SUSE-CU-2025:5627-1: Security update of suse/manager/5.0/x86_64/server
sle-container-updates at lists.suse.com
Wed Jul 23 20:18:49 UTC 2025
SUSE Container Update Advisory: suse/manager/5.0/x86_64/server
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:5627-1
Container Tags : suse/manager/5.0/x86_64/server:5.0.5 , suse/manager/5.0/x86_64/server:5.0.5.7.30.1 , suse/manager/5.0/x86_64/server:latest
Container Release : 7.30.1
Severity : critical
Type : security
References : 1081723 1081723 1157520 1161007 1167603 1193951 1221107 1224113
1224113 1228776 1229655 1229825 1230282 1230403 1230908 1233371
1234608 1235847 1236565 1236621 1236779 1236877 1236910 1236931
1237294 1237710 1237770 1237938 1238173 1238320 1238514 1238827
1238922 1239119 1239154 1239558 1239559 1239602 1239604 1239621
1239743 1239744 1239747 1239801 1239817 1239826 1239868 1239903
1239907 1240010 1240023 1240038 1240050 1240076 1240124 1240131
1240160 1240386 1240604 1240635 1240666 1240901 1240984 1241034
1241094 1241239 1241286 1241455 1241490 1241667 1241880 1242004
1242010 1242030 1242135 1242148 1242561 1242722 1242827 1242844
1242916 1243226 1243239 1243241 1243268 1243292 1243375 1243385
1243460 1243721 1243724 1243765 1243767 1243772 1243815 1243821
1243825 1243935 1244135 1244325 1244554 1244555 1244557 1244561
1244564 1244565 1244566 1244567 1244568 1244570 1244571 1244572
1244574 1244575 1244590 1244596 1244649 1244656 1244657 1244663
1244700 1245005 1245222 1245274 1245275 1245309 1245310 1245311
1245314 1245368 1246119 1246431 CVE-2020-21913 CVE-2024-2236
CVE-2024-38822 CVE-2024-38823 CVE-2024-38824 CVE-2024-38825 CVE-2024-41965
CVE-2025-22236 CVE-2025-22237 CVE-2025-22238 CVE-2025-22239 CVE-2025-22240
CVE-2025-22241 CVE-2025-22242 CVE-2025-23392 CVE-2025-23393 CVE-2025-29768
CVE-2025-30258 CVE-2025-32462 CVE-2025-32463 CVE-2025-4373 CVE-2025-4565
CVE-2025-4598 CVE-2025-46701 CVE-2025-46809 CVE-2025-46811 CVE-2025-47287
CVE-2025-4877 CVE-2025-4878 CVE-2025-48964 CVE-2025-48976 CVE-2025-48988
CVE-2025-49125 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796 CVE-2025-5222
CVE-2025-5278 CVE-2025-5318 CVE-2025-5372 CVE-2025-6018 CVE-2025-6021
CVE-2025-6052 CVE-2025-6170
-----------------------------------------------------------------
The container suse/manager/5.0/x86_64/server was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2079-1
Released: Tue Jun 24 12:24:05 2025
Summary: Security update for icu
Type: security
Severity: important
References: 1161007,1167603,1193951,1243721,CVE-2020-21913,CVE-2025-5222
This update for icu fixes the following issues:
- CVE-2025-5222: Stack buffer overflow in the SRBRoot:addTag function (bsc#1243721).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2080-1
Released: Tue Jun 24 12:26:23 2025
Summary: Security update for pam-config
Type: security
Severity: important
References: 1243226,CVE-2025-6018
This update for pam-config fixes the following issues:
- CVE-2025-6018: Stop adding pam_env to the AUTH stack, and make sure this module is placed at the very end of the SESSION stack (bsc#1243226).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2159-1
Released: Fri Jun 27 16:56:02 2025
Summary: Security update for apache-commons-fileupload
Type: security
Severity: important
References: 1244657,CVE-2025-48976
This update for apache-commons-fileupload fixes the following issues:
Upgrade to upstream version 1.6.0
- CVE-2025-48976: Fixed insufficient limits on resource allocation for multipart headers, which could lead to a DoS (bsc#1244657).
