SUSE-IU-2025:1851-1: Security update of suse/sle-micro/kvm-5.5
sle-container-updates at lists.suse.com
sle-container-updates at lists.suse.com
Fri Jul 11 07:04:52 UTC 2025
SUSE Image Update Advisory: suse/sle-micro/kvm-5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1851-1
Image Tags : suse/sle-micro/kvm-5.5:2.0.4 , suse/sle-micro/kvm-5.5:2.0.4-3.5.350 , suse/sle-micro/kvm-5.5:latest
Image Release : 3.5.350
Severity : important
Type : security
References : 1065729 1081723 1156395 1193629 1194869 1198410 1199356 1199487
1201160 1201956 1202094 1202095 1202564 1202716 1202823 1202860
1203197 1203361 1205220 1205514 1205701 1206451 1206664 1206878
1206880 1207361 1207638 1211226 1212051 1213090 1218184 1218234
1218470 1222634 1223675 1224095 1224113 1224597 1225468 1225820
1226514 1226552 1230827 1232504 1234156 1234381 1235464 1235637
1236821 1236822 1237159 1237312 1237313 1238526 1238876 1241900
1242221 1242414 1242504 1242596 1242778 1242782 1242924 1243330
1243543 1243627 1243649 1243660 1243832 1244114 1244179 1244180
1244234 1244241 1244277 1244309 1244337 1244732 1244764 1244765
1244767 1244770 1244771 1244772 1244773 1244774 1244776 1244779
1244780 1244781 1244782 1244783 1244784 1244786 1244787 1244788
1244790 1244791 1244793 1244794 1244796 1244797 1244798 1244800
1244802 1244804 1244805 1244806 1244807 1244808 1244811 1244813
1244814 1244815 1244816 1244819 1244820 1244823 1244824 1244825
1244826 1244827 1244830 1244831 1244832 1244834 1244836 1244838
1244839 1244840 1244841 1244842 1244843 1244845 1244846 1244848
1244849 1244851 1244853 1244854 1244856 1244858 1244860 1244861
1244866 1244867 1244868 1244869 1244870 1244871 1244872 1244873
1244875 1244876 1244878 1244879 1244881 1244883 1244884 1244886
1244887 1244888 1244890 1244892 1244893 1244895 1244898 1244899
1244900 1244901 1244902 1244903 1244904 1244905 1244908 1244911
1244912 1244914 1244915 1244928 1244936 1244940 1244941 1244942
1244943 1244944 1244945 1244948 1244949 1244950 1244953 1244955
1244956 1244957 1244958 1244959 1244960 1244961 1244965 1244966
1244967 1244968 1244969 1244970 1244973 1244974 1244976 1244977
1244978 1244979 1244983 1244984 1244985 1244986 1244987 1244991
1244992 1244993 1245006 1245007 1245009 1245011 1245012 1245015
1245018 1245019 1245023 1245024 1245028 1245031 1245032 1245033
1245038 1245039 1245040 1245041 1245047 1245048 1245051 1245052
1245057 1245058 1245060 1245062 1245063 1245064 1245069 1245070
1245072 1245073 1245088 1245089 1245092 1245093 1245094 1245098
1245103 1245116 1245117 1245118 1245119 1245121 1245122 1245125
1245129 1245131 1245133 1245134 1245135 1245136 1245138 1245139
1245140 1245142 1245146 1245147 1245149 1245152 1245154 1245155
1245180 1245183 1245189 1245191 1245195 1245197 1245265 1245340
1245348 1245431 1245455 CVE-2021-47557 CVE-2021-47595 CVE-2022-1679
CVE-2022-2585 CVE-2022-2586 CVE-2022-2905 CVE-2022-3903 CVE-2022-4095
CVE-2022-4662 CVE-2022-49934 CVE-2022-49935 CVE-2022-49936 CVE-2022-49937
CVE-2022-49938 CVE-2022-49940 CVE-2022-49942 CVE-2022-49943 CVE-2022-49944
CVE-2022-49945 CVE-2022-49946 CVE-2022-49948 CVE-2022-49949 CVE-2022-49950
