SUSE-CU-2025:5625-1: Security update of suse/manager/5.0/x86_64/server-attestation

Wed Jul 23 20:18:33 UTC 2025

SUSE Container Update Advisory: suse/manager/5.0/x86_64/server-attestation
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5625-1
Container Tags        : suse/manager/5.0/x86_64/server-attestation:5.0.5 , suse/manager/5.0/x86_64/server-attestation:5.0.5.6.23.1 , suse/manager/5.0/x86_64/server-attestation:latest
Container Release     : 6.23.1
Severity              : critical
Type                  : security
References            : 1029961 1081723 1081723 1092100 1121753 1158830 1158830 1158830
                        1181475 1181976 1185417 1195468 1206412 1206798 1209122 1209122
                        1214290 1214290 1220338 1220893 1220895 1220896 1221107 1224113
                        1224113 1225936 1225939 1225941 1225942 1226414 1226415 1228091
                        1228223 1228809 1229228 1229518 1231048 1232227 1232844 1233752
                        1234015 1234015 1234313 1234765 1236177 1236643 1236842 1236886
                        1237496 1241605 1242827 1242844 1242938 1243259 1243767 1243935
                        1244596 CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125
                        CVE-2018-1126 CVE-2023-4016 CVE-2023-4016 CVE-2024-2236 CVE-2025-4373
                        CVE-2025-4598 CVE-2025-5278 CVE-2025-6052 
-----------------------------------------------------------------

The container suse/manager/5.0/x86_64/server-attestation was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2730-1
Released:    Mon Oct 21 16:04:57 2019
Summary:     Security update for procps
Type:        security
Severity:    important
References:  1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
This update for procps fixes the following issues:

procps was updated to 3.3.15. (bsc#1092100)

Following security issues were fixed:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top
  with HOME unset in an attacker-controlled directory, the attacker could have
  achieved privilege escalation by exploiting one of several vulnerabilities in
  the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow.
  Inbuilt protection in ps maped a guard page at the end of the overflowed
  buffer, ensuring that the impact of this flaw is limited to a crash (temporary
  denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap
  corruption in file2strvec function. This allowed a privilege escalation for a
  local attacker who can create entries in procfs by starting processes, which
  could result in crashes or arbitrary code execution in proc utilities run by
  other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was
  mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent
  truncation/integer overflow issues (bsc#1092100).

Also this non-security issue was fixed:

- Fix CPU summary showing old data. (bsc#1121753)

The update to 3.3.15 contains the following fixes:

* library: Increment to 8:0:1
  No removals, no new functions
  Changes: slab and pid structures
* library: Just check for SIGLOST and don't delete it
* library: Fix integer overflow and LPE in file2strvec   CVE-2018-1124
* library: Use size_t for alloc functions                CVE-2018-1126
* library: Increase comm size to 64
* pgrep: Fix stack-based buffer overflow                 CVE-2018-1125
* pgrep: Remove >15 warning as comm can be longer
* ps: Fix buffer overflow in output buffer, causing DOS  CVE-2018-1123
* ps: Increase command name selection field to 64
* top: Don't use cwd for location of config              CVE-2018-1122
* update translations
* library: build on non-glibc systems
* free: fix scaling on 32-bit systems
* Revert 'Support running with child namespaces'
* library: Increment to 7:0:1
  No changes, no removals
  New fuctions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
* doc: Document I idle state in ps.1 and top.1
* free: fix some of the SI multiples
* kill: -l space between name parses correctly
* library: dont use vm_min_free on non Linux
* library: don't strip off wchan prefixes (ps & top)
* pgrep: warn about 15+ char name only if -f not used
* pgrep/pkill: only match in same namespace by default
* pidof: specify separator between pids
* pkill: Return 0 only if we can kill process
* pmap: fix duplicate output line under '-x' option
* ps: avoid eip/esp address truncations
* ps: recognizes SCHED_DEADLINE as valid CPU scheduler
* ps: display NUMA node under which a thread ran
* ps: Add seconds display for cputime and time
* ps: Add LUID field
* sysctl: Permit empty string for value
* sysctl: Don't segv when file not available
* sysctl: Read and write large buffers
* top: add config file support for XDG specification
* top: eliminated minor libnuma memory leak
* top: show fewer memory decimal places (configurable)
* top: provide command line switch for memory scaling
* top: provide command line switch for CPU States
* top: provides more accurate cpu usage at startup
* top: display NUMA node under which a thread ran
* top: fix argument parsing quirk resulting in SEGV
* top: delay interval accepts non-locale radix point
* top: address a wishlist man page NLS suggestion
* top: fix potential distortion in 'Mem' graph display
* top: provide proper multi-byte string handling
* top: startup defaults are fully customizable
* watch: define HOST_NAME_MAX where not defined
* vmstat: Fix alignment for disk partition format
* watch: Support ANSI 39,49 reset sequences