Full changelog:
https://commons.apache.org/proper/commons-fileupload/changes.html#a1.6.0
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2167-1
Released: Mon Jun 30 09:14:40 2025
Summary: Security update for glib2
Type: security
Severity: important
References: 1242844,1244596,CVE-2025-4373,CVE-2025-6052
This update for glib2 fixes the following issues:
- CVE-2025-6052: Fixed an integer overflow in g_string_maybe_expand() that could lead to a buffer overflow in GString (bsc#1244596).
- CVE-2025-4373: Fixed a buffer underflow in glib/gstring.c via the function g_string_insert_unichar (bsc#1242844).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2177-1
Released: Mon Jun 30 19:53:04 2025
Summary: Security update for sudo
Type: security
Severity: important
References: 1245274,1245275,CVE-2025-32462,CVE-2025-32463
This update for sudo fixes the following issues:
- CVE-2025-32462: Fixed a possible local privilege escalation via the --host option (bsc#1245274).
- CVE-2025-32463: Fixed a possible local privilege escalation via the chroot option (bsc#1245275).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2215-1
Released: Thu Jul 3 12:01:42 2025
Summary: Recommended update for firewalld
Type: recommended
Severity: moderate
References:
This update for firewalld fixes the following issue:
Align with the up-to-date Python stack tools.
This update also ships python311-firewall and python311-dbus-python to the Python3 Module.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2226-1
Released: Fri Jul 4 15:31:04 2025
Summary: Security update for vim
Type: security
Severity: moderate
References: 1228776,1239602,CVE-2024-41965,CVE-2025-29768
This update for vim fixes the following issues:
- CVE-2024-41965: Fixed improper neutralization of argument delimiters in zip.vim that could have led to data loss (bsc#1228776).
- CVE-2025-29768: Fixed double-free in dialog_changed() (bsc#1239602).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372
This update for libssh fixes the following issues:
- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2237-1
Released: Mon Jul 7 14:59:13 2025
Summary: Recommended update for openssl-3
Type: recommended
Severity: moderate
References:
This update for openssl-3 fixes the following issues:
- Backport mdless cms signing support [jsc#PED-12895]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2239-1
Released: Mon Jul 7 15:32:03 2025
Summary: Recommended update for libbpf
Type: recommended
Severity: moderate
References: 1244135
This update for libbpf fixes the following issue:
- Workaround kernel module size increase, 6.15 modules are 2-4 times larger than 6.14's (bsc#1244135).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2240-1
Released: Mon Jul 7 18:16:10 2025
Summary: Recommended update for openssh
Type: recommended
Severity: moderate
References: 1241667
This update for openssh fixes the following issue:
- 'scp' on SLE 15 ignores write directory permissions for group and world (bsc#1241667).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2244-1
Released: Tue Jul 8 10:44:02 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1242827,1243935,CVE-2025-4598
This update for systemd fixes the following issues:
- CVE-2025-4598: Fixed race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935).
Other bugfixes:
- logs-show: get timestamp and boot ID only when necessary (bsc#1242827).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2259-1
Released: Wed Jul 9 17:18:02 2025
Summary: Recommended update for gpg2
Type: security
Severity: low
References: 1236931,1239119,1239817,CVE-2025-30258
This update for gpg2 fixes the following issues:
- CVE-2025-30258: Fixed DoS due to a malicious subkey in the keyring (bsc#1239119).
Other bugfixes:
- Do not install expired sks certificate (bsc#1243069).
- gpg hangs when importing a key (bsc#1236931).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2267-1
Released: Thu Jul 10 11:24:02 2025
Summary: Recommended update for sssd
Type: recommended
Severity: moderate
References: 1243385,1244325
This update for sssd fixes the following issues:
- Check if the memory cache fd was closed or hijacked (bsc#1243385).