CVE-2022-49951 CVE-2022-49952 CVE-2022-49954 CVE-2022-49956 CVE-2022-49957
CVE-2022-49958 CVE-2022-49960 CVE-2022-49962 CVE-2022-49963 CVE-2022-49964
CVE-2022-49965 CVE-2022-49966 CVE-2022-49968 CVE-2022-49969 CVE-2022-49971
CVE-2022-49972 CVE-2022-49977 CVE-2022-49978 CVE-2022-49980 CVE-2022-49981
CVE-2022-49982 CVE-2022-49983 CVE-2022-49984 CVE-2022-49985 CVE-2022-49986
CVE-2022-49987 CVE-2022-49989 CVE-2022-49990 CVE-2022-49993 CVE-2022-49995
CVE-2022-49999 CVE-2022-50002 CVE-2022-50003 CVE-2022-50005 CVE-2022-50006
CVE-2022-50008 CVE-2022-50010 CVE-2022-50011 CVE-2022-50012 CVE-2022-50015
CVE-2022-50016 CVE-2022-50019 CVE-2022-50020 CVE-2022-50021 CVE-2022-50022
CVE-2022-50023 CVE-2022-50024 CVE-2022-50026 CVE-2022-50027 CVE-2022-50028
CVE-2022-50029 CVE-2022-50030 CVE-2022-50031 CVE-2022-50032 CVE-2022-50033
CVE-2022-50034 CVE-2022-50035 CVE-2022-50036 CVE-2022-50037 CVE-2022-50038
CVE-2022-50039 CVE-2022-50040 CVE-2022-50041 CVE-2022-50044 CVE-2022-50045
CVE-2022-50046 CVE-2022-50047 CVE-2022-50049 CVE-2022-50050 CVE-2022-50051
CVE-2022-50052 CVE-2022-50053 CVE-2022-50054 CVE-2022-50055 CVE-2022-50059
CVE-2022-50060 CVE-2022-50061 CVE-2022-50062 CVE-2022-50065 CVE-2022-50066
CVE-2022-50067 CVE-2022-50068 CVE-2022-50072 CVE-2022-50073 CVE-2022-50074
CVE-2022-50076 CVE-2022-50077 CVE-2022-50079 CVE-2022-50083 CVE-2022-50084
CVE-2022-50085 CVE-2022-50086 CVE-2022-50087 CVE-2022-50092 CVE-2022-50093
CVE-2022-50094 CVE-2022-50095 CVE-2022-50097 CVE-2022-50098 CVE-2022-50099
CVE-2022-50100 CVE-2022-50101 CVE-2022-50102 CVE-2022-50103 CVE-2022-50104
CVE-2022-50108 CVE-2022-50109 CVE-2022-50110 CVE-2022-50111 CVE-2022-50112
CVE-2022-50115 CVE-2022-50116 CVE-2022-50117 CVE-2022-50118 CVE-2022-50120
CVE-2022-50121 CVE-2022-50124 CVE-2022-50125 CVE-2022-50126 CVE-2022-50127
CVE-2022-50129 CVE-2022-50131 CVE-2022-50132 CVE-2022-50133 CVE-2022-50134
CVE-2022-50135 CVE-2022-50136 CVE-2022-50137 CVE-2022-50138 CVE-2022-50139
CVE-2022-50140 CVE-2022-50141 CVE-2022-50142 CVE-2022-50143 CVE-2022-50144
CVE-2022-50145 CVE-2022-50146 CVE-2022-50149 CVE-2022-50151 CVE-2022-50152
CVE-2022-50153 CVE-2022-50154 CVE-2022-50155 CVE-2022-50156 CVE-2022-50157
CVE-2022-50158 CVE-2022-50160 CVE-2022-50161 CVE-2022-50162 CVE-2022-50164
CVE-2022-50165 CVE-2022-50166 CVE-2022-50169 CVE-2022-50171 CVE-2022-50172
CVE-2022-50173 CVE-2022-50175 CVE-2022-50176 CVE-2022-50178 CVE-2022-50179
CVE-2022-50181 CVE-2022-50183 CVE-2022-50184 CVE-2022-50185 CVE-2022-50186
CVE-2022-50187 CVE-2022-50188 CVE-2022-50190 CVE-2022-50191 CVE-2022-50192
CVE-2022-50194 CVE-2022-50196 CVE-2022-50197 CVE-2022-50198 CVE-2022-50199
CVE-2022-50200 CVE-2022-50201 CVE-2022-50202 CVE-2022-50203 CVE-2022-50204
CVE-2022-50206 CVE-2022-50207 CVE-2022-50208 CVE-2022-50209 CVE-2022-50211
CVE-2022-50212 CVE-2022-50213 CVE-2022-50215 CVE-2022-50218 CVE-2022-50220
CVE-2022-50221 CVE-2022-50222 CVE-2022-50226 CVE-2022-50228 CVE-2022-50229
CVE-2022-50231 CVE-2023-3111 CVE-2023-52924 CVE-2023-52925 CVE-2023-53046
CVE-2023-53048 CVE-2023-53076 CVE-2023-53097 CVE-2024-26808 CVE-2024-26924
