micro/6.0/kvm-os-container:latest
Image Release : 6.53
Severity : important
Type : security
References : 1242844 1244596 CVE-2025-4373 CVE-2025-6052
-----------------------------------------------------------------

The container suse/sl-micro/6.0/kvm-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 395
Released: Thu Jul 24 13:51:08 2025
Summary: Security update for glib2
Type: security
Severity: important
References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052

This update for glib2 fixes the following issues:

- CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844)
- CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596)

The following package changes have been done:

- SL-Micro-release-6.0-25.37 updated
- libglib-2_0-0-2.76.2-9.1 updated
- libgobject-2_0-0-2.76.2-9.1 updated
- libgmodule-2_0-0-2.76.2-9.1 updated
- libgio-2_0-0-2.76.2-9.1 updated
- glib2-tools-2.76.2-9.1 updated
- container:SL-Micro-base-container-2.1.3-7.28 updated

From sle-container-updates at lists.suse.com Fri Jul 25 07:06:36 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 25 Jul 2025 09:06:36 +0200 (CEST)
Subject: SUSE-IU-2025:2026-1: Security update of suse/sl-micro/6.0/rt-os-container
Message-ID: <20250725070636.7C9DBFD12@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.0/rt-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2026-1
Image Tags : suse/sl-micro/6.0/rt-os-container:2.1.3 , suse/sl-micro/6.0/rt-os-container:2.1.3-7.63 , suse/sl-micro/6.0/rt-os-container:latest
Image Release : 7.63
Severity : important
Type : security
References : 1216091 1218459 1241052 1242844 1244596 CVE-2025-4373 CVE-2025-6052
-----------------------------------------------------------------

The container suse/sl-micro/6.0/rt-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 388
Released: Mon Jul 21 11:01:26 2025
Summary: Recommended update for rpm
Type: recommended
Severity: important
References: 1216091,1218459,1241052

This update for rpm fixes the following issues:

- fix --runposttrans not working correctly with the --root option [bsc#1216091]
  * added 'rpm_fixed_runposttrans' provides for libzypp
- print scriptlet messages in --runposttrans
  * needed to fix leaking tmp files [bsc#1218459]
- fix memory leak in str2locale [bsc#1241052]

-----------------------------------------------------------------
Advisory ID: 395
Released: Thu Jul 24 13:51:08 2025
Summary: Security update for glib2
Type: security
Severity: important
References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052

This update for glib2 fixes the following issues:

- CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844)
- CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596)

The following package changes have been done:

- rpm-4.18.0-7.1 updated
- SL-Micro-release-6.0-25.37 updated
- libglib-2_0-0-2.76.2-9.1 updated
- libgobject-2_0-0-2.76.2-9.1 updated
- libgmodule-2_0-0-2.76.2-9.1 updated
- libgio-2_0-0-2.76.2-9.1 updated
- glib2-tools-2.76.2-9.1 updated
- container:SL-Micro-container-2.1.3-6.60 updated

From sle-container-updates at lists.suse.com Sat Jul 26 07:10:48 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 26 Jul 2025 09:10:48 +0200 (CEST)
Subject: SUSE-CU-2025:5640-1: Security update of bci/spack
Message-ID: <20250726071048.16E19FF2E@maintenance.suse.de>

SUSE Container Update Advisory: bci/spack
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5640-1
Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-11.27
Container Release : 11.27
Severity : important
Type : security
References : 1246472 CVE-2025-7519
-----------------------------------------------------------------

The container bci/spack was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2527-1
Released: Fri Jul 25 16:34:21 2025
Summary: Security update for polkit
Type: security
Severity: important
References: 1246472,CVE-2025-7519

This update for polkit fixes the following issues:

- CVE-2025-7519: Fixed an XML policy file with a large number of nested elements that may lead to out-of-bounds write. (bsc#1246472)

The following package changes have been done:

- libpolkit-agent-1-0-121-150500.3.6.1 updated
- libpolkit-gobject-1-0-121-150500.3.6.1 updated
- polkit-121-150500.3.6.1 updated

From sle-container-updates at lists.suse.com Sat Jul 26 07:10:59 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 26 Jul 2025 09:10:59 +0200 (CEST)
Subject: SUSE-CU-2025:5641-1: Recommended update of bci/kiwi
Message-ID: <20250726071059.5B4E9FF2E@maintenance.suse.de>

SUSE Container Update Advisory: bci/kiwi
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5641-1
Container Tags : bci/kiwi:9 , bci/kiwi:9.24 , bci/kiwi:9.24.43 , bci/kiwi:9.24.43-16.36 , bci/kiwi:latest
Container Release : 16.36
Severity : important
Type : recommended
References : 1244917 1246501
-----------------------------------------------------------------

The container bci/kiwi was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2518-1
Released: Fri Jul 25 08:07:07 2025
Summary: Recommended update for multipath-tools
Type: recommended
Severity: important
References: 1244917,1246501

This update for multipath-tools fixes the following issues:

- multipath-tools: add HPE MSA Gen7 (2070/2072) to hwtable (bsc#1246501)
- multipathd: cli_reinstate(): avoid reinstated paths being failed again (bsc#1244917)

The following package changes have been done:

- libmpath0-0.10.3+124+suse.ed5b4b11-150700.3.3.1 updated
- kpartx-0.10.3+124+suse.ed5b4b11-150700.3.3.1 updated

From sle-container-updates at lists.suse.com Sat Jul 26 07:05:51 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 26 Jul 2025 09:05:51 +0200 (CEST)
Subject: SUSE-IU-2025:2061-1: Security update of suse/sle-micro/5.5
Message-ID: <20250726070551.B044CFF2D@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2061-1
Image Tags : suse/sle-micro/5.5:2.0.4 , suse/sle-micro/5.5:2.0.4-5.5.336 , suse/sle-micro/5.5:latest
Image Release : 5.5.336
Severity : important
Type : security
References : 1246472 CVE-2025-7519
-----------------------------------------------------------------

The container suse/sle-micro/5.5 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2527-1
Released: Fri Jul 25 16:34:21 2025
Summary: Security update for polkit
Type: security
Severity: important
References: 1246472,CVE-2025-7519

This update for polkit fixes the following issues:

- CVE-2025-7519: Fixed an XML policy file with a large number of nested elements that may lead to out-of-bounds write. (bsc#1246472)

The following package changes have been done:

- libpolkit-gobject-1-0-121-150500.3.6.1 updated
- libpolkit-agent-1-0-121-150500.3.6.1 updated
- polkit-121-150500.3.6.1 updated

From sle-container-updates at lists.suse.com Tue Jul 29 07:04:15 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 29 Jul 2025 09:04:15 +0200 (CEST)
Subject: SUSE-IU-2025:2127-1: Security update of suse/sle-micro/base-5.5
Message-ID: <20250729070415.AB67DFF2D@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/base-5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2127-1
Image Tags : suse/sle-micro/base-5.5:2.0.4 , suse/sle-micro/base-5.5:2.0.4-5.8.189 , suse/sle-micro/base-5.5:latest
Image Release : 5.8.189
Severity : critical
Type : security
References : 1245936 CVE-2016-9840
-----------------------------------------------------------------

The container suse/sle-micro/base-5.5 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2536-1
Released: Mon Jul 28 16:06:06 2025
Summary: Security update for boost
Type: security
Severity: critical
References: 1245936,CVE-2016-9840

This update for boost fixes the following issues:

- CVE-2016-9840: Fixed out-of-bounds pointer arithmetic in zlib in beast (bsc#1245936)

The following package changes have been done:

- boost-license1_66_0-1.66.0-150200.12.7.1 updated
- libboost_system1_66_0-1.66.0-150200.12.7.1 updated
- libboost_thread1_66_0-1.66.0-150200.12.7.1 updated

From sle-container-updates at lists.suse.com Tue Jul 29 07:12:45 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 29 Jul 2025 09:12:45 +0200 (CEST)
Subject: SUSE-CU-2025:5650-1: Security update of suse/sle-micro/5.3/toolbox
Message-ID: <20250729071245.E7F5CFF1E@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.3/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5650-1
Container Tags : suse/sle-micro/5.3/toolbox:14.2 , suse/sle-micro/5.3/toolbox:14.2-6.11.163 , suse/sle-micro/5.3/toolbox:latest
Container Release : 6.11.163
Severity : critical
Type : security
References : 1245936 CVE-2016-9840
-----------------------------------------------------------------

The container suse/sle-micro/5.3/toolbox was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2536-1
Released: Mon Jul 28 16:06:06 2025
Summary: Security update for boost
Type: security
Severity: critical
References: 1245936,CVE-2016-9840

This update for boost fixes the following issues:

- CVE-2016-9840: Fixed out-of-bounds pointer arithmetic in zlib in beast (bsc#1245936)

The following package changes have been done:

- boost-license1_66_0-1.66.0-150200.12.7.1 updated
- libboost_regex1_66_0-1.66.0-150200.12.7.1 updated
- libboost_system1_66_0-1.66.0-150200.12.7.1 updated
- libboost_thread1_66_0-1.66.0-150200.12.7.1 updated

From sle-container-updates at lists.suse.com Tue Jul 29 07:15:15 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 29 Jul 2025 09:15:15 +0200 (CEST)
Subject: SUSE-CU-2025:5651-1: Security update of suse/sle-micro-rancher/5.4
Message-ID: <20250729071515.C25E1FF1E@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro-rancher/5.4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5651-1
Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.30 , suse/sle-micro-rancher/5.4:latest
Container Release : 4.5.30
Severity : critical
Type : security
References : 1245936 CVE-2016-9840
-----------------------------------------------------------------

The container suse/sle-micro-rancher/5.4 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2536-1
Released: Mon Jul 28 16:06:06 2025
Summary: Security update for boost
Type: security
Severity: critical
References: 1245936,CVE-2016-9840

This update for boost fixes the following issues:

- CVE-2016-9840: Fixed out-of-bounds pointer arithmetic in zlib in beast (bsc#1245936)

The following package changes have been done:

- boost-license1_66_0-1.66.0-150200.12.7.1 updated
- libboost_system1_66_0-1.66.0-150200.12.7.1 updated
- libboost_thread1_66_0-1.66.0-150200.12.7.1 updated

From sle-container-updates at lists.suse.com Tue Jul 29 07:16:49 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 29 Jul 2025 09:16:49 +0200 (CEST)
Subject: SUSE-CU-2025:5653-1: Security update of suse/sle-micro/5.4/toolbox
Message-ID: <20250729071649.DAAB3FF2D@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.4/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5653-1
Container Tags : suse/sle-micro/5.4/toolbox:14.2 , suse/sle-micro/5.4/toolbox:14.2-5.19.163 , suse/sle-micro/5.4/toolbox:latest
Container Release : 5.19.163
Severity : critical
Type : security
References : 1245936 CVE-2016-9840
-----------------------------------------------------------------

The container suse/sle-micro/5.4/toolbox was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2536-1
Released: Mon Jul 28 16:06:06 2025
Summary: Security update for boost
Type: security
Severity: critical
References: 1245936,CVE-2016-9840

This update for boost fixes the following issues:

- CVE-2016-9840: Fixed out-of-bounds pointer arithmetic in zlib in beast (bsc#1245936)

The following package changes have been done:

- boost-license1_66_0-1.66.0-150200.12.7.1 updated
- libboost_regex1_66_0-1.66.0-150200.12.7.1 updated
- libboost_system1_66_0-1.66.0-150200.12.7.1 updated
- libboost_thread1_66_0-1.66.0-150200.12.7.1 updated

From sle-container-updates at lists.suse.com Tue Jul 29 07:18:07 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 29 Jul 2025 09:18:07 +0200 (CEST)
Subject: SUSE-CU-2025:5654-1: Security update of suse/sle-micro/5.5/toolbox
Message-ID: <20250729071807.E57C5FF2D@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.5/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5654-1
Container Tags : suse/sle-micro/5.5/toolbox:14.2 , suse/sle-micro/5.5/toolbox:14.2-3.12.66 , suse/sle-micro/5.5/toolbox:latest
Container Release : 3.12.66
Severity : critical
Type : security
References : 1245936 CVE-2016-9840
-----------------------------------------------------------------

The container suse/sle-micro/5.5/toolbox was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2536-1
Released: Mon Jul 28 16:06:06 2025
Summary: Security update for boost
Type: security
Severity: critical
References: 1245936,CVE-2016-9840

This update for boost fixes the following issues:

- CVE-2016-9840: Fixed out-of-bounds pointer arithmetic in zlib in beast (bsc#1245936)

The following package changes have been done:

- boost-license1_66_0-1.66.0-150200.12.7.1 updated
- libboost_regex1_66_0-1.66.0-150200.12.7.1 updated
- libboost_system1_66_0-1.66.0-150200.12.7.1 updated
- libboost_thread1_66_0-1.66.0-150200.12.7.1 updated

From sle-container-updates at lists.suse.com Tue Jul 29 07:18:48 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 29 Jul 2025 09:18:48 +0200 (CEST)
Subject: SUSE-IU-2025:2131-1: Security update of suse/sl-micro/6.0/baremetal-os-container
Message-ID: <20250729071848.A5F83FF2D@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.0/baremetal-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2131-1
Image Tags : suse/sl-micro/6.0/baremetal-os-container:2.1.3 , suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.61 , suse/sl-micro/6.0/baremetal-os-container:latest
Image Release : 6.61
Severity : important
Type : security
References : 1216091 1218459 1241052 1242844 1243450 1244596 CVE-2024-23337 CVE-2025-4373 CVE-2025-6052
-----------------------------------------------------------------

The container suse/sl-micro/6.0/baremetal-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 388
Released: Mon Jul 21 11:01:26 2025
Summary: Recommended update for rpm
Type: recommended
Severity: important
References: 1216091,1218459,1241052

This update for rpm fixes the following issues:

- fix --runposttrans not working correctly with the --root option [bsc#1216091]
  * added 'rpm_fixed_runposttrans' provides for libzypp
- print scriptlet messages in --runposttrans
  * needed to fix leaking tmp files [bsc#1218459]
- fix memory leak in str2locale [bsc#1241052]

-----------------------------------------------------------------
Advisory ID: 393
Released: Thu Jul 24 13:41:34 2025
Summary: Security update for jq
Type: security
Severity: moderate
References: 1243450,CVE-2024-23337

This update for jq fixes the following issues:

- CVE-2024-23337: Fixed signed integer overflow in jv.c:jvp_array_write (bsc#1243450)

-----------------------------------------------------------------
Advisory ID: 395
Released: Thu Jul 24 13:51:08 2025
Summary: Security update for glib2
Type: security
Severity: important
References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052

This update for glib2 fixes the following issues:

- CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844)
- CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596)

The following package changes have been done:

- rpm-4.18.0-7.1 updated
- SL-Micro-release-6.0-25.38 updated
- libglib-2_0-0-2.76.2-9.1 updated
- libgobject-2_0-0-2.76.2-9.1 updated
- libgmodule-2_0-0-2.76.2-9.1 updated
- libgio-2_0-0-2.76.2-9.1 updated
- glib2-tools-2.76.2-9.1 updated
- libjq1-1.6-4.1 updated
- jq-1.6-4.1 updated
- container:SL-Micro-base-container-2.1.3-7.29 updated

From sle-container-updates at lists.suse.com Tue Jul 29 07:15:16 2025
From: sle-container-updates at lists.suse.com
(sle-container-updates at lists.suse.com) Date: Tue, 29 Jul 2025 09:15:16 +0200 (CEST) Subject: SUSE-CU-2025:5652-1: Security update of suse/sle-micro-rancher/5.4 Message-ID: <20250729071516.EAA6EFF1E@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro-rancher/5.4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5652-1 Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.31 , suse/sle-micro-rancher/5.4:latest Container Release : 4.5.31 Severity : important Type : security References : 1065729 1156395 1193629 1194869 1198410 1199356 1199487 1201160 1201956 1202094 1202095 1202564 1202716 1202823 1202860 1203197 1203361 1205220 1205514 1206664 1206878 1206880 1207361 1207638 1211226 1212051 1213090 1218184 1218234 1218470 1222634 1223675 1224095 1224597 1225468 1225820 1226514 1226552 1228659 1230827 1231293 1232504 1233551 1234156 1234381 1234454 1235637 1236333 1236821 1236822 1237159 1237312 1237313 1238303 1238526 1238570 1238876 1239986 1240785 1241038 1242221 1242414 1242417 1242504 1242596 1242782 1242924 1243001 1243330 1243543 1243627 1243832 1244114 1244179 1244234 1244241 1244277 1244309 1244337 1244732 1244764 1244765 1244767 1244770 1244771 1244773 1244774 1244776 1244779 1244780 1244781 1244782 1244783 1244784 1244786 1244787 1244788 1244790 1244793 1244794 1244796 1244797 1244798 1244800 1244802 1244804 1244807 1244808 1244811 1244813 1244814 1244815 1244816 1244819 1244820 1244823 1244824 1244825 1244830 1244831 1244832 1244834 1244836 1244838 1244839 1244840 1244841 1244842 1244843 1244845 1244846 1244848 1244849 1244851 1244853 1244854 1244856 1244860 1244861 1244866 1244867 1244868 1244869 1244870 1244871 1244872 1244873 1244875 1244876 1244878 1244879 1244881 1244883 1244884 1244886 1244887 1244890 1244895 1244899 1244900 1244901 1244902 1244903 1244908 1244911 1244915 1244936 1244941 1244942 1244943 1244944 1244945 1244948 1244949 1244950 1244956 1244958 1244959 1244965 1244966 
1244967 1244968 1244969 1244970 1244974 1244976 1244977 1244978 1244979 1244983 1244984 1244985 1244986 1244991 1244992 1244993 1245006 1245007 1245009 1245011 1245012 1245018 1245019 1245024 1245028 1245031 1245032 1245033 1245038 1245039 1245041 1245047 1245051 1245057 1245058 1245060 1245062 1245064 1245069 1245072 1245073 1245088 1245089 1245092 1245093 1245098 1245103 1245117 1245118 1245119 1245121 1245122 1245125 1245129 1245131 1245133 1245134 1245135 1245136 1245138 1245139 1245140 1245142 1245146 1245147 1245149 1245152 1245154 1245180 1245183 1245189 1245191 1245195 1245197 1245265 1245348 1245431 1245455 CVE-2021-47557 CVE-2021-47595 CVE-2022-1679 CVE-2022-2585 CVE-2022-2586 CVE-2022-2905 CVE-2022-3903 CVE-2022-4095 CVE-2022-4662 CVE-2022-49934 CVE-2022-49936 CVE-2022-49937 CVE-2022-49938 CVE-2022-49940 CVE-2022-49942 CVE-2022-49945 CVE-2022-49946 CVE-2022-49948 CVE-2022-49950 CVE-2022-49952 CVE-2022-49954 CVE-2022-49956 CVE-2022-49957 CVE-2022-49958 CVE-2022-49960 CVE-2022-49964 CVE-2022-49966 CVE-2022-49968 CVE-2022-49969 CVE-2022-49977 CVE-2022-49978 CVE-2022-49981 CVE-2022-49982 CVE-2022-49983 CVE-2022-49984 CVE-2022-49985 CVE-2022-49986 CVE-2022-49987 CVE-2022-49989 CVE-2022-49990 CVE-2022-49993 CVE-2022-49995 CVE-2022-49999 CVE-2022-50005 CVE-2022-50006 CVE-2022-50008 CVE-2022-50010 CVE-2022-50011 CVE-2022-50012 CVE-2022-50019 CVE-2022-50020 CVE-2022-50021 CVE-2022-50022 CVE-2022-50023 CVE-2022-50024 CVE-2022-50026 CVE-2022-50027 CVE-2022-50028 CVE-2022-50029 CVE-2022-50030 CVE-2022-50031 CVE-2022-50032 CVE-2022-50033 CVE-2022-50034 CVE-2022-50036 CVE-2022-50038 CVE-2022-50039 CVE-2022-50040 CVE-2022-50045 CVE-2022-50046 CVE-2022-50047 CVE-2022-50051 CVE-2022-50053 CVE-2022-50055 CVE-2022-50059 CVE-2022-50060 CVE-2022-50061 CVE-2022-50062 CVE-2022-50065 CVE-2022-50066 CVE-2022-50067 CVE-2022-50068 CVE-2022-50072 CVE-2022-50073 CVE-2022-50074 CVE-2022-50076 CVE-2022-50077 CVE-2022-50079 CVE-2022-50083 CVE-2022-50084 CVE-2022-50085 CVE-2022-50087 
CVE-2022-50092 CVE-2022-50093 CVE-2022-50094 CVE-2022-50095 CVE-2022-50097 CVE-2022-50098 CVE-2022-50099 CVE-2022-50100 CVE-2022-50101 CVE-2022-50102 CVE-2022-50103 CVE-2022-50104 CVE-2022-50108 CVE-2022-50109 CVE-2022-50110 CVE-2022-50111 CVE-2022-50112 CVE-2022-50116 CVE-2022-50118 CVE-2022-50120 CVE-2022-50121 CVE-2022-50124 CVE-2022-50125 CVE-2022-50126 CVE-2022-50127 CVE-2022-50129 CVE-2022-50131 CVE-2022-50132 CVE-2022-50134 CVE-2022-50136 CVE-2022-50137 CVE-2022-50138 CVE-2022-50139 CVE-2022-50140 CVE-2022-50141 CVE-2022-50142 CVE-2022-50143 CVE-2022-50145 CVE-2022-50146 CVE-2022-50149 CVE-2022-50151 CVE-2022-50152 CVE-2022-50153 CVE-2022-50154 CVE-2022-50155 CVE-2022-50156 CVE-2022-50157 CVE-2022-50158 CVE-2022-50160 CVE-2022-50161 CVE-2022-50162 CVE-2022-50164 CVE-2022-50165 CVE-2022-50169 CVE-2022-50171 CVE-2022-50172 CVE-2022-50173 CVE-2022-50175 CVE-2022-50176 CVE-2022-50178 CVE-2022-50179 CVE-2022-50181 CVE-2022-50185 CVE-2022-50187 CVE-2022-50190 CVE-2022-50191 CVE-2022-50192 CVE-2022-50194 CVE-2022-50196 CVE-2022-50197 CVE-2022-50198 CVE-2022-50199 CVE-2022-50200 CVE-2022-50201 CVE-2022-50202 CVE-2022-50203 CVE-2022-50204 CVE-2022-50206 CVE-2022-50207 CVE-2022-50208 CVE-2022-50209 CVE-2022-50211 CVE-2022-50212 CVE-2022-50213 CVE-2022-50215 CVE-2022-50218 CVE-2022-50220 CVE-2022-50222 CVE-2022-50226 CVE-2022-50228 CVE-2022-50229 CVE-2022-50231 CVE-2023-3111 CVE-2023-52924 CVE-2023-52925 CVE-2023-53048 CVE-2023-53076 CVE-2023-53097 CVE-2024-26808 CVE-2024-26924 CVE-2024-26935 CVE-2024-27397 CVE-2024-35840 CVE-2024-36978 CVE-2024-46800 CVE-2024-53057 CVE-2024-53125 CVE-2024-53141 CVE-2024-56770 CVE-2024-57947 CVE-2024-57999 CVE-2025-21700 CVE-2025-21702 CVE-2025-21703 CVE-2025-21756 CVE-2025-23141 CVE-2025-23145 CVE-2025-37752 CVE-2025-37797 CVE-2025-37798 CVE-2025-37823 CVE-2025-37890 CVE-2025-37932 CVE-2025-37953 CVE-2025-37997 CVE-2025-38000 CVE-2025-38001 CVE-2025-38014 CVE-2025-38083 ----------------------------------------------------------------- 
The container suse/sle-micro-rancher/5.4 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2537-1
Released: Mon Jul 28 17:08:58 2025
Summary: Security update for the Linux Kernel
Type: security
Severity: important