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:225-1
Released:    Fri Jan 24 06:49:07 2020
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1158830
This update for procps fixes the following issues:

- Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2958-1
Released:    Tue Oct 20 12:24:55 2020
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1158830
This update for procps fixes the following issues:

- Fixes an issue when command 'ps -C' does not allow anymore an argument longer than 15 characters. (bsc#1158830)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1169-1
Released:    Tue Apr 13 15:01:42 2021
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  1181976
This update for procps fixes the following issues:

- Corrected a statement in the man page about processor pinning via taskset (bsc#1181976)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1549-1
Released:    Mon May 10 13:48:00 2021
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1185417
This update for procps fixes the following issues:

- Support up to 2048 CPU as well. (bsc#1185417)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:808-1
Released:    Fri Mar 11 06:07:58 2022
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1195468
This update for procps fixes the following issues:

- Stop registering signal handler for SIGURG, to avoid `ps` failure if
  someone sends such signal. Without the signal handler, SIGURG will
  just be ignored. (bsc#1195468)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2944-1
Released:    Wed Aug 31 05:39:14 2022
Summary:     Recommended update for procps
Type:        recommended
Severity:    important
References:  1181475
This update for procps fixes the following issues:

- Fix 'free' command reporting misleading 'used' value (bsc#1181475)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:181-1
Released:    Thu Jan 26 21:55:43 2023
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  1206412
This update for procps fixes the following issues:

- Improve memory handling/usage (bsc#1206412) 
- Make sure that correct library version is installed (bsc#1206412)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2104-1
Released:    Thu May  4 21:05:30 2023
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1209122
This update for procps fixes the following issue:

- Allow - as leading character to ignore possible errors on systctl entries (bsc#1209122)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3472-1
Released:    Tue Aug 29 10:55:16 2023
Summary:     Security update for procps
Type:        security
Severity:    low
References:  1214290,CVE-2023-4016
This update for procps fixes the following issues:

  - CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:11-1
Released:    Tue Jan  2 13:24:52 2024
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1029961,1158830,1206798,1209122
This update for procps fixes the following issues:

- Update procps to 3.3.17 (jsc#PED-3244 jsc#PED-6369)

- For support up to 2048 CPU as well (bsc#1185417)
- Allow `-Â´ as leading character to ignore possible errors on systctl entries (bsc#1209122)
- Get the first CPU summary correct (bsc#1121753)
- Enable pidof for SLE-15 as this is provided by sysvinit-tools
- Use a check on syscall __NR_pidfd_open to decide if
  the pwait tool and its manual page will be build
- Do not truncate output of w with option -n
- Prefer logind over utmp (jsc#PED-3144)
- Don't install translated man pages for non-installed binaries
  (uptime, kill).
- Fix directory for Ukrainian man pages translations.
- Move localized man pages to lang package.

- Update to procps-ng-3.3.17

  * library: Incremented to 8:3:0
    (no removals or additions, internal changes only)
  * all: properly handle utf8 cmdline translations
  * kill: Pass int to signalled process
  * pgrep: Pass int to signalled process
  * pgrep: Check sanity of SG_ARG_MAX
  * pgrep: Add older than selection
  * pidof: Quiet mode
  * pidof: show worker threads
  * ps.1: Mention stime alias
  * ps: check also match on truncated 16 char comm names
  * ps: Add exe output option
  * ps: A lot more sorting available
  * pwait: New command waits for a process
  * sysctl: Match systemd directory order
  * sysctl: Document directory order
  * top: ensure config file backward compatibility
  * top: add command line 'e' for symmetry with 'E'
  * top: add '4' toggle for two abreast cpu display
  * top: add '!' toggle for combining multiple cpus
  * top: fix potential SEGV involving -p switch
  * vmstat: Wide mode gives wider proc columns
  * watch: Add environment variable for interval
  * watch: Add no linewrap option
  * watch: Support more colors
  * free,uptime,slabtop: complain about extra ops

- Package translations in procps-lang.