CVE-2024-26935 CVE-2024-27397 CVE-2024-35840 CVE-2024-36978 CVE-2024-46800
CVE-2024-53125 CVE-2024-53141 CVE-2024-53197 CVE-2024-56770 CVE-2024-57999
CVE-2025-21700 CVE-2025-21702 CVE-2025-21703 CVE-2025-21756 CVE-2025-23141
CVE-2025-23145 CVE-2025-37752 CVE-2025-37798 CVE-2025-37823 CVE-2025-37890
CVE-2025-37932 CVE-2025-37948 CVE-2025-37953 CVE-2025-37963 CVE-2025-37997
CVE-2025-38000 CVE-2025-38001 CVE-2025-38014 CVE-2025-38060 CVE-2025-38083
-----------------------------------------------------------------
The container suse/sle-micro/kvm-5.5 was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2264-1
Released: Thu Jul 10 10:25:37 2025
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1065729,1156395,1193629,1194869,1198410,1199356,1199487,1201160,1201956,1202094,1202095,1202564,1202716,1202823,1202860,1203197,1203361,1205220,1205514,1205701,1206451,1206664,1206878,1206880,1207361,1207638,1211226,1212051,1213090,1218184,1218234,1218470,1222634,1223675,1224095,1224597,1225468,1225820,1226514,1226552,1230827,1232504,1234156,1234381,1235464,1235637,1236821,1236822,1237159,1237312,1237313,1238526,1238876,1241900,1242221,1242414,1242504,1242596,1242778,1242782,1242924,1243330,1243543,1243627,1243649,1243660,1243832,1244114,1244179,1244180,1244234,1244241,1244277,1244309,1244337,1244732,1244764,1244765,1244767,1244770,1244771,1244772,1244773,1244774,1244776,1244779,1244780,1244781,1244782,1244783,1244784,1244786,1244787,1244788,1244790,1244791,1244793,1244794,1244796,1244797,1244798,1244800,1244802,1244804,1244805,1244806,1244807,1244808,1244811,1244813,1244814,1244815,1244816,1244819,1244820,1244823,1244824,1244825,1244826,1244827,1244830,1244831,1244832,1
244834,1244836,1244838,1244839,1244840,1244841,1244842,1244843,1244845,1244846,1244848,1244849,1244851,1244853,1244854,1244856,1244858,1244860,1244861,1244866,1244867,1244868,1244869,1244870,1244871,1244872,1244873,1244875,1244876,1244878,1244879,1244881,1244883,1244884,1244886,1244887,1244888,1244890,1244892,1244893,1244895,1244898,1244899,1244900,1244901,1244902,1244903,1244904,1244905,1244908,1244911,1244912,1244914,1244915,1244928,1244936,1244940,1244941,1244942,1244943,1244944,1244945,1244948,1244949,1244950,1244953,1244955,1244956,1244957,1244958,1244959,1244960,1244961,1244965,1244966,1244967,1244968,1244969,1244970,1244973,1244974,1244976,1244977,1244978,1244979,1244983,1244984,1244985,1244986,1244987,1244991,1244992,1244993,1245006,1245007,1245009,1245011,1245012,1245015,1245018,1245019,1245023,1245024,1245028,1245031,1245032,1245033,1245038,1245039,1245040,1245041,1245047,1245048,1245051,1245052,1245057,1245058,1245060,1245062,1245063,1245064,1245069,1245070,1245072,124507