The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

- CVE-2021-47557: net/sched: sch_ets: do not peek at classes beyond 'nbands' (bsc#1207361 bsc#1225468).
- CVE-2021-47595: net/sched: sch_ets: do not remove idle classes from the round-robin list (bsc#1207361 bsc#1226552).
- CVE-2023-52924: netfilter: nf_tables: do not skip expired elements during walk (bsc#1236821).
- CVE-2023-52925: netfilter: nf_tables: do not fail inserts if duplicate has expired (bsc#1236822).
- CVE-2024-26808: netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain (bsc#1222634).
- CVE-2024-26924: scsi: lpfc: Release hbalock before calling lpfc_worker_wake_up() (bsc#1225820).
- CVE-2024-27397: kabi: place tstamp needed for nftables set in a hole (bsc#1224095).
- CVE-2024-36978: net: sched: sch_multiq: fix possible OOB write in multiq_tune() (bsc#1226514).
- CVE-2024-46800: sch/netem: fix use after free in netem_dequeue (bsc#1230827).
- CVE-2024-53057: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT (bsc#1233551).
- CVE-2024-53125: bpf: sync_linked_regs() must preserve subreg_def (bsc#1234156).
- CVE-2024-53141: netfilter: ipset: add missing range check in bitmap_ip_uadt (bsc#1234381).
- CVE-2024-56770: sch/netem: fix use after free in netem_dequeue (bsc#1235637).
- CVE-2024-57947: netfilter: nf_set_pipapo: fix initial map fill (bsc#1236333).
- CVE-2025-21700: net: sched: Disallow replacing of child qdisc from one parent to another (bsc#1237159).
- CVE-2025-21702: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (bsc#1237312). - CVE-2025-21703: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() (bsc#1237313). - CVE-2025-21756: vsock: Orphan socket after transport release (bsc#1238876). - CVE-2025-23141: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses (bsc#1242782). - CVE-2025-37752: net_sched: sch_sfq: move the limit validation (bsc#1242504). - CVE-2025-37797: net_sched: hfsc: Fix a UAF vulnerability in class handling (bsc#1242417). - CVE-2025-37823: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too (bsc#1242924). - CVE-2025-37890: net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc (bsc#1243330). - CVE-2025-37997: netfilter: ipset: fix region locking in hash types (bsc#1243832). - CVE-2025-38000: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (bsc#1244277). - CVE-2025-38001: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice (bsc#1244234). - CVE-2025-38014: dmaengine: idxd: Refactor remove call with idxd_cleanup() helper (bsc#1244732). - CVE-2025-38083: net_sched: prio: fix a race in prio_tune() (bsc#1245183). The following non-security bugs were fixed: - Fix conditional for selecting gcc-13 Fixes: 51dacec21eb1 ('Use gcc-13 for build on SLE16 (jsc#PED-10028).') - Fix reference in 'net_sched: sch_sfq: use a temporary work area for validating configuration' (bsc#1242504) - MyBS: Correctly generate build flags for non-multibuild package limit (bsc# 1244241) Fixes: 0999112774fc ('MyBS: Use buildflags to set which package to build') - MyBS: Do not build kernel-obs-qa with limit_packages Fixes: 58e3f8c34b2b ('bs-upload-kernel: Pass limit_packages also on multibuild') - MyBS: Simplify qa_expr generation Start with a 0 which makes the expression valid even if there are no QA repositories (currently does not happen). Then separator is always needed. 
- Require zstd in kernel-default-devel when module compression is zstd To use ksym-provides tool modules need to be uncompressed. Without zstd at least kernel-default-base does not have provides. Link: https://github.com/openSUSE/rpm-config-SUSE/pull/82 - Use gcc-13 for build on SLE16 (jsc#PED-10028). - add nf_tables for iptables non-legacy network handling This is needed for example by docker on the Alpine Linux distribution, but can also be used on openSUSE. - bs-upload-kernel: Pass limit_packages also on multibuild Fixes: 0999112774fc ('MyBS: Use buildflags to set which package to build') Fixes: 747f601d4156 ('bs-upload-kernel, MyBS, Buildresults: Support multibuild (JSC-SLE#5501, boo#1211226, bsc#1218184)') - check-for-config-changes: Fix flag name typo - doc/README.SUSE: Point to the updated version of LKMPG - hugetlb: unshare some PMDs when splitting VMAs (bsc#1245431). - kernel-binary: Support livepatch_rt with merged RT branch - kernel-obs-qa: Use srchash for dependency as well - kernel-source: Also replace bin/env - kernel-source: Also update the search to match bin/env Fixes: dc2037cd8f94 ('kernel-source: Also replace bin/env' - kernel-source: Remove log.sh from sources - mkspec: Exclude rt flavor from kernel-syms dependencies (bsc#1244337). - mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race (bsc#1245431). - mm/hugetlb: unshare page tables during VMA split, not before (bsc#1245431). - net_sched: sch_fifo: implement lockless __fifo_dump() (bsc#1237312) - net_sched: sch_sfq: use a temporary work area for validating configuration (bsc#1232504) - packaging: Patch Makefile to pre-select gcc version (jsc#PED-12251). - packaging: Turn gcc version into config.sh variable Fixes: 51dacec21eb1 ('Use gcc-13 for build on SLE16 (jsc#PED-10028).') - powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap (bsc#1244309 ltc#213790). - powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() (bsc#1244309 ltc#213790). 
- rpm/check-for-config-changes: Add GCC_ASM_FLAG_OUTPUT_BROKEN - rpm/check-for-config-changes: Add GCC_ASM_FLAG_OUTPUT_BROKEN Both spellings are actually used - rpm/check-for-config-changes: add LD_CAN_ to IGNORED_CONFIGS_RE - rpm/check-for-config-changes: add more to IGNORED_CONFIGS_RE Useful when someone tries (needs) to build the kernel with clang. - rpm/check-for-config-changes: ignore DRM_MSM_VALIDATE_XML This option is dynamically enabled to build-test different configurations. This makes run_oldconfig.sh complain sporadically for arm64. - rpm/kernel-binary.spec.in: Also order against update-bootloader (boo#1228659, boo#1240785, boo#1241038). - rpm/kernel-binary.spec.in: Fix missing 20-kernel-default-extra.conf (bsc#1239986) sle_version was obsoleted for SLE16. It has to be combined with suse_version check. - rpm/kernel-binary.spec.in: Use OrderWithRequires (boo#1228659 boo#1241038). - rpm/kernel-binary.spec.in: fix KMPs build on 6.13+ (bsc#1234454) - rpm/kernel-docs.spec.in: Workaround for reproducible builds (bsc#1238303) - rpm/package-descriptions: Add rt and rt_debug descriptions - rpm/release-projects: Update the ALP projects again (bsc#1231293). - rpm/split-modules: Fix optional splitting with usrmerge (bsc#1238570) - rpm: Stop using is_kotd_qa macro - scsi: storvsc: Do not report the host packet status as the hv status (git-fixes). - scsi: storvsc: Increase the timeouts to storvsc_timeout (bsc#1245455). - wifi: cfg80211: Add my certificate (bsc#1243001). - wifi: cfg80211: fix certs build to not depend on file order (bsc#1243001). 
The following package changes have been done: - kernel-default-5.14.21-150400.24.170.2 updated From sle-container-updates at lists.suse.com Tue Jul 29 07:22:09 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 29 Jul 2025 09:22:09 +0200 (CEST) Subject: SUSE-CU-2025:5657-1: Security update of suse/sl-micro/6.0/toolbox Message-ID: <20250729072209.31373FF1E@maintenance.suse.de> SUSE Container Update Advisory: suse/sl-micro/6.0/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5657-1 Container Tags : suse/sl-micro/6.0/toolbox:13.2 , suse/sl-micro/6.0/toolbox:13.2-9.16 , suse/sl-micro/6.0/toolbox:latest Container Release : 9.16 Severity : important Type : security References : 1174091 1216091 1218459 1221107 1227378 1241052 1242844 1243155 1243273 1243772 1244032 1244056 1244059 1244060 1244061 1244596 1244705 831629 CVE-2019-20907 CVE-2019-9947 CVE-2020-15523 CVE-2020-15801 CVE-2024-12718 CVE-2024-2236 CVE-2025-4138 CVE-2025-4330 CVE-2025-4373 CVE-2025-4435 CVE-2025-4516 CVE-2025-4517 CVE-2025-48964 CVE-2025-6052 CVE-2025-6069 ----------------------------------------------------------------- The container suse/sl-micro/6.0/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 381 Released: Fri Jul 11 11:20:30 2025 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1221107,CVE-2024-2236 This update for libgcrypt fixes the following issues: - CVE-2024-2236: Fixed timing based side-channel in RSA implementation (bsc#1221107) ----------------------------------------------------------------- Advisory ID: 379 Released: Fri Jul 11 11:47:32 2025 Summary: Security update for python311 Type: security Severity: important References: 1174091,1227378,1243155,1243273,1244032,1244056,1244059,1244060,1244061,1244705,831629,CVE-2019-20907,CVE-2019-9947,CVE-2020-15523,CVE-2020-15801,CVE-2024-12718,CVE-2025-4138,CVE-2025-4330,CVE-2025-4435,CVE-2025-4516,CVE-2025-4517,CVE-2025-6069 This update for python311 fixes the following issues: - CVE-2025-6069: Avoid worst case quadratic complexity when processing certain crafted malformed inputs with HTMLParser (bsc#1244705). Update to 3.11.13: - Security - gh-135034: Fixes multiple issues that allowed tarfile extraction filters (filter='data' and filter='tar') to be bypassed using crafted symlinks and hard links. Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138 (bsc#1244059), CVE-2025-4330 (bsc#1244060), and CVE-2025-4517 (bsc#1244032). Also addresses CVE-2025-4435 (gh#135034, bsc#1244061). - gh-133767: Fix use-after-free in the "unicode-escape" decoder with a non-"strict" error handler (CVE-2025-4516, bsc#1243273). - gh-128840: Short-circuit the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor denial-of-service. - Library - gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 address. - gh-134062: ipaddress: fix collisions in __hash__() for IPv4Network and IPv6Network objects. - gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output according to RFC 3596, §2.5. 
Patch by Bénédikt Tran. - bpo-43633: Improve the textual representation of IPv4-mapped IPv6 addresses (RFC 4291 Sections 2.2, 2.5.5.2) in ipaddress. Patch by Oleksandr Pavliuk. - CVE-2025-4516: Fixed blocking DecodeError handling vulnerability, which could lead to DoS. (bsc#1243273) ----------------------------------------------------------------- Advisory ID: 388 Released: Mon Jul 21 11:01:26 2025 Summary: Recommended update for rpm Type: recommended Severity: important References: 1216091,1218459,1241052 This update for rpm fixes the following issues: - fix --runposttrans not working correctly with the --root option [bsc#1216091] * added 'rpm_fixed_runposttrans' provides for libzypp - print scriptlet messages in --runposttrans * needed to fix leaking tmp files [bsc#1218459] - fix memory leak in str2locale [bsc#1241052] ----------------------------------------------------------------- Advisory ID: 390 Released: Mon Jul 21 12:04:01 2025 Summary: Security update for iputils Type: security Severity: moderate References: 1243772,CVE-2025-48964 This update for iputils fixes the following issues: - CVE-2025-48964: Fixed integer overflow in ping statistics via zero timestamp (bsc#1243772) ----------------------------------------------------------------- Advisory ID: 395 Released: Thu Jul 24 13:51:08 2025 Summary: Security update for glib2 Type: security Severity: important References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052 This update for glib2 fixes the following issues: - CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844) - CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596) The following package changes have been done: - SL-Micro-release-6.0-25.37 updated - iputils-20221126-6.1 updated - libgcrypt20-1.10.3-2.1 updated - libglib-2_0-0-2.76.2-9.1 updated - libgmodule-2_0-0-2.76.2-9.1 updated - libpython3_11-1_0-3.11.13-1.1 updated 
- libzypp-17.37.12-1.1 updated - python311-base-3.11.13-1.1 updated - rpm-4.18.0-7.1 updated - skelcd-EULA-SL-Micro-2024.01.19-8.36 updated From sle-container-updates at lists.suse.com Tue Jul 29 07:22:43 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 29 Jul 2025 09:22:43 +0200 (CEST) Subject: SUSE-IU-2025:2135-1: Security update of suse/sl-micro/6.1/base-os-container Message-ID: <20250729072243.7F6C5FF1E@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2135-1 Image Tags : suse/sl-micro/6.1/base-os-container:2.2.1 , suse/sl-micro/6.1/base-os-container:2.2.1-5.12 , suse/sl-micro/6.1/base-os-container:latest Image Release : 5.12 Severity : important Type : security References : 1223880 1233785 1241083 1243226 1244079 CVE-2024-11498 CVE-2024-34062 CVE-2024-56406 CVE-2025-40909 CVE-2025-6018 ----------------------------------------------------------------- The container suse/sl-micro/6.1/base-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 191 Released: Mon Jul 28 16:35:09 2025 Summary: Security update for perl Type: security Severity: important References: 1233785,1241083,1244079,CVE-2024-11498,CVE-2024-56406,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2024-56406: Fixed heap buffer overflow when transliterating non-ASCII bytes (bsc#1241083) - CVE-2025-40909: Fixed a working directory race condition causing file operations to target unintended paths (bsc#1244079) ----------------------------------------------------------------- Advisory ID: 192 Released: Mon Jul 28 16:36:18 2025 Summary: Security update for pam-config Type: security Severity: important References: 1223880,1243226,CVE-2024-34062,CVE-2025-6018 This update for pam-config fixes the following issues: - CVE-2025-6018: Stop adding pam_env in AUTH stack, and be sure to put this module at the very end of the SESSION stack. 
(bsc#1243226) The following package changes have been done: - perl-base-5.38.2-slfo.1.1_2.1 updated - pam-config-2.11+git.20240906-slfo.1.1_2.1 updated - SL-Micro-release-6.1-slfo.1.11.44 updated - container:suse-toolbox-image-1.0.0-4.55 updated From sle-container-updates at lists.suse.com Tue Jul 29 07:23:17 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 29 Jul 2025 09:23:17 +0200 (CEST) Subject: SUSE-IU-2025:2136-1: Security update of suse/sl-micro/6.1/kvm-os-container Message-ID: <20250729072317.C65CDFF1E@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/kvm-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2136-1 Image Tags : suse/sl-micro/6.1/kvm-os-container:2.2.1 , suse/sl-micro/6.1/kvm-os-container:2.2.1-5.12 , suse/sl-micro/6.1/kvm-os-container:latest Image Release : 5.12 Severity : important Type : security References : 1223880 1243226 CVE-2024-34062 CVE-2025-6018 ----------------------------------------------------------------- The container suse/sl-micro/6.1/kvm-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 192 Released: Mon Jul 28 16:36:18 2025 Summary: Security update for pam-config Type: security Severity: important References: 1223880,1243226,CVE-2024-34062,CVE-2025-6018 This update for pam-config fixes the following issues: - CVE-2025-6018: Stop adding pam_env in AUTH stack, and be sure to put this module at the very end of the SESSION stack. 
(bsc#1243226) The following package changes have been done: - pam-config-2.11+git.20240906-slfo.1.1_2.1 updated - SL-Micro-release-6.1-slfo.1.11.44 updated - container:SL-Micro-base-container-2.2.1-5.12 updated From sle-container-updates at lists.suse.com Tue Jul 29 07:30:44 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 29 Jul 2025 09:30:44 +0200 (CEST) Subject: SUSE-CU-2025:5666-1: Security update of suse/sle-micro/5.1/toolbox Message-ID: <20250729073044.03DADFF1E@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.1/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5666-1 Container Tags : suse/sle-micro/5.1/toolbox:14.2 , suse/sle-micro/5.1/toolbox:14.2-3.13.153 , suse/sle-micro/5.1/toolbox:latest Container Release : 3.13.153 Severity : critical Type : security References : 1245936 CVE-2016-9840 ----------------------------------------------------------------- The container suse/sle-micro/5.1/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2536-1 Released: Mon Jul 28 16:06:06 2025 Summary: Security update for boost Type: security Severity: critical References: 1245936,CVE-2016-9840 This update for boost fixes the following issues: - CVE-2016-9840: Fixed out-of-bounds pointer arithmetic in zlib in beast (bsc#1245936) The following package changes have been done: - boost-license1_66_0-1.66.0-150200.12.7.1 updated - libboost_regex1_66_0-1.66.0-150200.12.7.1 updated - libboost_system1_66_0-1.66.0-150200.12.7.1 updated - libboost_thread1_66_0-1.66.0-150200.12.7.1 updated From sle-container-updates at lists.suse.com Tue Jul 29 07:35:17 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 29 Jul 2025 09:35:17 +0200 (CEST) Subject: SUSE-CU-2025:5668-1: Security update of suse/sle-micro/5.2/toolbox Message-ID: <20250729073517.B8C1BFF1E@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5668-1 Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.155 , suse/sle-micro/5.2/toolbox:latest Container Release : 7.11.155 Severity : critical Type : security References : 1245936 CVE-2016-9840 ----------------------------------------------------------------- The container suse/sle-micro/5.2/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2536-1 Released: Mon Jul 28 16:06:06 2025 Summary: Security update for boost Type: security Severity: critical References: 1245936,CVE-2016-9840 This update for boost fixes the following issues: - CVE-2016-9840: Fixed out-of-bounds pointer arithmetic in zlib in beast (bsc#1245936) The following package changes have been done: - boost-license1_66_0-1.66.0-150200.12.7.1 updated - libboost_regex1_66_0-1.66.0-150200.12.7.1 updated - libboost_system1_66_0-1.66.0-150200.12.7.1 updated - libboost_thread1_66_0-1.66.0-150200.12.7.1 updated From sle-container-updates at lists.suse.com Wed Jul 30 07:06:22 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 30 Jul 2025 09:06:22 +0200 (CEST) Subject: SUSE-IU-2025:2147-1: Security update of suse/sl-micro/6.0/base-os-container Message-ID: <20250730070622.F1D09FF2D@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2147-1 Image Tags : suse/sl-micro/6.0/base-os-container:2.1.3 , suse/sl-micro/6.0/base-os-container:2.1.3-7.30 , suse/sl-micro/6.0/base-os-container:latest Image Release : 7.30 Severity : important Type : security References : 1229163 1229164 1233606 1233608 1233609 1233610 1233612 1233613 1233614 1233615 1233616 1233617 1234958 1236316 1236317 1237002 1237006 1237008 1237009 1237010 1237011 1237012 1237013 1237014 1239674 1242971 CVE-2024-45774 CVE-2024-45775 CVE-2024-45776 CVE-2024-45777 CVE-2024-45778 CVE-2024-45779 CVE-2024-45780 CVE-2024-45781 CVE-2024-45782 CVE-2024-45783 CVE-2024-49504 CVE-2024-56737 CVE-2025-0622 CVE-2025-0624 CVE-2025-0677 CVE-2025-0678 CVE-2025-0684 CVE-2025-0685 CVE-2025-0686 CVE-2025-0689 CVE-2025-0690 CVE-2025-1118 CVE-2025-1125 CVE-2025-4382 
----------------------------------------------------------------- The container suse/sl-micro/6.0/base-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 399 Released: Tue Jul 29 10:20:21 2025 Summary: Security update for grub2 Type: security Severity: important References: 1229163,1229164,1233606,1233608,1233609,1233610,1233612,1233613,1233614,1233615,1233616,1233617,1234958,1236316,1236317,1237002,1237006,1237008,1237009,1237010,1237011,1237012,1237013,1237014,1239674,1242971,CVE-2024-45774,CVE-2024-45775,CVE-2024-45776,CVE-2024-45777,CVE-2024-45778,CVE-2024-45779,CVE-2024-45780,CVE-2024-45781,CVE-2024-45782,CVE-2024-45783,CVE-2024-49504,CVE-2024-56737,CVE-2025-0622,CVE-2025-0624,CVE-2025-0677,CVE-2025-0678,CVE-2025-0684,CVE-2025-0685,CVE-2025-0686,CVE-2025-0689,CVE-2025-0690,CVE-2025-1118,CVE-2025-1125,CVE-2025-4382 This update for grub2 fixes the following issues: - CVE-2025-4382: Fixed TPM auto-decryption data exposure (bsc#1242971) - Filter out the non-subvolume btrfs mount points when creating the relative path (bsc#1239674) - CVE-2024-45781: Fixed ufs strcpy overflow (bsc#1233617) - CVE-2024-56737: Fixed heap-based buffer overflow in fs/hfs.c via crafted sblock data in an HFS filesystem (bsc#1234958) - CVE-2024-45782: Fixed hfs strcpy overflow (bsc#1233615) - CVE-2024-45780: Fixed overflow in tar/cpio(bsc#1233614) - CVE-2024-45783: Fixed hfsplus refcount overflow (bsc#1233616) - CVE-2025-0624: Fixed out-of-bounds write in grub_net_search_config_file() (bsc#1236316) - CVE-2024-45774: Fixed heap overflows in JPEG parser (bsc#1233609) - CVE-2024-45775: Fixed missing NULL check in extcmd parser (bsc#1233610) - CVE-2025-0622: Fixed command/gpg: Use-after-free due to hooks not being removed on module unload (bsc#1236317) - CVE-2024-45776: Fixed overflow in .MO file (gettext) handling (bsc#1233612) - CVE-2024-45777: Fixed integer overflow in gettext 
(bsc#1233613) - CVE-2025-0690: Fixed integer overflow in read that may lead to out-of-bounds write (bsc#1237012) - CVE-2025-1118: Fixed commands/dump: The dump command is not in lockdown when secure boot is enabled (bsc#1237013) - CVE-2024-45778: Fixed bfs filesystem not fuzzing stable (bsc#1233606) - CVE-2024-45779: Fixed bfs heap overflow (bsc#1233608) - CVE-2025-0677: Fixed integer overflow that may lead to heap based out-of-bounds write when handling symlinks in ufs (bsc#1237002) - CVE-2025-0684: Fixed reiserfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data (bsc#1237008) - CVE-2025-0685: Fixed jfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data (bsc#1237009) - CVE-2025-0686: Fixed romfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data (bsc#1237010) - CVE-2025-0689: Fixed udf: Heap based buffer overflow in grub_udf_read_block() may lead to arbitrary code execution (bsc#1237011) - CVE-2025-1125: Fixed fs/hfs: Integer overflow may lead to heap based out-of-bounds write (bsc#1237014) - CVE-2025-0678: Fixed squash4: Integer overflow may lead to heap based out-of-bounds write when reading data (bsc#1237006) - Bump upstream SBAT generation to 5 to block older grub2 versions. - CVE-2024-49504: Fixed Bypassing TPM-bound disk encryption on SL(E)M encrypted Images (bsc#1229163) (bsc#1229164) - Restrict CLI access if the encrypted root device is automatically unlocked by the TPM. 
LUKS password authentication is required for access to be granted - Obsolete, as CLI access is now locked and granted access no longer requires the previous restrictions The following package changes have been done: - grub2-2.12~rc1-6.1 updated - grub2-i386-pc-2.12~rc1-6.1 updated - grub2-x86_64-efi-2.12~rc1-6.1 updated From sle-container-updates at lists.suse.com Wed Jul 30 07:06:23 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 30 Jul 2025 09:06:23 +0200 (CEST) Subject: SUSE-IU-2025:2148-1: Security update of suse/sl-micro/6.0/base-os-container Message-ID: <20250730070623.99353FF2D@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2148-1 Image Tags : suse/sl-micro/6.0/base-os-container:2.1.3 , suse/sl-micro/6.0/base-os-container:2.1.3-7.32 , suse/sl-micro/6.0/base-os-container:latest Image Release : 7.32 Severity : important Type : security References : 1243226 CVE-2025-6018 ----------------------------------------------------------------- The container suse/sl-micro/6.0/base-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 401 Released: Tue Jul 29 16:09:33 2025 Summary: Security update for pam-config Type: security Severity: important References: 1243226,CVE-2025-6018 This update for pam-config fixes the following issues: - CVE-2025-6018: Stop adding pam_env in AUTH stack, and be sure to put this module at the very end of the SESSION stack. 
(bsc#1243226) The following package changes have been done: - pam-config-2.11-2.1 updated - container:suse-toolbox-image-1.0.0-9.18 updated From sle-container-updates at lists.suse.com Wed Jul 30 07:07:04 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 30 Jul 2025 09:07:04 +0200 (CEST) Subject: SUSE-IU-2025:2150-1: Security update of suse/sl-micro/6.0/kvm-os-container Message-ID: <20250730070704.38695FF2D@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/kvm-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2150-1 Image Tags : suse/sl-micro/6.0/kvm-os-container:2.1.3 , suse/sl-micro/6.0/kvm-os-container:2.1.3-6.56 , suse/sl-micro/6.0/kvm-os-container:latest Image Release : 6.56 Severity : important Type : security References : 1243226 CVE-2025-6018 ----------------------------------------------------------------- The container suse/sl-micro/6.0/kvm-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 401 Released: Tue Jul 29 16:09:33 2025 Summary: Security update for pam-config Type: security Severity: important References: 1243226,CVE-2025-6018 This update for pam-config fixes the following issues: - CVE-2025-6018: Stop adding pam_env in AUTH stack, and be sure to put this module at the very end of the SESSION stack. 
(bsc#1243226) The following package changes have been done: - pam-config-2.11-2.1 updated - container:SL-Micro-base-container-2.1.3-7.32 updated From sle-container-updates at lists.suse.com Wed Jul 30 07:07:50 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 30 Jul 2025 09:07:50 +0200 (CEST) Subject: SUSE-IU-2025:2152-1: Security update of suse/sl-micro/6.0/rt-os-container Message-ID: <20250730070750.40AE4FF2D@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/rt-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:2152-1 Image Tags : suse/sl-micro/6.0/rt-os-container:2.1.3 , suse/sl-micro/6.0/rt-os-container:2.1.3-7.66 , suse/sl-micro/6.0/rt-os-container:latest Image Release : 7.66 Severity : important Type : security References : 1243226 CVE-2025-6018 ----------------------------------------------------------------- The container suse/sl-micro/6.0/rt-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 401 Released: Tue Jul 29 16:09:33 2025 Summary: Security update for pam-config Type: security Severity: important References: 1243226,CVE-2025-6018 This update for pam-config fixes the following issues: - CVE-2025-6018: Stop adding pam_env in AUTH stack, and be sure to put this module at the very end of the SESSION stack. 
(bsc#1243226) The following package changes have been done: - pam-config-2.11-2.1 updated - container:SL-Micro-container-2.1.3-6.63 updated From sle-container-updates at lists.suse.com Wed Jul 30 07:09:06 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 30 Jul 2025 09:09:06 +0200 (CEST) Subject: SUSE-CU-2025:5675-1: Security update of suse/sl-micro/6.0/toolbox Message-ID: <20250730070906.8F5EBFF2D@maintenance.suse.de> SUSE Container Update Advisory: suse/sl-micro/6.0/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5675-1 Container Tags : suse/sl-micro/6.0/toolbox:13.2 , suse/sl-micro/6.0/toolbox:13.2-9.18 , suse/sl-micro/6.0/toolbox:latest Container Release : 9.18 Severity : important Type : security References : 1243226 CVE-2025-6018 ----------------------------------------------------------------- The container suse/sl-micro/6.0/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 401 Released: Tue Jul 29 16:09:33 2025 Summary: Security update for pam-config Type: security Severity: important References: 1243226,CVE-2025-6018 This update for pam-config fixes the following issues: - CVE-2025-6018: Stop adding pam_env in AUTH stack, and be sure to put this module at the very end of the SESSION stack. 
(bsc#1243226) The following package changes have been done: - pam-config-2.11-2.1 updated From sle-container-updates at lists.suse.com Wed Jul 30 07:10:01 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 30 Jul 2025 09:10:01 +0200 (CEST) Subject: SUSE-CU-2025:5676-1: Security update of suse/ltss/sle15.4/sle15 Message-ID: <20250730071001.9D415FF2D@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle15.4/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5676-1 Container Tags : suse/ltss/sle15.4/bci-base:15.4 , suse/ltss/sle15.4/bci-base:15.4.2.57 , suse/ltss/sle15.4/bci-base:latest , suse/ltss/sle15.4/sle15:15.4 , suse/ltss/sle15.4/sle15:15.4.2.57 , suse/ltss/sle15.4/sle15:latest Container Release : 2.57 Severity : critical Type : security References : 1245936 CVE-2016-9840 ----------------------------------------------------------------- The container suse/ltss/sle15.4/sle15 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2536-1 Released: Mon Jul 28 16:06:06 2025 Summary: Security update for boost Type: security Severity: critical References: 1245936,CVE-2016-9840 This update for boost fixes the following issues: - CVE-2016-9840: Fixed out-of-bounds pointer arithmetic in zlib in beast (bsc#1245936) The following package changes have been done: - boost-license1_66_0-1.66.0-150200.12.7.1 updated - libboost_system1_66_0-1.66.0-150200.12.7.1 updated - libboost_thread1_66_0-1.66.0-150200.12.7.1 updated From sle-container-updates at lists.suse.com Wed Jul 30 07:18:14 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 30 Jul 2025 09:18:14 +0200 (CEST) Subject: SUSE-CU-2025:5684-1: Security update of suse/sle15 Message-ID: <20250730071814.6348BFF1E@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5684-1 Container Tags : bci/bci-base:15.6 , bci/bci-base:15.6.47.23.16 , suse/sle15:15.6 , suse/sle15:15.6.47.23.16 Container Release : 47.23.16 Severity : critical Type : security References : 1245936 CVE-2016-9840 ----------------------------------------------------------------- The container suse/sle15 was updated. 
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2536-1
Released: Mon Jul 28 16:06:06 2025
Summary: Security update for boost
Type: security
Severity: critical
References: 1245936,CVE-2016-9840

This update for boost fixes the following issues:

- CVE-2016-9840: Fixed out-of-bounds pointer arithmetic in zlib in beast (bsc#1245936)

The following package changes have been done:

- boost-license1_66_0-1.66.0-150200.12.7.1 updated
- libboost_system1_66_0-1.66.0-150200.12.7.1 updated
- libboost_thread1_66_0-1.66.0-150200.12.7.1 updated

From sle-container-updates at lists.suse.com Wed Jul 30 07:19:19 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 30 Jul 2025 09:19:19 +0200 (CEST)
Subject: SUSE-CU-2025:5686-1: Recommended update of suse/389-ds
Message-ID: <20250730071919.2AB70FF1E@maintenance.suse.de>

SUSE Container Update Advisory: suse/389-ds
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5686-1
Container Tags : suse/389-ds:2.5 , suse/389-ds:2.5.3 , suse/389-ds:2.5.3-61.28 , suse/389-ds:latest
Container Release : 61.28
Severity : moderate
Type : recommended
References : 1233012
-----------------------------------------------------------------

The container suse/389-ds was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2543-1
Released: Tue Jul 29 11:09:01 2025
Summary: Recommended update for python-PyYAML, python-bcrypt, python-gssapi, python-pyparsing, python-python-dateutil, python-pytz, python-requests, python-setuptools_scm, python-simplejson, python-urllib3
Type: recommended
Severity: moderate
References: 1233012

This update for python-PyYAML, python-bcrypt, python-gssapi, python-pyparsing, python-python-dateutil, python-pytz, python-requests, python-setuptools_scm, python-simplejson, python-urllib3 fixes the following issues:

- Add python36 provides/obsoletes to enable SLE-12 to SLE-15 migration (bsc#1233012)

The following package changes have been done:

- python3-pyparsing-2.4.7-150300.3.3.1 updated
- python3-python-dateutil-2.8.1-150300.3.3.1 updated

From sle-container-updates at lists.suse.com Wed Jul 30 07:20:41 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 30 Jul 2025 09:20:41 +0200 (CEST)
Subject: SUSE-CU-2025:5700-1: Security update of suse/kea
Message-ID: <20250730072041.28D10FF1E@maintenance.suse.de>

SUSE Container Update Advisory: suse/kea
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5700-1
Container Tags : suse/kea:2.6 , suse/kea:2.6-61.25 , suse/kea:latest
Container Release : 61.25
Severity : critical
Type : security
References : 1245936 CVE-2016-9840
-----------------------------------------------------------------

The container suse/kea was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2536-1
Released: Mon Jul 28 16:06:06 2025
Summary: Security update for boost
Type: security
Severity: critical
References: 1245936,CVE-2016-9840

This update for boost fixes the following issues:

- CVE-2016-9840: Fixed out-of-bounds pointer arithmetic in zlib in beast (bsc#1245936)

The following package changes have been done:

- boost-license1_66_0-1.66.0-150200.12.7.1 updated
- libboost_system1_66_0-1.66.0-150200.12.7.1 updated
- container:registry.suse.com-bci-bci-base-15.7-4232c2790095361d6776af20382c431e7222f9956d773c3790d57cf7e94a7911-0 updated

From sle-container-updates at lists.suse.com Wed Jul 30 07:20:51 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 30 Jul 2025 09:20:51 +0200 (CEST)
Subject: SUSE-CU-2025:5701-1: Recommended update of bci/kiwi
Message-ID: <20250730072051.3798AFF1E@maintenance.suse.de>

SUSE Container Update Advisory: bci/kiwi
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5701-1
Container Tags : bci/kiwi:9 , bci/kiwi:9.24 , bci/kiwi:9.24.43 , bci/kiwi:9.24.43-17.2 , bci/kiwi:latest
Container Release : 17.2
Severity : moderate
Type : recommended
References : 1233012
-----------------------------------------------------------------

The container bci/kiwi was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2543-1
Released: Tue Jul 29 11:09:01 2025
Summary: Recommended update for python-PyYAML, python-bcrypt, python-gssapi, python-pyparsing, python-python-dateutil, python-pytz, python-requests, python-setuptools_scm, python-simplejson, python-urllib3
Type: recommended
Severity: moderate
References: 1233012

This update for python-PyYAML, python-bcrypt, python-gssapi, python-pyparsing, python-python-dateutil, python-pytz, python-requests, python-setuptools_scm, python-simplejson, python-urllib3 fixes the following issues:

- Add python36 provides/obsoletes to enable SLE-12 to SLE-15 migration (bsc#1233012)

The following package changes have been done:

- python3-pyparsing-2.4.7-150300.3.3.1 updated
- python3-simplejson-3.17.2-150300.3.7.1 updated
- python3-PyYAML-5.4.1-150300.3.6.1 updated
- python3-urllib3-1.25.10-150300.4.15.1 updated
- python3-requests-2.25.1-150300.3.18.1 updated

From sle-container-updates at lists.suse.com Wed Jul 30 07:20:51 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 30 Jul 2025 09:20:51 +0200 (CEST)
Subject: SUSE-CU-2025:5702-1: Security update of bci/kiwi
Message-ID: <20250730072051.ED54BFF1E@maintenance.suse.de>

SUSE Container Update Advisory: bci/kiwi
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5702-1
Container Tags : bci/kiwi:9 , bci/kiwi:9.24 , bci/kiwi:9.24.43 , bci/kiwi:9.24.43-17.3 , bci/kiwi:latest
Container Release : 17.3
Severity : critical
Type : security
References : 1245936 CVE-2016-9840
-----------------------------------------------------------------

The container bci/kiwi was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2536-1
Released: Mon Jul 28 16:06:06 2025
Summary: Security update for boost
Type: security
Severity: critical
References: 1245936,CVE-2016-9840

This update for boost fixes the following issues:

- CVE-2016-9840: Fixed out-of-bounds pointer arithmetic in zlib in beast (bsc#1245936)

The following package changes have been done:

- boost-license1_66_0-1.66.0-150200.12.7.1 updated
- libboost_system1_66_0-1.66.0-150200.12.7.1 updated
- libboost_thread1_66_0-1.66.0-150200.12.7.1 updated
- container:registry.suse.com-bci-bci-base-15.7-4232c2790095361d6776af20382c431e7222f9956d773c3790d57cf7e94a7911-0 updated

From sle-container-updates at lists.suse.com Wed Jul 30 07:22:22 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 30 Jul 2025 09:22:22 +0200 (CEST)
Subject: SUSE-CU-2025:5716-1: Recommended update of bci/python
Message-ID: <20250730072222.194E0FF1E@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5716-1
Container Tags : bci/python:3 , bci/python:3.6 , bci/python:3.6.15 , bci/python:3.6.15-72.8
Container Release : 72.8
Severity : moderate
Type : recommended
References : 1233012
-----------------------------------------------------------------

The container bci/python was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2543-1
Released: Tue Jul 29 11:09:01 2025
Summary: Recommended update for python-PyYAML, python-bcrypt, python-gssapi, python-pyparsing, python-python-dateutil, python-pytz, python-requests, python-setuptools_scm, python-simplejson, python-urllib3
Type: recommended
Severity: moderate
References: 1233012

This update for python-PyYAML, python-bcrypt, python-gssapi, python-pyparsing, python-python-dateutil, python-pytz, python-requests, python-setuptools_scm, python-simplejson, python-urllib3 fixes the following issues:

- Add python36 provides/obsoletes to enable SLE-12 to SLE-15 migration (bsc#1233012)

The following package changes have been done:

- python3-pyparsing-2.4.7-150300.3.3.1 updated

From sle-container-updates at lists.suse.com Wed Jul 30 07:22:59 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 30 Jul 2025 09:22:59 +0200 (CEST)
Subject: SUSE-CU-2025:5723-1: Security update of suse/sle15
Message-ID: <20250730072259.A2893FF1E@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5723-1
Container Tags : bci/bci-base:15.7 , bci/bci-base:15.7-5.8.16 , bci/bci-base:latest , suse/sle15:15.7 , suse/sle15:15.7-5.8.16 , suse/sle15:latest
Container Release : 5.8.16
Severity : critical
Type : security
References : 1245936 CVE-2016-9840
-----------------------------------------------------------------

The container suse/sle15 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2536-1
Released: Mon Jul 28 16:06:06 2025
Summary: Security update for boost
Type: security
Severity: critical
References: 1245936,CVE-2016-9840

This update for boost fixes the following issues:

- CVE-2016-9840: Fixed out-of-bounds pointer arithmetic in zlib in beast (bsc#1245936)

The following package changes have been done:

- boost-license1_66_0-1.66.0-150200.12.7.1 updated
- libboost_system1_66_0-1.66.0-150200.12.7.1 updated
- libboost_thread1_66_0-1.66.0-150200.12.7.1 updated

From sle-container-updates at lists.suse.com Wed Jul 30 07:23:08 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 30 Jul 2025 09:23:08 +0200 (CEST)
Subject: SUSE-CU-2025:5724-1: Security update of bci/spack
Message-ID: <20250730072308.6F85FFF1E@maintenance.suse.de>

SUSE Container Update Advisory: bci/spack
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5724-1
Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-14.8 , bci/spack:latest
Container Release : 14.8
Severity : important
Type : security
References : 1246472 CVE-2025-7519
-----------------------------------------------------------------

The container bci/spack was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2527-1
Released: Fri Jul 25 16:34:21 2025
Summary: Security update for polkit
Type: security
Severity: important
References: 1246472,CVE-2025-7519

This update for polkit fixes the following issues:

- CVE-2025-7519: Fixed a XML policy file with a large number of nested elements that may lead to out-of-bounds write.
(bsc#1246472)

The following package changes have been done:

- libpolkit-agent-1-0-121-150500.3.6.1 updated
- libpolkit-gobject-1-0-121-150500.3.6.1 updated
- polkit-121-150500.3.6.1 updated

From sle-container-updates at lists.suse.com Wed Jul 30 07:25:43 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 30 Jul 2025 09:25:43 +0200 (CEST)
Subject: SUSE-CU-2025:5733-1: Recommended update of suse/manager/4.3/proxy-httpd
Message-ID: <20250730072543.94CA3FF1E@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5733-1
Container Tags : suse/manager/4.3/proxy-httpd:4.3.16 , suse/manager/4.3/proxy-httpd:4.3.16.9.67.3 , suse/manager/4.3/proxy-httpd:latest
Container Release : 9.67.3
Severity : moderate
Type : recommended
References : 1233012
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-httpd was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2543-1
Released: Tue Jul 29 11:09:01 2025
Summary: Recommended update for python-PyYAML, python-bcrypt, python-gssapi, python-pyparsing, python-python-dateutil, python-pytz, python-requests, python-setuptools_scm, python-simplejson, python-urllib3
Type: recommended
Severity: moderate
References: 1233012

This update for python-PyYAML, python-bcrypt, python-gssapi, python-pyparsing, python-python-dateutil, python-pytz, python-requests, python-setuptools_scm, python-simplejson, python-urllib3 fixes the following issues:

- Add python36 provides/obsoletes to enable SLE-12 to SLE-15 migration (bsc#1233012)

The following package changes have been done:

- python3-pyparsing-2.4.7-150300.3.3.1 updated
- python3-PyYAML-5.4.1-150300.3.6.1 updated

From sle-container-updates at lists.suse.com Wed Jul 30 07:25:44 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 30 Jul 2025 09:25:44 +0200 (CEST)
Subject: SUSE-CU-2025:5734-1: Security update of suse/manager/4.3/proxy-httpd
Message-ID: <20250730072544.55DA2FF1E@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5734-1
Container Tags : suse/manager/4.3/proxy-httpd:4.3.16 , suse/manager/4.3/proxy-httpd:4.3.16.9.67.4 , suse/manager/4.3/proxy-httpd:latest
Container Release : 9.67.4
Severity : critical
Type : security
References : 1245936 CVE-2016-9840
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-httpd was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2536-1
Released: Mon Jul 28 16:06:06 2025
Summary: Security update for boost
Type: security
Severity: critical
References: 1245936,CVE-2016-9840

This update for boost fixes the following issues:

- CVE-2016-9840: Fixed out-of-bounds pointer arithmetic in zlib in beast (bsc#1245936)

The following package changes have been done:

- boost-license1_66_0-1.66.0-150200.12.7.1 updated
- libboost_system1_66_0-1.66.0-150200.12.7.1 updated
- libboost_thread1_66_0-1.66.0-150200.12.7.1 updated
- container:sles15-ltss-image-15.4.0-2.57 updated

From sle-container-updates at lists.suse.com Wed Jul 30 07:26:37 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 30 Jul 2025 09:26:37 +0200 (CEST)
Subject: SUSE-CU-2025:5736-1: Security update of suse/manager/4.3/proxy-salt-broker
Message-ID: <20250730072637.EA4E3FF2E@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-salt-broker
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5736-1
Container Tags : suse/manager/4.3/proxy-salt-broker:4.3.16 , suse/manager/4.3/proxy-salt-broker:4.3.16.9.57.4 , suse/manager/4.3/proxy-salt-broker:latest
Container Release : 9.57.4
Severity : critical
Type : security
References : 1245936 CVE-2016-9840
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-salt-broker was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2536-1
Released: Mon Jul 28 16:06:06 2025
Summary: Security update for boost
Type: security
Severity: critical
References: 1245936,CVE-2016-9840

This update for boost fixes the following issues:

- CVE-2016-9840: Fixed out-of-bounds pointer arithmetic in zlib in beast (bsc#1245936)

The following package changes have been done:

- boost-license1_66_0-1.66.0-150200.12.7.1 updated
- libboost_system1_66_0-1.66.0-150200.12.7.1 updated
- libboost_thread1_66_0-1.66.0-150200.12.7.1 updated
- container:sles15-ltss-image-15.4.0-2.57 updated

From sle-container-updates at lists.suse.com Wed Jul 30 07:26:37 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 30 Jul 2025 09:26:37 +0200 (CEST)
Subject: SUSE-CU-2025:5735-1: Recommended update of suse/manager/4.3/proxy-salt-broker
Message-ID: <20250730072637.34C7EFF1E@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-salt-broker
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5735-1
Container Tags : suse/manager/4.3/proxy-salt-broker:4.3.16 , suse/manager/4.3/proxy-salt-broker:4.3.16.9.57.3 , suse/manager/4.3/proxy-salt-broker:latest
Container Release : 9.57.3
Severity : moderate
Type : recommended
References : 1233012
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-salt-broker was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2543-1
Released: Tue Jul 29 11:09:01 2025
Summary: Recommended update for python-PyYAML, python-bcrypt, python-gssapi, python-pyparsing, python-python-dateutil, python-pytz, python-requests, python-setuptools_scm, python-simplejson, python-urllib3
Type: recommended
Severity: moderate
References: 1233012

This update for python-PyYAML, python-bcrypt, python-gssapi, python-pyparsing, python-python-dateutil, python-pytz, python-requests, python-setuptools_scm, python-simplejson, python-urllib3 fixes the following issues:

- Add python36 provides/obsoletes to enable SLE-12 to SLE-15 migration (bsc#1233012)

The following package changes have been done:

- python3-PyYAML-5.4.1-150300.3.6.1 updated

From sle-container-updates at lists.suse.com Wed Jul 30 07:28:22 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 30 Jul 2025 09:28:22 +0200 (CEST)
Subject: SUSE-CU-2025:5739-1: Recommended update of suse/manager/4.3/proxy-ssh
Message-ID: <20250730072822.E2801FF1E@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-ssh
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5739-1
Container Tags : suse/manager/4.3/proxy-ssh:4.3.16 , suse/manager/4.3/proxy-ssh:4.3.16.9.57.2 , suse/manager/4.3/proxy-ssh:latest
Container Release : 9.57.2
Severity : moderate
Type : recommended
References : 1233012
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-ssh was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2543-1
Released: Tue Jul 29 11:09:01 2025
Summary: Recommended update for python-PyYAML, python-bcrypt, python-gssapi, python-pyparsing, python-python-dateutil, python-pytz, python-requests, python-setuptools_scm, python-simplejson, python-urllib3
Type: recommended
Severity: moderate
References: 1233012

This update for python-PyYAML, python-bcrypt, python-gssapi, python-pyparsing, python-python-dateutil, python-pytz, python-requests, python-setuptools_scm, python-simplejson, python-urllib3 fixes the following issues:

- Add python36 provides/obsoletes to enable SLE-12 to SLE-15 migration (bsc#1233012)

The following package changes have been done:

- python3-PyYAML-5.4.1-150300.3.6.1 updated

From sle-container-updates at lists.suse.com Wed Jul 30 07:29:16 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 30 Jul 2025 09:29:16 +0200 (CEST)
Subject: SUSE-CU-2025:5741-1: Recommended update of suse/manager/4.3/proxy-tftpd
Message-ID: <20250730072916.8BB19FF1E@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-tftpd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5741-1
Container Tags : suse/manager/4.3/proxy-tftpd:4.3.16 , suse/manager/4.3/proxy-tftpd:4.3.16.9.57.2 , suse/manager/4.3/proxy-tftpd:latest
Container Release : 9.57.2
Severity : moderate
Type : recommended
References : 1233012
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-tftpd was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2543-1
Released: Tue Jul 29 11:09:01 2025
Summary: Recommended update for python-PyYAML, python-bcrypt, python-gssapi, python-pyparsing, python-python-dateutil, python-pytz, python-requests, python-setuptools_scm, python-simplejson, python-urllib3
Type: recommended
Severity: moderate
References: 1233012

This update for python-PyYAML, python-bcrypt, python-gssapi, python-pyparsing, python-python-dateutil, python-pytz, python-requests, python-setuptools_scm, python-simplejson, python-urllib3 fixes the following issues:

- Add python36 provides/obsoletes to enable SLE-12 to SLE-15 migration (bsc#1233012)

The following package changes have been done:

- python3-pyparsing-2.4.7-150300.3.3.1 updated
- python3-PyYAML-5.4.1-150300.3.6.1 updated
- python3-urllib3-1.25.10-150300.4.15.1 updated
- python3-requests-2.25.1-150300.3.18.1 updated

From sle-container-updates at lists.suse.com Wed Jul 30 13:09:29 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 30 Jul 2025 15:09:29 +0200 (CEST)
Subject: SUSE-CU-2025:5742-1: Security update of suse/ltss/sle12.5/sles12sp5
Message-ID: <20250730130929.50555FF2D@maintenance.suse.de>

SUSE Container Update Advisory: suse/ltss/sle12.5/sles12sp5
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5742-1
Container Tags : suse/ltss/sle12.5/sles12sp5:8.5.114 , suse/ltss/sle12.5/sles12sp5:latest
Container Release : 8.5.114
Severity : important
Type : security
References : 1246296 CVE-2025-7425
-----------------------------------------------------------------

The container suse/ltss/sle12.5/sles12sp5 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2547-1
Released: Wed Jul 30 09:38:26 2025
Summary: Security update for libxml2
Type: security
Severity: important
References: 1246296,CVE-2025-7425

This update for libxml2 fixes the following issues:

- CVE-2025-7425: Fixed heap Use-After-Free in libxslt caused by atype corruption in xmlAttrPtr (bsc#1246296)

The following package changes have been done:

- libxml2-2-2.9.4-46.90.1 updated

From sle-container-updates at lists.suse.com Wed Jul 30 13:10:45 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 30 Jul 2025 15:10:45 +0200 (CEST)
Subject: SUSE-CU-2025:5744-1: Security update of suse/ltss/sle15.3/sle15
Message-ID: <20250730131045.48CF9FF2D@maintenance.suse.de>

SUSE Container Update Advisory: suse/ltss/sle15.3/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5744-1
Container Tags : suse/ltss/sle15.3/bci-base:15.3 , suse/ltss/sle15.3/bci-base:15.3.2.109 , suse/ltss/sle15.3/bci-base:latest , suse/ltss/sle15.3/sle15:15.3 , suse/ltss/sle15.3/sle15:15.3.2.109 , suse/ltss/sle15.3/sle15:latest
Container Release : 2.109
Severity : critical
Type : security
References : 1245936 CVE-2016-9840
-----------------------------------------------------------------

The container suse/ltss/sle15.3/sle15 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2536-1
Released: Mon Jul 28 16:06:06 2025
Summary: Security update for boost
Type: security
Severity: critical
References: 1245936,CVE-2016-9840

This update for boost fixes the following issues:

- CVE-2016-9840: Fixed out-of-bounds pointer arithmetic in zlib in beast (bsc#1245936)

The following package changes have been done:

- boost-license1_66_0-1.66.0-150200.12.7.1 updated
- libboost_system1_66_0-1.66.0-150200.12.7.1 updated
- libboost_thread1_66_0-1.66.0-150200.12.7.1 updated

From sle-container-updates at lists.suse.com Wed Jul 30 13:14:34 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 30 Jul 2025 15:14:34 +0200 (CEST)
Subject: SUSE-CU-2025:5746-1: Security update of suse/kiosk/pulseaudio
Message-ID: <20250730131434.B03DDFF2D@maintenance.suse.de>

SUSE Container Update Advisory: suse/kiosk/pulseaudio
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5746-1
Container Tags : suse/kiosk/pulseaudio:17 , suse/kiosk/pulseaudio:17.0 , suse/kiosk/pulseaudio:17.0-61.29 , suse/kiosk/pulseaudio:latest
Container Release : 61.29
Severity : important
Type : security
References : 1246472 CVE-2025-7519
-----------------------------------------------------------------

The container suse/kiosk/pulseaudio was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2527-1
Released: Fri Jul 25 16:34:21 2025
Summary: Security update for polkit
Type: security
Severity: important
References: 1246472,CVE-2025-7519

This update for polkit fixes the following issues:

- CVE-2025-7519: Fixed a XML policy file with a large number of nested elements that may lead to out-of-bounds write.
(bsc#1246472)

The following package changes have been done:

- libpolkit-agent-1-0-121-150500.3.6.1 updated
- libpolkit-gobject-1-0-121-150500.3.6.1 updated
- polkit-121-150500.3.6.1 updated
- container:registry.suse.com-bci-bci-base-15.7-4232c2790095361d6776af20382c431e7222f9956d773c3790d57cf7e94a7911-0 updated

From sle-container-updates at lists.suse.com Wed Jul 30 13:14:43 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 30 Jul 2025 15:14:43 +0200 (CEST)
Subject: SUSE-CU-2025:5747-1: Recommended update of bci/bci-sle15-kernel-module-devel
Message-ID: <20250730131443.E1D63FF2D@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5747-1
Container Tags : bci/bci-sle15-kernel-module-devel:15.7 , bci/bci-sle15-kernel-module-devel:15.7-41.31 , bci/bci-sle15-kernel-module-devel:latest
Container Release : 41.31
Severity : moderate
Type : recommended
References :
-----------------------------------------------------------------

The container bci/bci-sle15-kernel-module-devel was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2466-1
Released: Tue Jul 22 15:08:33 2025
Summary: Recommended update for pesign
Type: recommended
Severity: moderate
References:

This update for pesign fixes the following issues:

- Added missing pesign-systemd to SUSE Manager 4.3 (no source changes)

The following package changes have been done:

- pesign-0.112-150000.4.23.1 updated
- container:registry.suse.com-bci-bci-base-15.7-4232c2790095361d6776af20382c431e7222f9956d773c3790d57cf7e94a7911-0 updated

From sle-container-updates at lists.suse.com Wed Jul 30 13:15:48 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 30 Jul 2025 15:15:48 +0200 (CEST)
Subject: SUSE-CU-2025:5741-1: Recommended update of suse/manager/4.3/proxy-tftpd
Message-ID: <20250730131548.B07F1FF2D@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-tftpd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5741-1
Container Tags : suse/manager/4.3/proxy-tftpd:4.3.16 , suse/manager/4.3/proxy-tftpd:4.3.16.9.57.2 , suse/manager/4.3/proxy-tftpd:latest
Container Release : 9.57.2
Severity : moderate
Type : recommended
References : 1233012
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-tftpd was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2543-1
Released: Tue Jul 29 11:09:01 2025
Summary: Recommended update for python-PyYAML, python-bcrypt, python-gssapi, python-pyparsing, python-python-dateutil, python-pytz, python-requests, python-setuptools_scm, python-simplejson, python-urllib3
Type: recommended
Severity: moderate
References: 1233012

This update for python-PyYAML, python-bcrypt, python-gssapi, python-pyparsing, python-python-dateutil, python-pytz, python-requests, python-setuptools_scm, python-simplejson, python-urllib3 fixes the following issues:

- Add python36 provides/obsoletes to enable SLE-12 to SLE-15 migration (bsc#1233012)

The following package changes have been done:

- python3-pyparsing-2.4.7-150300.3.3.1 updated
- python3-PyYAML-5.4.1-150300.3.6.1 updated
- python3-urllib3-1.25.10-150300.4.15.1 updated
- python3-requests-2.25.1-150300.3.18.1 updated

From sle-container-updates at lists.suse.com Thu Jul 31 07:04:32 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 31 Jul 2025 09:04:32 +0200 (CEST)
Subject: SUSE-IU-2025:2242-1: Recommended update of suse/sle-micro/base-5.5
Message-ID: <20250731070432.4911BFF2D@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/base-5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2242-1
Image Tags : suse/sle-micro/base-5.5:2.0.4 , suse/sle-micro/base-5.5:2.0.4-5.8.190 , suse/sle-micro/base-5.5:latest
Image Release : 5.8.190
Severity : moderate
Type : recommended
References : 1243279 1243457 1243486 1244042 1244710 1245220 1245452 1245496 1245672
-----------------------------------------------------------------

The container suse/sle-micro/base-5.5 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2562-1
Released: Wed Jul 30 22:26:54 2025
Summary: Recommended update for libsolv
Type: recommended
Severity: moderate
References: 1243279,1243457,1243486,1244042,1244710,1245220,1245452,1245496,1245672

This update for libsolv fixes the following issues:

- Allow easy migration from SLE Micro 5.5 + SUMA to SL Micro 6.1 + MLM (bsc#1243457).
- zypper does not distinguish between install and upgrade in %postinstall (bsc#1243279).
- Most recent version released for nvidia-open-driver-G06-signed-kmp-default differs from nvidia-driver-G06-kmp-default (bsc#1244042).
- Set proxy settings for zypper (bsc#1244710).
- KVM guest installation show Unexpected Application Error (bsc#1245452).
- Ignore DeltaRpm download errors, in case of a failure the full rpm is downloaded (bsc#1245672).
- Improve fix for incorrect filesize handling and download data exceeded errors on HTTP responses (bsc#1245220).
- sh: Reset solver options after command (bsc#1245496).
- Implement color filtering when adding update targets.
- Support orderwithrequires dependencies in susedata.xml.
- BuildRequires: Now %{libsolv_devel_package} greater or equal to 0.7.34 is required (bsc#1243486).
The following package changes have been done:

- libsolv-tools-base-0.7.34-150500.6.12.3 updated
- libsolv-tools-0.7.34-150500.6.12.3 updated
- libzypp-17.37.10-150500.6.56.1 updated
- zypper-1.14.92-150500.6.36.1 updated

From sle-container-updates at lists.suse.com Thu Jul 31 07:14:59 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 31 Jul 2025 09:14:59 +0200 (CEST)
Subject: SUSE-CU-2025:5751-1: Recommended update of suse/sle-micro/5.3/toolbox
Message-ID: <20250731071459.7F6B5FF1E@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.3/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5751-1
Container Tags : suse/sle-micro/5.3/toolbox:14.2 , suse/sle-micro/5.3/toolbox:14.2-6.11.165 , suse/sle-micro/5.3/toolbox:latest
Container Release : 6.11.165
Severity : moderate
Type : recommended
References : 1230267 1243279 1243457 1244042 1244710 1245220 1245452 1245496 1245672 1246697
-----------------------------------------------------------------

The container suse/sle-micro/5.3/toolbox was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2556-1
Released: Wed Jul 30 21:04:22 2025
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: moderate
References: 1246697

This update for openssl-1_1 fixes the following issues:

- FIPS: Use the NID_X9_62_prime256v1 curve in ECDSA KAT test instead of NID_secp256k1.
[bsc#1246697] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2559-1 Released: Wed Jul 30 22:15:25 2025 Summary: Recommended update for libsolv Type: recommended Severity: moderate References: 1230267,1243279,1243457,1244042,1244710,1245220,1245452,1245496,1245672 This update for libsolv fixes the following issues: - Allow easy migration from SLE Micro 5.5 + SUMA to SL Micro 6.1 + MLM (bsc#1243457). - implement color filtering when adding update targets. - support orderwithrequires dependencies in susedata.xml - Fix SEGV in MediaDISK handler (bsc#1245452). - Fix evaluation of libproxy results (bsc#1244710). - Enhancements regarding mirror handling during repo refresh. Adapt to libzypp API changes (bsc#1230267). - Explicitly selecting DownloadAsNeeded also selects the classic_rpmtrans backend. - Enhancements with mirror handling during repo refresh, needs zypper 1.14.91. - Fix autotestcase when ZYPP_FULLLOG=1 (bsc#1244042). There was no testcase written for the very first solver run. - zypper does not allow distinctions between install and upgrade in %postinstall (bsc#1243279). - Ignore DeltaRpm download errors, in case of a failure the full rpm is downloaded (bsc#1245672). - Improve fix for incorrect filesize handling and download data exceeded errors on HTTP responses (bsc#1245220). - sh: Reset solver options after command (bsc#1245496). - Implement color filtering when adding update targets. - Support orderwithrequires dependencies in susedata.xml. 
The following package changes have been done: - libopenssl1_1-hmac-1.1.1l-150400.7.81.1 updated - libopenssl1_1-1.1.1l-150400.7.81.1 updated - libsolv-tools-base-0.7.34-150400.3.41.1 updated - libsolv-tools-0.7.34-150400.3.41.1 updated - libzypp-17.37.10-150400.3.137.1 updated - openssl-1_1-1.1.1l-150400.7.81.1 updated - zypper-1.14.92-150400.3.95.5 updated From sle-container-updates at lists.suse.com Thu Jul 31 07:18:04 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 31 Jul 2025 09:18:04 +0200 (CEST) Subject: SUSE-CU-2025:5752-1: Recommended update of suse/sle-micro-rancher/5.4 Message-ID: <20250731071804.7F9B4FF1E@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro-rancher/5.4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5752-1 Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.33 , suse/sle-micro-rancher/5.4:latest Container Release : 4.5.33 Severity : moderate Type : recommended References : 1230267 1243279 1243457 1244042 1244710 1245220 1245452 1245496 1245672 1246697 ----------------------------------------------------------------- The container suse/sle-micro-rancher/5.4 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2556-1 Released: Wed Jul 30 21:04:22 2025 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1246697 This update for openssl-1_1 fixes the following issues: - FIPS: Use the NID_X9_62_prime256v1 curve in ECDSA KAT test instead of NID_secp256k1. 
[bsc#1246697] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2559-1 Released: Wed Jul 30 22:15:25 2025 Summary: Recommended update for libsolv Type: recommended Severity: moderate References: 1230267,1243279,1243457,1244042,1244710,1245220,1245452,1245496,1245672 This update for libsolv fixes the following issues: - Allow easy migration from SLE Micro 5.5 + SUMA to SL Micro 6.1 + MLM (bsc#1243457). - implement color filtering when adding update targets. - support orderwithrequires dependencies in susedata.xml - Fix SEGV in MediaDISK handler (bsc#1245452). - Fix evaluation of libproxy results (bsc#1244710). - Enhancements regarding mirror handling during repo refresh. Adapt to libzypp API changes (bsc#1230267). - Explicitly selecting DownloadAsNeeded also selects the classic_rpmtrans backend. - Enhancements with mirror handling during repo refresh, needs zypper 1.14.91. - Fix autotestcase when ZYPP_FULLLOG=1 (bsc#1244042). There was no testcase written for the very first solver run. - zypper does not allow distinctions between install and upgrade in %postinstall (bsc#1243279). - Ignore DeltaRpm download errors, in case of a failure the full rpm is downloaded (bsc#1245672). - Improve fix for incorrect filesize handling and download data exceeded errors on HTTP responses (bsc#1245220). - sh: Reset solver options after command (bsc#1245496). - Implement color filtering when adding update targets. - Support orderwithrequires dependencies in susedata.xml. 
The following package changes have been done: - libopenssl1_1-1.1.1l-150400.7.81.1 updated - libsolv-tools-base-0.7.34-150400.3.41.1 updated - libsolv-tools-0.7.34-150400.3.41.1 updated - libzypp-17.37.10-150400.3.137.1 updated - openssl-1_1-1.1.1l-150400.7.81.1 updated - zypper-1.14.92-150400.3.95.5 updated From sle-container-updates at lists.suse.com Thu Jul 31 07:20:02 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 31 Jul 2025 09:20:02 +0200 (CEST) Subject: SUSE-CU-2025:5753-1: Recommended update of suse/sle-micro/5.4/toolbox Message-ID: <20250731072002.CDCD7FF1E@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.4/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5753-1 Container Tags : suse/sle-micro/5.4/toolbox:14.2 , suse/sle-micro/5.4/toolbox:14.2-5.19.165 , suse/sle-micro/5.4/toolbox:latest Container Release : 5.19.165 Severity : moderate Type : recommended References : 1230267 1243279 1243457 1244042 1244710 1245220 1245452 1245496 1245672 1246697 ----------------------------------------------------------------- The container suse/sle-micro/5.4/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2556-1 Released: Wed Jul 30 21:04:22 2025 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1246697 This update for openssl-1_1 fixes the following issues: - FIPS: Use the NID_X9_62_prime256v1 curve in ECDSA KAT test instead of NID_secp256k1. 
[bsc#1246697] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2559-1 Released: Wed Jul 30 22:15:25 2025 Summary: Recommended update for libsolv Type: recommended Severity: moderate References: 1230267,1243279,1243457,1244042,1244710,1245220,1245452,1245496,1245672 This update for libsolv fixes the following issues: - Allow easy migration from SLE Micro 5.5 + SUMA to SL Micro 6.1 + MLM (bsc#1243457). - implement color filtering when adding update targets. - support orderwithrequires dependencies in susedata.xml - Fix SEGV in MediaDISK handler (bsc#1245452). - Fix evaluation of libproxy results (bsc#1244710). - Enhancements regarding mirror handling during repo refresh. Adapt to libzypp API changes (bsc#1230267). - Explicitly selecting DownloadAsNeeded also selects the classic_rpmtrans backend. - Enhancements with mirror handling during repo refresh, needs zypper 1.14.91. - Fix autotestcase when ZYPP_FULLLOG=1 (bsc#1244042). There was no testcase written for the very first solver run. - zypper does not allow distinctions between install and upgrade in %postinstall (bsc#1243279). - Ignore DeltaRpm download errors, in case of a failure the full rpm is downloaded (bsc#1245672). - Improve fix for incorrect filesize handling and download data exceeded errors on HTTP responses (bsc#1245220). - sh: Reset solver options after command (bsc#1245496). - Implement color filtering when adding update targets. - Support orderwithrequires dependencies in susedata.xml. 
The following package changes have been done: - libopenssl1_1-hmac-1.1.1l-150400.7.81.1 updated - libopenssl1_1-1.1.1l-150400.7.81.1 updated - libsolv-tools-base-0.7.34-150400.3.41.1 updated - libsolv-tools-0.7.34-150400.3.41.1 updated - libzypp-17.37.10-150400.3.137.1 updated - openssl-1_1-1.1.1l-150400.7.81.1 updated - zypper-1.14.92-150400.3.95.5 updated From sle-container-updates at lists.suse.com Thu Jul 31 07:21:42 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 31 Jul 2025 09:21:42 +0200 (CEST) Subject: SUSE-CU-2025:5754-1: Recommended update of suse/sle-micro/5.5/toolbox Message-ID: <20250731072142.CD4EEFF1E@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.5/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5754-1 Container Tags : suse/sle-micro/5.5/toolbox:14.2 , suse/sle-micro/5.5/toolbox:14.2-3.12.67 , suse/sle-micro/5.5/toolbox:latest Container Release : 3.12.67 Severity : moderate Type : recommended References : 1243279 1243457 1243486 1244042 1244710 1245220 1245452 1245496 1245672 ----------------------------------------------------------------- The container suse/sle-micro/5.5/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2562-1 Released: Wed Jul 30 22:26:54 2025 Summary: Recommended update for libsolv Type: recommended Severity: moderate References: 1243279,1243457,1243486,1244042,1244710,1245220,1245452,1245496,1245672 This update for libsolv fixes the following issues: - Allow easy migration from SLE Micro 5.5 + SUMA to SL Micro 6.1 + MLM (bsc#1243457). - zypper does not distinguish between install and upgrade in %postinstall (bsc#1243279). - Most recent version released for nvidia-open-driver-G06-signed-kmp-default differs from nvidia-driver-G06-kmp-default (bsc#1244042). 
- Set proxy settings for zypper (bsc#1244710). - KVM guest installation show Unexpected Application Error (bsc#1245452). - Ignore DeltaRpm download errors, in case of a failure the full rpm is downloaded (bsc#1245672). - Improve fix for incorrect filesize handling and download data exceeded errors on HTTP responses (bsc#1245220). - sh: Reset solver options after command (bsc#1245496). - Implement color filtering when adding update targets. - Support orderwithrequires dependencies in susedata.xml. - BuildRequires: Now %{libsolv_devel_package} greater or equal to 0.7.34 is required (bsc#1243486). The following package changes have been done: - libsolv-tools-base-0.7.34-150500.6.12.3 updated - libsolv-tools-0.7.34-150500.6.12.3 updated - libzypp-17.37.10-150500.6.56.1 updated - zypper-1.14.92-150500.6.36.1 updated From sle-container-updates at lists.suse.com Thu Jul 31 07:22:50 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 31 Jul 2025 09:22:50 +0200 (CEST) Subject: SUSE-CU-2025:5755-1: Recommended update of suse/ltss/sle15.3/sle15 Message-ID: <20250731072250.B4CEFFF1E@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle15.3/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5755-1 Container Tags : suse/ltss/sle15.3/bci-base:15.3 , suse/ltss/sle15.3/bci-base:15.3.2.110 , suse/ltss/sle15.3/bci-base:latest , suse/ltss/sle15.3/sle15:15.3 , suse/ltss/sle15.3/sle15:15.3.2.110 , suse/ltss/sle15.3/sle15:latest Container Release : 2.110 Severity : moderate Type : recommended References : 1230267 1243279 1243457 1244042 1244710 1245220 1245452 1245496 1245672 ----------------------------------------------------------------- The container suse/ltss/sle15.3/sle15 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2557-1 Released: Wed Jul 30 22:13:37 2025 Summary: Recommended update for libsolv Type: recommended Severity: moderate References: 1230267,1243279,1243457,1244042,1244710,1245220,1245452,1245496,1245672 This update for libsolv fixes the following issues: - Allow easy migration from SLE Micro 5.5 + SUMA to SL Micro 6.1 + MLM (bsc#1243457). - implement color filtering when adding update targets. - support orderwithrequires dependencies in susedata.xml - Fix SEGV in MediaDISK handler (bsc#1245452). - Fix evaluation of libproxy results (bsc#1244710). - Enhancements regarding mirror handling during repo refresh. Adapt to libzypp API changes (bsc#1230267). - Explicitly selecting DownloadAsNeeded also selects the classic_rpmtrans backend. - Enhancements with mirror handling during repo refresh, needs zypper 1.14.91. - Fix autotestcase when ZYPP_FULLLOG=1 (bsc#1244042) There was no testcase written for the very first solver run. - zypper does not allow distinctions between install and upgrade in %postinstall (bsc#1243279). - Ignore DeltaRpm download errors, in case of a failure the full rpm is downloaded (bsc#1245672). - Improve fix for incorrect filesize handling and download data exceeded errors on HTTP responses (bsc#1245220). - sh: Reset solver options after command (bsc#1245496). - Implement color filtering when adding update targets. - Support orderwithrequires dependencies in susedata.xml. 
The following package changes have been done: - libsolv-tools-base-0.7.34-150200.48.2 updated - libsolv-tools-0.7.34-150200.48.2 updated - libzypp-17.37.9-150200.166.3 updated - zypper-1.14.92-150200.120.2 updated From sle-container-updates at lists.suse.com Thu Jul 31 07:24:28 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 31 Jul 2025 09:24:28 +0200 (CEST) Subject: SUSE-CU-2025:5757-1: Recommended update of suse/ltss/sle15.4/sle15 Message-ID: <20250731072428.56BDAFF1E@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle15.4/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5757-1 Container Tags : suse/ltss/sle15.4/bci-base:15.4 , suse/ltss/sle15.4/bci-base:15.4.2.59 , suse/ltss/sle15.4/bci-base:latest , suse/ltss/sle15.4/sle15:15.4 , suse/ltss/sle15.4/sle15:15.4.2.59 , suse/ltss/sle15.4/sle15:latest Container Release : 2.59 Severity : moderate Type : recommended References : 1230267 1243279 1243457 1244042 1244710 1245220 1245452 1245496 1245672 1246697 ----------------------------------------------------------------- The container suse/ltss/sle15.4/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2556-1 Released: Wed Jul 30 21:04:22 2025 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1246697 This update for openssl-1_1 fixes the following issues: - FIPS: Use the NID_X9_62_prime256v1 curve in ECDSA KAT test instead of NID_secp256k1. 
[bsc#1246697] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2559-1 Released: Wed Jul 30 22:15:25 2025 Summary: Recommended update for libsolv Type: recommended Severity: moderate References: 1230267,1243279,1243457,1244042,1244710,1245220,1245452,1245496,1245672 This update for libsolv fixes the following issues: - Allow easy migration from SLE Micro 5.5 + SUMA to SL Micro 6.1 + MLM (bsc#1243457). - implement color filtering when adding update targets. - support orderwithrequires dependencies in susedata.xml - Fix SEGV in MediaDISK handler (bsc#1245452). - Fix evaluation of libproxy results (bsc#1244710). - Enhancements regarding mirror handling during repo refresh. Adapt to libzypp API changes (bsc#1230267). - Explicitly selecting DownloadAsNeeded also selects the classic_rpmtrans backend. - Enhancements with mirror handling during repo refresh, needs zypper 1.14.91. - Fix autotestcase when ZYPP_FULLLOG=1 (bsc#1244042). There was no testcase written for the very first solver run. - zypper does not allow distinctions between install and upgrade in %postinstall (bsc#1243279). - Ignore DeltaRpm download errors, in case of a failure the full rpm is downloaded (bsc#1245672). - Improve fix for incorrect filesize handling and download data exceeded errors on HTTP responses (bsc#1245220). - sh: Reset solver options after command (bsc#1245496). - Implement color filtering when adding update targets. - Support orderwithrequires dependencies in susedata.xml. 
The following package changes have been done: - libopenssl1_1-hmac-1.1.1l-150400.7.81.1 updated - libopenssl1_1-1.1.1l-150400.7.81.1 updated - libsolv-tools-base-0.7.34-150400.3.41.1 updated - libsolv-tools-0.7.34-150400.3.41.1 updated - libzypp-17.37.10-150400.3.137.1 updated - openssl-1_1-1.1.1l-150400.7.81.1 updated - zypper-1.14.92-150400.3.95.5 updated From sle-container-updates at lists.suse.com Thu Jul 31 07:30:30 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 31 Jul 2025 09:30:30 +0200 (CEST) Subject: SUSE-CU-2025:5760-1: Recommended update of suse/389-ds Message-ID: <20250731073030.5AA44FF1E@maintenance.suse.de> SUSE Container Update Advisory: suse/389-ds ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5760-1 Container Tags : suse/389-ds:2.5 , suse/389-ds:2.5.3 , suse/389-ds:2.5.3-61.30 , suse/389-ds:latest Container Release : 61.30 Severity : important Type : recommended References : 1243428 ----------------------------------------------------------------- The container suse/389-ds was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2561-1 Released: Wed Jul 30 22:22:54 2025 Summary: Recommended update for 389-ds Type: recommended Severity: important References: 1243428 This update for 389-ds fixes the following issues: - resolve infinite loop due when loading RUV entryrdn (bsc#1243428) - lib389/replica.py is using nonexistent datetime.UTC in Python 3.9 - Backend creation cleanup and Database UI tab error handling - Improve paged result locking - Synchronise accept_thread with slapd_daemon - RootDN Access Control Plugin with wildcards for IP addresses - Exception thrown by dsconf instance repl get_ruv - Incorrect pwdpolicysubentry returned for an entry with user password policy - Update concread to 0.5.6 - Add a CI test - Password modify extended operation should skip password policy checks when executed by root DN - Enabling audit log makes slapd coredump - CI fails with Fedora 41 and DNF5 - Improve error message when bulk import connection is closed - RFE - database compaction interval should be persistent - Ignore replica busy condition in healthcheck - Add basic dsidm organizational unit tests - Fix dsidm service get_dn option - ns-slapd doesn't start in referral mode - statistics about index lookup report a wrong duration - Confusing error message from dsconf plugin set --enabled - lib389 get_db_lib function may return the wrong db type - UI - schema editing and memberof shared config not working correctly The following package changes have been done: - libsvrcore0-2.5.3~git107.a0bf348e0-150700.3.3.1 updated - lib389-2.5.3~git107.a0bf348e0-150700.3.3.1 updated - 389-ds-2.5.3~git107.a0bf348e0-150700.3.3.1 updated From sle-container-updates at lists.suse.com Thu Jul 31 07:33:08 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 31 Jul 2025 09:33:08 +0200 (CEST) Subject: SUSE-CU-2025:5763-1:
Recommended update of suse/manager/4.3/proxy-httpd Message-ID: <20250731073308.76127FF1E@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5763-1 Container Tags : suse/manager/4.3/proxy-httpd:4.3.16 , suse/manager/4.3/proxy-httpd:4.3.16.9.67.6 , suse/manager/4.3/proxy-httpd:latest Container Release : 9.67.6 Severity : moderate Type : recommended References : 1230267 1243279 1243457 1244042 1244710 1245220 1245452 1245496 1245672 1246697 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-httpd was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2556-1 Released: Wed Jul 30 21:04:22 2025 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1246697 This update for openssl-1_1 fixes the following issues: - FIPS: Use the NID_X9_62_prime256v1 curve in ECDSA KAT test instead of NID_secp256k1. [bsc#1246697] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2559-1 Released: Wed Jul 30 22:15:25 2025 Summary: Recommended update for libsolv Type: recommended Severity: moderate References: 1230267,1243279,1243457,1244042,1244710,1245220,1245452,1245496,1245672 This update for libsolv fixes the following issues: - Allow easy migration from SLE Micro 5.5 + SUMA to SL Micro 6.1 + MLM (bsc#1243457). - implement color filtering when adding update targets. - support orderwithrequires dependencies in susedata.xml - Fix SEGV in MediaDISK handler (bsc#1245452). - Fix evaluation of libproxy results (bsc#1244710). - Enhancements regarding mirror handling during repo refresh. Adapt to libzypp API changes (bsc#1230267). - Explicitly selecting DownloadAsNeeded also selects the classic_rpmtrans backend. 
- Enhancements with mirror handling during repo refresh, needs zypper 1.14.91. - Fix autotestcase when ZYPP_FULLLOG=1 (bsc#1244042). There was no testcase written for the very first solver run. - zypper does not allow distinctions between install and upgrade in %postinstall (bsc#1243279). - Ignore DeltaRpm download errors, in case of a failure the full rpm is downloaded (bsc#1245672). - Improve fix for incorrect filesize handling and download data exceeded errors on HTTP responses (bsc#1245220). - sh: Reset solver options after command (bsc#1245496). - Implement color filtering when adding update targets. - Support orderwithrequires dependencies in susedata.xml. The following package changes have been done: - libopenssl1_1-1.1.1l-150400.7.81.1 updated - libopenssl1_1-hmac-1.1.1l-150400.7.81.1 updated - libsolv-tools-base-0.7.34-150400.3.41.1 updated - libsolv-tools-0.7.34-150400.3.41.1 updated - libzypp-17.37.10-150400.3.137.1 updated - zypper-1.14.92-150400.3.95.5 updated - container:sles15-ltss-image-15.4.0-2.59 updated From sle-container-updates at lists.suse.com Thu Jul 31 07:34:21 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 31 Jul 2025 09:34:21 +0200 (CEST) Subject: SUSE-CU-2025:5764-1: Recommended update of suse/manager/4.3/proxy-salt-broker Message-ID: <20250731073421.37F26FF1E@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-salt-broker ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5764-1 Container Tags : suse/manager/4.3/proxy-salt-broker:4.3.16 , suse/manager/4.3/proxy-salt-broker:4.3.16.9.57.6 , suse/manager/4.3/proxy-salt-broker:latest Container Release : 9.57.6 Severity : moderate Type : recommended References : 1230267 1243279 1243457 1244042 1244710 1245220 1245452 1245496 1245672 1246697 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-salt-broker was 
updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2556-1 Released: Wed Jul 30 21:04:22 2025 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1246697 This update for openssl-1_1 fixes the following issues: - FIPS: Use the NID_X9_62_prime256v1 curve in ECDSA KAT test instead of NID_secp256k1. [bsc#1246697] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2559-1 Released: Wed Jul 30 22:15:25 2025 Summary: Recommended update for libsolv Type: recommended Severity: moderate References: 1230267,1243279,1243457,1244042,1244710,1245220,1245452,1245496,1245672 This update for libsolv fixes the following issues: - Allow easy migration from SLE Micro 5.5 + SUMA to SL Micro 6.1 + MLM (bsc#1243457). - implement color filtering when adding update targets. - support orderwithrequires dependencies in susedata.xml - Fix SEGV in MediaDISK handler (bsc#1245452). - Fix evaluation of libproxy results (bsc#1244710). - Enhancements regarding mirror handling during repo refresh. Adapt to libzypp API changes (bsc#1230267). - Explicitly selecting DownloadAsNeeded also selects the classic_rpmtrans backend. - Enhancements with mirror handling during repo refresh, needs zypper 1.14.91. - Fix autotestcase when ZYPP_FULLLOG=1 (bsc#1244042). There was no testcase written for the very first solver run. - zypper does not allow distinctions between install and upgrade in %postinstall (bsc#1243279). - Ignore DeltaRpm download errors, in case of a failure the full rpm is downloaded (bsc#1245672). - Improve fix for incorrect filesize handling and download data exceeded errors on HTTP responses (bsc#1245220). - sh: Reset solver options after command (bsc#1245496). - Implement color filtering when adding update targets. - Support orderwithrequires dependencies in susedata.xml. 
The following package changes have been done: - libopenssl1_1-1.1.1l-150400.7.81.1 updated - libopenssl1_1-hmac-1.1.1l-150400.7.81.1 updated - libsolv-tools-base-0.7.34-150400.3.41.1 updated - libsolv-tools-0.7.34-150400.3.41.1 updated - libzypp-17.37.10-150400.3.137.1 updated - zypper-1.14.92-150400.3.95.5 updated - openssl-1_1-1.1.1l-150400.7.81.1 updated - container:sles15-ltss-image-15.4.0-2.59 updated From sle-container-updates at lists.suse.com Thu Jul 31 07:35:28 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 31 Jul 2025 09:35:28 +0200 (CEST) Subject: SUSE-CU-2025:5765-1: Recommended update of suse/manager/4.3/proxy-squid Message-ID: <20250731073528.C49B7FF1E@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-squid ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5765-1 Container Tags : suse/manager/4.3/proxy-squid:4.3.16 , suse/manager/4.3/proxy-squid:4.3.16.9.66.5 , suse/manager/4.3/proxy-squid:latest Container Release : 9.66.5 Severity : moderate Type : recommended References : 1246697 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-squid was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2556-1 Released: Wed Jul 30 21:04:22 2025 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1246697 This update for openssl-1_1 fixes the following issues: - FIPS: Use the NID_X9_62_prime256v1 curve in ECDSA KAT test instead of NID_secp256k1. 
[bsc#1246697] The following package changes have been done: - libopenssl1_1-1.1.1l-150400.7.81.1 updated - libopenssl1_1-hmac-1.1.1l-150400.7.81.1 updated - container:sles15-ltss-image-15.4.0-2.59 updated From sle-container-updates at lists.suse.com Thu Jul 31 07:36:44 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 31 Jul 2025 09:36:44 +0200 (CEST) Subject: SUSE-CU-2025:5766-1: Recommended update of suse/manager/4.3/proxy-ssh Message-ID: <20250731073644.ED36EFF1E@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-ssh ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5766-1 Container Tags : suse/manager/4.3/proxy-ssh:4.3.16 , suse/manager/4.3/proxy-ssh:4.3.16.9.57.5 , suse/manager/4.3/proxy-ssh:latest Container Release : 9.57.5 Severity : moderate Type : recommended References : 1246697 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-ssh was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2556-1 Released: Wed Jul 30 21:04:22 2025 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1246697 This update for openssl-1_1 fixes the following issues: - FIPS: Use the NID_X9_62_prime256v1 curve in ECDSA KAT test instead of NID_secp256k1. 
[bsc#1246697] The following package changes have been done: - libopenssl1_1-1.1.1l-150400.7.81.1 updated - libopenssl1_1-hmac-1.1.1l-150400.7.81.1 updated - container:sles15-ltss-image-15.4.0-2.59 updated From sle-container-updates at lists.suse.com Thu Jul 31 07:38:09 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 31 Jul 2025 09:38:09 +0200 (CEST) Subject: SUSE-CU-2025:5767-1: Recommended update of suse/manager/4.3/proxy-tftpd Message-ID: <20250731073809.7519CFF1E@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-tftpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5767-1 Container Tags : suse/manager/4.3/proxy-tftpd:4.3.16 , suse/manager/4.3/proxy-tftpd:4.3.16.9.57.5 , suse/manager/4.3/proxy-tftpd:latest Container Release : 9.57.5 Severity : moderate Type : recommended References : 1246697 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-tftpd was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2556-1 Released: Wed Jul 30 21:04:22 2025 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1246697 This update for openssl-1_1 fixes the following issues: - FIPS: Use the NID_X9_62_prime256v1 curve in ECDSA KAT test instead of NID_secp256k1. 
[bsc#1246697] The following package changes have been done: - libopenssl1_1-1.1.1l-150400.7.81.1 updated - libopenssl1_1-hmac-1.1.1l-150400.7.81.1 updated - openssl-1_1-1.1.1l-150400.7.81.1 updated - container:sles15-ltss-image-15.4.0-2.59 updated From sle-container-updates at lists.suse.com Thu Jul 31 07:40:05 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 31 Jul 2025 09:40:05 +0200 (CEST) Subject: SUSE-CU-2025:5768-1: Recommended update of suse/sle-micro/5.1/toolbox Message-ID: <20250731074005.23C93FF1E@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.1/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5768-1 Container Tags : suse/sle-micro/5.1/toolbox:14.2 , suse/sle-micro/5.1/toolbox:14.2-3.13.154 , suse/sle-micro/5.1/toolbox:latest Container Release : 3.13.154 Severity : moderate Type : recommended References : 1230267 1243279 1243457 1244042 1244710 1245220 1245452 1245496 1245672 ----------------------------------------------------------------- The container suse/sle-micro/5.1/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2557-1 Released: Wed Jul 30 22:13:37 2025 Summary: Recommended update for libsolv Type: recommended Severity: moderate References: 1230267,1243279,1243457,1244042,1244710,1245220,1245452,1245496,1245672 This update for libsolv fixes the following issues: - Allow easy migration from SLE Micro 5.5 + SUMA to SL Micro 6.1 + MLM (bsc#1243457). - implement color filtering when adding update targets. - support orderwithrequires dependencies in susedata.xml - Fix SEGV in MediaDISK handler (bsc#1245452). - Fix evaluation of libproxy results (bsc#1244710). - Enhancements regarding mirror handling during repo refresh. Adapt to libzypp API changes (bsc#1230267). 
- Explicitly selecting DownloadAsNeeded also selects the classic_rpmtrans backend. - Enhancements with mirror handling during repo refresh, needs zypper 1.14.91. - Fix autotestcase when ZYPP_FULLLOG=1 (bsc#1244042) There was no testcase written for the very first solver run. - zypper does not allow distinctions between install and upgrade in %postinstall (bsc#1243279). - Ignore DeltaRpm download errors, in case of a failure the full rpm is downloaded (bsc#1245672). - Improve fix for incorrect filesize handling and download data exceeded errors on HTTP responses (bsc#1245220). - sh: Reset solver options after command (bsc#1245496). - Implement color filtering when adding update targets. - Support orderwithrequires dependencies in susedata.xml. The following package changes have been done: - libsolv-tools-base-0.7.34-150200.48.2 updated - libsolv-tools-0.7.34-150200.48.2 updated - libzypp-17.37.9-150200.166.3 updated - zypper-1.14.92-150200.120.2 updated From sle-container-updates at lists.suse.com Thu Jul 31 07:45:43 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 31 Jul 2025 09:45:43 +0200 (CEST) Subject: SUSE-CU-2025:5770-1: Recommended update of suse/sle-micro/5.2/toolbox Message-ID: <20250731074543.27458FF1E@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5770-1 Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.156 , suse/sle-micro/5.2/toolbox:latest Container Release : 7.11.156 Severity : moderate Type : recommended References : 1230267 1243279 1243457 1244042 1244710 1245220 1245452 1245496 1245672 ----------------------------------------------------------------- The container suse/sle-micro/5.2/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2557-1 Released: Wed Jul 30 22:13:37 2025 Summary: Recommended update for libsolv Type: recommended Severity: moderate References: 1230267,1243279,1243457,1244042,1244710,1245220,1245452,1245496,1245672 This update for libsolv fixes the following issues: - Allow easy migration from SLE Micro 5.5 + SUMA to SL Micro 6.1 + MLM (bsc#1243457). - implement color filtering when adding update targets. - support orderwithrequires dependencies in susedata.xml - Fix SEGV in MediaDISK handler (bsc#1245452). - Fix evaluation of libproxy results (bsc#1244710). - Enhancements regarding mirror handling during repo refresh. Adapt to libzypp API changes (bsc#1230267). - Explicitly selecting DownloadAsNeeded also selects the classic_rpmtrans backend. - Enhancements with mirror handling during repo refresh, needs zypper 1.14.91. - Fix autotestcase when ZYPP_FULLLOG=1 (bsc#1244042) There was no testcase written for the very first solver run. - zypper does not allow distinctions between install and upgrade in %postinstall (bsc#1243279). - Ignore DeltaRpm download errors, in case of a failure the full rpm is downloaded (bsc#1245672). - Improve fix for incorrect filesize handling and download data exceeded errors on HTTP responses (bsc#1245220). - sh: Reset solver options after command (bsc#1245496). - Implement color filtering when adding update targets. - Support orderwithrequires dependencies in susedata.xml. 
The following package changes have been done: - libsolv-tools-base-0.7.34-150200.48.2 updated - libsolv-tools-0.7.34-150200.48.2 updated - libzypp-17.37.9-150200.166.3 updated - zypper-1.14.92-150200.120.2 updated From sle-container-updates at lists.suse.com Wed Jul 30 07:17:33 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 30 Jul 2025 09:17:33 +0200 (CEST) Subject: SUSE-CU-2025:5682-1: Security update of bci/bci-sle15-kernel-module-devel Message-ID: <20250730071733.BB542FF1E@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5682-1 Container Tags : bci/bci-sle15-kernel-module-devel:15.6 , bci/bci-sle15-kernel-module-devel:15.6.44.32 Container Release : 44.32 Severity : important Type : security References : 1012628 1151679 1151680 1151794 1151927 1210025 1211226 1215199 1218184 1223008 1228557 1228854 1232504 1232882 1235490 1235728 1236208 1237312 1237913 1238859 1238982 1240180 1240577 1240610 1240686 1240723 1240814 1240823 1241166 1241278 1241414 1241544 1241572 1241592 1241617 1242086 1242163 1242504 1242515 1242521 1242556 1242573 1242725 1242846 1242849 1242850 1242907 1242940 1242946 1242954 1242982 1243051 1243060 1243342 1243467 1243475 1243480 1243506 1243523 1243537 1243538 1243542 1243544 1243551 1243571 1243572 1243620 1243628 1243698 1243774 1243782 1243823 1243827 1243832 1243836 1243847 1244100 1244145 1244172 1244176 1244229 1244234 1244241 1244261 1244274 1244275 1244277 1244309 1244313 1244337 1244626 1244725 1244727 1244729 1244731 1244732 1244736 1244737 1244738 1244739 1244743 1244746 1244759 1244789 1244862 1244906 1244938 1244995 1244996 1244999 1245001 1245003 1245004 1245025 1245042 1245046 1245078 1245081 1245082 1245083 1245155 1245183 1245193 1245210 1245217 1245225 1245226 1245228 1245431 1245455 CVE-2023-52888 CVE-2024-26831 CVE-2024-49568 
CVE-2024-50106 CVE-2024-56613 CVE-2024-56699 CVE-2024-57982 CVE-2024-58053 CVE-2025-21658 CVE-2025-21720 CVE-2025-21868 CVE-2025-21898 CVE-2025-21899 CVE-2025-21920 CVE-2025-21938 CVE-2025-21959 CVE-2025-21997 CVE-2025-22035 CVE-2025-22083 CVE-2025-22111 CVE-2025-22113 CVE-2025-22120 CVE-2025-23155 CVE-2025-37738 CVE-2025-37743 CVE-2025-37752 CVE-2025-37756 CVE-2025-37757 CVE-2025-37786 CVE-2025-37800 CVE-2025-37801 CVE-2025-37811 CVE-2025-37844 CVE-2025-37859 CVE-2025-37862 CVE-2025-37865 CVE-2025-37874 CVE-2025-37884 CVE-2025-37909 CVE-2025-37917 CVE-2025-37921 CVE-2025-37923 CVE-2025-37927 CVE-2025-37933 CVE-2025-37936 CVE-2025-37938 CVE-2025-37945 CVE-2025-37946 CVE-2025-37961 CVE-2025-37967 CVE-2025-37968 CVE-2025-37973 CVE-2025-37987 CVE-2025-37992 CVE-2025-37994 CVE-2025-37995 CVE-2025-37997 CVE-2025-37998 CVE-2025-38000 CVE-2025-38001 CVE-2025-38003 CVE-2025-38004 CVE-2025-38005 CVE-2025-38007 CVE-2025-38009 CVE-2025-38010 CVE-2025-38011 CVE-2025-38013 CVE-2025-38014 CVE-2025-38015 CVE-2025-38018 CVE-2025-38020 CVE-2025-38022 CVE-2025-38023 CVE-2025-38024 CVE-2025-38027 CVE-2025-38031 CVE-2025-38040 CVE-2025-38043 CVE-2025-38044 CVE-2025-38045 CVE-2025-38053 CVE-2025-38057 CVE-2025-38059 CVE-2025-38060 CVE-2025-38065 CVE-2025-38068 CVE-2025-38072 CVE-2025-38077 CVE-2025-38078 CVE-2025-38079 CVE-2025-38080 CVE-2025-38081 CVE-2025-38083 ----------------------------------------------------------------- The container bci/bci-sle15-kernel-module-devel was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2466-1 Released: Tue Jul 22 15:08:33 2025 Summary: Recommended update for pesign Type: recommended Severity: moderate References: This update for pesign fixes the following issues: - Added missing pesign-systemd to SUSE Manager 4.3 (no source changes) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2538-1 Released: Mon Jul 28 17:10:28 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1012628,1151679,1151680,1151794,1151927,1210025,1211226,1215199,1218184,1223008,1228557,1228854,1232504,1232882,1235490,1235728,1236208,1237312,1237913,1238859,1238982,1240180,1240577,1240610,1240686,1240723,1240814,1240823,1241166,1241278,1241414,1241544,1241572,1241592,1241617,1242086,1242163,1242504,1242515,1242521,1242556,1242573,1242725,1242846,1242849,1242850,1242907,1242940,1242946,1242954,1242982,1243051,1243060,1243342,1243467,1243475,1243480,1243506,1243523,1243537,1243538,1243542,1243544,1243551,1243571,1243572,1243620,1243628,1243698,1243774,1243782,1243823,1243827,1243832,1243836,1243847,1244100,1244145,1244172,1244176,1244229,1244234,1244241,1244261,1244274,1244275,1244277,1244309,1244313,1244337,1244626,1244725,1244727,1244729,1244731,1244732,1244736,1244737,1244738,1244739,1244743,1244746,1244759,1244789,1244862,1244906,1244938,1244995,1244996,1244999,1245001,1245003,1245004,1245025,1245042,1245046,1245078,1245081,1245082,1245083,1245155,1245183,1245193,1245210,1245217,1245225,1245226,1245228,1245431,1245455,CVE-2023-52888,CVE-2024-26831,CVE-2024-49568,CVE-2024-50106,CVE-2024-56613,CVE-2024-56699,CVE-2024-57982,CVE-2024-58053,CVE-2025-21658,CVE-2025-21720,CVE-2025-21868,CVE-2025-21898,CVE-2025-21899,CVE-2025-21920,CVE-2025-21938,CVE-2025-21959,CVE-2025-21997,CVE-2025-22035,CVE-2025-22083,CVE-2025-22111,CVE-2025-22113,CVE-2025-22120,CVE-2025-23155,CVE-2025-37738,CVE-2025-37743,CVE-2025-37752,CVE-2025-37756,CVE-2025-37757,CVE-2025-37786,CVE-2025-37800,CVE-2025-37801,CVE-2025-37811,CVE-2025-37844,CVE-2025-37859,CVE-2025-37862,CVE-2025-37865,CVE-2025-37874,CVE-2025-37884,CVE-2025-37909,CVE-2025-37917,CVE-2025-37921,CVE-2025-37923,CVE-2025-37927,CVE-2025-37933,CVE-2025-37936,CVE-2025-37938,CVE-2025-37945,CVE-2025-37946,CVE-2025-37961,CVE-2025-37967,CVE-2025-37968,CVE-2025-37973,CVE-2025-37987,CVE-2025-37992,CVE-2025-37994,CVE-2025-37995,CVE-2025-37997,CVE-2025-37998,CVE-2025-38000,CVE-2025-38001,CVE-2025-38003,CVE-2025-38004,CVE-2025-38005,CVE-2025-38007,CVE-2025-38009,CVE-2025-38010,CVE-2025-38011,CVE-2025-38013,CVE-2025-38014,CVE-2025-38015,CVE-2025-38018,CVE-2025-38020,CVE-2025-38022,CVE-2025-38023,CVE-2025-38024,CVE-2025-38027,CVE-2025-38031,CVE-2025-38040,CVE-2025-38043,CVE-2025-38044,CVE-2025-38045,CVE-2025-38053,CVE-2025-38057,CVE-2025-38059,CVE-2025-38060,CVE-2025-38065,CVE-2025-38068,CVE-2025-38072,CVE-2025-38077,CVE-2025-38078,CVE-2025-38079,CVE-2025-38080,CVE-2025-38081,CVE-2025-38083
The SUSE Linux Enterprise 15 SP6 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2023-52888: media: mediatek: vcodec: Only free buffer VA that is not NULL (bsc#1228557). - CVE-2024-49568: net/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving proposal msg (bsc#1235728). - CVE-2024-57982: xfrm: state: fix out-of-bounds read during lookup (bsc#1237913). - CVE-2024-58053: rxrpc: Fix handling of received connection abort (bsc#1238982).
- CVE-2025-21720: xfrm: delete intermediate secpath entry in packet offload mode (bsc#1238859). - CVE-2025-21868: kABI workaround for adding an header (bsc#1240180). - CVE-2025-21898: ftrace: Avoid potential division by zero in function_stat_show() (bsc#1240610). - CVE-2025-21899: tracing: Fix bad hist from corrupting named_triggers list (bsc#1240577). - CVE-2025-21920: vlan: enforce underlying device type (bsc#1240686). - CVE-2025-21938: mptcp: fix 'scheduling while atomic' in mptcp_pm_nl_append_new_local_addr (bsc#1240723). - CVE-2025-21959: netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() (bsc#1240814). - CVE-2025-21997: xsk: fix an integer overflow in xp_create_and_assign_umem() (bsc#1240823). - CVE-2025-22035: tracing: Fix use-after-free in print_graph_function_flags during tracer switching (bsc#1241544). - CVE-2025-22111: kABI fix for net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF (bsc#1241572). - CVE-2025-22113: ext4: define ext4_journal_destroy wrapper (bsc#1241617). - CVE-2025-23155: net: stmmac: Fix accessing freed irq affinity_hint (bsc#1242573). - CVE-2025-37738: ext4: ignore xattrs past end (bsc#1242846). - CVE-2025-37743: wifi: ath12k: Avoid memory leak while enabling statistics (bsc#1242163). - CVE-2025-37752: net_sched: sch_sfq: move the limit validation (bsc#1242504). - CVE-2025-37756: net: tls: explicitly disallow disconnect (bsc#1242515). - CVE-2025-37757: tipc: fix memory leak in tipc_link_xmit (bsc#1242521). - CVE-2025-37786: net: dsa: free routing table on probe failure (bsc#1242725). - CVE-2025-37800: driver core: fix potential NULL pointer dereference in dev_uevent() (bsc#1242849). - CVE-2025-37801: spi: spi-imx: Add check for spi_imx_setupxfer() (bsc#1242850). - CVE-2025-37811: usb: chipidea: ci_hdrc_imx: fix usbmisc handling (bsc#1242907). - CVE-2025-37844: cifs: avoid NULL pointer dereference in dbg call (bsc#1242946). 
- CVE-2025-37859: page_pool: avoid infinite loop to schedule delayed worker (bsc#1243051). - CVE-2025-37862: HID: pidff: Fix null pointer dereference in pidff_find_fields (bsc#1242982). - CVE-2025-37865: net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported (bsc#1242954). - CVE-2025-37874: net: ngbe: fix memory leak in ngbe_probe() error path (bsc#1242940). - CVE-2025-37884: bpf: Fix deadlock between rcu_tasks_trace and event_mutex (bsc#1243060). - CVE-2025-37909: net: lan743x: Fix memleak issue when GSO enabled (bsc#1243467). - CVE-2025-37917: net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll (bsc#1243475). - CVE-2025-37921: vxlan: vnifilter: Fix unlocked deletion of default FDB entry (bsc#1243480). - CVE-2025-37923: tracing: Fix oob write in trace_seq_to_buffer() (bsc#1243551). - CVE-2025-37927: iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid (bsc#1243620). - CVE-2025-37933: octeon_ep: Fix host hang issue during device reboot (bsc#1243628). - CVE-2025-37936: perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value (bsc#1243537). - CVE-2025-37938: tracing: Verify event formats that have '%*p..' (bsc#1243544). - CVE-2025-37945: net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY (bsc#1243538). - CVE-2025-37961: ipvs: fix uninit-value for saddr in do_output_route4 (bsc#1243523). - CVE-2025-37967: usb: typec: ucsi: displayport: Fix deadlock (bsc#1243572). - CVE-2025-37968: iio: light: opt3001: fix deadlock due to concurrent flag access (bsc#1243571). - CVE-2025-37987: pds_core: Prevent possible adminq overflow/stuck condition (bsc#1243542). - CVE-2025-37992: net_sched: Flush gso_skb list too during ->change() (bsc#1243698). - CVE-2025-37995: module: ensure that kobject_put() is safe for module type kobjects (bsc#1243827). - CVE-2025-37997: netfilter: ipset: fix region locking in hash types (bsc#1243832). 
- CVE-2025-37998: openvswitch: Fix unsafe attribute parsing in output_userspace() (bsc#1243836). - CVE-2025-38000: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (bsc#1244277). - CVE-2025-38001: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice (bsc#1244234). - CVE-2025-38011: drm/amdgpu: csa unmap use uninterruptible lock (bsc#1244729). - CVE-2025-38018: net/tls: fix kernel panic when alloc_page failed (bsc#1244999). - CVE-2025-38053: idpf: fix null-ptr-deref in idpf_features_check (bsc#1244746). - CVE-2025-38057: espintcp: fix skb leaks (bsc#1244862). - CVE-2025-38060: bpf: abort verification if env->cur_state->loop_entry != NULL (bsc#1245155). - CVE-2025-38072: libnvdimm/labels: Fix divide error in nd_label_data_init() (bsc#1244743). The following non-security bugs were fixed: - ACPI: CPPC: Fix NULL pointer dereference when nosmp is used (git-fixes). - ACPI: HED: Always initialize before evged (stable-fixes). - ACPI: OSI: Stop advertising support for '3.0 _SCP Extensions' (git-fixes). - ACPI: PNP: Add Intel OC Watchdog IDs to non-PNP device list (stable-fixes). - ACPI: battery: negate current when discharging (stable-fixes). - ACPI: bus: Bail out if acpi_kobj registration fails (stable-fixes). - ACPICA: Avoid sequence overread in call to strncmp() (stable-fixes). - ACPICA: Utilities: Fix spelling mistake 'Incremement' -> 'Increment' (git-fixes). - ACPICA: exserial: do not forget to handle FFixedHW opregions for reading (git-fixes). - ACPICA: fix acpi operand cache leak in dswstate.c (stable-fixes). - ACPICA: fix acpi parse and parseext cache leaks (stable-fixes). - ACPICA: utilities: Fix overflow check in vsnprintf() (stable-fixes). - ALSA: hda/intel: Add Thinkpad E15 to PM deny list (stable-fixes). - ALSA: hda/realtek: Add quirk for HP Spectre x360 15-df1xxx (stable-fixes). - ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14ASP10 (stable-fixes). 
- ALSA: hda/realtek: Enable PC beep passthrough for HP EliteBook 855 G7 (stable-fixes). - ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X507UAR (git-fixes). - ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X513EA (git-fixes). - ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged (stable-fixes). - ALSA: pcm: Fix race of buffer access at PCM OSS layer (stable-fixes). - ALSA: seq: Improve data consistency at polling (stable-fixes). - ALSA: usb-audio: Accept multiple protocols in GTBs (stable-fixes). - ALSA: usb-audio: Add Pioneer DJ DJM-V10 support (stable-fixes). - ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock (stable-fixes). - ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1 (stable-fixes). - ALSA: usb-audio: Add name for HP Engage Go dock (stable-fixes). - ALSA: usb-audio: Check shutdown at endpoint_set_interface() (stable-fixes). - ALSA: usb-audio: Fix NULL pointer deref in snd_usb_power_domain_set() (git-fixes). - ALSA: usb-audio: Fix duplicated name in MIDI substream names (stable-fixes). - ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() (git-fixes). - ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound card (stable-fixes). - ALSA: usb-audio: Rename Pioneer mixer channel controls (git-fixes). - ALSA: usb-audio: Set MIDI1 flag appropriately for GTB MIDI 1.0 entry (stable-fixes). - ALSA: usb-audio: Skip setting clock selector for single connections (stable-fixes). - ALSA: usb-audio: Support multiple control interfaces (stable-fixes). - ALSA: usb-audio: Support read-only clock selector control (stable-fixes). - ALSA: usb-audio: enable support for Presonus Studio 1824c within 1810c file (stable-fixes). - ALSA: usb-audio: mixer: Remove temporary string use in parse_clock_source_unit (stable-fixes). - ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX (git-fixes). - ASoC: Intel: avs: Verify content returned by parse_int_array() (git-fixes). 
- ASoC: Intel: bytcr_rt5640: Add DMI quirk for Acer Aspire SW3-013 (stable-fixes). - ASoC: SOF: ipc4-pcm: Adjust pipeline_list->pipelines allocation type (git-fixes). - ASoC: amd: yc: Add quirk for Lenovo Yoga Pro 7 14ASP9 (stable-fixes). - ASoC: apple: mca: Constrain channels according to TDM mask (git-fixes). - ASoC: codecs: hda: Fix RPM usage count underflow (git-fixes). - ASoC: codecs: pcm3168a: Allow for 24-bit in provider mode (stable-fixes). - ASoC: imx-card: Adjust over allocation of memory in imx_card_parse_of() (stable-fixes). - ASoC: mediatek: mt6359: Add stub for mt6359_accdet_enable_jack_detect (stable-fixes). - ASoC: mediatek: mt8188: Add reference for dmic clocks (stable-fixes). - ASoC: mediatek: mt8188: Treat DMIC_GAINx_CUR as non-volatile (stable-fixes). - ASoC: meson: meson-card-utils: use of_property_present() for DT parsing (git-fixes). - ASoC: ops: Enforce platform maximum on initial value (stable-fixes). - ASoC: qcom: sdm845: Add error handling in sdm845_slim_snd_hw_params() (git-fixes). - ASoC: qcom: sm8250: explicitly set format in sm8250_be_hw_params_fixup() (stable-fixes). - ASoC: rt722-sdca: Add some missing readable registers (stable-fixes). - ASoC: soc-dai: check return value at snd_soc_dai_set_tdm_slot() (stable-fixes). - ASoC: sun4i-codec: support hp-det-gpios property (stable-fixes). - ASoC: tas2764: Add reg defaults for TAS2764_INT_CLK_CFG (stable-fixes). - ASoC: tas2764: Enable main IRQs (git-fixes). - ASoC: tas2764: Mark SW_RESET as volatile (stable-fixes). - ASoC: tas2764: Power up/down amp on mute ops (stable-fixes). - ASoC: tas2764: Reinit cache on part reset (git-fixes). - ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change (stable-fixes). - ASoC: tegra210_ahub: Add check to of_device_get_match_data() (stable-fixes). - Bluetooth: Fix NULL pointer deference on eir_get_service_data (git-fixes). - Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION (git-fixes). 
- Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete (git-fixes). - Bluetooth: MGMT: Fix sparse errors (git-fixes). - Bluetooth: MGMT: Remove unused mgmt_pending_find_data (stable-fixes). - Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach() (git-fixes). - Bluetooth: Remove pending ACL connection attempts (stable-fixes). - Bluetooth: hci_conn: Fix UAF Write in __hci_acl_create_connection_sync (git-fixes). - Bluetooth: hci_conn: Only do ACL connections sequentially (stable-fixes). - Bluetooth: hci_core: fix list_for_each_entry_rcu usage (git-fixes). - Bluetooth: hci_event: Fix not using key encryption size when its known (git-fixes). - Bluetooth: hci_qca: move the SoC type check to the right place (git-fixes). - Bluetooth: hci_sync: Fix UAF in hci_acl_create_conn_sync (git-fixes). - Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync (git-fixes). - Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance (git-fixes). - Documentation/rtla: Fix duplicate text about timerlat tracer (git-fixes). - Documentation/rtla: Fix typo in common_timerlat_description.rst (git-fixes). - Documentation/rtla: Fix typo in rtla-timerlat.rst (git-fixes). - Documentation: fix typo in root= kernel parameter description (git-fixes). - HID: lenovo: Restrict F7/9/11 mode to compact keyboards only (git-fixes). - HID: quirks: Add ADATA XPG alpha wireless mouse support (stable-fixes). - HID: usbkbd: Fix the bit shift number for LED_KANA (stable-fixes). - HID: wacom: fix kobject reference count leak (git-fixes). - HID: wacom: fix memory leak on kobject creation failure (git-fixes). - HID: wacom: fix memory leak on sysfs attribute creation failure (git-fixes). - Input: gpio-keys - fix possible concurrent access in gpio_keys_irq_timer() (git-fixes). - Input: ims-pcu - check record size in ims_pcu_flash_firmware() (git-fixes). - Input: sparcspkr - avoid unannotated fall-through (stable-fixes). - Input: xpad - add more controllers (stable-fixes). 
- KVM: powerpc: Enable commented out BUILD_BUG_ON() assertion (bsc#1215199). - KVM: s390: rename PROT_NONE to PROT_TYPE_DUMMY (git-fixes bsc#1245225). - MyBS: Correctly generate build flags for non-multibuild package limit (bsc#1244241) Fixes: 0999112774fc ('MyBS: Use buildflags to set which package to build') - MyBS: Do not build kernel-obs-qa with limit_packages Fixes: 58e3f8c34b2b ('bs-upload-kernel: Pass limit_packages also on multibuild') - MyBS: Simplify qa_expr generation Start with a 0 which makes the expression valid even if there are no QA repositories (currently does not happen). Then separator is always needed. - NFC: nci: uart: Set tty->disc_data only in success path (git-fixes). - NFS: Do not allow waiting for exiting tasks (git-fixes). - NFSD: Insulate nfsd4_encode_read_plus() from page boundaries in the encode buffer (git-fixes). - NFSv4: Check for delegation validity in nfs_start_delegation_return_locked() (git-fixes). - NFSv4: Treat ENETUNREACH errors as fatal for state recovery (git-fixes). - PCI/DPC: Initialize aer_err_info before using it (git-fixes). - PCI/DPC: Log Error Source ID only when valid (git-fixes). - PCI/DPC: Use defines with DPC reason fields (git-fixes). - PCI/MSI: Size device MSI domain with the maximum number of vectors (git-fixes). - PCI/PM: Set up runtime PM even for devices without PCI PM (git-fixes). - PCI: Explicitly put devices into D0 when initializing (git-fixes). - PCI: Fix lock symmetry in pci_slot_unlock() (git-fixes). - PCI: Fix old_size lower bound in calculate_iosize() too (stable-fixes). - PCI: apple: Set only available ports up (git-fixes). - PCI: apple: Use gpiod_set_value_cansleep in probe flow (git-fixes). - PCI: brcmstb: Add a softdep to MIP MSI-X driver (stable-fixes). - PCI: brcmstb: Expand inbound window size up to 64GB (stable-fixes). - PCI: cadence-ep: Correct PBA offset in .set_msix() callback (git-fixes). - PCI: cadence: Fix runtime atomic count underflow (git-fixes).
- PCI: dw-rockchip: Fix PHY function call sequence in rockchip_pcie_phy_deinit() (git-fixes). - PCI: dw-rockchip: Remove PCIE_L0S_ENTRY check from rockchip_pcie_link_up() (git-fixes). - PCI: dwc: ep: Correct PBA offset in .set_msix() callback (git-fixes). - PCI: dwc: ep: Ensure proper iteration over outbound map windows (stable-fixes). - PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes). - PCI: vmd: Disable MSI remapping bypass under Xen (stable-fixes). - PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn() (stable-fixes). - PM: sleep: Fix power.is_suspended cleanup for direct-complete devices (git-fixes). - PM: sleep: Print PM debug messages during hibernation (git-fixes). - PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks() (git-fixes). - RDMA/core: Fix best page size finding when it can cross SG entries (git-fixes) - RDMA/uverbs: Propagate errors from rdma_lookup_get_uobject() (git-fixes) - Remove compress-vmlinux.sh /usr/lib/rpm/brp-suse.d/brp-99-compress-vmlinux was added in pesign-obs-integration during SLE12 RC. This workaround can be removed. - Remove host-memcpy-hack.h This might have been useful at some point but we have more things that depend on specific library versions today. - Remove try-disable-staging-driver The config for linux-next is autogenerated from master config, and defaults filled for missing options. This is unlikely to enable any staging driver in the first place. - Revert 'ALSA: usb-audio: Skip setting clock selector for single connections' (stable-fixes). - Revert 'arm64: dts: allwinner: h6: Use RSB for AXP805 PMIC (git-fixes) - Revert 'bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first' (stable-fixes). - Revert 'drm/amdgpu: do not allow userspace to create a doorbell BO' (stable-fixes). - Revert 'ipv6: save dontfrag in cork (git-fixes).' - Revert 'kABI: ipv6: save dontfrag in cork (git-fixes).'
- Revert 'wifi: mt76: mt7996: fill txd by host driver' (stable-fixes). - SUNRPC: Do not allow waiting for exiting tasks (git-fixes). - SUNRPC: Prevent hang on NFS mount with xprtsec=[m]tls (git-fixes). - SUNRPC: rpc_clnt_set_transport() must not change the autobind setting (git-fixes). - SUNRPC: rpcbind should never reset the port to the value '0' (git-fixes). - USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB (stable-fixes). - VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify (git-fixes). - accel/qaic: Mask out SR-IOV PCI resources (stable-fixes). - acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio() (git-fixes). - add bug reference to existing hv_storvsc change (bsc#1245455). - arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs (git-fixes) - ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode (stable-fixes). - ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 (stable-fixes). - ath10k: snoc: fix unbalanced IRQ enable in crash recovery (git-fixes). - backlight: pm8941: Add NULL check in wled_configure() (git-fixes). - bnxt: properly flush XDP redirect lists (git-fixes). - bpf: Force uprobe bpf program to always return 0 (git-fixes). - bs-upload-kernel: Pass limit_packages also on multibuild Fixes: 0999112774fc ('MyBS: Use buildflags to set which package to build') Fixes: 747f601d4156 ('bs-upload-kernel, MyBS, Buildresults: Support multibuild (JSC-SLE#5501, boo#1211226, bsc#1218184)') - btrfs: fix fsync of files with no hard links not persisting deletion (git-fixes). - btrfs: fix invalid data space release when truncating block in NOCOW mode (git-fixes). - btrfs: fix qgroup reservation leak on failure to allocate ordered extent (git-fixes). - btrfs: fix wrong start offset for delalloc space release during mmap write (git-fixes). - btrfs: remove end_no_trans label from btrfs_log_inode_parent() (git-fixes). 
- btrfs: simplify condition for logging new dentries at btrfs_log_inode_parent() (git-fixes). - bus: fsl-mc: do not add a device-link for the UAPI used DPMCP device (git-fixes). - bus: fsl-mc: fix GET/SET_TAILDROP command ids (git-fixes). - bus: fsl-mc: fix double-free on mc_dev (git-fixes). - bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value (stable-fixes). - bus: mhi: host: Fix conflict between power_up and SYSERR (git-fixes). - calipso: Fix null-ptr-deref in calipso_req_{set,del}attr() (git-fixes). - can: c_can: Use of_property_present() to test existence of DT property (stable-fixes). - can: tcan4x5x: fix power regulator retrieval during probe (git-fixes). - ceph: Fix incorrect flush end position calculation (git-fixes). - ceph: allocate sparse_ext map only for sparse reads (git-fixes). - ceph: fix memory leaks in __ceph_sync_read() (git-fixes). - cgroup/cpuset: Fix race between newly created partition and dying one (bsc#1241166). - clocksource: Fix brown-bag boolean thinko in (git-fixes) - clocksource: Make watchdog and suspend-timing multiplication (git-fixes) - crypto: lrw - Only add ecb if it is not already there (git-fixes). - crypto: lzo - Fix compression buffer overrun (stable-fixes). - crypto: marvell/cesa - Avoid empty transfer descriptor (git-fixes). - crypto: marvell/cesa - Do not chain submitted requests (git-fixes). - crypto: marvell/cesa - Handle zero-length skcipher requests (git-fixes). - crypto: octeontx2 - suppress auth failure screaming due to negative tests (stable-fixes). - crypto: qat - add shutdown handler to qat_420xx (git-fixes). - crypto: qat - add shutdown handler to qat_4xxx (git-fixes). - crypto: skcipher - Zap type in crypto_alloc_sync_skcipher (stable-fixes). - crypto: sun8i-ce - move fallback ahash_request to the end of the struct (git-fixes). - crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare() (git-fixes). - crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions (git-fixes). 
- crypto: xts - Only add ecb if it is not already there (git-fixes). - devlink: Fix referring to hw_addr attribute during state validation (git-fixes). - devlink: fix port dump cmd type (git-fixes). - dlm: mask sk_shutdown value (bsc#1228854). - dlm: use SHUT_RDWR for SCTP shutdown (bsc#1228854). - dmaengine: idxd: cdev: Fix uninitialized use of sva in idxd_cdev_open (stable-fixes). - dmaengine: ti: Add NULL check in udma_probe() (git-fixes). - drivers/rapidio/rio_cm.c: prevent possible heap overwrite (stable-fixes). - drm/amd/display/dm: drop hw_support check in amdgpu_dm_i2c_xfer() (stable-fixes). - drm/amd/display: Add null pointer check for get_first_active_display() (git-fixes). - drm/amd/display: Do not try AUX transactions on disconnected link (stable-fixes). - drm/amd/display: Fix incorrect DPCD configs while Replay/PSR switch (stable-fixes). - drm/amd/display: Guard against setting dispclk low for dcn31x (stable-fixes). - drm/amd/display: Increase block_sequence array size (stable-fixes). - drm/amd/display: Initial psr_version with correct setting (stable-fixes). - drm/amd/display: Skip checking FRL_MODE bit for PCON BW determination (stable-fixes). - drm/amd/display: Update CR AUX RD interval interpretation (stable-fixes). - drm/amd/display: fix link_set_dpms_off multi-display MST corner case (stable-fixes). - drm/amd/display: remove minimum Dispclk and apply oem panel timing (stable-fixes). - drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table (git-fixes). - drm/amdgpu: Do not program AGP BAR regs under SRIOV in gfxhub_v1_0.c (stable-fixes). - drm/amdgpu: Set snoop bit for SDMA for MI series (stable-fixes). - drm/amdgpu: Update SRIOV video codec caps (stable-fixes). - drm/amdgpu: enlarge the VBIOS binary size limit (stable-fixes). - drm/amdgpu: reset psp->cmd to NULL after releasing the buffer (stable-fixes). - drm/amdgpu: switch job hw_fence to amdgpu_fence (git-fixes). 
- drm/amdkfd: KFD release_work possible circular locking (stable-fixes). - drm/amdkfd: Set per-process flags only once cik/vi (stable-fixes). - drm/ast: Find VBIOS mode from regular display size (stable-fixes). - drm/ast: Fix comment on modeset lock (git-fixes). - drm/atomic: clarify the rules around drm_atomic_state->allow_modeset (stable-fixes). - drm/bridge: cdns-dsi: Check return value when getting default PHY config (git-fixes). - drm/bridge: cdns-dsi: Fix connecting to next bridge (git-fixes). - drm/bridge: cdns-dsi: Fix phy de-init and flag it so (git-fixes). - drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() (git-fixes). - drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready (git-fixes). - drm/bridge: lt9611uxc: Fix an error handling path in lt9611uxc_probe() (git-fixes). - drm/etnaviv: Protect the scheduler's pending list with its lock (git-fixes). - drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1 (git-fixes). - drm/i915/pmu: Fix build error with GCOV and AutoFDO enabled (git-fixes). - drm/i915: fix build error some more (git-fixes). - drm/mediatek: Fix kobject put for component sub-drivers (git-fixes). - drm/mediatek: mtk_dpi: Add checks for reg_h_fre_con existence (stable-fixes). - drm/mediatek: mtk_drm_drv: Fix kobject put for mtk_mutex device ptr (git-fixes). - drm/mediatek: mtk_drm_drv: Unbind secondary mmsys components on err (git-fixes). - drm/msm/disp: Correct porch timing for SDM845 (git-fixes). - drm/msm/dsi/dsi_phy_10nm: Fix missing initial VCO rate (git-fixes). - drm/msm/gpu: Fix crash when throttling GPU immediately during boot (git-fixes). - drm/nouveau/bl: increase buffer size to avoid truncate warning (git-fixes). - drm/panel-edp: Add Starry 116KHD024006 (stable-fixes). - drm/panel: samsung-sofef00: Drop s6e3fc2x01 support (git-fixes). - drm/rockchip: vop2: Add uv swap for cluster window (stable-fixes). - drm/ssd130x: fix ssd132x_clear_screen() columns (git-fixes). 
- drm/tegra: Assign plane type before registration (git-fixes). - drm/tegra: Fix a possible null pointer dereference (git-fixes). - drm/tegra: rgb: Fix the unbound reference count (git-fixes). - drm/udl: Unregister device before cleaning up on disconnect (git-fixes). - drm/v3d: Add clock handling (stable-fixes). - drm/vc4: tests: Use return instead of assert (git-fixes). - drm/vkms: Adjust vkms_state->active_planes allocation type (git-fixes). - drm/vmwgfx: Add seqno waiter for sync_files (git-fixes). - drm: Add valid clones check (stable-fixes). - drm: bridge: adv7511: fill stream capabilities (stable-fixes). - drm: rcar-du: Fix memory leak in rcar_du_vsps_init() (git-fixes). - e1000e: set fixed clock frequency indication for Nahum 11 and Nahum 13 (git-fixes). - fbcon: Make sure modelist not set on unregistered console (stable-fixes). - fbcon: Use correct erase colour for clearing in fbcon (stable-fixes). - fbdev/efifb: Remove PM for parent device (bsc#1244261). - fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var (git-fixes). - fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var (git-fixes). - fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() (git-fixes). - fbdev: core: tileblit: Implement missing margin clearing for tileblit (stable-fixes). - fbdev: fsl-diu-fb: add missing device_remove_file() (stable-fixes). - fgraph: Still initialize idle shadow stacks when starting (git-fixes). - firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES (git-fixes). - firmware: arm_ffa: Reject higher major version as incompatible (stable-fixes). - firmware: arm_ffa: Set dma_mask for ffa devices (stable-fixes). - firmware: arm_scmi: Relax duplicate name constraint across protocol ids (stable-fixes). - firmware: psci: Fix refcount leak in psci_dt_init (git-fixes). - fpga: altera-cvp: Increase credit timeout (stable-fixes). - fs/nfs/read: fix double-unlock bug in nfs_return_empty_folio() (git-fixes). 
- gpio: mlxbf3: only get IRQ for device instance 0 (git-fixes). - gpio: pca953x: Simplify code with cleanup helpers (stable-fixes). - gpio: pca953x: Split pca953x_restore_context() and pca953x_save_context() (stable-fixes). - gpio: pca953x: fix IRQ storm on system wake up (git-fixes). - gpiolib: Revert 'Do not WARN on gpiod_put() for optional GPIO' (stable-fixes). - gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt (git-fixes). - gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO (git-fixes). - hwmon: (asus-ec-sensors) check sensor index in read_string() (git-fixes). - hwmon: (dell-smm) Increment the number of fans (stable-fixes). - hwmon: (ftsteutates) Fix TOCTOU race in fts_read() (git-fixes). - hwmon: (gpio-fan) Add missing mutex locks (stable-fixes). - hwmon: (nct6775): Actually make use of the HWMON_NCT6775 symbol namespace (git-fixes). - hwmon: (occ) Rework attribute registration for stack usage (git-fixes). - hwmon: (occ) fix unaligned accesses (git-fixes). - hwmon: (peci/dimmtemp) Do not provide fake thresholds data (git-fixes). - hwmon: (xgene-hwmon) use appropriate type for the latency value (stable-fixes). - hwmon: corsair-psu: add USB id of HX1200i Series 2023 psu (git-fixes). - i2c: designware: Invoke runtime suspend on quick slave re-registration (stable-fixes). - i2c: npcm: Add clock toggle recovery (stable-fixes). - i2c: pxa: fix call balance of i2c->clk handling routines (stable-fixes). - i2c: qup: Vote for interconnect bandwidth to DRAM (stable-fixes). - i2c: robotfuzz-osif: disable zero-length read messages (git-fixes). - i2c: tegra: check msg length in SMBUS block read (bsc#1242086) - i2c: tiny-usb: disable zero-length read messages (git-fixes). - i3c: master: svc: Fix implicit fallthrough in svc_i3c_master_ibi_work() (git-fixes). - i3c: master: svc: Fix missing STOP for master request (stable-fixes). - i3c: master: svc: Flush FIFO before sending Dynamic Address Assignment(DAA) (stable-fixes). 
- i40e: retry VFLR handling if there is ongoing VF reset (git-fixes). - i40e: return false from i40e_reset_vf if reset is in progress (git-fixes). - ice: Fix LACP bonds without SRIOV environment (git-fixes). - ice: create new Tx scheduler nodes for new queues only (git-fixes). - ice: fix Tx scheduler error handling in XDP callback (git-fixes). - ice: fix rebuilding the Tx scheduler tree for large queue counts (git-fixes). - ice: fix vf->num_mac count with port representors (git-fixes). - ieee802154: ca8210: Use proper setters and getters for bitwise types (stable-fixes). - iio: accel: fxls8962af: Fix temperature scan element sign (git-fixes). - iio: adc: ad7124: Fix 3dB filter frequency reading (git-fixes). - iio: adc: ad7606_spi: fix reg write value mask (git-fixes). - iio: filter: admv8818: Support frequencies >= 2^32 (git-fixes). - iio: filter: admv8818: fix band 4, state 15 (git-fixes). - iio: filter: admv8818: fix integer overflow (git-fixes). - iio: filter: admv8818: fix range calculation (git-fixes). - iio: imu: inv_icm42600: Fix temperature calculation (git-fixes). - ima: Suspend PCR extends and log appends when rebooting (bsc#1210025 ltc#196650). - ima: process_measurement() needlessly takes inode_lock() on MAY_READ (stable-fixes). - intel_th: avoid using deprecated page->mapping, index fields (stable-fixes). - iommu: Protect against overflow in iommu_pgsize() (git-fixes). - iommu: Skip PASID validation for devices without PASID capability (bsc#1244100) - iommu: Validate the PASID in iommu_attach_device_pasid() (bsc#1244100) - ip6mr: fix tables suspicious RCU usage (git-fixes). - ip_tunnel: annotate data-races around t->parms.link (git-fixes). - ipmr: fix incorrect parameter validation in the ip_mroute_getsockopt() function (git-fixes). - ipmr: fix tables suspicious RCU usage (git-fixes). - ipv4: Convert ip_route_input() to dscp_t (git-fixes). - ipv4: Correct/silence an endian warning in __ip_do_redirect (git-fixes). 
- ipv6: save dontfrag in cork (git-fixes). - ipvs: Always clear ipvs_property flag in skb_scrub_packet() (git-fixes). - isolcpus: fix bug in returning number of allocated cpumask (bsc#1243774). - jffs2: check jffs2_prealloc_raw_node_refs() result in few other places (git-fixes). - jffs2: check that raw node were preallocated before writing summary (git-fixes). - kABI workaround for hda_codec.beep_just_power_on flag (git-fixes). - kABI: PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes). - kABI: ipv6: save dontfrag in cork (git-fixes). - kABI: serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes). - kabi: restore layout of struct cgroup_subsys (bsc#1241166). - kabi: restore layout of struct mem_control (jsc#PED-12551). - kabi: restore layout of struct page_counter (jsc#PED-12551). - kernel-source: Do not use multiple -r in sed parameters - kernel-source: Remove log.sh from sources - leds: pwm-multicolor: Add check for fwnode_property_read_u32 (stable-fixes). - loop: add file_start_write() and file_end_write() (git-fixes). - mailbox: use error ret code of of_parse_phandle_with_args() (stable-fixes). - md/raid1,raid10: do not handle IO error for REQ_RAHEAD and REQ_NOWAIT (git-fixes). - media: adv7180: Disable test-pattern control on adv7180 (stable-fixes). - media: c8sectpfe: Call of_node_put(i2c_bus) only once in c8sectpfe_probe() (stable-fixes). - media: ccs-pll: Check for too high VT PLL multiplier in dual PLL case (git-fixes). - media: ccs-pll: Correct the upper limit of maximum op_pre_pll_clk_div (git-fixes). - media: ccs-pll: Start OP pre-PLL multiplier search from correct value (git-fixes). - media: ccs-pll: Start VT pre-PLL multiplier search from correct value (git-fixes). - media: cx231xx: set device_caps for 417 (stable-fixes). - media: cxusb: no longer judge rbuf when the write fails (git-fixes). - media: davinci: vpif: Fix memory leak in probe error path (git-fixes). 
- media: gspca: Add error handling for stv06xx_read_sensor() (git-fixes). - media: i2c: imx219: Correct the minimum vblanking value (stable-fixes). - media: imx-jpeg: Cleanup after an allocation error (git-fixes). - media: imx-jpeg: Drop the first error frames (git-fixes). - media: imx-jpeg: Move mxc_jpeg_free_slot_data() ahead (git-fixes). - media: imx-jpeg: Reset slot data pointers when freed (git-fixes). - media: nxp: imx8-isi: better handle the m2m usage_count (git-fixes). - media: omap3isp: use sgtable-based scatterlist wrappers (git-fixes). - media: ov5675: suppress probe deferral errors (git-fixes). - media: ov8856: suppress probe deferral errors (git-fixes). - media: qcom: camss: csid: Only add TPG v4l2 ctrl if TPG hardware is available (stable-fixes). - media: rkvdec: Fix frame size enumeration (git-fixes). - media: tc358746: improve calculation of the D-PHY timing registers (stable-fixes). - media: test-drivers: vivid: do not call schedule in loop (stable-fixes). - media: uvcvideo: Add sanity check to uvc_ioctl_xu_ctrl_map (stable-fixes). - media: uvcvideo: Fix deferred probing error (git-fixes). - media: uvcvideo: Handle uvc menu translation inside uvc_get_le_value (stable-fixes). - media: uvcvideo: Return the number of processed controls (git-fixes). - media: v4l2-dev: fix error handling in __video_register_device() (git-fixes). - media: v4l: Memset argument to 0 before calling get_mbus_config pad op (stable-fixes). - media: venus: Fix probe error handling (git-fixes). - media: videobuf2: use sgtable-based scatterlist wrappers (git-fixes). - media: vidtv: Terminating the subsequent process of initialization failure (git-fixes). - media: vivid: Change the siize of the composing (git-fixes). - mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove() (git-fixes). - mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE (git-fixes). - mfd: tps65219: Remove TPS65219_REG_TI_DEV_ID check (stable-fixes). 
- mkspec: Exclude rt flavor from kernel-syms dependencies (bsc#1244337). - mm, memcg: cg2 memory{.swap,}.peak write handlers (jsc#PED-12551). - mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race (bsc#1245431). - mm/hugetlb: unshare page tables during VMA split, not before (bsc#1245431). - mm/memcontrol: export memcg.swap watermark via sysfs for v2 memcg (jsc#PED-12551). - mmc: Add quirk to disable DDR50 tuning (stable-fixes). - mmc: dw_mmc: add exynos7870 DW MMC support (stable-fixes). - mmc: host: Wait for Vdd to settle on card power off (stable-fixes). - mmc: sdhci: Disable SD card clock before changing parameters (stable-fixes). - mtd: nand: ecc-mxic: Fix use of uninitialized variable ret (git-fixes). - mtd: nand: sunxi: Add randomizer configuration before randomizer enable (git-fixes). - mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk (git-fixes). - neighbour: Do not let neigh_forced_gc() disable preemption for long (git-fixes). - net/mdiobus: Fix potential out-of-bounds clause 45 read/write access (git-fixes). - net/mdiobus: Fix potential out-of-bounds read/write access (git-fixes). - net/mlx4_en: Prevent potential integer overflow calculating Hz (git-fixes). - net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid() (git-fixes). - net/mlx5: Ensure fw pages are always allocated on same NUMA (git-fixes). - net/mlx5: Fix ECVF vports unload on shutdown flow (git-fixes). - net/mlx5: Fix return value when searching for existing flow group (git-fixes). - net/mlx5_core: Add error handling inmlx5_query_nic_vport_qkey_viol_cntr() (git-fixes). - net/mlx5e: Fix leak of Geneve TLV option object (git-fixes). - net/neighbor: clear error in case strict check is not set (git-fixes). - net/sched: fix use-after-free in taprio_dev_notifier (git-fixes). - net: Fix TOCTOU issue in sk_is_readable() (git-fixes). - net: Implement missing getsockopt(SO_TIMESTAMPING_NEW) (git-fixes). - net: add rcu safety to rtnl_prop_list_size() (git-fixes). 
- net: fix udp gso skb_segment after pull from frag_list (git-fixes). - net: give more chances to rcu in netdev_wait_allrefs_any() (git-fixes). - net: ice: Perform accurate aRFS flow match (git-fixes). - net: ipv4: fix a memleak in ip_setup_cork (git-fixes). - net: linkwatch: use system_unbound_wq (git-fixes). - net: mana: Add support for Multi Vports on Bare metal (bsc#1244229). - net: mana: Record doorbell physical address in PF mode (bsc#1244229). - net: page_pool: fix warning code (git-fixes). - net: phy: clear phydev->devlink when the link is deleted (git-fixes). - net: phy: fix up const issues in to_mdio_device() and to_phy_device() (git-fixes). - net: phy: move phy_link_change() prior to mdio_bus_phy_may_suspend() (bsc#1243538) - net: phy: mscc: Fix memory leak when using one step timestamping (git-fixes). - net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames (git-fixes). - net: sched: cls_u32: Fix allocation size in u32_init() (git-fixes). - net: sched: consistently use rcu_replace_pointer() in taprio_change() (git-fixes). - net: sched: em_text: fix possible memory leak in em_text_destroy() (git-fixes). - net: sched: fix erspan_opt settings in cls_flower (git-fixes). - net: usb: aqc111: debug info before sanitation (git-fixes). - net: usb: aqc111: fix error handling of usbnet read calls (git-fixes). - net: wwan: t7xx: Fix napi rx poll issue (git-fixes). - net_sched: ets: fix a race in ets_qdisc_change() (git-fixes). - net_sched: prio: fix a race in prio_tune() (git-fixes). - net_sched: red: fix a race in __red_change() (git-fixes). - net_sched: sch_fifo: implement lockless __fifo_dump() (bsc#1237312) - net_sched: sch_sfq: reject invalid perturb period (git-fixes). - net_sched: sch_sfq: use a temporary work area for validating configuration (bsc#1232504) - net_sched: tbf: fix a race in tbf_change() (git-fixes). - netdev-genl: Hold rcu_read_lock in napi_get (git-fixes). - netlink: fix potential sleeping issue in mqueue_flush_file (git-fixes). 
- netlink: specs: dpll: replace underscores with dashes in names (git-fixes). - netpoll: Use rcu_access_pointer() in __netpoll_setup (git-fixes). - netpoll: hold rcu read lock in __netpoll_send_skb() (git-fixes). - nfsd: Initialize ssc before laundromat_work to prevent NULL dereference (git-fixes). - nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request (git-fixes). - nfsd: validate the nfsd_serv pointer before calling svc_wake_up (git-fixes). - ntp: Clamp maxerror and esterror to operating range (git-fixes) - ntp: Remove invalid cast in time offset math (git-fixes) - ntp: Safeguard against time_constant overflow (git-fixes) - nvme-fc: do not reference lsrsp after failure (bsc#1245193). - nvme-pci: add NVME_QUIRK_NO_DEEPEST_PS quirk for SOLIDIGM P44 Pro (git-fixes). - nvme-pci: add quirks for WDC Blue SN550 15b7:5009 (git-fixes). - nvme-pci: add quirks for device 126f:1001 (git-fixes). - nvme: always punt polled uring_cmd end_io work to task_work (git-fixes). - nvme: fix command limits status code (git-fixes). - nvme: fix implicit bool to flags conversion (git-fixes). - nvmet-fc: free pending reqs on tgtport unregister (bsc#1245193). - nvmet-fc: take tgtport refs for portentry (bsc#1245193). - nvmet-fcloop: access fcpreq only when holding reqlock (bsc#1245193). - nvmet-fcloop: add missing fcloop_callback_host_done (bsc#1245193). - nvmet-fcloop: allocate/free fcloop_lsreq directly (bsc#1245193). - nvmet-fcloop: do not wait for lport cleanup (bsc#1245193). - nvmet-fcloop: drop response if targetport is gone (bsc#1245193). - nvmet-fcloop: prevent double port deletion (bsc#1245193). - nvmet-fcloop: refactor fcloop_delete_local_port (bsc#1245193). - nvmet-fcloop: refactor fcloop_nport_alloc and track lport (bsc#1245193). - nvmet-fcloop: remove nport from list on last user (bsc#1245193). - nvmet-fcloop: track ref counts for nports (bsc#1245193). - nvmet-fcloop: update refs on tfcp_req (bsc#1245193). - orangefs: Do not truncate file size (git-fixes). 
- pNFS/flexfiles: Report ENETDOWN as a connection error (git-fixes). - page_pool: Fix use-after-free in page_pool_recycle_in_ring (git-fixes). - phy: core: do not require set_mode() callback for phy_get_mode() to work (stable-fixes). - phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug (git-fixes). - phy: renesas: rcar-gen3-usb2: Add support to initialize the bus (stable-fixes). - phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off (git-fixes). - phy: renesas: rcar-gen3-usb2: Lock around hardware registers and driver data (git-fixes). - phy: renesas: rcar-gen3-usb2: Move IRQ request in probe (stable-fixes). - pinctrl-tegra: Restore SFSEL bit when freeing pins (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() (stable-fixes). - pinctrl: armada-37xx: set GPIO output value before setting direction (git-fixes). - pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 (git-fixes). - pinctrl: at91: Fix possible out-of-boundary access (git-fixes). - pinctrl: bcm281xx: Use 'unsigned int' instead of bare 'unsigned' (stable-fixes). - pinctrl: devicetree: do not goto err when probing hogs in pinctrl_dt_to_map (stable-fixes). - pinctrl: mcp23s08: Reset all pins to input at probe (stable-fixes). - pinctrl: meson: define the pull up/down resistor value as 60 kOhm (stable-fixes). - pinctrl: qcom: pinctrl-qcm2290: Add missing pins (git-fixes). - pinctrl: st: Drop unused st_gpio_bank() function (git-fixes). - pinctrl: tegra: Fix off by one in tegra_pinctrl_get_group() (git-fixes). - platform/x86/amd: pmc: Clear metrics table at start of cycle (git-fixes). - platform/x86/intel-uncore-freq: Fail module load when plat_info is NULL (git-fixes). 
- platform/x86: dell_rbu: Fix list usage (git-fixes). - platform/x86: dell_rbu: Stop overwriting data buffer (git-fixes). - platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys (git-fixes). - platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys (stable-fixes). - platform/x86: ideapad-laptop: use usleep_range() for EC polling (git-fixes). - platform/x86: thinkpad_acpi: Ignore battery threshold change event notification (stable-fixes). - platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS (git-fixes). - platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS (stable-fixes). - power: reset: at91-reset: Optimize at91_reset() (git-fixes). - power: supply: bq27xxx: Retrieve again when busy (stable-fixes). - power: supply: collie: Fix wakeup source leaks on device unbind (stable-fixes). - powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery (bsc#1215199). - powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap (bsc#1244309 ltc#213790). - powerpc/pseries/msi: Avoid reading PCI device registers in reduced power states (bsc#1215199). - powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() (bsc#1244309 ltc#213790). - pstore: Change kmsg_bytes storage size to u32 (git-fixes). - ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() (git-fixes). - r8152: add vendor/device ID pair for Dell Alienware AW1022z (git-fixes). - regulator: ad5398: Add device tree support (stable-fixes). - regulator: max14577: Add error check for max14577_read_reg() (git-fixes). - regulator: max20086: Change enable gpio to optional (git-fixes). - regulator: max20086: Fix MAX200086 chip id (git-fixes). - regulator: max20086: Fix refcount leak in max20086_parse_regulators_dt() (git-fixes). - rpm/check-for-config-changes: add more to IGNORED_CONFIGS_RE Useful when someone tries (needs) to build the kernel with clang. 
- rpm/kernel-source.changes.old: Drop bogus bugzilla reference (bsc#1244725) - rpm: Stop using is_kotd_qa macro This macro is set by bs-upload-kernel, and a conditional in each spec file is used to determine when to build the spec file. This logic should not really be in the spec file. Previously this was done with package links and package meta for the individual links. However, the use of package links is rejected for packages in git based release projects (nothing to do with git actually, new policy). An alternative to package links is multibuild. However, for multibuild packages package meta cannot be used to set which spec file gets built. Use prjcon buildflags instead, and remove this conditional. Depends on bs-upload-kernel adding the build flag. - rtc: Fix offset calculation for .start_secs < 0 (git-fixes). - rtc: Make rtc_time64_to_tm() support dates before 1970 (stable-fixes). - rtc: at91rm9200: drop unused module alias (git-fixes). - rtc: cmos: use spin_lock_irqsave in cmos_interrupt (git-fixes). - rtc: cpcap: drop unused module alias (git-fixes). - rtc: da9063: drop unused module alias (git-fixes). - rtc: ds1307: stop disabling alarms on probe (stable-fixes). - rtc: jz4740: drop unused module alias (git-fixes). - rtc: pm8xxx: drop unused module alias (git-fixes). - rtc: rv3032: fix EERD location (stable-fixes). - rtc: s3c: drop unused module alias (git-fixes). - rtc: sh: assign correct interrupts with DT (git-fixes). - rtc: stm32: drop unused module alias (git-fixes). - s390/pci: Allow re-add of a reserved but not yet removed device (bsc#1244145). - s390/pci: Fix __pcilg_mio_inuser() inline assembly (git-fixes bsc#1245226). - s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs (git-fixes bsc#1244145). - s390/pci: Fix potential double remove of hotplug slot (bsc#1244145). - s390/pci: Prevent self deletion in disable_slot() (bsc#1244145).
- s390/pci: Remove redundant bus removal and disable from zpci_release_device() (bsc#1244145). - s390/pci: Serialize device addition and removal (bsc#1244145). - s390/pci: introduce lock to synchronize state of zpci_dev's (jsc#PED-10253 bsc#1244145). - s390/pci: remove hotplug slot when releasing the device (bsc#1244145). - s390/pci: rename lock member in struct zpci_dev (jsc#PED-10253 bsc#1244145). - s390/tty: Fix a potential memory leak bug (git-fixes bsc#1245228). - scsi: dc395x: Remove DEBUG conditional compilation (git-fixes). - scsi: dc395x: Remove leftover if statement in reselect() (git-fixes). - scsi: elx: efct: Fix memory leak in efct_hw_parse_filter() (git-fixes). - scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk (git-fixes). - scsi: iscsi: Fix incorrect error path labels for flashnode operations (git-fixes). - scsi: mpi3mr: Add level check to control event logging (git-fixes). - scsi: mpt3sas: Send a diag reset if target reset fails (git-fixes). - scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops (git-fixes). - scsi: sd_zbc: block: Respect bio vector limits for REPORT ZONES buffer (git-fixes). - scsi: st: ERASE does not change tape location (git-fixes). - scsi: st: Restore some drive settings after reset (git-fixes). - scsi: st: Tighten the page format heuristics with MODE SELECT (git-fixes). - scsi: storvsc: Do not report the host packet status as the hv status (git-fixes). - scsi: storvsc: Increase the timeouts to storvsc_timeout (git-fixes). - selftests/bpf: Fix bpf_nf selftest failure (git-fixes). - selftests/mm: restore default nr_hugepages value during cleanup in hugetlb_reparenting_test.sh (git-fixes). - selftests/net: have `gro.sh -t` return a correct exit code (stable-fixes). - selftests/seccomp: fix syscall_restart test for arm compat (git-fixes). - serial: Fix potential null-ptr-deref in mlb_usio_probe() (git-fixes). - serial: imx: Restore original RXTL for console to fix data loss (git-fixes). 
- serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes). - serial: sh-sci: Move runtime PM enable to sci_probe_single() (stable-fixes). - serial: sh-sci: Save and restore more registers (git-fixes). - serial: sh-sci: Update the suspend/resume support (stable-fixes). - soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() (git-fixes). - soc: aspeed: lpc: Fix impossible judgment condition (git-fixes). - soc: qcom: smp2p: Fix fallback to qcom,ipc parse (git-fixes). - soc: ti: k3-socinfo: Do not use syscon helper to build regmap (stable-fixes). - software node: Correct a OOB check in software_node_get_reference_args() (stable-fixes). - soundwire: amd: change the soundwire wake enable/disable sequence (stable-fixes). - spi-rockchip: Fix register out of bounds access (stable-fixes). - spi: bcm63xx-hsspi: fix shared reset (git-fixes). - spi: bcm63xx-spi: fix shared reset (git-fixes). - spi: sh-msiof: Fix maximum DMA transfer size (git-fixes). - spi: spi-sun4i: fix early activation (stable-fixes). - spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers (git-fixes). - spi: tegra210-quad: modify chip select (CS) deactivation (git-fixes). - spi: tegra210-quad: remove redundant error handling code (git-fixes). - spi: zynqmp-gqspi: Always acknowledge interrupts (stable-fixes). - staging: iio: ad5933: Correct settling cycles encoding per datasheet (git-fixes). - staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() (git-fixes). - struct usci: hide additional member (git-fixes). - sunrpc: handle SVC_GARBAGE during svc auth processing as auth error (git-fixes). - tcp/dccp: allow a connection when sk_max_ack_backlog is zero (git-fixes). - tcp/dccp: bypass empty buckets in inet_twsk_purge() (git-fixes). - tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog (git-fixes). - tcp: bring back NUMA dispersion in inet_ehash_locks_alloc() (git-fixes). - tcp_metrics: optimize tcp_metrics_flush_all() (git-fixes). 
- thermal/drivers/qoriq: Power down TMU on system suspend (stable-fixes). - thunderbolt: Do not add non-active NVM if NVM upgrade is disabled for retimer (stable-fixes). - thunderbolt: Do not double dequeue a configuration request (stable-fixes). - thunderbolt: Fix a logic error in wake on connect (git-fixes). - timekeeping: Fix bogus clock_was_set() invocation in (git-fixes) - timekeeping: Fix cross-timestamp interpolation corner case (git-fixes) - timekeeping: Fix cross-timestamp interpolation for non-x86 (git-fixes) - timekeeping: Fix cross-timestamp interpolation on counter (git-fixes) - trace/trace_event_perf: remove duplicate samples on the first tracepoint event (git-fixes). - tracing/eprobe: Fix to release eprobe when failed to add dyn_event (git-fixes). - tracing: Add __print_dynamic_array() helper (bsc#1243544). - tracing: Add __string_len() example (bsc#1243544). - tracing: Fix cmp_entries_dup() to respect sort() comparison rules (git-fixes). - tracing: Fix compilation warning on arm32 (bsc#1243551). - tracing: Use atomic64_inc_return() in trace_clock_counter() (git-fixes). - truct dwc3 hide new member wakeup_pending_funcs (git-fixes). - ucsi_debugfs_entry: hide signedness change (git-fixes). - udp: annotate data-races around up->pending (git-fixes). - udp: fix incorrect parameter validation in the udp_lib_getsockopt() function (git-fixes). - udp: fix receiving fraglist GSO packets (git-fixes). - udp: preserve the connected status if only UDP cmsg (git-fixes). - uprobes: Use kzalloc to allocate xol area (git-fixes). - usb: Flush altsetting 0 endpoints before reinitializating them after reset (git-fixes). - usb: cdnsp: Fix issue with detecting USB 3.2 speed (git-fixes). - usb: cdnsp: Fix issue with detecting command completion event (git-fixes). - usb: dwc3: gadget: Make gadget_wakeup asynchronous (git-fixes). - usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE (stable-fixes). 
- usb: renesas_usbhs: Reorder clock handling and power management in probe (git-fixes). - usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device (stable-fixes). - usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx() (git-fixes). - usb: typec: ucsi: Only enable supported notifications (git-fixes). - usb: typec: ucsi: allow non-partner GET_PDOS for Qualcomm devices (git-fixes). - usb: typec: ucsi: fix Clang -Wsign-conversion warning (git-fixes). - usb: typec: ucsi: fix UCSI on buggy Qualcomm devices (git-fixes). - usb: typec: ucsi: limit the UCSI_NO_PARTNER_PDOS even further (git-fixes). - usb: usbtmc: Fix read_stb function and get_stb ioctl (git-fixes). - usb: usbtmc: Fix timeout value in get_stb (git-fixes). - usb: xhci: Do not change the status of stalled TDs on failed Stop EP (stable-fixes). - usbnet: asix AX88772: leave the carrier control to phylink (stable-fixes). - vgacon: Add check for vc_origin address range in vgacon_scroll() (git-fixes). - vmxnet3: correctly report gso type for UDP tunnels (bsc#1244626). - vmxnet3: support higher link speeds from vmxnet3 v9 (bsc#1244626). - vmxnet3: update MTU after device quiesce (bsc#1244626). - vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl() (git-fixes). - watchdog: da9052_wdt: respect TWDMIN (stable-fixes). - watchdog: exar: Shorten identity name to fit correctly (git-fixes). - watchdog: fix watchdog may detect false positive of softlockup (stable-fixes). - watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04 (git-fixes). - watchdog: mediatek: Add support for MT6735 TOPRGU/WDT (git-fixes). - wifi: ath11k: Fix QMI memory reuse logic (stable-fixes). - wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request() (git-fixes). - wifi: ath11k: convert timeouts to secs_to_jiffies() (stable-fixes). - wifi: ath11k: do not use static variables in ath11k_debugfs_fw_stats_process() (git-fixes). - wifi: ath11k: do not wait when there is no vdev started (git-fixes). 
- wifi: ath11k: fix node corruption in ar->arvifs list (git-fixes). - wifi: ath11k: fix ring-buffer corruption (git-fixes). - wifi: ath11k: fix rx completion meta data corruption (git-fixes). - wifi: ath11k: fix soc_dp_stats debugfs file permission (stable-fixes). - wifi: ath11k: move some firmware stats related functions outside of debugfs (git-fixes). - wifi: ath11k: update channel list in worker when wait flag is set (bsc#1243847). - wifi: ath11k: validate ath11k_crypto_mode on top of ath11k_core_qmi_firmware_ready (git-fixes). - wifi: ath12k: Add MSDU length validation for TKIP MIC error (git-fixes). - wifi: ath12k: Avoid napi_sync() before napi_enable() (stable-fixes). - wifi: ath12k: Fix WMI tag for EHT rate in peer assoc (git-fixes). - wifi: ath12k: Fix end offset bit definition in monitor ring descriptor (stable-fixes). - wifi: ath12k: Fix invalid memory access while forming 802.11 header (git-fixes). - wifi: ath12k: Fix memory leak during vdev_id mismatch (git-fixes). - wifi: ath12k: Fix the QoS control field offset to build QoS header (git-fixes). - wifi: ath12k: Improve BSS discovery with hidden SSID in 6 GHz band (stable-fixes). - wifi: ath12k: Pass correct values of center freq1 and center freq2 for 160 MHz (stable-fixes). - wifi: ath12k: Report proper tx completion status to mac80211 (stable-fixes). - wifi: ath12k: fix a possible dead lock caused by ab->base_lock (stable-fixes). - wifi: ath12k: fix ath12k_hal_tx_cmd_ext_desc_setup() info1 override (stable-fixes). - wifi: ath12k: fix cleanup path after mhi init (git-fixes). - wifi: ath12k: fix failed to set mhi state error during reboot with hardware grouping (stable-fixes). - wifi: ath12k: fix incorrect CE addresses (stable-fixes). - wifi: ath12k: fix invalid access to memory (git-fixes). - wifi: ath12k: fix link valid field initialization in the monitor Rx (stable-fixes). - wifi: ath12k: fix macro definition HAL_RX_MSDU_PKT_LENGTH_GET (stable-fixes). 
- wifi: ath12k: fix node corruption in ar->arvifs list (git-fixes). - wifi: ath12k: fix ring-buffer corruption (git-fixes). - wifi: ath9k: return by of_get_mac_address (stable-fixes). - wifi: ath9k_htc: Abort software beacon handling if disabled (git-fixes). - wifi: carl9170: do not ping device which has failed to load firmware (git-fixes). - wifi: iwlfiwi: mvm: Fix the rate reporting (git-fixes). - wifi: iwlwifi: Add missing MODULE_FIRMWARE for Qu-c0-jf-b0 (stable-fixes). - wifi: iwlwifi: add support for Killer on MTL (stable-fixes). - wifi: iwlwifi: fix debug actions order (stable-fixes). - wifi: iwlwifi: pcie: make sure to lock rxq->read (stable-fixes). - wifi: mac80211: VLAN traffic in multicast path (stable-fixes). - wifi: mac80211: do not offer a mesh path if forwarding is disabled (stable-fixes). - wifi: mac80211: do not unconditionally call drv_mgd_complete_tx() (stable-fixes). - wifi: mac80211: fix beacon interval calculation overflow (git-fixes). - wifi: mac80211: remove misplaced drv_mgd_complete_tx() call (stable-fixes). - wifi: mac80211_hwsim: Prevent tsf from setting if beacon is disabled (stable-fixes). - wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R (stable-fixes). - wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init() (git-fixes). - wifi: mt76: mt7921: add 160 MHz AP for mt7922 device (stable-fixes). - wifi: mt76: mt7925: ensure all MCU commands wait for response (git-fixes). - wifi: mt76: mt7925: fix host interrupt register initialization (git-fixes). - wifi: mt76: mt7925: prevent multiple scan commands (git-fixes). - wifi: mt76: mt7925: refine the sniffer commnad (git-fixes). - wifi: mt76: mt7996: drop fragments with multicast or broadcast RA (stable-fixes). - wifi: mt76: mt7996: fix RX buffer size of MCU event (git-fixes). - wifi: mt76: mt7996: revise TXS size (stable-fixes). - wifi: mt76: mt7996: set EHT max ampdu length capability (git-fixes). 
- wifi: mt76: only mark tx-status-failed frames as ACKed on mt76x0/2 (stable-fixes). - wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() (git-fixes). - wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723 (git-fixes). - wifi: rtw88: Do not use static local variable in rtw8822b_set_tx_power_index_by_rate (stable-fixes). - wifi: rtw88: Fix __rtw_download_firmware() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix download_firmware_validate() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix rtw_desc_to_mcsrate() to handle MCS16-31 (stable-fixes). - wifi: rtw88: Fix rtw_init_ht_cap() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix rtw_init_vht_cap() for RTL8814AU (stable-fixes). - wifi: rtw88: do not ignore hardware read error during DPK (git-fixes). - wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds (git-fixes). - wifi: rtw88: sdio: call rtw_sdio_indicate_tx_status unconditionally (git-fixes). - wifi: rtw88: sdio: map mgmt frames to queue TX_DESC_QSEL_MGMT (git-fixes). - wifi: rtw88: usb: Reduce control message timeout to 500 ms (git-fixes). - wifi: rtw89: add wiphy_lock() to work that isn't held wiphy_lock() yet (stable-fixes). - wifi: rtw89: fw: propagate error code from rtw89_h2c_tx() (stable-fixes). - wifi: rtw89: leave idle mode when setting WEP encryption for AP mode (stable-fixes). - wifi: rtw89: pci: enlarge retry times of RX tag to 1000 (git-fixes). - x86/idle: Remove MFENCEs for X86_BUG_CLFLUSH_MONITOR in mwait_idle_with_hints() and prefer_mwait_c1_over_halt() (git-fixes). - x86/kaslr: Reduce KASLR entropy on most x86 systems (git-fixes). - x86/microcode/AMD: Add get_patch_level() (git-fixes). - x86/microcode/AMD: Do not return error when microcode update is not necessary (git-fixes). - x86/microcode/AMD: Get rid of the _load_microcode_amd() forward declaration (git-fixes). - x86/microcode/AMD: Have __apply_microcode_amd() return bool (git-fixes). 
- x86/microcode/AMD: Make __verify_patch_size() return bool (git-fixes). - x86/microcode/AMD: Merge early_apply_microcode() into its single callsite (git-fixes). - x86/microcode/AMD: Remove ugly linebreak in __verify_patch_section() signature (git-fixes). - x86/microcode/AMD: Return bool from find_blobs_in_containers() (git-fixes). - x86/microcode: Consolidate the loader enablement checking (git-fixes). - x86/mm/init: Handle the special case of device private pages in add_pages(), to not increase max_pfn and trigger dma_addressing_limited() bounce buffers (git-fixes). - x86/xen: fix balloon target initialization for PVH dom0 (git-fixes). - xen/arm: call uaccess_ttbr0_enable for dm_op hypercall (git-fixes) - xen/x86: fix initial memory balloon target (git-fixes). - xsk: always clear DMA mapping information when unmapping the pool (git-fixes).