- Fix pgrep: cannot allocate 4611686018427387903 bytes when ulimit -s is unlimited.

- Enable pidof by default

- Update to procps-ng-3.3.16

  * library: Increment to 8:2:0

    No removals or functions
    Internal changes only, so revision is incremented.
    Previous version should have been 8:1:0 not 8:0:1

  * docs: Use correct symbols for -h option in free.1
  * docs: ps.1 now warns about command name length
  * docs: install translated man pages
  * pgrep: Match on runstate
  * snice: Fix matching on pid
  * top: can now exploit 256-color terminals
  * top: preserves 'other filters' in configuration file
  * top: can now collapse/expand forest view children
  * top: parent %CPU time includes collapsed children
  * top: improve xterm support for vim navigation keys
  * top: avoid segmentation fault at program termination
  * 'ps -C' does not allow anymore an argument longer than 15 characters (bsc#1158830)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2239-1
Released:    Wed Jun 26 13:09:10 2024
Summary:     Recommended update for systemd
Type:        recommended
Severity:    critical
References:  1226415
This update for systemd contains the following fixes:

- testsuite: move a misplaced %endif

- Do not remove existing configuration files in /etc. If these files were
  modified on the systemd, that may cause unwanted side effects (bsc#1226415).

- Import upstream commit (merge of v254.13)
  Use the pty slave fd opened from the namespace when transient service is running in a container.
  This revert the backport of the broken commit until a fix is released in the v254-stable tree.

- Import upstream commit (merge of v254.11)
  For a complete list of changes, visit:
  https://github.com/openSUSE/systemd/compare/e8d77af4240894da620de74fbc7823aaaa448fef...85db84ee440eac202c4b5507e96e1704269179bc

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2024:2282-1
Released:    Tue Jul  2 22:41:28 2024
Summary:     Optional update for openscap, scap-security-guide
Type:        optional
Severity:    moderate
References:  

This update for scap-security-guide and openscap provides the SCAP tooling
for SLE Micro 5.3, 5.4, 5.5.

This includes shipping openscap dependencies libxmlsec1-1 and libxmlsec1-openssl for SLE Micro.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2641-1
Released:    Tue Jul 30 09:29:36 2024
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  
This update for systemd fixes the following issues:

systemd was updated from version 254.13 to version 254.15:

- Changes in version 254.15:

  * boot: cover for hardware keys on phones/tablets
  * Conditional PSI check to reflect changes done in 5.13
  * core/dbus-manager: refuse SoftReboot() for user managers
  * core/exec-invoke: reopen OpenFile= fds with O_NOCTTY
  * core/exec-invoke: use sched_setattr instead of sched_setscheduler
  * core/unit: follow merged units before updating SourcePath= timestamp too
  * coredump: correctly take tmpfs size into account for compression
  * cryptsetup: improve TPM2 blob display
  * docs: Add section to HACKING.md on distribution packages
  * docs: fixed dead link to GNOME documentation
  * docs/CODING_STYLE: document that we nowadays prefer (const char*) for func ret type
  * Fixed typo in CAP_BPF description
  * LICENSES/README: expand text to summarize state for binaries and libs
  * man: fully adopt ~/.local/state/
  * man/systemd.exec: list inaccessible files for ProtectKernelTunables
  * man/tmpfiles: remove outdated behavior regarding symlink ownership
  * meson: bpf: propagate 'sysroot' for cross compilation
  * meson: Define __TARGET_ARCH macros required by bpf
  * mkfs-util: Set sector size for btrfs as well
  * mkosi: drop CentOS 8 from CI
  * mkosi: Enable hyperscale-packages-experimental for CentOS
  * mountpoint-util: do not assume symlinks are not mountpoints
  * os-util: avoid matching on the wrong extension-release file
  * README: add missing CONFIG_MEMCG kernel config option for oomd
  * README: update requirements for signed dm-verity
  * resolved: allow the full TTL to be used by OPT records
  * resolved: correct parsing of OPT extended RCODEs
  * sysusers: handle NSS errors gracefully
  * TEST-58-REPART: reverse order of diff args
  * TEST-64-UDEV-STORAGE: Make nvme_subsystem expected pci symlinks more generic
  * test: fixed TEST-24-CRYPTSETUP on SUSE
  * test: install /etc/hosts
  * Use consistent spelling of systemd.condition_first_boot argument
  * util: make file_read() 64bit offset safe
  * vmm: make sure we can handle smbios objects without variable part