3,1245088,1245089,1245092,1245093,1245094,1245098,1245103,1245116,1245117,1245118,1245119,1245121,1245122,1245125,1245129,1245131,1245133,1245134,1245135,1245136,1245138,1245139,1245140,1245142,1245146,1245147,1245149,1245152,1245154,1245155,1245180,1245183,1245189,1245191,1245195,1245197,1245265,1245340,1245348,1245431,1245455,CVE-2021-47557,CVE-2021-47595,CVE-2022-1679,CVE-2022-2585,CVE-2022-2586,CVE-2022-2905,CVE-2022-3903,CVE-2022-4095,CVE-2022-4662,CVE-2022-49934,CVE-2022-49935,CVE-2022-49936,CVE-2022-49937,CVE-2022-49938,CVE-2022-49940,CVE-2022-49942,CVE-2022-49943,CVE-2022-49944,CVE-2022-49945,CVE-2022-49946,CVE-2022-49948,CVE-2022-49949,CVE-2022-49950,CVE-2022-49951,CVE-2022-49952,CVE-2022-49954,CVE-2022-49956,CVE-2022-49957,CVE-2022-49958,CVE-2022-49960,CVE-2022-49962,CVE-2022-49963,CVE-2022-49964,CVE-2022-49965,CVE-2022-49966,CVE-2022-49968,CVE-2022-49969,CVE-2022-49971,CVE-2022-49972,CVE-2022-49977,CVE-2022-49978,CVE-2022-49980,CVE-2022-49981,CVE-2022-49982,CVE-2022-49983
,CVE-2022-49984,CVE-2022-49985,CVE-2022-49986,CVE-2022-49987,CVE-2022-49989,CVE-2022-49990,CVE-2022-49993,CVE-2022-49995,CVE-2022-49999,CVE-2022-50002,CVE-2022-50003,CVE-2022-50005,CVE-2022-50006,CVE-2022-50008,CVE-2022-50010,CVE-2022-50011,CVE-2022-50012,CVE-2022-50015,CVE-2022-50016,CVE-2022-50019,CVE-2022-50020,CVE-2022-50021,CVE-2022-50022,CVE-2022-50023,CVE-2022-50024,CVE-2022-50026,CVE-2022-50027,CVE-2022-50028,CVE-2022-50029,CVE-2022-50030,CVE-2022-50031,CVE-2022-50032,CVE-2022-50033,CVE-2022-50034,CVE-2022-50035,CVE-2022-50036,CVE-2022-50037,CVE-2022-50038,CVE-2022-50039,CVE-2022-50040,CVE-2022-50041,CVE-2022-50044,CVE-2022-50045,CVE-2022-50046,CVE-2022-50047,CVE-2022-50049,CVE-2022-50050,CVE-2022-50051,CVE-2022-50052,CVE-2022-50053,CVE-2022-50054,CVE-2022-50055,CVE-2022-50059,CVE-2022-50060,CVE-2022-50061,CVE-2022-50062,CVE-2022-50065,CVE-2022-50066,CVE-2022-50067,CVE-2022-50068,CVE-2022-50072,CVE-2022-50073,CVE-2022-50074,CVE-2022-50076,CVE-2022-50077,CVE-2022-50079,CVE-20
22-50083,CVE-2022-50084,CVE-2022-50085,CVE-2022-50086,CVE-2022-50087,CVE-2022-50092,CVE-2022-50093,CVE-2022-50094,CVE-2022-50095,CVE-2022-50097,CVE-2022-50098,CVE-2022-50099,CVE-2022-50100,CVE-2022-50101,CVE-2022-50102,CVE-2022-50103,CVE-2022-50104,CVE-2022-50108,CVE-2022-50109,CVE-2022-50110,CVE-2022-50111,CVE-2022-50112,CVE-2022-50115,CVE-2022-50116,CVE-2022-50117,CVE-2022-50118,CVE-2022-50120,CVE-2022-50121,CVE-2022-50124,CVE-2022-50125,CVE-2022-50126,CVE-2022-50127,CVE-2022-50129,CVE-2022-50131,CVE-2022-50132,CVE-2022-50133,CVE-2022-50134,CVE-2022-50135,CVE-2022-50136,CVE-2022-50137,CVE-2022-50138,CVE-2022-50139,CVE-2022-50140,CVE-2022-50141,CVE-2022-50142,CVE-2022-50143,CVE-2022-50144,CVE-2022-50145,CVE-2022-50146,CVE-2022-50149,CVE-2022-50151,CVE-2022-50152,CVE-2022-50153,CVE-2022-50154,CVE-2022-50155,CVE-2022-50156,CVE-2022-50157,CVE-2022-50158,CVE-2022-50160,CVE-2022-50161,CVE-2022-50162,CVE-2022-50164,CVE-2022-50165,CVE-2022-50166,CVE-2022-50169,CVE-2022-50171,CVE-2022-5017
2,CVE-2022-50173,CVE-2022-50175,CVE-2022-50176,CVE-2022-50178,CVE-2022-50179,CVE-2022-50181,CVE-2022-50183,CVE-2022-50184,CVE-2022-50185,CVE-2022-50186,CVE-2022-50187,CVE-2022-50188,CVE-2022-50190,CVE-2022-50191,CVE-2022-50192,CVE-2022-50194,CVE-2022-50196,CVE-2022-50197,CVE-2022-50198,CVE-2022-50199,CVE-2022-50200,CVE-2022-50201,CVE-2022-50202,CVE-2022-50203,CVE-2022-50204,CVE-2022-50206,CVE-2022-50207,CVE-2022-50208,CVE-2022-50209,CVE-2022-50211,CVE-2022-50212,CVE-2022-50213,CVE-2022-50215,CVE-2022-50218