The following package changes have been done:

- kernel-macros-6.4.0-150600.23.60.4 updated
- kernel-devel-6.4.0-150600.23.60.4 updated
- pesign-0.112-150000.4.23.1 updated
- kernel-default-devel-6.4.0-150600.23.60.5 updated
- kernel-syms-6.4.0-150600.23.60.4 updated

From sle-container-updates at lists.suse.com Thu Jul 31 07:28:51 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 31 Jul 2025 09:28:51 +0200 (CEST)
Subject: SUSE-CU-2025:5759-1: Security update of suse/hpc/warewulf4-x86_64/sle-hpc-node
Message-ID: <20250731072851.D9D7DFF1E@maintenance.suse.de>

SUSE Container Update Advisory: suse/hpc/warewulf4-x86_64/sle-hpc-node
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5759-1
Container Tags : suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6 , suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6.17.8.85 , suse/hpc/warewulf4-x86_64/sle-hpc-node:latest
Container Release : 17.8.85
Severity : critical
Type : security
References : 1012628 1151679 1151680 1151794 1151927 1210025 1211226 1215199 1218184 1223008 1228557 1228854 1230267
1232504 1232882 1235490 1235728 1236208 1237312 1237913 1238859 1238982 1240180 1240577 1240610 1240686 1240723 1240814 1240823 1241166 1241278 1241414 1241544 1241572 1241592 1241617 1242086 1242163 1242504 1242515 1242521 1242556 1242573 1242725 1242846 1242849 1242850 1242907 1242940 1242946 1242954 1242982 1243051 1243060 1243279 1243342 1243457 1243467 1243475 1243480 1243486 1243506 1243523 1243537 1243538 1243542 1243544 1243551 1243571 1243572 1243620 1243628 1243698 1243774 1243782 1243823 1243827 1243832 1243836 1243847 1244042 1244100 1244145 1244172 1244176 1244229 1244234 1244241 1244261 1244274 1244275 1244277 1244309 1244313 1244337 1244626 1244710 1244725 1244727 1244729 1244731 1244732 1244736 1244737 1244738 1244739 1244743 1244746 1244759 1244789 1244862 1244906 1244938 1244995 1244996 1244999 1245001 1245003 1245004 1245025 1245042 1245046 1245078 1245081 1245082 1245083 1245155 1245183 1245193 1245210 1245217 1245220 1245225 1245226 1245228 1245431 1245452 1245455 1245496 1245672 1245936 CVE-2016-9840 CVE-2023-52888 CVE-2024-26831 CVE-2024-49568 CVE-2024-50106 CVE-2024-56613 CVE-2024-56699 CVE-2024-57982 CVE-2024-58053 CVE-2025-21658 CVE-2025-21720 CVE-2025-21868 CVE-2025-21898 CVE-2025-21899 CVE-2025-21920 CVE-2025-21938 CVE-2025-21959 CVE-2025-21997 CVE-2025-22035 CVE-2025-22083 CVE-2025-22111 CVE-2025-22113 CVE-2025-22120 CVE-2025-23155 CVE-2025-37738 CVE-2025-37743 CVE-2025-37752 CVE-2025-37756 CVE-2025-37757 CVE-2025-37786 CVE-2025-37800 CVE-2025-37801 CVE-2025-37811 CVE-2025-37844 CVE-2025-37859 CVE-2025-37862 CVE-2025-37865 CVE-2025-37874 CVE-2025-37884 CVE-2025-37909 CVE-2025-37917 CVE-2025-37921 CVE-2025-37923 CVE-2025-37927 CVE-2025-37933 CVE-2025-37936 CVE-2025-37938 CVE-2025-37945 CVE-2025-37946 CVE-2025-37961 CVE-2025-37967 CVE-2025-37968 CVE-2025-37973 CVE-2025-37987 CVE-2025-37992 CVE-2025-37994 CVE-2025-37995 CVE-2025-37997 CVE-2025-37998 CVE-2025-38000 CVE-2025-38001 CVE-2025-38003 CVE-2025-38004 CVE-2025-38005 CVE-2025-38007 
CVE-2025-38009 CVE-2025-38010 CVE-2025-38011 CVE-2025-38013 CVE-2025-38014 CVE-2025-38015 CVE-2025-38018 CVE-2025-38020 CVE-2025-38022 CVE-2025-38023 CVE-2025-38024 CVE-2025-38027 CVE-2025-38031 CVE-2025-38040 CVE-2025-38043 CVE-2025-38044 CVE-2025-38045 CVE-2025-38053 CVE-2025-38057 CVE-2025-38059 CVE-2025-38060 CVE-2025-38065 CVE-2025-38068 CVE-2025-38072 CVE-2025-38077 CVE-2025-38078 CVE-2025-38079 CVE-2025-38080 CVE-2025-38081 CVE-2025-38083
-----------------------------------------------------------------

The container suse/hpc/warewulf4-x86_64/sle-hpc-node was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2536-1
Released: Mon Jul 28 16:06:06 2025
Summary: Security update for boost
Type: security
Severity: critical
References: 1245936,CVE-2016-9840

This update for boost fixes the following issues:

- CVE-2016-9840: Fixed out-of-bounds pointer arithmetic in zlib in beast (bsc#1245936)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2538-1
Released: Mon Jul 28 17:10:28 2025
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References:
1012628,1151679,1151680,1151794,1151927,1210025,1211226,1215199,1218184,1223008,1228557,1228854,1232504,1232882,1235490,1235728,1236208,1237312,1237913,1238859,1238982,1240180,1240577,1240610,1240686,1240723,1240814,1240823,1241166,1241278,1241414,1241544,1241572,1241592,1241617,1242086,1242163,1242504,1242515,1242521,1242556,1242573,1242725,1242846,1242849,1242850,1242907,1242940,1242946,1242954,1242982,1243051,1243060,1243342,1243467,1243475,1243480,1243506,1243523,1243537,1243538,1243542,1243544,1243551,1243571,1243572,1243620,1243628,1243698,1243774,1243782,1243823,1243827,1243832,1243836,1243847,1244100,1244145,1244172,1244176,1244229,1244234,1244241,1244261,1244274,1244275,1244277,1244309,1244313,1244337,1244626,1244725,1244727,1244729,1244731,1244732,1244736,1244737,1244738,1244739,1244743,1244746,1244759,1244789,1244862,1244906,1244938,1244995,1244996,1244999,1245001,1245003,1245004,1245025,1245042,1245046,1245078,1245081,1245082,1245083,1245155,1245183,1245193,1245210,1245217,1245225,1245226,1245228,1245431,1245455,CVE-2023-52888,CVE-2024-26831,CVE-2024-49568,CVE-2024-50106,CVE-2024-56613,CVE-2024-56699,CVE-2024-57982,CVE-2024-58053,CVE-2025-21658,CVE-2025-21720,CVE-2025-21868,CVE-2025-21898,CVE-2025-21899,CVE-2025-21920,CVE-2025-21938,CVE-2025-21959,CVE-2025-21997,CVE-2025-22035,CVE-2025-22083,CVE-2025-22111,CVE-2025-22113,CVE-2025-22120,CVE-2025-23155,CVE-2025-37738,CVE-2025-37743,CVE-2025-37752,CVE-2025-37756,CVE-2025-37757,CVE-2025-37786,CVE-2025-37800,CVE-2025-37801,CVE-2025-37811,CVE-2025-37844,CVE-2025-37859,CVE-2025-37862,CVE-2025-37865,CVE-2025-37874,CVE-2025-37884,CVE-2025-37909,CVE-2025-37917,CVE-2025-37921,CVE-2025-37923,CVE-2025-37927,CVE-2025-37933,CVE-2025-37936,CVE-2025-37938,CVE-2025-37945,CVE-2025-37946,CVE-2025-37961,CVE-2025-37967,CVE-2025-37968,CVE-2025-37973,CVE-2025-37987,CVE-2025-37992,CVE-2025-37994,CVE-2025-37995,CVE-2025-37997,CVE-2025-37998,CVE-2025-38000,CVE-2025-38001,CVE-2025-38003,CVE-2025-38004,CVE-2025-38005,CVE-2025-38007,CVE-2025-38009,CVE-2025-38010,CVE-2025-38011,CVE-2025-38013,CVE-2025-38014,CVE-2025-38015,CVE-2025-38018,CVE-2025-38020,CVE-2025-38022,CVE-2025-38023,CVE-2025-38024,CVE-2025-38027,CVE-2025-38031,CVE-2025-38040,CVE-2025-38043,CVE-2025-38044,CVE-2025-38045,CVE-2025-38053,CVE-2025-38057,CVE-2025-38059,CVE-2025-38060,CVE-2025-38065,CVE-2025-38068,CVE-2025-38072,CVE-2025-38077,CVE-2025-38078,CVE-2025-38079,CVE-2025-38080,CVE-2025-38081,CVE-2025-38083
The SUSE Linux Enterprise 15 SP6 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2023-52888: media: mediatek: vcodec: Only free buffer VA that is not NULL (bsc#1228557). - CVE-2024-49568: net/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving proposal msg (bsc#1235728). - CVE-2024-57982: xfrm: state: fix out-of-bounds read during lookup (bsc#1237913). - CVE-2024-58053: rxrpc: Fix handling of received connection abort (bsc#1238982). - CVE-2025-21720: xfrm: delete intermediate secpath entry in packet offload mode (bsc#1238859). - CVE-2025-21868: kABI workaround for adding an header (bsc#1240180). - CVE-2025-21898: ftrace: Avoid potential division by zero in function_stat_show() (bsc#1240610). - CVE-2025-21899: tracing: Fix bad hist from corrupting named_triggers list (bsc#1240577). - CVE-2025-21920: vlan: enforce underlying device type (bsc#1240686). - CVE-2025-21938: mptcp: fix 'scheduling while atomic' in mptcp_pm_nl_append_new_local_addr (bsc#1240723). - CVE-2025-21959: netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() (bsc#1240814). - CVE-2025-21997: xsk: fix an integer overflow in xp_create_and_assign_umem() (bsc#1240823). - CVE-2025-22035: tracing: Fix use-after-free in print_graph_function_flags during tracer switching (bsc#1241544). - CVE-2025-22111: kABI fix for net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF (bsc#1241572).
- CVE-2025-22113: ext4: define ext4_journal_destroy wrapper (bsc#1241617). - CVE-2025-23155: net: stmmac: Fix accessing freed irq affinity_hint (bsc#1242573). - CVE-2025-37738: ext4: ignore xattrs past end (bsc#1242846). - CVE-2025-37743: wifi: ath12k: Avoid memory leak while enabling statistics (bsc#1242163). - CVE-2025-37752: net_sched: sch_sfq: move the limit validation (bsc#1242504). - CVE-2025-37756: net: tls: explicitly disallow disconnect (bsc#1242515). - CVE-2025-37757: tipc: fix memory leak in tipc_link_xmit (bsc#1242521). - CVE-2025-37786: net: dsa: free routing table on probe failure (bsc#1242725). - CVE-2025-37800: driver core: fix potential NULL pointer dereference in dev_uevent() (bsc#1242849). - CVE-2025-37801: spi: spi-imx: Add check for spi_imx_setupxfer() (bsc#1242850). - CVE-2025-37811: usb: chipidea: ci_hdrc_imx: fix usbmisc handling (bsc#1242907). - CVE-2025-37844: cifs: avoid NULL pointer dereference in dbg call (bsc#1242946). - CVE-2025-37859: page_pool: avoid infinite loop to schedule delayed worker (bsc#1243051). - CVE-2025-37862: HID: pidff: Fix null pointer dereference in pidff_find_fields (bsc#1242982). - CVE-2025-37865: net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported (bsc#1242954). - CVE-2025-37874: net: ngbe: fix memory leak in ngbe_probe() error path (bsc#1242940). - CVE-2025-37884: bpf: Fix deadlock between rcu_tasks_trace and event_mutex (bsc#1243060). - CVE-2025-37909: net: lan743x: Fix memleak issue when GSO enabled (bsc#1243467). - CVE-2025-37917: net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll (bsc#1243475). - CVE-2025-37921: vxlan: vnifilter: Fix unlocked deletion of default FDB entry (bsc#1243480). - CVE-2025-37923: tracing: Fix oob write in trace_seq_to_buffer() (bsc#1243551). - CVE-2025-37927: iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid (bsc#1243620). - CVE-2025-37933: octeon_ep: Fix host hang issue during device reboot (bsc#1243628). 
- CVE-2025-37936: perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value (bsc#1243537). - CVE-2025-37938: tracing: Verify event formats that have '%*p..' (bsc#1243544). - CVE-2025-37945: net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY (bsc#1243538). - CVE-2025-37961: ipvs: fix uninit-value for saddr in do_output_route4 (bsc#1243523). - CVE-2025-37967: usb: typec: ucsi: displayport: Fix deadlock (bsc#1243572). - CVE-2025-37968: iio: light: opt3001: fix deadlock due to concurrent flag access (bsc#1243571). - CVE-2025-37987: pds_core: Prevent possible adminq overflow/stuck condition (bsc#1243542). - CVE-2025-37992: net_sched: Flush gso_skb list too during ->change() (bsc#1243698). - CVE-2025-37995: module: ensure that kobject_put() is safe for module type kobjects (bsc#1243827). - CVE-2025-37997: netfilter: ipset: fix region locking in hash types (bsc#1243832). - CVE-2025-37998: openvswitch: Fix unsafe attribute parsing in output_userspace() (bsc#1243836). - CVE-2025-38000: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (bsc#1244277). - CVE-2025-38001: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice (bsc#1244234). - CVE-2025-38011: drm/amdgpu: csa unmap use uninterruptible lock (bsc#1244729). - CVE-2025-38018: net/tls: fix kernel panic when alloc_page failed (bsc#1244999). - CVE-2025-38053: idpf: fix null-ptr-deref in idpf_features_check (bsc#1244746). - CVE-2025-38057: espintcp: fix skb leaks (bsc#1244862). - CVE-2025-38060: bpf: abort verification if env->cur_state->loop_entry != NULL (bsc#1245155). - CVE-2025-38072: libnvdimm/labels: Fix divide error in nd_label_data_init() (bsc#1244743). The following non-security bugs were fixed: - ACPI: CPPC: Fix NULL pointer dereference when nosmp is used (git-fixes). - ACPI: HED: Always initialize before evged (stable-fixes). - ACPI: OSI: Stop advertising support for '3.0 _SCP Extensions' (git-fixes). 
- ACPI: PNP: Add Intel OC Watchdog IDs to non-PNP device list (stable-fixes). - ACPI: battery: negate current when discharging (stable-fixes). - ACPI: bus: Bail out if acpi_kobj registration fails (stable-fixes). - ACPICA: Avoid sequence overread in call to strncmp() (stable-fixes). - ACPICA: Utilities: Fix spelling mistake 'Incremement' -> 'Increment' (git-fixes). - ACPICA: exserial: do not forget to handle FFixedHW opregions for reading (git-fixes). - ACPICA: fix acpi operand cache leak in dswstate.c (stable-fixes). - ACPICA: fix acpi parse and parseext cache leaks (stable-fixes). - ACPICA: utilities: Fix overflow check in vsnprintf() (stable-fixes). - ALSA: hda/intel: Add Thinkpad E15 to PM deny list (stable-fixes). - ALSA: hda/realtek: Add quirk for HP Spectre x360 15-df1xxx (stable-fixes). - ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14ASP10 (stable-fixes). - ALSA: hda/realtek: Enable PC beep passthrough for HP EliteBook 855 G7 (stable-fixes). - ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X507UAR (git-fixes). - ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X513EA (git-fixes). - ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged (stable-fixes). - ALSA: pcm: Fix race of buffer access at PCM OSS layer (stable-fixes). - ALSA: seq: Improve data consistency at polling (stable-fixes). - ALSA: usb-audio: Accept multiple protocols in GTBs (stable-fixes). - ALSA: usb-audio: Add Pioneer DJ DJM-V10 support (stable-fixes). - ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock (stable-fixes). - ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1 (stable-fixes). - ALSA: usb-audio: Add name for HP Engage Go dock (stable-fixes). - ALSA: usb-audio: Check shutdown at endpoint_set_interface() (stable-fixes). - ALSA: usb-audio: Fix NULL pointer deref in snd_usb_power_domain_set() (git-fixes). - ALSA: usb-audio: Fix duplicated name in MIDI substream names (stable-fixes). 
- ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() (git-fixes). - ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound card (stable-fixes). - ALSA: usb-audio: Rename Pioneer mixer channel controls (git-fixes). - ALSA: usb-audio: Set MIDI1 flag appropriately for GTB MIDI 1.0 entry (stable-fixes). - ALSA: usb-audio: Skip setting clock selector for single connections (stable-fixes). - ALSA: usb-audio: Support multiple control interfaces (stable-fixes). - ALSA: usb-audio: Support read-only clock selector control (stable-fixes). - ALSA: usb-audio: enable support for Presonus Studio 1824c within 1810c file (stable-fixes). - ALSA: usb-audio: mixer: Remove temporary string use in parse_clock_source_unit (stable-fixes). - ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX (git-fixes). - ASoC: Intel: avs: Verify content returned by parse_int_array() (git-fixes). - ASoC: Intel: bytcr_rt5640: Add DMI quirk for Acer Aspire SW3-013 (stable-fixes). - ASoC: SOF: ipc4-pcm: Adjust pipeline_list->pipelines allocation type (git-fixes). - ASoC: amd: yc: Add quirk for Lenovo Yoga Pro 7 14ASP9 (stable-fixes). - ASoC: apple: mca: Constrain channels according to TDM mask (git-fixes). - ASoC: codecs: hda: Fix RPM usage count underflow (git-fixes). - ASoC: codecs: pcm3168a: Allow for 24-bit in provider mode (stable-fixes). - ASoC: imx-card: Adjust over allocation of memory in imx_card_parse_of() (stable-fixes). - ASoC: mediatek: mt6359: Add stub for mt6359_accdet_enable_jack_detect (stable-fixes). - ASoC: mediatek: mt8188: Add reference for dmic clocks (stable-fixes). - ASoC: mediatek: mt8188: Treat DMIC_GAINx_CUR as non-volatile (stable-fixes). - ASoC: meson: meson-card-utils: use of_property_present() for DT parsing (git-fixes). - ASoC: ops: Enforce platform maximum on initial value (stable-fixes). - ASoC: qcom: sdm845: Add error handling in sdm845_slim_snd_hw_params() (git-fixes). 
- ASoC: qcom: sm8250: explicitly set format in sm8250_be_hw_params_fixup() (stable-fixes). - ASoC: rt722-sdca: Add some missing readable registers (stable-fixes). - ASoC: soc-dai: check return value at snd_soc_dai_set_tdm_slot() (stable-fixes). - ASoC: sun4i-codec: support hp-det-gpios property (stable-fixes). - ASoC: tas2764: Add reg defaults for TAS2764_INT_CLK_CFG (stable-fixes). - ASoC: tas2764: Enable main IRQs (git-fixes). - ASoC: tas2764: Mark SW_RESET as volatile (stable-fixes). - ASoC: tas2764: Power up/down amp on mute ops (stable-fixes). - ASoC: tas2764: Reinit cache on part reset (git-fixes). - ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change (stable-fixes). - ASoC: tegra210_ahub: Add check to of_device_get_match_data() (stable-fixes). - Bluetooth: Fix NULL pointer deference on eir_get_service_data (git-fixes). - Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION (git-fixes). - Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete (git-fixes). - Bluetooth: MGMT: Fix sparse errors (git-fixes). - Bluetooth: MGMT: Remove unused mgmt_pending_find_data (stable-fixes). - Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach() (git-fixes). - Bluetooth: Remove pending ACL connection attempts (stable-fixes). - Bluetooth: hci_conn: Fix UAF Write in __hci_acl_create_connection_sync (git-fixes). - Bluetooth: hci_conn: Only do ACL connections sequentially (stable-fixes). - Bluetooth: hci_core: fix list_for_each_entry_rcu usage (git-fixes). - Bluetooth: hci_event: Fix not using key encryption size when its known (git-fixes). - Bluetooth: hci_qca: move the SoC type check to the right place (git-fixes). - Bluetooth: hci_sync: Fix UAF in hci_acl_create_conn_sync (git-fixes). - Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync (git-fixes). - Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance (git-fixes). - Documentation/rtla: Fix duplicate text about timerlat tracer (git-fixes). 
- Documentation/rtla: Fix typo in common_timerlat_description.rst (git-fixes). - Documentation/rtla: Fix typo in rtla-timerlat.rst (git-fixes). - Documentation: fix typo in root= kernel parameter description (git-fixes). - HID: lenovo: Restrict F7/9/11 mode to compact keyboards only (git-fixes). - HID: quirks: Add ADATA XPG alpha wireless mouse support (stable-fixes). - HID: usbkbd: Fix the bit shift number for LED_KANA (stable-fixes). - HID: wacom: fix kobject reference count leak (git-fixes). - HID: wacom: fix memory leak on kobject creation failure (git-fixes). - HID: wacom: fix memory leak on sysfs attribute creation failure (git-fixes). - Input: gpio-keys - fix possible concurrent access in gpio_keys_irq_timer() (git-fixes). - Input: ims-pcu - check record size in ims_pcu_flash_firmware() (git-fixes). - Input: sparcspkr - avoid unannotated fall-through (stable-fixes). - Input: xpad - add more controllers (stable-fixes). - KVM: powerpc: Enable commented out BUILD_BUG_ON() assertion (bsc#1215199). - KVM: s390: rename PROT_NONE to PROT_TYPE_DUMMY (git-fixes bsc#1245225). - MyBS: Correctly generate build flags for non-multibuild package limit (bsc#1244241) Fixes: 0999112774fc ('MyBS: Use buildflags to set which package to build') - MyBS: Do not build kernel-obs-qa with limit_packages Fixes: 58e3f8c34b2b ('bs-upload-kernel: Pass limit_packages also on multibuild') - MyBS: Simplify qa_expr generation Start with a 0 which makes the expression valid even if there are no QA repositories (currently does not happen). Then separator is always needed. - NFC: nci: uart: Set tty->disc_data only in success path (git-fixes). - NFS: Do not allow waiting for exiting tasks (git-fixes). - NFSD: Insulate nfsd4_encode_read_plus() from page boundaries in the encode buffer (git-fixes). - NFSv4: Check for delegation validity in nfs_start_delegation_return_locked() (git-fixes). - NFSv4: Treat ENETUNREACH errors as fatal for state recovery (git-fixes).
- PCI/DPC: Initialize aer_err_info before using it (git-fixes). - PCI/DPC: Log Error Source ID only when valid (git-fixes). - PCI/DPC: Use defines with DPC reason fields (git-fixes). - PCI/MSI: Size device MSI domain with the maximum number of vectors (git-fixes). - PCI/PM: Set up runtime PM even for devices without PCI PM (git-fixes). - PCI: Explicitly put devices into D0 when initializing (git-fixes). - PCI: Fix lock symmetry in pci_slot_unlock() (git-fixes). - PCI: Fix old_size lower bound in calculate_iosize() too (stable-fixes). - PCI: apple: Set only available ports up (git-fixes). - PCI: apple: Use gpiod_set_value_cansleep in probe flow (git-fixes). - PCI: brcmstb: Add a softdep to MIP MSI-X driver (stable-fixes). - PCI: brcmstb: Expand inbound window size up to 64GB (stable-fixes). - PCI: cadence-ep: Correct PBA offset in .set_msix() callback (git-fixes). - PCI: cadence: Fix runtime atomic count underflow (git-fixes). - PCI: dw-rockchip: Fix PHY function call sequence in rockchip_pcie_phy_deinit() (git-fixes). - PCI: dw-rockchip: Remove PCIE_L0S_ENTRY check from rockchip_pcie_link_up() (git-fixes). - PCI: dwc: ep: Correct PBA offset in .set_msix() callback (git-fixes). - PCI: dwc: ep: Ensure proper iteration over outbound map windows (stable-fixes). - PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes). - PCI: vmd: Disable MSI remapping bypass under Xen (stable-fixes). - PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn() (stable-fixes). - PM: sleep: Fix power.is_suspended cleanup for direct-complete devices (git-fixes). - PM: sleep: Print PM debug messages during hibernation (git-fixes). - PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks() (git-fixes). 
- RDMA/core: Fix best page size finding when it can cross SG entries (git-fixes) - RDMA/uverbs: Propagate errors from rdma_lookup_get_uobject() (git-fixes) - Remove compress-vmlinux.sh /usr/lib/rpm/brp-suse.d/brp-99-compress-vmlinux was added in pesign-obs-integration during SLE12 RC. This workaround can be removed. - Remove host-memcpy-hack.h This might have been useful at some point but we have more things that depend on specific library versions today. - Remove try-disable-staging-driver The config for linux-next is autogenerated from master config, and defaults filled for missing options. This is unlikely to enable any staging driver in the first place. - Revert 'ALSA: usb-audio: Skip setting clock selector for single connections' (stable-fixes). - Revert 'arm64: dts: allwinner: h6: Use RSB for AXP805 PMIC (git-fixes) - Revert 'bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first' (stable-fixes). - Revert 'drm/amdgpu: do not allow userspace to create a doorbell BO' (stable-fixes). - Revert 'ipv6: save dontfrag in cork (git-fixes).' - Revert 'kABI: ipv6: save dontfrag in cork (git-fixes).' - Revert 'wifi: mt76: mt7996: fill txd by host driver' (stable-fixes). - SUNRPC: Do not allow waiting for exiting tasks (git-fixes). - SUNRPC: Prevent hang on NFS mount with xprtsec=[m]tls (git-fixes). - SUNRPC: rpc_clnt_set_transport() must not change the autobind setting (git-fixes). - SUNRPC: rpcbind should never reset the port to the value '0' (git-fixes). - USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB (stable-fixes). - VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify (git-fixes). - accel/qaic: Mask out SR-IOV PCI resources (stable-fixes). - acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio() (git-fixes). - add bug reference to existing hv_storvsc change (bsc#1245455).
- arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs (git-fixes) - ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode (stable-fixes). - ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 (stable-fixes). - ath10k: snoc: fix unbalanced IRQ enable in crash recovery (git-fixes). - backlight: pm8941: Add NULL check in wled_configure() (git-fixes). - bnxt: properly flush XDP redirect lists (git-fixes). - bpf: Force uprobe bpf program to always return 0 (git-fixes). - bs-upload-kernel: Pass limit_packages also on multibuild Fixes: 0999112774fc ('MyBS: Use buildflags to set which package to build') Fixes: 747f601d4156 ('bs-upload-kernel, MyBS, Buildresults: Support multibuild (JSC-SLE#5501, boo#1211226, bsc#1218184)') - btrfs: fix fsync of files with no hard links not persisting deletion (git-fixes). - btrfs: fix invalid data space release when truncating block in NOCOW mode (git-fixes). - btrfs: fix qgroup reservation leak on failure to allocate ordered extent (git-fixes). - btrfs: fix wrong start offset for delalloc space release during mmap write (git-fixes). - btrfs: remove end_no_trans label from btrfs_log_inode_parent() (git-fixes). - btrfs: simplify condition for logging new dentries at btrfs_log_inode_parent() (git-fixes). - bus: fsl-mc: do not add a device-link for the UAPI used DPMCP device (git-fixes). - bus: fsl-mc: fix GET/SET_TAILDROP command ids (git-fixes). - bus: fsl-mc: fix double-free on mc_dev (git-fixes). - bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value (stable-fixes). - bus: mhi: host: Fix conflict between power_up and SYSERR (git-fixes). - calipso: Fix null-ptr-deref in calipso_req_{set,del}attr() (git-fixes). - can: c_can: Use of_property_present() to test existence of DT property (stable-fixes). - can: tcan4x5x: fix power regulator retrieval during probe (git-fixes). - ceph: Fix incorrect flush end position calculation (git-fixes). - ceph: allocate sparse_ext map only for sparse reads (git-fixes). 
- ceph: fix memory leaks in __ceph_sync_read() (git-fixes). - cgroup/cpuset: Fix race between newly created partition and dying one (bsc#1241166). - clocksource: Fix brown-bag boolean thinko in (git-fixes) - clocksource: Make watchdog and suspend-timing multiplication (git-fixes) - crypto: lrw - Only add ecb if it is not already there (git-fixes). - crypto: lzo - Fix compression buffer overrun (stable-fixes). - crypto: marvell/cesa - Avoid empty transfer descriptor (git-fixes). - crypto: marvell/cesa - Do not chain submitted requests (git-fixes). - crypto: marvell/cesa - Handle zero-length skcipher requests (git-fixes). - crypto: octeontx2 - suppress auth failure screaming due to negative tests (stable-fixes). - crypto: qat - add shutdown handler to qat_420xx (git-fixes). - crypto: qat - add shutdown handler to qat_4xxx (git-fixes). - crypto: skcipher - Zap type in crypto_alloc_sync_skcipher (stable-fixes). - crypto: sun8i-ce - move fallback ahash_request to the end of the struct (git-fixes). - crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare() (git-fixes). - crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions (git-fixes). - crypto: xts - Only add ecb if it is not already there (git-fixes). - devlink: Fix referring to hw_addr attribute during state validation (git-fixes). - devlink: fix port dump cmd type (git-fixes). - dlm: mask sk_shutdown value (bsc#1228854). - dlm: use SHUT_RDWR for SCTP shutdown (bsc#1228854). - dmaengine: idxd: cdev: Fix uninitialized use of sva in idxd_cdev_open (stable-fixes). - dmaengine: ti: Add NULL check in udma_probe() (git-fixes). - drivers/rapidio/rio_cm.c: prevent possible heap overwrite (stable-fixes). - drm/amd/display/dm: drop hw_support check in amdgpu_dm_i2c_xfer() (stable-fixes). - drm/amd/display: Add null pointer check for get_first_active_display() (git-fixes). - drm/amd/display: Do not try AUX transactions on disconnected link (stable-fixes). 
- drm/amd/display: Fix incorrect DPCD configs while Replay/PSR switch (stable-fixes).
- drm/amd/display: Guard against setting dispclk low for dcn31x (stable-fixes).
- drm/amd/display: Increase block_sequence array size (stable-fixes).
- drm/amd/display: Initial psr_version with correct setting (stable-fixes).
- drm/amd/display: Skip checking FRL_MODE bit for PCON BW determination (stable-fixes).
- drm/amd/display: Update CR AUX RD interval interpretation (stable-fixes).
- drm/amd/display: fix link_set_dpms_off multi-display MST corner case (stable-fixes).
- drm/amd/display: remove minimum Dispclk and apply oem panel timing (stable-fixes).
- drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table (git-fixes).
- drm/amdgpu: Do not program AGP BAR regs under SRIOV in gfxhub_v1_0.c (stable-fixes).
- drm/amdgpu: Set snoop bit for SDMA for MI series (stable-fixes).
- drm/amdgpu: Update SRIOV video codec caps (stable-fixes).
- drm/amdgpu: enlarge the VBIOS binary size limit (stable-fixes).
- drm/amdgpu: reset psp->cmd to NULL after releasing the buffer (stable-fixes).
- drm/amdgpu: switch job hw_fence to amdgpu_fence (git-fixes).
- drm/amdkfd: KFD release_work possible circular locking (stable-fixes).
- drm/amdkfd: Set per-process flags only once cik/vi (stable-fixes).
- drm/ast: Find VBIOS mode from regular display size (stable-fixes).
- drm/ast: Fix comment on modeset lock (git-fixes).
- drm/atomic: clarify the rules around drm_atomic_state->allow_modeset (stable-fixes).
- drm/bridge: cdns-dsi: Check return value when getting default PHY config (git-fixes).
- drm/bridge: cdns-dsi: Fix connecting to next bridge (git-fixes).
- drm/bridge: cdns-dsi: Fix phy de-init and flag it so (git-fixes).
- drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() (git-fixes).
- drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready (git-fixes).
- drm/bridge: lt9611uxc: Fix an error handling path in lt9611uxc_probe() (git-fixes).
- drm/etnaviv: Protect the scheduler's pending list with its lock (git-fixes).
- drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1 (git-fixes).
- drm/i915/pmu: Fix build error with GCOV and AutoFDO enabled (git-fixes).
- drm/i915: fix build error some more (git-fixes).
- drm/mediatek: Fix kobject put for component sub-drivers (git-fixes).
- drm/mediatek: mtk_dpi: Add checks for reg_h_fre_con existence (stable-fixes).
- drm/mediatek: mtk_drm_drv: Fix kobject put for mtk_mutex device ptr (git-fixes).
- drm/mediatek: mtk_drm_drv: Unbind secondary mmsys components on err (git-fixes).
- drm/msm/disp: Correct porch timing for SDM845 (git-fixes).
- drm/msm/dsi/dsi_phy_10nm: Fix missing initial VCO rate (git-fixes).
- drm/msm/gpu: Fix crash when throttling GPU immediately during boot (git-fixes).
- drm/nouveau/bl: increase buffer size to avoid truncate warning (git-fixes).
- drm/panel-edp: Add Starry 116KHD024006 (stable-fixes).
- drm/panel: samsung-sofef00: Drop s6e3fc2x01 support (git-fixes).
- drm/rockchip: vop2: Add uv swap for cluster window (stable-fixes).
- drm/ssd130x: fix ssd132x_clear_screen() columns (git-fixes).
- drm/tegra: Assign plane type before registration (git-fixes).
- drm/tegra: Fix a possible null pointer dereference (git-fixes).
- drm/tegra: rgb: Fix the unbound reference count (git-fixes).
- drm/udl: Unregister device before cleaning up on disconnect (git-fixes).
- drm/v3d: Add clock handling (stable-fixes).
- drm/vc4: tests: Use return instead of assert (git-fixes).
- drm/vkms: Adjust vkms_state->active_planes allocation type (git-fixes).
- drm/vmwgfx: Add seqno waiter for sync_files (git-fixes).
- drm: Add valid clones check (stable-fixes).
- drm: bridge: adv7511: fill stream capabilities (stable-fixes).
- drm: rcar-du: Fix memory leak in rcar_du_vsps_init() (git-fixes).
- e1000e: set fixed clock frequency indication for Nahum 11 and Nahum 13 (git-fixes).
- fbcon: Make sure modelist not set on unregistered console (stable-fixes).
- fbcon: Use correct erase colour for clearing in fbcon (stable-fixes).
- fbdev/efifb: Remove PM for parent device (bsc#1244261).
- fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var (git-fixes).
- fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var (git-fixes).
- fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() (git-fixes).
- fbdev: core: tileblit: Implement missing margin clearing for tileblit (stable-fixes).
- fbdev: fsl-diu-fb: add missing device_remove_file() (stable-fixes).
- fgraph: Still initialize idle shadow stacks when starting (git-fixes).
- firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES (git-fixes).
- firmware: arm_ffa: Reject higher major version as incompatible (stable-fixes).
- firmware: arm_ffa: Set dma_mask for ffa devices (stable-fixes).
- firmware: arm_scmi: Relax duplicate name constraint across protocol ids (stable-fixes).
- firmware: psci: Fix refcount leak in psci_dt_init (git-fixes).
- fpga: altera-cvp: Increase credit timeout (stable-fixes).
- fs/nfs/read: fix double-unlock bug in nfs_return_empty_folio() (git-fixes).
- gpio: mlxbf3: only get IRQ for device instance 0 (git-fixes).
- gpio: pca953x: Simplify code with cleanup helpers (stable-fixes).
- gpio: pca953x: Split pca953x_restore_context() and pca953x_save_context() (stable-fixes).
- gpio: pca953x: fix IRQ storm on system wake up (git-fixes).
- gpiolib: Revert 'Do not WARN on gpiod_put() for optional GPIO' (stable-fixes).
- gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt (git-fixes).
- gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO (git-fixes).
- hwmon: (asus-ec-sensors) check sensor index in read_string() (git-fixes).
- hwmon: (dell-smm) Increment the number of fans (stable-fixes).
- hwmon: (ftsteutates) Fix TOCTOU race in fts_read() (git-fixes).
- hwmon: (gpio-fan) Add missing mutex locks (stable-fixes).
- hwmon: (nct6775): Actually make use of the HWMON_NCT6775 symbol namespace (git-fixes).
- hwmon: (occ) Rework attribute registration for stack usage (git-fixes).
- hwmon: (occ) fix unaligned accesses (git-fixes).
- hwmon: (peci/dimmtemp) Do not provide fake thresholds data (git-fixes).
- hwmon: (xgene-hwmon) use appropriate type for the latency value (stable-fixes).
- hwmon: corsair-psu: add USB id of HX1200i Series 2023 psu (git-fixes).
- i2c: designware: Invoke runtime suspend on quick slave re-registration (stable-fixes).
- i2c: npcm: Add clock toggle recovery (stable-fixes).
- i2c: pxa: fix call balance of i2c->clk handling routines (stable-fixes).
- i2c: qup: Vote for interconnect bandwidth to DRAM (stable-fixes).
- i2c: robotfuzz-osif: disable zero-length read messages (git-fixes).
- i2c: tegra: check msg length in SMBUS block read (bsc#1242086)
- i2c: tiny-usb: disable zero-length read messages (git-fixes).
- i3c: master: svc: Fix implicit fallthrough in svc_i3c_master_ibi_work() (git-fixes).
- i3c: master: svc: Fix missing STOP for master request (stable-fixes).
- i3c: master: svc: Flush FIFO before sending Dynamic Address Assignment(DAA) (stable-fixes).
- i40e: retry VFLR handling if there is ongoing VF reset (git-fixes).
- i40e: return false from i40e_reset_vf if reset is in progress (git-fixes).
- ice: Fix LACP bonds without SRIOV environment (git-fixes).
- ice: create new Tx scheduler nodes for new queues only (git-fixes).
- ice: fix Tx scheduler error handling in XDP callback (git-fixes).
- ice: fix rebuilding the Tx scheduler tree for large queue counts (git-fixes).
- ice: fix vf->num_mac count with port representors (git-fixes).
- ieee802154: ca8210: Use proper setters and getters for bitwise types (stable-fixes).
- iio: accel: fxls8962af: Fix temperature scan element sign (git-fixes).
- iio: adc: ad7124: Fix 3dB filter frequency reading (git-fixes).
- iio: adc: ad7606_spi: fix reg write value mask (git-fixes).
- iio: filter: admv8818: Support frequencies >= 2^32 (git-fixes).
- iio: filter: admv8818: fix band 4, state 15 (git-fixes).
- iio: filter: admv8818: fix integer overflow (git-fixes).
- iio: filter: admv8818: fix range calculation (git-fixes).
- iio: imu: inv_icm42600: Fix temperature calculation (git-fixes).
- ima: Suspend PCR extends and log appends when rebooting (bsc#1210025 ltc#196650).
- ima: process_measurement() needlessly takes inode_lock() on MAY_READ (stable-fixes).
- intel_th: avoid using deprecated page->mapping, index fields (stable-fixes).
- iommu: Protect against overflow in iommu_pgsize() (git-fixes).
- iommu: Skip PASID validation for devices without PASID capability (bsc#1244100)
- iommu: Validate the PASID in iommu_attach_device_pasid() (bsc#1244100)
- ip6mr: fix tables suspicious RCU usage (git-fixes).
- ip_tunnel: annotate data-races around t->parms.link (git-fixes).
- ipmr: fix incorrect parameter validation in the ip_mroute_getsockopt() function (git-fixes).
- ipmr: fix tables suspicious RCU usage (git-fixes).
- ipv4: Convert ip_route_input() to dscp_t (git-fixes).
- ipv4: Correct/silence an endian warning in __ip_do_redirect (git-fixes).
- ipv6: save dontfrag in cork (git-fixes).
- ipvs: Always clear ipvs_property flag in skb_scrub_packet() (git-fixes).
- isolcpus: fix bug in returning number of allocated cpumask (bsc#1243774).
- jffs2: check jffs2_prealloc_raw_node_refs() result in few other places (git-fixes).
- jffs2: check that raw node were preallocated before writing summary (git-fixes).
- kABI workaround for hda_codec.beep_just_power_on flag (git-fixes).
- kABI: PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes).
- kABI: ipv6: save dontfrag in cork (git-fixes).
- kABI: serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes).
- kabi: restore layout of struct cgroup_subsys (bsc#1241166).
- kabi: restore layout of struct mem_control (jsc#PED-12551).
- kabi: restore layout of struct page_counter (jsc#PED-12551).
- kernel-source: Do not use multiple -r in sed parameters
- kernel-source: Remove log.sh from sources
- leds: pwm-multicolor: Add check for fwnode_property_read_u32 (stable-fixes).
- loop: add file_start_write() and file_end_write() (git-fixes).
- mailbox: use error ret code of of_parse_phandle_with_args() (stable-fixes).
- md/raid1,raid10: do not handle IO error for REQ_RAHEAD and REQ_NOWAIT (git-fixes).
- media: adv7180: Disable test-pattern control on adv7180 (stable-fixes).
- media: c8sectpfe: Call of_node_put(i2c_bus) only once in c8sectpfe_probe() (stable-fixes).
- media: ccs-pll: Check for too high VT PLL multiplier in dual PLL case (git-fixes).
- media: ccs-pll: Correct the upper limit of maximum op_pre_pll_clk_div (git-fixes).
- media: ccs-pll: Start OP pre-PLL multiplier search from correct value (git-fixes).
- media: ccs-pll: Start VT pre-PLL multiplier search from correct value (git-fixes).
- media: cx231xx: set device_caps for 417 (stable-fixes).
- media: cxusb: no longer judge rbuf when the write fails (git-fixes).
- media: davinci: vpif: Fix memory leak in probe error path (git-fixes).
- media: gspca: Add error handling for stv06xx_read_sensor() (git-fixes).
- media: i2c: imx219: Correct the minimum vblanking value (stable-fixes).
- media: imx-jpeg: Cleanup after an allocation error (git-fixes).
- media: imx-jpeg: Drop the first error frames (git-fixes).
- media: imx-jpeg: Move mxc_jpeg_free_slot_data() ahead (git-fixes).
- media: imx-jpeg: Reset slot data pointers when freed (git-fixes).
- media: nxp: imx8-isi: better handle the m2m usage_count (git-fixes).
- media: omap3isp: use sgtable-based scatterlist wrappers (git-fixes).
- media: ov5675: suppress probe deferral errors (git-fixes).
- media: ov8856: suppress probe deferral errors (git-fixes).
- media: qcom: camss: csid: Only add TPG v4l2 ctrl if TPG hardware is available (stable-fixes).
- media: rkvdec: Fix frame size enumeration (git-fixes).
- media: tc358746: improve calculation of the D-PHY timing registers (stable-fixes).
- media: test-drivers: vivid: do not call schedule in loop (stable-fixes).
- media: uvcvideo: Add sanity check to uvc_ioctl_xu_ctrl_map (stable-fixes).
- media: uvcvideo: Fix deferred probing error (git-fixes).
- media: uvcvideo: Handle uvc menu translation inside uvc_get_le_value (stable-fixes).
- media: uvcvideo: Return the number of processed controls (git-fixes).
- media: v4l2-dev: fix error handling in __video_register_device() (git-fixes).
- media: v4l: Memset argument to 0 before calling get_mbus_config pad op (stable-fixes).
- media: venus: Fix probe error handling (git-fixes).
- media: videobuf2: use sgtable-based scatterlist wrappers (git-fixes).
- media: vidtv: Terminating the subsequent process of initialization failure (git-fixes).
- media: vivid: Change the siize of the composing (git-fixes).
- mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove() (git-fixes).
- mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE (git-fixes).
- mfd: tps65219: Remove TPS65219_REG_TI_DEV_ID check (stable-fixes).
- mkspec: Exclude rt flavor from kernel-syms dependencies (bsc#1244337).
- mm, memcg: cg2 memory{.swap,}.peak write handlers (jsc#PED-12551).
- mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race (bsc#1245431).
- mm/hugetlb: unshare page tables during VMA split, not before (bsc#1245431).
- mm/memcontrol: export memcg.swap watermark via sysfs for v2 memcg (jsc#PED-12551).
- mmc: Add quirk to disable DDR50 tuning (stable-fixes).
- mmc: dw_mmc: add exynos7870 DW MMC support (stable-fixes).
- mmc: host: Wait for Vdd to settle on card power off (stable-fixes).
- mmc: sdhci: Disable SD card clock before changing parameters (stable-fixes).
- mtd: nand: ecc-mxic: Fix use of uninitialized variable ret (git-fixes).
- mtd: nand: sunxi: Add randomizer configuration before randomizer enable (git-fixes).
- mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk (git-fixes).
- neighbour: Do not let neigh_forced_gc() disable preemption for long (git-fixes).
- net/mdiobus: Fix potential out-of-bounds clause 45 read/write access (git-fixes).
- net/mdiobus: Fix potential out-of-bounds read/write access (git-fixes).
- net/mlx4_en: Prevent potential integer overflow calculating Hz (git-fixes).
- net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid() (git-fixes).
- net/mlx5: Ensure fw pages are always allocated on same NUMA (git-fixes).
- net/mlx5: Fix ECVF vports unload on shutdown flow (git-fixes).
- net/mlx5: Fix return value when searching for existing flow group (git-fixes).
- net/mlx5_core: Add error handling inmlx5_query_nic_vport_qkey_viol_cntr() (git-fixes).
- net/mlx5e: Fix leak of Geneve TLV option object (git-fixes).
- net/neighbor: clear error in case strict check is not set (git-fixes).
- net/sched: fix use-after-free in taprio_dev_notifier (git-fixes).
- net: Fix TOCTOU issue in sk_is_readable() (git-fixes).
- net: Implement missing getsockopt(SO_TIMESTAMPING_NEW) (git-fixes).
- net: add rcu safety to rtnl_prop_list_size() (git-fixes).
- net: fix udp gso skb_segment after pull from frag_list (git-fixes).
- net: give more chances to rcu in netdev_wait_allrefs_any() (git-fixes).
- net: ice: Perform accurate aRFS flow match (git-fixes).
- net: ipv4: fix a memleak in ip_setup_cork (git-fixes).
- net: linkwatch: use system_unbound_wq (git-fixes).
- net: mana: Add support for Multi Vports on Bare metal (bsc#1244229).
- net: mana: Record doorbell physical address in PF mode (bsc#1244229).
- net: page_pool: fix warning code (git-fixes).
- net: phy: clear phydev->devlink when the link is deleted (git-fixes).
- net: phy: fix up const issues in to_mdio_device() and to_phy_device() (git-fixes).
- net: phy: move phy_link_change() prior to mdio_bus_phy_may_suspend() (bsc#1243538)
- net: phy: mscc: Fix memory leak when using one step timestamping (git-fixes).
- net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames (git-fixes).
- net: sched: cls_u32: Fix allocation size in u32_init() (git-fixes).
- net: sched: consistently use rcu_replace_pointer() in taprio_change() (git-fixes).
- net: sched: em_text: fix possible memory leak in em_text_destroy() (git-fixes).
- net: sched: fix erspan_opt settings in cls_flower (git-fixes).
- net: usb: aqc111: debug info before sanitation (git-fixes).
- net: usb: aqc111: fix error handling of usbnet read calls (git-fixes).
- net: wwan: t7xx: Fix napi rx poll issue (git-fixes).
- net_sched: ets: fix a race in ets_qdisc_change() (git-fixes).
- net_sched: prio: fix a race in prio_tune() (git-fixes).
- net_sched: red: fix a race in __red_change() (git-fixes).
- net_sched: sch_fifo: implement lockless __fifo_dump() (bsc#1237312)
- net_sched: sch_sfq: reject invalid perturb period (git-fixes).
- net_sched: sch_sfq: use a temporary work area for validating configuration (bsc#1232504)
- net_sched: tbf: fix a race in tbf_change() (git-fixes).
- netdev-genl: Hold rcu_read_lock in napi_get (git-fixes).
- netlink: fix potential sleeping issue in mqueue_flush_file (git-fixes).
- netlink: specs: dpll: replace underscores with dashes in names (git-fixes).
- netpoll: Use rcu_access_pointer() in __netpoll_setup (git-fixes).
- netpoll: hold rcu read lock in __netpoll_send_skb() (git-fixes).
- nfsd: Initialize ssc before laundromat_work to prevent NULL dereference (git-fixes).
- nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request (git-fixes).
- nfsd: validate the nfsd_serv pointer before calling svc_wake_up (git-fixes).
- ntp: Clamp maxerror and esterror to operating range (git-fixes)
- ntp: Remove invalid cast in time offset math (git-fixes)
- ntp: Safeguard against time_constant overflow (git-fixes)
- nvme-fc: do not reference lsrsp after failure (bsc#1245193).
- nvme-pci: add NVME_QUIRK_NO_DEEPEST_PS quirk for SOLIDIGM P44 Pro (git-fixes).
- nvme-pci: add quirks for WDC Blue SN550 15b7:5009 (git-fixes).
- nvme-pci: add quirks for device 126f:1001 (git-fixes).
- nvme: always punt polled uring_cmd end_io work to task_work (git-fixes).
- nvme: fix command limits status code (git-fixes).
- nvme: fix implicit bool to flags conversion (git-fixes).
- nvmet-fc: free pending reqs on tgtport unregister (bsc#1245193).
- nvmet-fc: take tgtport refs for portentry (bsc#1245193).
- nvmet-fcloop: access fcpreq only when holding reqlock (bsc#1245193).
- nvmet-fcloop: add missing fcloop_callback_host_done (bsc#1245193).
- nvmet-fcloop: allocate/free fcloop_lsreq directly (bsc#1245193).
- nvmet-fcloop: do not wait for lport cleanup (bsc#1245193).
- nvmet-fcloop: drop response if targetport is gone (bsc#1245193).
- nvmet-fcloop: prevent double port deletion (bsc#1245193).
- nvmet-fcloop: refactor fcloop_delete_local_port (bsc#1245193).
- nvmet-fcloop: refactor fcloop_nport_alloc and track lport (bsc#1245193).
- nvmet-fcloop: remove nport from list on last user (bsc#1245193).
- nvmet-fcloop: track ref counts for nports (bsc#1245193).
- nvmet-fcloop: update refs on tfcp_req (bsc#1245193).
- orangefs: Do not truncate file size (git-fixes).
- pNFS/flexfiles: Report ENETDOWN as a connection error (git-fixes).
- page_pool: Fix use-after-free in page_pool_recycle_in_ring (git-fixes).
- phy: core: do not require set_mode() callback for phy_get_mode() to work (stable-fixes).
- phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug (git-fixes).
- phy: renesas: rcar-gen3-usb2: Add support to initialize the bus (stable-fixes).
- phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off (git-fixes).
- phy: renesas: rcar-gen3-usb2: Lock around hardware registers and driver data (git-fixes).
- phy: renesas: rcar-gen3-usb2: Move IRQ request in probe (stable-fixes).
- pinctrl-tegra: Restore SFSEL bit when freeing pins (stable-fixes).
- pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() (stable-fixes).
- pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() (stable-fixes).
- pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() (stable-fixes).
- pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() (stable-fixes).
- pinctrl: armada-37xx: set GPIO output value before setting direction (git-fixes).
- pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 (git-fixes).
- pinctrl: at91: Fix possible out-of-boundary access (git-fixes).
- pinctrl: bcm281xx: Use 'unsigned int' instead of bare 'unsigned' (stable-fixes).
- pinctrl: devicetree: do not goto err when probing hogs in pinctrl_dt_to_map (stable-fixes).