- Changes in version 254.14:

  * analyze: show pcrs also in sha384 bank
  * chase: Tighten '.' and './' check
  * core/service: fixed accept-socket deserialization
  * efi-api: check /sys/class/tpm/tpm0/tpm_version_major, too
  * executor: check for all permission related errnos when setting up IPC namespace
  * install: allow removing symlinks even for units that are gone
  * json: use secure un{base64,hex}mem for sensitive variants
  * man,units: drop 'temporary' from description of systemd-tmpfiles
  * missing_loop.h: fixed LOOP_SET_STATUS_SETTABLE_FLAGS
  * repart: fixed memory leak
  * repart: Use CRYPT_ACTIVATE_PRIVATE
  * resolved: permit dnssec rrtype questions when we aren't validating
  * rules: Limit the number of device units generated for serial ttys
  * run: do not pass the pty slave fd to transient service in a machine
  * sd-dhcp-server: clear buffer before receive
  * strbuf: use GREEDY_REALLOC to grow the buffer

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3512-1
Released:    Wed Oct  2 18:14:56 2024
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1226414,1228091,1228223,1228809,1229518
This update for systemd fixes the following issues:

- Determine the effective user limits in a systemd setup (jsc#PED-5659)
- Don't try to restart the udev socket units anymore. (bsc#1228809).
- Add systemd.rules rework (bsc#1229518).
- Don't mention any rpm macros inside comments, even if escaped (bsc#1228091).
- upstream commit (bsc#1226414).
- Make the 32bit version of libudev.so available again (bsc#1228223).
- policykit-1 renamed to polkitd

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4337-1
Released:    Tue Dec 17 08:17:39 2024
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1231048,1232844
This update for systemd fixes the following issues:

- udev: skipping empty udev rules file while collecting the stats (bsc#1232844)
- Clean up some remnants from when homed was in the experimental sub-package (bsc#1231048)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:10-1
Released:    Fri Jan  3 14:53:56 2025
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1220338,1232227,1234015
This update for systemd fixes the following issues:

- Drop support for efivar SystemdOptions (bsc#1220338)
- pid1: make clear that $WATCHDOG_USEC is set for the shutdown binary (bsc#1232227)
- udev: allow/denylist for reading sysfs attributes when composing a NIC name (bsc#1234015)
- udev: add new builtin net_driver
- udev-builtin-net_id: split-out pci_get_onboard_index() from dev_pci_onboard()
- udev-builtin-net_id: split-out get_pci_slot_specifiers()
- udev-builtin-net_id: introduce get_port_specifier() helper function
- udev-builtin-net_id: split out get_dev_port() and make its failure critical
- udev-builtin-net_id: split-out pci_get_hotplug_slot() and pci_get_hotplug_slot_from_address()
- udev-builtin-net_id: return earlier when hotplug slot is not found
- udev-builtin-net_id: skip non-directory entry earlier
- udev-builtin-net_id: make names_xen() self-contained
- udev-builtin-net_id: use sd_device_get_sysnum() to get index of netdevsim
- udev-builtin-net_id: make names_netdevsim() self-contained
- udev-builtin-net_id: make names_platform() self-contained
- udev-builtin-net_id: make names_vio() self-contained
- udev-builtin-net_id: make names_ccw() self-contained
- udev-builtin-net_id: make dev_devicetree_onboard() self-contained
- udev-builtin-net_id: make names_mac() self-contained
- udev-builtin-net_id: split out get_ifname_prefix()
- udev-builtin-net_id: swap arguments for streq() and friends
- udev-builtin-net_id: drop unused value from NetNameType

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:547-1
Released:    Fri Feb 14 08:26:30 2025
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1229228,1233752,1234313,1234765
This update for systemd fixes the following issues:

- Fix agetty failing to open credentials directory (bsc#1229228)
- stdio-bridge: fix polled fds
- hwdb: comment out the entry for Logitech MX Keys for Mac
- core/unit-serialize: fix serialization of markers
- locale-setup: do not load locale from environemnt when /etc/locale.conf is unchanged
- core: fix assert when AddDependencyUnitFiles is called with invalid parameter
- Fix systemd-network recommending libidn2-devel (bsc#1234765) 
- tpm2-util: also retry unsealing after policy_pcr returns PCR_CHANGED (bsc#1233752 bsc#1234313)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:741-1
Released:    Fri Feb 28 11:15:50 2025
Summary:     Security update for procps
Type:        security
Severity:    important
References:  1214290,1236842,CVE-2023-4016
This update for procps fixes the following issues:

- Integer overflow due to incomplete fix for CVE-2023-4016 can lead to segmentation fault in ps command when pid
  argument has a leading space (bsc#1236842, bsc#1214290).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:915-1
Released:    Wed Mar 19 08:04:05 2025
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1220893,1220895,1220896,1225936,1225939,1225941,1225942
This update for libgcrypt fixes the following issues:

- FIPS: Differentiate non-compliant flags in the SLI [bsc#1225939]
- FIPS: Implement KAT for non-deterministic ECDSA [bsc#1225939]
- FIPS: Disable setting the library in non-FIPS mode [bsc#1220893]
- FIPS: Disallow rsa < 2048 [bsc#1225941]
  * Mark RSA operations with keysize < 2048 as non-approved in the SLI
- FIPS: Service level indicator for libgcrypt [bsc#1225939]
- FIPS: Consider deprecate sha1 [bsc#1225942]
  * In FIPS 180-5 revision, NIST announced EOL for SHA-1 and will
    transition at the end of 2030. Mark SHA1 as non-approved in SLI.
- FIPS: Unnecessary RSA KAT Encryption/Decryption [bsc#1225936]
  * cipher: Do not run RSA encryption selftest by default
- FIPS: Make sure that Libgcrypt makes use of the built-in Jitter RNG
  for the whole length entropy buffer in FIPS mode. [bsc#1220893]
- FIPS: Set the FSM into error state if Jitter RNG is returning an
  error code to the caller when an health test error occurs when
  random bytes are requested through the jent_read_entropy_safe()
  function. [bsc#1220895]
- FIPS: Replace the built-in jitter rng with standalone version
  * Remove the internal jitterentropy copy [bsc#1220896]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1016-1
Released:    Tue Mar 25 15:59:05 2025
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1234015,1236643,1236886
This update for systemd fixes the following issues:

- udev: allow/denylist for reading sysfs attributes when composing a NIC name (bsc#1234015)
- journald: close runtime journals before their parent directory removed
- journald: reset runtime seqnum data when flushing to system journal (bsc#1236886)
- Move systemd-userwork from the experimental sub-package to the main package (bsc#1236643)
  It is likely an oversight from when systemd-userdb was migrated from the
  experimental package to the main one.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1376-1
Released:    Fri Apr 25 18:11:02 2025
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1241605
This update for libgcrypt fixes the following issues:

- FIPS: Pad PKCS1.5 signatures with SHA3 correctly [bsc#1241605]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1739-1
Released:    Thu May 29 11:40:51 2025
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1236177,1237496,1242938,1243259
This update for systemd fixes the following issues:

- Add missing 'systemd-journal-remote' package
  to 15-SP7 (bsc#1243259)
- umount: do not move busy network mounts (bsc#1236177)
- Apply coredump sysctl settings on systemd-coredump updates/removals.
- Fix the issue with journalctl not working
  for users in Container UID range (bsc#1242938)
  Don't write messages sent from users with UID falling into the container UID
  range to the system journal. Daemons in the container don't talk to the
  outside journald as they talk to the inner one directly, which does its
  journal splitting based on shifted uids.
- man/pstore.conf: pstore.conf template is not always installed in /etc
- man: coredump.conf template is not always installed in /etc (bsc#1237496)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2167-1
Released:    Mon Jun 30 09:14:40 2025
Summary:     Security update for glib2
Type:        security
Severity:    important
References:  1242844,1244596,CVE-2025-4373,CVE-2025-6052
This update for glib2 fixes the following issues:

- CVE-2025-6052: Fixed integer overflow in g_string_maybe_expand() leads to potential buffer overflow in GString (bsc#1244596).
- CVE-2025-4373: Fixed buffer underflow through glib/gstring.c via function g_string_insert_unichar (bsc#1242844).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2237-1
Released:    Mon Jul  7 14:59:13 2025
Summary:     Recommended update for openssl-3
Type:        recommended
Severity:    moderate
References:  
This update for openssl-3 fixes the following issues:

- Backport mdless cms signing support [jsc#PED-12895]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released:    Tue Jul  8 10:44:02 2025
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1242827,1243935,CVE-2025-4598
This update for systemd fixes the following issues:

- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).