,CVE-2022-50220,CVE-2022-50221,CVE-2022-50222,CVE-2022-50226,CVE-2022-50228,CVE-2022-50229,CVE-2022-50231,CVE-2023-3111,CVE-2023-52924,CVE-2023-52925,CVE-2023-53046,CVE-2023-53048,CVE-2023-53076,CVE-2023-53097,CVE-2024-26808,CVE-2024-26924,CVE-2024-26935,CVE-2024-27397,CVE-2024-35840,CVE-2024-36978,CVE-2024-46800,CVE-2024-53125,CVE-2024-53141,CVE-2024-53197,CVE-2024-56770,CVE-2024-57999,CVE-2025-21700,CVE-2025-21702,CVE-2025-21703,CVE-2025-21756,CVE-2025-23141,CVE-2025-23145,CVE-20
25-37752,CVE-2025-37798,CVE-2025-37823,CVE-2025-37890,CVE-2025-37932,CVE-2025-37948,CVE-2025-37953,CVE-2025-37963,CVE-2025-37997,CVE-2025-38000,CVE-2025-38001,CVE-2025-38014,CVE-2025-38060,CVE-2025-38083
The SUSE Linux Enterprise 15 SP5 kernel was updated to receive various security bugfixes.
The following security bugs were fixed:
- CVE-2021-47557: net/sched: sch_ets: do not peek at classes beyond 'nbands' (bsc#1207361 bsc#1225468).
- CVE-2021-47595: net/sched: sch_ets: do not remove idle classes from the round-robin list (bsc#1207361 bsc#1226552).
- CVE-2023-52924: netfilter: nf_tables: do not skip expired elements during walk (bsc#1236821).
- CVE-2023-52925: netfilter: nf_tables: do not fail inserts if duplicate has expired (bsc#1236822).
- CVE-2024-26808: netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain (bsc#1222634).
- CVE-2024-26924: scsi: lpfc: Release hbalock before calling lpfc_worker_wake_up() (bsc#1225820).
- CVE-2024-27397: kabi: place tstamp needed for nftables set in a hole (bsc#1224095).
- CVE-2024-36978: net: sched: sch_multiq: fix possible OOB write in multiq_tune() (bsc#1226514).
- CVE-2024-46800: sch/netem: fix use after free in netem_dequeue (bsc#1230827).
- CVE-2024-53125: bpf: sync_linked_regs() must preserve subreg_def (bsc#1234156).
- CVE-2024-53141: netfilter: ipset: add missing range check in bitmap_ip_uadt (bsc#1234381).
- CVE-2024-53197: ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices (bsc#1235464).
- CVE-2024-56770: sch/netem: fix use after free in netem_dequeue (bsc#1235637).
- CVE-2025-21700: net: sched: Disallow replacing of child qdisc from one parent to another (bsc#1237159).
- CVE-2025-21702: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (bsc#1237312).
- CVE-2025-21703: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() (bsc#1237313).
- CVE-2025-21756: vsock: Orphan socket after transport release (bsc#1238876).
- CVE-2025-23141: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses (bsc#1242782).
- CVE-2025-37752: net_sched: sch_sfq: move the limit validation (bsc#1242504).
- CVE-2025-37823: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too (bsc#1242924).
- CVE-2025-37890: net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc (bsc#1243330).
- CVE-2025-37997: netfilter: ipset: fix region locking in hash types (bsc#1243832).
- CVE-2025-38000: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (bsc#1244277).
- CVE-2025-38001: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice (bsc#1244234).
- CVE-2025-38014: dmaengine: idxd: Refactor remove call with idxd_cleanup() helper (bsc#1244732).