- pinctrl: mcp23s08: Reset all pins to input at probe (stable-fixes).
- pinctrl: meson: define the pull up/down resistor value as 60 kOhm (stable-fixes).
- pinctrl: qcom: pinctrl-qcm2290: Add missing pins (git-fixes).
- pinctrl: st: Drop unused st_gpio_bank() function (git-fixes).
- pinctrl: tegra: Fix off by one in tegra_pinctrl_get_group() (git-fixes).
- platform/x86/amd: pmc: Clear metrics table at start of cycle (git-fixes).
- platform/x86/intel-uncore-freq: Fail module load when plat_info is NULL (git-fixes).
- platform/x86: dell_rbu: Fix list usage (git-fixes).
- platform/x86: dell_rbu: Stop overwriting data buffer (git-fixes).
- platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys (git-fixes).
- platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys (stable-fixes).
- platform/x86: ideapad-laptop: use usleep_range() for EC polling (git-fixes).
- platform/x86: thinkpad_acpi: Ignore battery threshold change event notification (stable-fixes).
- platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS (git-fixes).
- platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS (stable-fixes).
- power: reset: at91-reset: Optimize at91_reset() (git-fixes).
- power: supply: bq27xxx: Retrieve again when busy (stable-fixes).
- power: supply: collie: Fix wakeup source leaks on device unbind (stable-fixes).
- powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery (bsc#1215199).
- powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap (bsc#1244309 ltc#213790).
- powerpc/pseries/msi: Avoid reading PCI device registers in reduced power states (bsc#1215199).
- powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() (bsc#1244309 ltc#213790).
- pstore: Change kmsg_bytes storage size to u32 (git-fixes).
- ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() (git-fixes).
- r8152: add vendor/device ID pair for Dell Alienware AW1022z (git-fixes).
- regulator: ad5398: Add device tree support (stable-fixes).
- regulator: max14577: Add error check for max14577_read_reg() (git-fixes).
- regulator: max20086: Change enable gpio to optional (git-fixes).
- regulator: max20086: Fix MAX200086 chip id (git-fixes).
- regulator: max20086: Fix refcount leak in max20086_parse_regulators_dt() (git-fixes).
- rpm/check-for-config-changes: add more to IGNORED_CONFIGS_RE
  Useful when someone tries (needs) to build the kernel with clang.
- rpm/kernel-source.changes.old: Drop bogus bugzilla reference (bsc#1244725)
- rpm: Stop using is_kotd_qa macro
  This macro is set by bs-upload-kernel, and a conditional in each spec file is used to determine when to build the spec file. This logic should not really be in the spec file.
  Previously this was done with package links and package meta for the individual links. However, the use of package links is rejected for packages in git based release projects (nothing to do with git actually, new policy).
  An alternative to package links is multibuild. However, for multibuild packages package meta cannot be used to set which spec file gets built.
  Use prjcon buildflags instead, and remove this conditional. Depends on bs-upload-kernel adding the build flag.
- rtc: Fix offset calculation for .start_secs < 0 (git-fixes).
- rtc: Make rtc_time64_to_tm() support dates before 1970 (stable-fixes).
- rtc: at91rm9200: drop unused module alias (git-fixes).
- rtc: cmos: use spin_lock_irqsave in cmos_interrupt (git-fixes).
- rtc: cpcap: drop unused module alias (git-fixes).
- rtc: da9063: drop unused module alias (git-fixes).
- rtc: ds1307: stop disabling alarms on probe (stable-fixes).
- rtc: jz4740: drop unused module alias (git-fixes).
- rtc: pm8xxx: drop unused module alias (git-fixes).
- rtc: rv3032: fix EERD location (stable-fixes).
- rtc: s3c: drop unused module alias (git-fixes).
- rtc: sh: assign correct interrupts with DT (git-fixes).
- rtc: stm32: drop unused module alias (git-fixes).
- s390/pci: Allow re-add of a reserved but not yet removed device (bsc#1244145).
- s390/pci: Fix __pcilg_mio_inuser() inline assembly (git-fixes bsc#1245226).
- s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs (git-fixes bsc#1244145).
- s390/pci: Fix potential double remove of hotplug slot (bsc#1244145).
- s390/pci: Prevent self deletion in disable_slot() (bsc#1244145).
- s390/pci: Remove redundant bus removal and disable from zpci_release_device() (bsc#1244145).
- s390/pci: Serialize device addition and removal (bsc#1244145).
- s390/pci: introduce lock to synchronize state of zpci_dev's (jsc#PED-10253 bsc#1244145).
- s390/pci: remove hotplug slot when releasing the device (bsc#1244145).
- s390/pci: rename lock member in struct zpci_dev (jsc#PED-10253 bsc#1244145).
- s390/tty: Fix a potential memory leak bug (git-fixes bsc#1245228).
- scsi: dc395x: Remove DEBUG conditional compilation (git-fixes).
- scsi: dc395x: Remove leftover if statement in reselect() (git-fixes).
- scsi: elx: efct: Fix memory leak in efct_hw_parse_filter() (git-fixes).
- scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk (git-fixes).
- scsi: iscsi: Fix incorrect error path labels for flashnode operations (git-fixes).
- scsi: mpi3mr: Add level check to control event logging (git-fixes).
- scsi: mpt3sas: Send a diag reset if target reset fails (git-fixes).
- scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops (git-fixes).
- scsi: sd_zbc: block: Respect bio vector limits for REPORT ZONES buffer (git-fixes).
- scsi: st: ERASE does not change tape location (git-fixes).
- scsi: st: Restore some drive settings after reset (git-fixes).
- scsi: st: Tighten the page format heuristics with MODE SELECT (git-fixes).
- scsi: storvsc: Do not report the host packet status as the hv status (git-fixes).
- scsi: storvsc: Increase the timeouts to storvsc_timeout (git-fixes).
- selftests/bpf: Fix bpf_nf selftest failure (git-fixes).
- selftests/mm: restore default nr_hugepages value during cleanup in hugetlb_reparenting_test.sh (git-fixes).
- selftests/net: have `gro.sh -t` return a correct exit code (stable-fixes).
- selftests/seccomp: fix syscall_restart test for arm compat (git-fixes).
- serial: Fix potential null-ptr-deref in mlb_usio_probe() (git-fixes).
- serial: imx: Restore original RXTL for console to fix data loss (git-fixes).
- serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes).
- serial: sh-sci: Move runtime PM enable to sci_probe_single() (stable-fixes).
- serial: sh-sci: Save and restore more registers (git-fixes).
- serial: sh-sci: Update the suspend/resume support (stable-fixes).
- soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() (git-fixes).
- soc: aspeed: lpc: Fix impossible judgment condition (git-fixes).
- soc: qcom: smp2p: Fix fallback to qcom,ipc parse (git-fixes).
- soc: ti: k3-socinfo: Do not use syscon helper to build regmap (stable-fixes).
- software node: Correct a OOB check in software_node_get_reference_args() (stable-fixes).
- soundwire: amd: change the soundwire wake enable/disable sequence (stable-fixes).
- spi-rockchip: Fix register out of bounds access (stable-fixes).
- spi: bcm63xx-hsspi: fix shared reset (git-fixes).
- spi: bcm63xx-spi: fix shared reset (git-fixes).
- spi: sh-msiof: Fix maximum DMA transfer size (git-fixes).
- spi: spi-sun4i: fix early activation (stable-fixes).
- spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers (git-fixes).
- spi: tegra210-quad: modify chip select (CS) deactivation (git-fixes).
- spi: tegra210-quad: remove redundant error handling code (git-fixes).
- spi: zynqmp-gqspi: Always acknowledge interrupts (stable-fixes).
- staging: iio: ad5933: Correct settling cycles encoding per datasheet (git-fixes).
- staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() (git-fixes).
- struct usci: hide additional member (git-fixes).
- sunrpc: handle SVC_GARBAGE during svc auth processing as auth error (git-fixes).
- tcp/dccp: allow a connection when sk_max_ack_backlog is zero (git-fixes).
- tcp/dccp: bypass empty buckets in inet_twsk_purge() (git-fixes).
- tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog (git-fixes).
- tcp: bring back NUMA dispersion in inet_ehash_locks_alloc() (git-fixes).
- tcp_metrics: optimize tcp_metrics_flush_all() (git-fixes).
- thermal/drivers/qoriq: Power down TMU on system suspend (stable-fixes).
- thunderbolt: Do not add non-active NVM if NVM upgrade is disabled for retimer (stable-fixes).
- thunderbolt: Do not double dequeue a configuration request (stable-fixes).
- thunderbolt: Fix a logic error in wake on connect (git-fixes).
- timekeeping: Fix bogus clock_was_set() invocation in (git-fixes)
- timekeeping: Fix cross-timestamp interpolation corner case (git-fixes)
- timekeeping: Fix cross-timestamp interpolation for non-x86 (git-fixes)
- timekeeping: Fix cross-timestamp interpolation on counter (git-fixes)
- trace/trace_event_perf: remove duplicate samples on the first tracepoint event (git-fixes).
- tracing/eprobe: Fix to release eprobe when failed to add dyn_event (git-fixes).
- tracing: Add __print_dynamic_array() helper (bsc#1243544).
- tracing: Add __string_len() example (bsc#1243544).
- tracing: Fix cmp_entries_dup() to respect sort() comparison rules (git-fixes).
- tracing: Fix compilation warning on arm32 (bsc#1243551).
- tracing: Use atomic64_inc_return() in trace_clock_counter() (git-fixes).
- truct dwc3 hide new member wakeup_pending_funcs (git-fixes).
- ucsi_debugfs_entry: hide signedness change (git-fixes).
- udp: annotate data-races around up->pending (git-fixes).
- udp: fix incorrect parameter validation in the udp_lib_getsockopt() function (git-fixes).
- udp: fix receiving fraglist GSO packets (git-fixes).
- udp: preserve the connected status if only UDP cmsg (git-fixes).
- uprobes: Use kzalloc to allocate xol area (git-fixes).
- usb: Flush altsetting 0 endpoints before reinitializating them after reset (git-fixes).
- usb: cdnsp: Fix issue with detecting USB 3.2 speed (git-fixes).
- usb: cdnsp: Fix issue with detecting command completion event (git-fixes).
- usb: dwc3: gadget: Make gadget_wakeup asynchronous (git-fixes).
- usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE (stable-fixes).
- usb: renesas_usbhs: Reorder clock handling and power management in probe (git-fixes).
- usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device (stable-fixes).
- usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx() (git-fixes).
- usb: typec: ucsi: Only enable supported notifications (git-fixes).
- usb: typec: ucsi: allow non-partner GET_PDOS for Qualcomm devices (git-fixes).
- usb: typec: ucsi: fix Clang -Wsign-conversion warning (git-fixes).
- usb: typec: ucsi: fix UCSI on buggy Qualcomm devices (git-fixes).
- usb: typec: ucsi: limit the UCSI_NO_PARTNER_PDOS even further (git-fixes).
- usb: usbtmc: Fix read_stb function and get_stb ioctl (git-fixes).
- usb: usbtmc: Fix timeout value in get_stb (git-fixes).
- usb: xhci: Do not change the status of stalled TDs on failed Stop EP (stable-fixes).
- usbnet: asix AX88772: leave the carrier control to phylink (stable-fixes).
- vgacon: Add check for vc_origin address range in vgacon_scroll() (git-fixes).
- vmxnet3: correctly report gso type for UDP tunnels (bsc#1244626).
- vmxnet3: support higher link speeds from vmxnet3 v9 (bsc#1244626).
- vmxnet3: update MTU after device quiesce (bsc#1244626).
- vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl() (git-fixes).
- watchdog: da9052_wdt: respect TWDMIN (stable-fixes).
- watchdog: exar: Shorten identity name to fit correctly (git-fixes).
- watchdog: fix watchdog may detect false positive of softlockup (stable-fixes).
- watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04 (git-fixes).
- watchdog: mediatek: Add support for MT6735 TOPRGU/WDT (git-fixes).
- wifi: ath11k: Fix QMI memory reuse logic (stable-fixes).
- wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request() (git-fixes).
- wifi: ath11k: convert timeouts to secs_to_jiffies() (stable-fixes).
- wifi: ath11k: do not use static variables in ath11k_debugfs_fw_stats_process() (git-fixes).
- wifi: ath11k: do not wait when there is no vdev started (git-fixes).
- wifi: ath11k: fix node corruption in ar->arvifs list (git-fixes).
- wifi: ath11k: fix ring-buffer corruption (git-fixes).
- wifi: ath11k: fix rx completion meta data corruption (git-fixes).
- wifi: ath11k: fix soc_dp_stats debugfs file permission (stable-fixes).
- wifi: ath11k: move some firmware stats related functions outside of debugfs (git-fixes). - wifi: ath11k: update channel list in worker when wait flag is set (bsc#1243847). - wifi: ath11k: validate ath11k_crypto_mode on top of ath11k_core_qmi_firmware_ready (git-fixes). - wifi: ath12k: Add MSDU length validation for TKIP MIC error (git-fixes). - wifi: ath12k: Avoid napi_sync() before napi_enable() (stable-fixes). - wifi: ath12k: Fix WMI tag for EHT rate in peer assoc (git-fixes). - wifi: ath12k: Fix end offset bit definition in monitor ring descriptor (stable-fixes). - wifi: ath12k: Fix invalid memory access while forming 802.11 header (git-fixes). - wifi: ath12k: Fix memory leak during vdev_id mismatch (git-fixes). - wifi: ath12k: Fix the QoS control field offset to build QoS header (git-fixes). - wifi: ath12k: Improve BSS discovery with hidden SSID in 6 GHz band (stable-fixes). - wifi: ath12k: Pass correct values of center freq1 and center freq2 for 160 MHz (stable-fixes). - wifi: ath12k: Report proper tx completion status to mac80211 (stable-fixes). - wifi: ath12k: fix a possible dead lock caused by ab->base_lock (stable-fixes). - wifi: ath12k: fix ath12k_hal_tx_cmd_ext_desc_setup() info1 override (stable-fixes). - wifi: ath12k: fix cleanup path after mhi init (git-fixes). - wifi: ath12k: fix failed to set mhi state error during reboot with hardware grouping (stable-fixes). - wifi: ath12k: fix incorrect CE addresses (stable-fixes). - wifi: ath12k: fix invalid access to memory (git-fixes). - wifi: ath12k: fix link valid field initialization in the monitor Rx (stable-fixes). - wifi: ath12k: fix macro definition HAL_RX_MSDU_PKT_LENGTH_GET (stable-fixes). - wifi: ath12k: fix node corruption in ar->arvifs list (git-fixes). - wifi: ath12k: fix ring-buffer corruption (git-fixes). - wifi: ath9k: return by of_get_mac_address (stable-fixes). - wifi: ath9k_htc: Abort software beacon handling if disabled (git-fixes). 
- wifi: carl9170: do not ping device which has failed to load firmware (git-fixes). - wifi: iwlfiwi: mvm: Fix the rate reporting (git-fixes). - wifi: iwlwifi: Add missing MODULE_FIRMWARE for Qu-c0-jf-b0 (stable-fixes). - wifi: iwlwifi: add support for Killer on MTL (stable-fixes). - wifi: iwlwifi: fix debug actions order (stable-fixes). - wifi: iwlwifi: pcie: make sure to lock rxq->read (stable-fixes). - wifi: mac80211: VLAN traffic in multicast path (stable-fixes). - wifi: mac80211: do not offer a mesh path if forwarding is disabled (stable-fixes). - wifi: mac80211: do not unconditionally call drv_mgd_complete_tx() (stable-fixes). - wifi: mac80211: fix beacon interval calculation overflow (git-fixes). - wifi: mac80211: remove misplaced drv_mgd_complete_tx() call (stable-fixes). - wifi: mac80211_hwsim: Prevent tsf from setting if beacon is disabled (stable-fixes). - wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R (stable-fixes). - wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init() (git-fixes). - wifi: mt76: mt7921: add 160 MHz AP for mt7922 device (stable-fixes). - wifi: mt76: mt7925: ensure all MCU commands wait for response (git-fixes). - wifi: mt76: mt7925: fix host interrupt register initialization (git-fixes). - wifi: mt76: mt7925: prevent multiple scan commands (git-fixes). - wifi: mt76: mt7925: refine the sniffer commnad (git-fixes). - wifi: mt76: mt7996: drop fragments with multicast or broadcast RA (stable-fixes). - wifi: mt76: mt7996: fix RX buffer size of MCU event (git-fixes). - wifi: mt76: mt7996: revise TXS size (stable-fixes). - wifi: mt76: mt7996: set EHT max ampdu length capability (git-fixes). - wifi: mt76: only mark tx-status-failed frames as ACKed on mt76x0/2 (stable-fixes). - wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() (git-fixes). - wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723 (git-fixes). 
- wifi: rtw88: Do not use static local variable in rtw8822b_set_tx_power_index_by_rate (stable-fixes). - wifi: rtw88: Fix __rtw_download_firmware() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix download_firmware_validate() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix rtw_desc_to_mcsrate() to handle MCS16-31 (stable-fixes). - wifi: rtw88: Fix rtw_init_ht_cap() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix rtw_init_vht_cap() for RTL8814AU (stable-fixes). - wifi: rtw88: do not ignore hardware read error during DPK (git-fixes). - wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds (git-fixes). - wifi: rtw88: sdio: call rtw_sdio_indicate_tx_status unconditionally (git-fixes). - wifi: rtw88: sdio: map mgmt frames to queue TX_DESC_QSEL_MGMT (git-fixes). - wifi: rtw88: usb: Reduce control message timeout to 500 ms (git-fixes). - wifi: rtw89: add wiphy_lock() to work that isn't held wiphy_lock() yet (stable-fixes). - wifi: rtw89: fw: propagate error code from rtw89_h2c_tx() (stable-fixes). - wifi: rtw89: leave idle mode when setting WEP encryption for AP mode (stable-fixes). - wifi: rtw89: pci: enlarge retry times of RX tag to 1000 (git-fixes). - x86/idle: Remove MFENCEs for X86_BUG_CLFLUSH_MONITOR in mwait_idle_with_hints() and prefer_mwait_c1_over_halt() (git-fixes). - x86/kaslr: Reduce KASLR entropy on most x86 systems (git-fixes). - x86/microcode/AMD: Add get_patch_level() (git-fixes). - x86/microcode/AMD: Do not return error when microcode update is not necessary (git-fixes). - x86/microcode/AMD: Get rid of the _load_microcode_amd() forward declaration (git-fixes). - x86/microcode/AMD: Have __apply_microcode_amd() return bool (git-fixes). - x86/microcode/AMD: Make __verify_patch_size() return bool (git-fixes). - x86/microcode/AMD: Merge early_apply_microcode() into its single callsite (git-fixes). - x86/microcode/AMD: Remove ugly linebreak in __verify_patch_section() signature (git-fixes). 
- x86/microcode/AMD: Return bool from find_blobs_in_containers() (git-fixes). - x86/microcode: Consolidate the loader enablement checking (git-fixes). - x86/mm/init: Handle the special case of device private pages in add_pages(), to not increase max_pfn and trigger dma_addressing_limited() bounce buffers (git-fixes). - x86/xen: fix balloon target initialization for PVH dom0 (git-fixes). - xen/arm: call uaccess_ttbr0_enable for dm_op hypercall (git-fixes) - xen/x86: fix initial memory balloon target (git-fixes). - xsk: always clear DMA mapping information when unmapping the pool (git-fixes). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2558-1 Released: Wed Jul 30 22:14:27 2025 Summary: Recommended update for libsolv Type: recommended Severity: moderate References: 1230267,1243279,1243457,1243486,1244042,1244710,1245220,1245452,1245496,1245672 This update for libsolv fixes the following issues: - Allow easy migration from SLE Micro 5.5 + SUMA to SL Micro 6.1+MLM (bsc#1243457). - implement color filtering when adding update targets. - support orderwithrequires dependencies in susedata.xml. - Fix SEGV in MediaDISK handler (bsc#1245452). - Fix evaluation of libproxy results (bsc#1244710). - Enhancements regarding mirror handling during repo refresh. Adapt to libzypp API changes (bsc#1230267). - Explicitly selecting DownloadAsNeeded also selects the classic_rpmtrans backend. - Enhancements with mirror handling during repo refresh, needs zypper 1.14.91. - Fix autotestcase when ZYPP_FULLLOG=1 (bsc#1244042) There was no testcase written for the very first solver run. - zypper does not allow distinctions between install and upgrade in %postinstall (bsc#1243279). - Ignore DeltaRpm download errors, in case of a failure the full rpm is downloaded (bsc#1245672). - Improve fix for incorrect filesize handling and download data exceeded errors on HTTP responses (bsc#1245220). - sh: Reset solver options after command (bsc#1245496). 
- BuildRequires: Now %{libsolv_devel_package} greater or equal to 0.7.34 is required (bsc#1243486). The following package changes have been done: - boost-license1_66_0-1.66.0-150200.12.7.1 updated - kernel-default-6.4.0-150600.23.60.5 updated - libboost_system1_66_0-1.66.0-150200.12.7.1 updated - libboost_thread1_66_0-1.66.0-150200.12.7.1 updated - libsolv-tools-base-0.7.34-150600.8.17.2 updated - libzypp-17.37.10-150600.3.74.1 updated - zypper-1.14.92-150600.10.46.2 updated From sle-container-updates at lists.suse.com Thu Jul 31 12:31:15 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 31 Jul 2025 14:31:15 +0200 (CEST) Subject: SUSE-CU-2025:5771-1: Security update of containers/pytorch Message-ID: <20250731123115.8B1F4FF2D@maintenance.suse.de> SUSE Container Update Advisory: containers/pytorch ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5771-1 Container Tags : containers/pytorch:2-nvidia , containers/pytorch:2.7.0-nvidia , containers/pytorch:2.7.0-nvidia-2.39 Container Release : 2.39 Severity : moderate Type : security References : 1244270 1244272 1244273 1244279 1244336 CVE-2025-5914 CVE-2025-5915 CVE-2025-5916 CVE-2025-5917 CVE-2025-5918 ----------------------------------------------------------------- The container containers/pytorch was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2566-1 Released: Thu Jul 31 09:18:44 2025 Summary: Security update for libarchive Type: security Severity: moderate References: 1244270,1244272,1244273,1244279,1244336,CVE-2025-5914,CVE-2025-5915,CVE-2025-5916,CVE-2025-5917,CVE-2025-5918 This update for libarchive fixes the following issues: - CVE-2025-5914: Fixed double free due to an integer overflow in the archive_read_format_rar_seek_data() function (bsc#1244272) - CVE-2025-5915: Fixed heap buffer over read in copy_from_lzss_window() at archive_read_support_format_rar.c (bsc#1244273) - CVE-2025-5916: Fixed integer overflow while reading warc files at archive_read_support_format_warc.c (bsc#1244270) - CVE-2025-5917: Fixed off by one error in build_ustar_entry_name() at archive_write_set_format_pax.c (bsc#1244336) - CVE-2025-5918: Fixed reading past EOF may be triggered for piped file streams (bsc#1244279) The following package changes have been done: - libarchive13-3.7.2-150600.3.17.1 updated From sle-container-updates at lists.suse.com Thu Jul 31 12:38:05 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 31 Jul 2025 14:38:05 +0200 (CEST) Subject: SUSE-CU-2025:5778-1: Security update of suse/kiosk/firefox-esr Message-ID: <20250731123805.A66C5FF1E@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/firefox-esr ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:5778-1 Container Tags : suse/kiosk/firefox-esr:140.1 , suse/kiosk/firefox-esr:140.1-63.1 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest Container Release : 63.1 Severity : important Type : security References : 1179930 1179931 1179932 1179933 1180102 1180232 1181598 1181599 1183353 1184110 1185128 1201590 1222253 1222762 1223110 1230613 1236438 1237231 1244670 1246664 
CVE-2020-26418 CVE-2020-26419 CVE-2020-26420 CVE-2020-26421 CVE-2020-26422 CVE-2021-22173 CVE-2021-22174 CVE-2021-22191 CVE-2021-22207 CVE-2024-32462 CVE-2025-6424 CVE-2025-6425 CVE-2025-6426 CVE-2025-6427 CVE-2025-6428 CVE-2025-6429 CVE-2025-6430 CVE-2025-6431 CVE-2025-6432 CVE-2025-6433 CVE-2025-6434 CVE-2025-6435 CVE-2025-6436 CVE-2025-8027 CVE-2025-8028 CVE-2025-8029 CVE-2025-8030 CVE-2025-8031 CVE-2025-8032 CVE-2025-8033 CVE-2025-8034 CVE-2025-8035 CVE-2025-8036 CVE-2025-8037 CVE-2025-8038 CVE-2025-8039 CVE-2025-8040 ----------------------------------------------------------------- The container suse/kiosk/firefox-esr was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2125-1 Released: Tue Jun 22 14:41:26 2021 Summary: Security update for wireshark Type: security Severity: important References: 1179930,1179931,1179932,1179933,1180102,1180232,1181598,1181599,1183353,1184110,1185128,CVE-2020-26418,CVE-2020-26419,CVE-2020-26420,CVE-2020-26421,CVE-2020-26422,CVE-2021-22173,CVE-2021-22174,CVE-2021-22191,CVE-2021-22207 This update for wireshark, libvirt, sbc and libqt5-qtmultimedia fixes the following issues: Update wireshark to version 3.4.5 - New and updated support and bug fixes for multiple protocols - Asynchronous DNS resolution is always enabled - Protobuf fields can be dissected as Wireshark (header) fields - UI improvements Including security fixes for: - CVE-2021-22191: Wireshark could open unsafe URLs (bsc#1183353). 
- CVE-2021-22207: MS-WSP dissector excessive memory consumption (bsc#1185128) - CVE-2020-26422: QUIC dissector crash (bsc#1180232) - CVE-2020-26418: Kafka dissector memory leak (bsc#1179930) - CVE-2020-26419: Multiple dissector memory leaks (bsc#1179931) - CVE-2020-26420: RTPS dissector memory leak (bsc#1179932) - CVE-2020-26421: USB HID dissector crash (bsc#1179933) - CVE-2021-22173: Fix USB HID dissector memory leak (bsc#1181598) - CVE-2021-22174: Fix USB HID dissector crash (bsc#1181599) libqt5-qtmultimedia and sbc are necessary dependencies. libvirt is needed to rebuild wireshark-plugin-libvirt. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:4062-1 Released: Fri Nov 18 09:05:07 2022 Summary: Recommended update for libusb-1_0 Type: recommended Severity: moderate References: 1201590 This update for libusb-1_0 fixes the following issues: - Fix regression where some devices no longer work if they have a configuration value of 0 (bsc#1201590) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2067-1 Released: Tue Jun 18 13:16:24 2024 Summary: Security update for xdg-desktop-portal Type: security Severity: important References: 1223110,CVE-2024-32462 This update for xdg-desktop-portal fixes the following issues: - CVE-2024-32462: Fix arbitrary code execution outside bwrap sandbox by checking that the first commandline item doesn't start with whitespaces or a hyphen. (bsc#1223110) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:2586-1 Released: Mon Jul 22 13:44:35 2024 Summary: Recommended update for lv2, serd, sord, sratom Type: recommended Severity: moderate References: This update for lv2, serd, sord, sratom fixes the following issues: lv2 was updated to 1.18.4: * Fix build issues with newer toolchains. * Fix spelling errors. * atom: Fix spelling errors. * patch: Fix spelling errors. * patch: Fix type and range of patch:value.
* patch: Make the type of patch:wildcard more precise. * state: Fix spelling errors. * ui: Deprecate ui:resize. * ui: Fix spelling errors. serd was updated to 0.30.16: * Switch to meson * Add html documentation do devel 0.30.16 changes: * Add SERD_STATIC to pkg-config Cflags for static-only builds * Adopt REUSE machine-readable licensing standard * Allow programs to be used from subproject * Fix spelling mistake in serdi man page 0.30.14 changes: * Fix memory consumption when reading documents * Switch to Meson build system * Update README and project metadata update to 0.30.12: * Fix warnings and build issues with clang 13 and VS 2019 * Fix writing long literals with triple quotes * Improve documentation style * Support combining several BSD-style command line flags in serdi * Write statements with invalid URI characters in lax mode update to 0.30.10: * Add fallback configuration if documentation theme is unavailable * Fix SERD_DISABLE_DEPRECATED * Fix building for older MacOS versions on newer MacOS * Fix documentation installation directory * Deprecate serd_uri_to_path() * Don't install API man pages * Fix potential memory error when serialising URIs * Move headers to an include directory * Refuse to write relative URI references to NTriples * Remove the need for a generated configuration header * Remove use of C character class functions that may use locale * Split up and reorganize unit tests * Use aligned allocation via C11 or Windows API where possible sord was updated to 0.16.14: Update to 0.16.14: * Adopt REUSE machine-readable licensing standard * Allow programs to be used from subproject * Fix accidentally exposed internal zix symbols * Fix various warnings * Switch to meson build system Update to 0.16.10: * Fix Windows build * Fix potential crash or incorrectness issue with GCC 10 again Update to 0.16.8: * Fix potential undefined behavior * Fix potentially incorrect search results * Remove the need for a generated configuration header Update to 0.16.6: 
* Fix potential crash or incorrectness issues with GCC 10 * Fix various minor warnings and other code quality issues Update to 0.16.2: * Update waf bundle to 2.0.9 * Fix various compiler warnings and clang-format reports sratom was updated to 0.6.14: Update to 0.6.14 * Fix potential null pointer dereference update to 0.6.6: * Fix various minor warnings and other code quality issues Update to 0.6.2: * Update waf internals to work with python 3.7 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3919-1 Released: Wed Nov 6 06:37:24 2024 Summary: Recommended update for pipewire Type: recommended Severity: moderate References: 1222253,1230613 This update for pipewire fixes the following issues: - Make sure the pipewire-libjack package doesn't completely replace the original jack libraries unless the pipewire-jack package which installs the ld.so.conf.d file is installed too (bsc#1222253). - Moved modules jack-tunnel and jackdbus-detect to the pipewire-spa-plugins-0_2-jack since those modules should only be used when the real jack server is running. This fixes pipewire starting jackdbus on start (bsc#1230613) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2024:4281-1 Released: Tue Dec 10 17:01:29 2024 Summary: Optional update for fuse3 Type: optional Severity: moderate References: This update for fuse3 provides missing -devel packages for SLE 15 SP4. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1728-1 Released: Wed May 28 16:22:03 2025 Summary: Recommended update for abseil-cpp Type: recommended Severity: moderate References: 1236438 This update for abseil-cpp fixes the following issue: - Version update 20240116.3 * Fix potential integer overflow in hash container create/resize (bsc#1236438).
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1781-1 Released: Fri May 30 17:31:50 2025 Summary: Recommended update for pipewire Type: recommended Severity: moderate References: 1222762 This update for pipewire fixes the following issue: - Add patch from upstream to make pipewire not run as root at all (bsc#1222762). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2529-1 Released: Fri Jul 25 19:36:13 2025 Summary: Security update for MozillaFirefox, MozillaFirefox-branding-SLE Type: security Severity: important References: 1237231,1244670,1246664,CVE-2025-6424,CVE-2025-6425,CVE-2025-6426,CVE-2025-6427,CVE-2025-6428,CVE-2025-6429,CVE-2025-6430,CVE-2025-6431,CVE-2025-6432,CVE-2025-6433,CVE-2025-6434,CVE-2025-6435,CVE-2025-6436,CVE-2025-8027,CVE-2025-8028,CVE-2025-8029,CVE-2025-8030,CVE-2025-8031,CVE-2025-8032,CVE-2025-8033,CVE-2025-8034,CVE-2025-8035,CVE-2025-8036,CVE-2025-8037,CVE-2025-8038,CVE-2025-8039,CVE-2025-8040 This update for MozillaFirefox, MozillaFirefox-branding-SLE fixes the following issues: MozillaFirefox is updated to the 140ESR series. Firefox Extended Support Release 140.0esr ESR: * General - Reader View now has an enhanced Text and Layout menu with new options for character spacing, word spacing, and text alignment. These changes offer a more accessible reading experience. - Reader View now has a Theme menu with additional Contrast and Gray options. You can also select custom colors for text, background, and links from the Custom tab. - Firefox will now offer to temporarily remember when users grant permissions to sites (e.g. geolocation). Temporary permissions will be removed either after one hour or when the tab is closed. - Firefox now includes safeguards to prevent sites from abusing the history API by generating excessive history entries, which can make navigating with the back and forward buttons difficult by cluttering the history. 
This intervention ensures that such entries, unless interacted with by the user, are skipped when using the back and forward buttons. - Firefox now identifies all links in PDFs and turns them into hyperlinks. - You can now copy links from background tabs using the tabstrip context menu on macOS and Linux. - Users on macOS and Linux are now given the option to close only the current tab if the Quit keyboard shortcut is used while multiple tabs are open in the window. (bmo#None) * Sidebar and Tabs - You can now enable the updated Firefox sidebar in Settings > General > Browser Layout to quickly access multiple tools in one click, without leaving your main view. Sidebar tools include an AI chatbot of your choice, bookmarks, history, and tabs from devices you sync with your Mozilla account. - Keep a lot of tabs open? Try our new vertical tabs layout to quickly scan your list of tabs. With vertical tabs, your open and pinned tabs appear in the sidebar instead of along the top of the browser. To turn on vertical tabs, right-click on the toolbar near the top of the browser and select Turn on Vertical Tabs. If you've enabled the updated sidebar, you can also go to Customize sidebar and check Vertical tabs. Early testers report feeling more organized after using vertical tabs for a few days. - Stay productive and organized with less effort by grouping related tabs together. One simple way to create a group is to drag a tab onto another, pause until you see a highlight, then drop to create the group. Tab groups can be named, color-coded, and are always saved. You can close a group and reopen it later. - A tab preview is now displayed when hovering the mouse over background tabs, making it easier to locate the desired tab without needing to switch tabs. - The sidebar to view tabs from other devices can now be opened via the Tab overview menu. * Security & Privacy - HTTPS is replacing HTTP as the default protocol in the address bar on non-local sites.
If a site is not available via HTTPS, Firefox will fall back to HTTP. - Firefox now blocks third-party cookie access when Enhanced Tracking Protection's Strict mode is enabled. - Firefox now has a new anti-tracking feature, Bounce Tracking Protection, which is now available in Enhanced Tracking Protection's 'Strict' mode. This feature detects bounce trackers based on their redirect behavior and periodically purges their cookies and site data to block tracking. - Firefox now enforces certificate transparency, requiring web servers to provide sufficient proof that their certificates were publicly disclosed before they will be trusted. This only affects servers using certificates issued by a certificate authority in Mozilla's Root CA Program. - Smartblock Embeds allows users to selectively unblock certain social media embeds that are blocked in ETP Strict and Private Browsing modes. Currently, support is limited to a few embed types, with more to be added in future updates. - Firefox now upgrades page loads to HTTPS by default and gracefully falls back to HTTP if the secure connection fails. This behavior is known as HTTPS-First. - The 'Copy Without Site Tracking' menu item was renamed to 'Copy Clean Link' to help clarify expectations around what the feature does. 'Copy Clean Link' is a list-based approach to remove known tracking parameters from links. This option can also now be used on plain text links. - The Clear browsing data and cookies dialog now allows clearing saved form info separately from browsing history. * Translations - Firefox now allows translating selected text portions to different languages after a full-page translation. - Full-Page Translations are now available within Firefox extension pages that start with the moz-extension:// URL scheme. - When suggesting a default translation language, Firefox will now take into consideration languages you have previously used for translations. - Added support for many new languages in Firefox translation.
* Linux - Firefox now supports touchpad hold gestures on Linux. This means that kinetic (momentum) scrolling can now be interrupted by placing two fingers on the touchpad. * Developer: - Firefox now supports text fragments, which allows users to link directly to a specific portion of text in a web document via a special URL fragment. - Debugger log-point values are now automatically converted into profiler markers, making it easy to add information to the marker timeline directly from the Debugger. - The Debugger's directory root is now scoped to the specific domain where it was set, which aligns with typical usage and avoids applying it across unrelated domains. This builds on previous improvements such as a redesigned UI and easier removal of the root setting. Setting a directory root updates the Source List to show only the selected directory and its children. (Learn more) - The Network Blocking feature in the Network panel now blocks HTTP requests in addition to blocking responses. - The Network panel displays information about Early Hints, including a dedicated indicator for the 103 HTTP status code in the user interface. - The Network panel now allows overriding network request responses with local files. - The filter setting in the Network panel is now preserved across DevTools Toolbox sessions. - A new column has been added to the Network panel to display the full path of the request URL. This enhancement helps developers quickly view and analyze complete request paths. - Introduced a new console command `$$$` that allows searching the page, including within shadow roots. - Improved support for debugging web extensions, such as automatically reloading the web extension's source code in the Debugger when the extension is reloaded. Workers are now available in the Console panel's context selector and breakpoints function correctly in content scripts.
- In the Inspector Fonts panel, we now display fonts metadata, like the font version, designer, vendor, license, etc. - Added support for the import map integrity field, allowing you to ensure the integrity of dynamically or statically imported modules. - Implemented support for `Error.isError`, enabling brand checks to determine whether an object is an instance of Error. (Learn more) - Added support for the `error.captureStackTrace` extension to improve compatibility with other browsers. (Learn more: http://github.com/tc39/proposal-error-capturestacktrace) * Enterprise: - The UserMessaging policy has been updated with a new option to allow disabling Firefox Labs in preferences. - The Preferences policy has been updated to allow setting the preference security.pki.certificate_transparency.mode. - HTTPS-First is now on by default. You can manage this behavior using the HttpsOnlyMode and HttpAllowlist policies. - An internal change has been made to Firefox that removes `XPCOMUtils.defineLazyGetter`. For most people, this shouldn't matter, but if you encounter problems with AutoConfig or third party software like PolicyPak, this might be the cause. You'll need to reach out to your provider. - Firefox now supports the Content Analysis SDK for integrating DLP software. For more information, see this post. - The SearchEngines policy is now available on all versions of Firefox (not just the ESR). 
Various security fixes MFSA 2025-51 (bsc#1244670): * CVE-2025-6424 (bmo#1966423) Use-after-free in FontFaceSet * CVE-2025-6425 (bmo#1717672) The WebCompat WebExtension shipped with Firefox exposed a persistent UUID * CVE-2025-6426 (bmo#1964385) No warning when opening executable terminal files on macOS * CVE-2025-6427 (bmo#1966927) connect-src Content Security Policy restriction could be bypassed * CVE-2025-6428 (bmo#1970151) Firefox for Android opened URLs specified in a link querystring parameter * CVE-2025-6429 (bmo#1970658) Incorrect parsing of URLs could have allowed embedding of youtube.com * CVE-2025-6430 (bmo#1971140) Content-Disposition header ignored when a file is included in an embed or object tag * CVE-2025-6431 (bmo#1942716) The prompt in Firefox for Android that asks before opening a link in an external application could be bypassed * CVE-2025-6432 (bmo#1943804) DNS Requests leaked outside of a configured SOCKS proxy * CVE-2025-6433 (bmo#1954033) WebAuthn would allow a user to sign a challenge on a webpage with an invalid TLS certificate * CVE-2025-6434 (bmo#1955182) HTTPS-Only exception screen lacked anti-clickjacking delay * CVE-2025-6435 (bmo#1950056, bmo#1961777) Save as in Devtools could download files without sanitizing the extension * CVE-2025-6436 (bmo#1941377, bmo#1960948, bmo#1966187, bmo#1966505, bmo#1970764) Memory safety bugs fixed in Firefox 140 and Thunderbird 140 Various security fixes MFSA 2025-59 (bsc#1246664): - CVE-2025-8027: JavaScript engine only wrote partial return value to stack - CVE-2025-8028: Large branch table could lead to truncated instruction - CVE-2025-8029: javascript: URLs executed on object and embed tags - CVE-2025-8036: DNS rebinding circumvents CORS - CVE-2025-8037: Nameless cookies shadow secure cookies - CVE-2025-8030: Potential user-assisted code execution in 'Copy as cURL'
command - CVE-2025-8031: Incorrect URL stripping in CSP reports - CVE-2025-8032: XSLT documents could bypass CSP - CVE-2025-8038: CSP frame-src was not correctly enforced for paths - CVE-2025-8039: Search terms persisted in URL bar - CVE-2025-8033: Incorrect JavaScript state machine for generators - CVE-2025-8034: Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 - CVE-2025-8040: Memory safety bugs fixed in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 - CVE-2025-8035: Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 The following package changes have been done: - libabsl2401_0_0-20240116.3-150600.19.3.15 added - libbluetooth3-5.78-150700.1.3 added - libconfig++11-1.7-2.12 added - libfdk-aac2-2.0.0-150400.3.2.1 added - libfuse3-3-3.10.5-150400.3.2.1 added - liblc3-1-1.0.4-150600.1.3 added - libldac2-2.0.2.3-150300.3.2.1 added - libraw1394-11-2.1.2-150600.1.3 added - libsbc1-1.3-3.2.1 added - libserd-0-0-0.30.16-150600.10.3.1 added - libsigc-2_0-0-2.12.1-150600.1.2 added - libvulkan1-1.3.275.0-150600.1.2 added - libwebrtc-audio-processing-1-3-1.3-150600.1.3 added - libiec61883-0-1.2.0-1.27 added - libavc1394-0-0.5.4-1.27 added - libsord-0-0-0.16.14-150600.16.3.1 added - libusb-1_0-0-1.0.24-150400.3.3.1 added - libmysofa1-1.3.2-150600.1.4 added - libglibmm-2_4-1-2.66.6-150600.1.2 added - libsratom-0-0-0.6.14-150600.16.3.1 added - libxml++-3_0-1-3.2.4-150600.1.2 added - liblilv-0-0-0.24.10-150600.10.2.1 added - libffado2-2.4.7-150600.1.3 added - pipewire-spa-plugins-0_2-1.0.5+git36.60deeb2-150600.3.6.2 added - libjson-glib-1_0-0-1.8.0-150600.1.3 added - libpipewire-0_3-0-1.0.5+git36.60deeb2-150600.3.6.2 added - pipewire-modules-0_3-1.0.5+git36.60deeb2-150600.3.6.2 added - fuse3-3.10.5-150400.3.2.1 added - 
xdg-desktop-portal-1.18.2-150600.4.3.1 added - MozillaFirefox-140.1.0-150200.152.193.1 updated - MozillaFirefox-branding-SLE-140-150200.9.21.1 updated - container:suse-sle15-15.7-4232c2790095361d6776af20382c431e7222f9956d773c3790d57cf7e94a7911-0 updated