Other bugfixes:

- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2274-1
Released:    Thu Jul 10 14:35:40 2025
Summary:     Recommended update for mozilla-nspr, mozilla-nss
Type:        recommended
Severity:    moderate
References:  1081723,1224113
This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to NSS 3.112:

   * Fix alias for mac workers on try
   * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault
   * ABI/API break in ssl certificate processing
   * remove unnecessary assertion in sec_asn1d_init_state_based_on_template
   * bmo#1965754 Update taskgraph to v14.2.1
   * Workflow for automation of the release on GitHub when pushing a tag
   * fix faulty assertions in SEC_ASN1DecoderUpdate
   * Renegotiations should use a fresh ECH GREASE buffer
   * bmo#1951396 Update taskgraph to v14.1.1
   * Partial fix for ACVP build CI job
   * Initialize find in sftk_searchDatabase
   * Add clang-18 to extra builds
   * Fault tolerant git fetch for fuzzing
   * Tolerate intermittent failures in ssl_policy_pkix_ocsp
   * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set
   * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls
   * Remove Cryptofuzz CI version check

Update to NSS 3.111:

  * FIPS changes need to be upstreamed: force ems policy
  * Turn off Websites Trust Bit from CAs
  * Update nssckbi version following April 2025 Batch of Changes
  * Disable SMIME â€˜trust bitâ€™ for GoDaddy CAs
  * Replaced deprecated sprintf function with snprintf in dbtool.c
  * Need up update NSS for PKCS 3.1
  * avoid leaking localCert if it is already set in ssl3_FillInCachedSID
  * Decrease ASAN quarantine size for Cryptofuzz in CI
  * selfserv: Add support for zlib certificate compression

Update to NSS 3.110:

  * FIPS changes need to be upstreamed: force ems policy
  * Prevent excess allocations in sslBuffer_Grow
  * Remove Crl templates from ASN1 fuzz target
  * Remove CERT_CrlTemplate from ASN1 fuzz target
  * Fix memory leak in NSS_CMSMessage_IsSigned
  * NSS policy updates
  * Improve locking in nssPKIObject_GetInstances
  * Fix race in sdb_GetMetaData
  * Fix member access within null pointer
  * Increase smime fuzzer memory limit
  * Enable resumption when using custom extensions
  * change CN of server12 test certificate
  * Part 2: Add missing check in
                  NSS_CMSDigestContext_FinishSingle
  * Part 1: Fix smime UBSan errors
  * FIPS changes need to be upstreamed: updated key checks
  * Don't build libpkix in static builds
  * handle `-p all` in try syntax
  * fix opt-make builds to actually be opt
  * fix opt-static builds to actually be opt
  * Remove extraneous assert

Update to NSS 3.109:

  * Call BL_Init before RNG_RNGInit() so that special
                  SHA instructions can be used if available
  * NSS policy updates - fix inaccurate key policy issues
  * SMIME fuzz target
  * ASN1 decoder fuzz target
  * Part 2: Revert â€œExtract testcases from ssl gtests
                  for fuzzingâ€
  * Add fuzz/README.md
  * Part 4: Fix tstclnt arguments script
  * Extend pkcs7 fuzz target
  * Extend certDN fuzz target
  * revert changes to HACL* files from bug 1866841
  * Part 3: Package frida corpus script

Update to NSS 3.108:

  * libclang-16 -> libclang-19
  * Turn off Secure Email Trust Bit for Security
                  Communication ECC RootCA1
  * Turn off Secure Email Trust Bit for BJCA Global Root
                  CA1 and BJCA Global Root CA2
  * Remove SwissSign Silver CA â€“ G2
  * Add D-Trust 2023 TLS Roots to NSS
  * fix fips test failure on windows
  * change default sensitivity of KEM keys
  * Part 1: Introduce frida hooks and script
  * add missing arm_neon.h include to gcm.c
  * ci: update windows workers to win2022
  * strip trailing carriage returns in tools tests
  * work around unix/windows path translation issues
                  in cert test script
  * ci: let the windows setup script work without $m
  * detect msys
  * add a specialized CTR_Update variant for AES-GCM
  * NSS policy updates
  * FIPS changes need to be upstreamed: FIPS 140-3 RNG
  * FIPS changes need to be upstreamed: Add SafeZero
  * FIPS changes need to be upstreamed Updated POST
  * Segmentation fault in SECITEM_Hash during pkcs12 processing
  * Extending NSS with LoadModuleFromFunction functionality
  * Ensure zero-initialization of collectArgs.cert
  * pkcs7 fuzz target use CERT_DestroyCertificate
  * Fix actual underlying ODR violations issue
  * mozilla::pkix: allow reference ID labels to begin
                  and/or end with hyphens
  * don't look for secmod.db in nssutil_ReadSecmodDB if
                  NSS_DISABLE_DBM is set
  * Fix memory leak in pkcs7 fuzz target
  * Set -O2 for ASan builds in CI
  * Change branch of tlsfuzzer dependency
  * Run tests in CI for ASan builds with detect_odr_violation=1
  * Fix coverage failure in CI
  * Add fuzzing for delegated credentials, DTLS short
                  header and Tls13BackendEch
  * Add fuzzing for SSL_EnableTls13GreaseEch and
                  SSL_SetDtls13VersionWorkaround
  * Part 3: Restructure fuzz/
  * Extract testcases from ssl gtests for fuzzing
  * Force Cryptofuzz to use NSS in CI
  * Fix Cryptofuzz on 32 bit in CI
  * Update Cryptofuzz repository link
  * fix build error from 9505f79d
  * simplify error handling in get_token_objects_for_cache
  * nss doc: fix a warning
  * pkcs12 fixes from RHEL need to be picked up

Update to NSS 3.107:

  * Remove MPI fuzz targets.
  * Remove globals `lockStatus` and `locksEverDisabled`.
  * Enable PKCS8 fuzz target.
  * Integrate Cryptofuzz in CI.
  * Part 2: Set tls server target socket options in config class
  * Part 1: Set tls client target socket options in config class
  * Support building with thread sanitizer.
  * set nssckbi version number to 2.72.
  * remove Websites Trust Bit from Entrust Root
                  Certification Authority - G4.
  * remove Security Communication RootCA3 root cert.
  * remove SecureSign RootCA11 root cert.
  * Add distrust-after for TLS to Entrust Roots.
  * bmo#1927096 Update expected error code in pk12util pbmac1 tests.
  * Use random tstclnt args with handshake collection script
  * Remove extraneous assert in ssl3gthr.c.
  * Adding missing release notes for NSS_3_105.
  * Enable the disabled mlkem tests for dtls.
  * NSS gtests filter cleans up the constucted buffer
                  before the use.
  * Make ssl_SetDefaultsFromEnvironment thread-safe.
  * Remove short circuit test from ssl_Init.

Update to NSS 3.106:

  * NSS 3.106 should be distributed with NSPR 4.36.
  * pk12util: improve error handling in p12U_ReadPKCS12File.
  * Correctly destroy bulkkey in error scenario.
  * PKCS7 fuzz target, r=djackson,nss-reviewers.
  * Extract certificates with handshake collection script.
  * Specify len_control for fuzz targets.
  * Fix memory leak in dumpCertificatePEM.
  * Fix UBSan errors for SECU_PrintCertificate and
                  SECU_PrintCertificateBasicInfo.
  * add new error codes to mozilla::pkix for Firefox to use.
  * allow null phKey in NSC_DeriveKey.
  * Only create seed corpus zip from existing corpus.
  * Use explicit allowlist for for KDF PRFS.
  * Increase optimization level for fuzz builds.
  * Remove incorrect assert.
  * Use libFuzzer options from fuzz/options/\*.options in CI.
  * Polish corpus collection for automation.
  * Detect new and unfuzzed SSL options.
  * PKCS12 fuzzing target.