- CVE-2025-38060: bpf: abort verification if env->cur_state->loop_entry != NULL (bsc#1245155).
- CVE-2025-38083: net_sched: prio: fix a race in prio_tune() (bsc#1245183).
The following non-security bugs were fixed:
- ALSA: usb-audio: Fix a DMA to stack memory bug (git-fixes).
- Fix reference in 'net_sched: sch_sfq: use a temporary work area for validating configuration' (bsc#1242504)
- MyBS: Correctly generate build flags for non-multibuild package limit (bsc# 1244241) Fixes: 0999112774fc ('MyBS: Use buildflags to set which package to build')
- MyBS: Do not build kernel-obs-qa with limit_packages Fixes: 58e3f8c34b2b ('bs-upload-kernel: Pass limit_packages also on multibuild')
- MyBS: Simplify qa_expr generation Start with a 0 which makes the expression valid even if there are no QA repositories (currently does not happen). Then separator is always needed.
- bs-upload-kernel: Pass limit_packages also on multibuild Fixes: 0999112774fc ('MyBS: Use buildflags to set which package to build') Fixes: 747f601d4156 ('bs-upload-kernel, MyBS, Buildresults: Support multibuild (JSC-SLE#5501, boo#1211226, bsc#1218184)')
- hugetlb: unshare some PMDs when splitting VMAs (bsc#1245431).
- kernel-source: Do not use multiple -r in sed parameters
- kernel-source: Remove log.sh from sources
- mkspec: Exclude rt flavor from kernel-syms dependencies (bsc#1244337).
- mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race (bsc#1245431).
- mm/hugetlb: unshare page tables during VMA split, not before (bsc#1245431).
- net_sched: sch_fifo: implement lockless __fifo_dump() (bsc#1237312)
- net_sched: sch_sfq: use a temporary work area for validating configuration (bsc#1232504)
- ovl: fix use inode directly in rcu-walk mode (bsc#1241900).
- powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap (bsc#1244309 ltc#213790).
- powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() (bsc#1244309 ltc#213790).
- scsi: storvsc: Do not report the host packet status as the hv status (git-fixes).
- scsi: storvsc: Increase the timeouts to storvsc_timeout (bsc#1245455).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2274-1
Released: Thu Jul 10 14:35:40 2025
Summary: Recommended update for mozilla-nspr, mozilla-nss
Type: recommended
Severity: moderate
References: 1081723,1224113
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.112:
* Fix alias for mac workers on try
* ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault
* ABI/API break in ssl certificate processing
* remove unnecessary assertion in sec_asn1d_init_state_based_on_template
* bmo#1965754 Update taskgraph to v14.2.1
* Workflow for automation of the release on GitHub when pushing a tag
* fix faulty assertions in SEC_ASN1DecoderUpdate
* Renegotiations should use a fresh ECH GREASE buffer
* bmo#1951396 Update taskgraph to v14.1.1
* Partial fix for ACVP build CI job
* Initialize find in sftk_searchDatabase
* Add clang-18 to extra builds
* Fault tolerant git fetch for fuzzing
* Tolerate intermittent failures in ssl_policy_pkix_ocsp
* fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set
* fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls
* Remove Cryptofuzz CI version check
Update to NSS 3.111:
* FIPS changes need to be upstreamed: force ems policy
* Turn off Websites Trust Bit from CAs
* Update nssckbi version following April 2025 Batch of Changes
* Disable SMIME ‘trust bit’ for GoDaddy CAs
* Replaced deprecated sprintf function with snprintf in dbtool.c
* Need up update NSS for PKCS 3.1
* avoid leaking localCert if it is already set in ssl3_FillInCachedSID
* Decrease ASAN quarantine size for Cryptofuzz in CI
* selfserv: Add support for zlib certificate compression
Update to NSS 3.110:
* FIPS changes need to be upstreamed: force ems policy
* Prevent excess allocations in sslBuffer_Grow
* Remove Crl templates from ASN1 fuzz target
* Remove CERT_CrlTemplate from ASN1 fuzz target
* Fix memory leak in NSS_CMSMessage_IsSigned
* NSS policy updates
* Improve locking in nssPKIObject_GetInstances
* Fix race in sdb_GetMetaData
* Fix member access within null pointer
* Increase smime fuzzer memory limit
* Enable resumption when using custom extensions
* change CN of server12 test certificate
* Part 2: Add missing check in
NSS_CMSDigestContext_FinishSingle
* Part 1: Fix smime UBSan errors
* FIPS changes need to be upstreamed: updated key checks
* Don't build libpkix in static builds
* handle `-p all` in try syntax
* fix opt-make builds to actually be opt
* fix opt-static builds to actually be opt
* Remove extraneous assert
Update to NSS 3.109:
* Call BL_Init before RNG_RNGInit() so that special
SHA instructions can be used if available
* NSS policy updates - fix inaccurate key policy issues
* SMIME fuzz target
* ASN1 decoder fuzz target
* Part 2: Revert “Extract testcases from ssl gtests
for fuzzingâ€
* Add fuzz/README.md
* Part 4: Fix tstclnt arguments script
* Extend pkcs7 fuzz target
* Extend certDN fuzz target
* revert changes to HACL* files from bug 1866841
* Part 3: Package frida corpus script
Update to NSS 3.108:
* libclang-16 -> libclang-19
* Turn off Secure Email Trust Bit for Security
Communication ECC RootCA1
* Turn off Secure Email Trust Bit for BJCA Global Root
CA1 and BJCA Global Root CA2
* Remove SwissSign Silver CA – G2
* Add D-Trust 2023 TLS Roots to NSS
* fix fips test failure on windows
* change default sensitivity of KEM keys
* Part 1: Introduce frida hooks and script
* add missing arm_neon.h include to gcm.c
* ci: update windows workers to win2022
* strip trailing carriage returns in tools tests
* work around unix/windows path translation issues
in cert test script
* ci: let the windows setup script work without $m
* detect msys
* add a specialized CTR_Update variant for AES-GCM
* NSS policy updates
* FIPS changes need to be upstreamed: FIPS 140-3 RNG
* FIPS changes need to be upstreamed: Add SafeZero
* FIPS changes need to be upstreamed Updated POST
* Segmentation fault in SECITEM_Hash during pkcs12 processing
* Extending NSS with LoadModuleFromFunction functionality
* Ensure zero-initialization of collectArgs.cert
* pkcs7 fuzz target use CERT_DestroyCertificate
* Fix actual underlying ODR violations issue
* mozilla::pkix: allow reference ID labels to begin
and/or end with hyphens
* don't look for secmod.db in nssutil_ReadSecmodDB if
NSS_DISABLE_DBM is set
* Fix memory leak in pkcs7 fuzz target
* Set -O2 for ASan builds in CI
* Change branch of tlsfuzzer dependency
* Run tests in CI for ASan builds with detect_odr_violation=1
* Fix coverage failure in CI
* Add fuzzing for delegated credentials, DTLS short
header and Tls13BackendEch
* Add fuzzing for SSL_EnableTls13GreaseEch and
SSL_SetDtls13VersionWorkaround
* Part 3: Restructure fuzz/
* Extract testcases from ssl gtests for fuzzing
* Force Cryptofuzz to use NSS in CI
* Fix Cryptofuzz on 32 bit in CI
* Update Cryptofuzz repository link
* fix build error from 9505f79d
* simplify error handling in get_token_objects_for_cache
* nss doc: fix a warning
* pkcs12 fixes from RHEL need to be picked up
Update to NSS 3.107:
* Remove MPI fuzz targets.
* Remove globals `lockStatus` and `locksEverDisabled`.
* Enable PKCS8 fuzz target.
* Integrate Cryptofuzz in CI.
* Part 2: Set tls server target socket options in config class
* Part 1: Set tls client target socket options in config class
* Support building with thread sanitizer.
* set nssckbi version number to 2.72.
* remove Websites Trust Bit from Entrust Root
Certification Authority - G4.
* remove Security Communication RootCA3 root cert.
* remove SecureSign RootCA11 root cert.
* Add distrust-after for TLS to Entrust Roots.
* bmo#1927096 Update expected error code in pk12util pbmac1 tests.
* Use random tstclnt args with handshake collection script
* Remove extraneous assert in ssl3gthr.c.
* Adding missing release notes for NSS_3_105.
* Enable the disabled mlkem tests for dtls.
* NSS gtests filter cleans up the constucted buffer
before the use.
* Make ssl_SetDefaultsFromEnvironment thread-safe.
* Remove short circuit test from ssl_Init.
Update to NSS 3.106:
* NSS 3.106 should be distributed with NSPR 4.36.
* pk12util: improve error handling in p12U_ReadPKCS12File.
* Correctly destroy bulkkey in error scenario.