Update to NSS 3.105:

  * Allow importing PKCS#8 private EC keys missing public key
  * UBSAN fix: applying zero offset to null pointer in sslsnce.c
  * set KRML_MUSTINLINE=inline in makefile builds
  * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys
  * override default definition of KRML_MUSTINLINE
  * libssl support for mlkem768x25519
  * support for ML-KEM-768 in softoken and pk11wrap
  * Add Libcrux implementation of ML-KEM 768 to FreeBL
  * Avoid misuse of ctype(3) functions
  * part 2: run clang-format
  * part 1: upgrade to clang-format 13
  * clang-format fuzz
  * DTLS client message buffer may not empty be on retransmit
  * Optionally print config for TLS client and server
                  fuzz target
  * Fix some simple documentation issues in NSS.
  * improve performance of NSC_FindObjectsInit when
                  template has CKA_TOKEN attr
  * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN

Update to NSS 3.104:

  * Copy original corpus to heap-allocated buffer
  * Fix min ssl version for DTLS client fuzzer
  * Remove OS2 support just like we did on NSPR
  * clang-format NSS improvements
  * Adding basicutil.h to use HexString2SECItem function
  * removing dirent.c from build
  * Allow handing in keymaterial to shlibsign to make
                  the output reproducible
  * remove nec4.3, sunos4, riscos and SNI references
  * remove other old OS (BSDI, old HP UX, NCR,
                  openunix, sco, unixware or reliantUnix
  * remove mentions of WIN95
  * remove mentions of WIN16
  * More explicit directory naming
  * Add more options to TLS server fuzz target
  * Add more options to TLS client fuzz target
  * Use OSS-Fuzz corpus in NSS CI
  * set nssckbi version number to 2.70.
  * Remove Email Trust bit from ACCVRAIZ1 root cert.
  * Remove Email Trust bit from certSIGN ROOT CA.
  * Add Cybertrust Japan Roots to NSS.
  * Add Taiwan CA Roots to NSS.
  * remove search by decoded serial in
                  nssToken_FindCertificateByIssuerAndSerialNumber
  * Fix tstclnt CI build failure
  * vfyserv: ensure peer cert chain is in db for
                  CERT_VerifyCertificateNow
  * Enable all supported protocol versions for UDP
  * Actually use random PSK hash type
  * Initialize NSS DB once
  * Additional ECH cipher suites and PSK hash types
  * Automate corpus file generation for TLS client Fuzzer
  * Fix crash with UNSAFE_FUZZER_MODE
  * clang-format shlibsign.c

Update to NSS 3.103:

  * move list size check after lock acquisition in sftk_PutObjectToList.
  * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH,
  * Adjust libFuzzer size limits
  * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm,
                  SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk
  * Add fuzzing support for SSL_ENABLE_GREASE and
                  SSL_ENABLE_CH_EXTENSION_PERMUTATION

- Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files)
- FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).

Update to NSS 3.102.1:

  * ChaChaXor to return after the function

Update to NSS 3.102:

  * Add Valgrind annotations to freebl Chacha20-Poly1305.
  * missing sqlite header.
  * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
  * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling.
  * correct length of raw SPKI data before printing in pp utility.

- Make NSS-build reproducible.
  Use key from openssl (bsc#1081723)

- Exclude the SHA-1 hash from SLI approval.

mozilla-nspr was updated to version 4.36:

  * renamed the prwin16.h header to prwin.h
  * various build, test and automation script fixes
  * major parts of the source code were reformatted

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2323-1
Released:    Wed Jul 16 04:07:18 2025
Summary:     Recommended update for mozilla-nspr, mozilla-nss
Type:        recommended
Severity:    moderate
References:  1081723,1224113
This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to NSS 3.112:

   * Fix alias for mac workers on try
   * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault
   * ABI/API break in ssl certificate processing
   * remove unnecessary assertion in sec_asn1d_init_state_based_on_template
   * update taskgraph to v14.2.1
   * Workflow for automation of the release on GitHub when pushing a tag
   * fix faulty assertions in SEC_ASN1DecoderUpdate
   * Renegotiations should use a fresh ECH GREASE buffer
   * update taskgraph to v14.1.1
   * Partial fix for ACVP build CI job
   * Initialize find in sftk_searchDatabase
   * Add clang-18 to extra builds
   * Fault tolerant git fetch for fuzzing
   * Tolerate intermittent failures in ssl_policy_pkix_ocsp
   * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set
   * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls
   * Remove Cryptofuzz CI version check