* PKCS7 fuzz target, r=djackson,nss-reviewers.
* Extract certificates with handshake collection script.
* Specify len_control for fuzz targets.
* Fix memory leak in dumpCertificatePEM.
* Fix UBSan errors for SECU_PrintCertificate and
SECU_PrintCertificateBasicInfo.
* add new error codes to mozilla::pkix for Firefox to use.
* allow null phKey in NSC_DeriveKey.
* Only create seed corpus zip from existing corpus.
* Use explicit allowlist for for KDF PRFS.
* Increase optimization level for fuzz builds.
* Remove incorrect assert.
* Use libFuzzer options from fuzz/options/\*.options in CI.
* Polish corpus collection for automation.
* Detect new and unfuzzed SSL options.
* PKCS12 fuzzing target.
Update to NSS 3.105:
* Allow importing PKCS#8 private EC keys missing public key
* UBSAN fix: applying zero offset to null pointer in sslsnce.c
* set KRML_MUSTINLINE=inline in makefile builds
* Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys
* override default definition of KRML_MUSTINLINE
* libssl support for mlkem768x25519
* support for ML-KEM-768 in softoken and pk11wrap
* Add Libcrux implementation of ML-KEM 768 to FreeBL
* Avoid misuse of ctype(3) functions
* part 2: run clang-format
* part 1: upgrade to clang-format 13
* clang-format fuzz
* DTLS client message buffer may not empty be on retransmit
* Optionally print config for TLS client and server
fuzz target
* Fix some simple documentation issues in NSS.
* improve performance of NSC_FindObjectsInit when
template has CKA_TOKEN attr
* define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN
Update to NSS 3.104:
* Copy original corpus to heap-allocated buffer
* Fix min ssl version for DTLS client fuzzer
* Remove OS2 support just like we did on NSPR
* clang-format NSS improvements
* Adding basicutil.h to use HexString2SECItem function
* removing dirent.c from build
* Allow handing in keymaterial to shlibsign to make
the output reproducible
* remove nec4.3, sunos4, riscos and SNI references
* remove other old OS (BSDI, old HP UX, NCR,
openunix, sco, unixware or reliantUnix
* remove mentions of WIN95
* remove mentions of WIN16
* More explicit directory naming
* Add more options to TLS server fuzz target
* Add more options to TLS client fuzz target
* Use OSS-Fuzz corpus in NSS CI
* set nssckbi version number to 2.70.
* Remove Email Trust bit from ACCVRAIZ1 root cert.
* Remove Email Trust bit from certSIGN ROOT CA.
* Add Cybertrust Japan Roots to NSS.
* Add Taiwan CA Roots to NSS.
* remove search by decoded serial in
nssToken_FindCertificateByIssuerAndSerialNumber
* Fix tstclnt CI build failure
* vfyserv: ensure peer cert chain is in db for
CERT_VerifyCertificateNow
* Enable all supported protocol versions for UDP
* Actually use random PSK hash type
* Initialize NSS DB once
* Additional ECH cipher suites and PSK hash types
* Automate corpus file generation for TLS client Fuzzer
* Fix crash with UNSAFE_FUZZER_MODE
* clang-format shlibsign.c
Update to NSS 3.103:
* move list size check after lock acquisition in sftk_PutObjectToList.
* Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH,
* Adjust libFuzzer size limits
* Add fuzzing support for SSL_SetCertificateCompressionAlgorithm,
SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk
* Add fuzzing support for SSL_ENABLE_GREASE and
SSL_ENABLE_CH_EXTENSION_PERMUTATION
- Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files)
- FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).
Update to NSS 3.102.1:
* ChaChaXor to return after the function
Update to NSS 3.102:
* Add Valgrind annotations to freebl Chacha20-Poly1305.
* missing sqlite header.
* GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
* improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling.
* correct length of raw SPKI data before printing in pp utility.
- Make NSS-build reproducible.
Use key from openssl (bsc#1081723)
- Exclude the SHA-1 hash from SLI approval.
mozilla-nspr was updated to version 4.36:
* renamed the prwin16.h header to prwin.h
* various build, test and automation script fixes
* major parts of the source code were reformatted
The following package changes have been done:
- kernel-default-base-5.14.21-150500.55.113.1.150500.6.53.1 updated
- mozilla-nspr-4.36-150000.3.32.1 updated
- container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.183 updated
More information about the sle-container-updates
mailing list