- Build with openldap 2.5 which supports TLS channel binding.
- Install file in krb5.conf.d to include sssd krb5 config snippets (bsc#1244325)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2274-1
Released: Thu Jul 10 14:35:40 2025
Summary: Recommended update for mozilla-nspr, mozilla-nss
Type: recommended
Severity: moderate
References: 1081723,1224113
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.112:
* Fix alias for mac workers on try
* ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault
* ABI/API break in ssl certificate processing
* remove unnecessary assertion in sec_asn1d_init_state_based_on_template
* bmo#1965754 Update taskgraph to v14.2.1
* Workflow for automation of the release on GitHub when pushing a tag
* fix faulty assertions in SEC_ASN1DecoderUpdate
* Renegotiations should use a fresh ECH GREASE buffer
* bmo#1951396 Update taskgraph to v14.1.1
* Partial fix for ACVP build CI job
* Initialize find in sftk_searchDatabase
* Add clang-18 to extra builds
* Fault tolerant git fetch for fuzzing
* Tolerate intermittent failures in ssl_policy_pkix_ocsp
* fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set
* fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls
* Remove Cryptofuzz CI version check
Update to NSS 3.111:
* FIPS changes need to be upstreamed: force ems policy
* Turn off Websites Trust Bit from CAs
* Update nssckbi version following April 2025 Batch of Changes
* Disable SMIME "trust bit" for GoDaddy CAs
* Replaced deprecated sprintf function with snprintf in dbtool.c
* Need to update NSS for PKCS 3.1
* avoid leaking localCert if it is already set in ssl3_FillInCachedSID
* Decrease ASAN quarantine size for Cryptofuzz in CI
* selfserv: Add support for zlib certificate compression
Update to NSS 3.110:
* FIPS changes need to be upstreamed: force ems policy
* Prevent excess allocations in sslBuffer_Grow
* Remove Crl templates from ASN1 fuzz target
* Remove CERT_CrlTemplate from ASN1 fuzz target
* Fix memory leak in NSS_CMSMessage_IsSigned
* NSS policy updates
* Improve locking in nssPKIObject_GetInstances
* Fix race in sdb_GetMetaData
* Fix member access within null pointer
* Increase smime fuzzer memory limit
* Enable resumption when using custom extensions
* change CN of server12 test certificate
* Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle
* Part 1: Fix smime UBSan errors
* FIPS changes need to be upstreamed: updated key checks
* Don't build libpkix in static builds
* handle `-p all` in try syntax
* fix opt-make builds to actually be opt
* fix opt-static builds to actually be opt
* Remove extraneous assert
Update to NSS 3.109:
* Call BL_Init before RNG_RNGInit() so that special
SHA instructions can be used if available
* NSS policy updates - fix inaccurate key policy issues
* SMIME fuzz target
* ASN1 decoder fuzz target
* Part 2: Revert "Extract testcases from ssl gtests for fuzzing"
* Add fuzz/README.md
* Part 4: Fix tstclnt arguments script
* Extend pkcs7 fuzz target
* Extend certDN fuzz target
* revert changes to HACL* files from bug 1866841
* Part 3: Package frida corpus script
Update to NSS 3.108:
* libclang-16 -> libclang-19
* Turn off Secure Email Trust Bit for Security
Communication ECC RootCA1
* Turn off Secure Email Trust Bit for BJCA Global Root
CA1 and BJCA Global Root CA2
* Remove SwissSign Silver CA - G2
* Add D-Trust 2023 TLS Roots to NSS
* fix fips test failure on windows
* change default sensitivity of KEM keys
* Part 1: Introduce frida hooks and script
* add missing arm_neon.h include to gcm.c
* ci: update windows workers to win2022
* strip trailing carriage returns in tools tests
* work around unix/windows path translation issues
in cert test script
* ci: let the windows setup script work without $m
* detect msys
* add a specialized CTR_Update variant for AES-GCM
* NSS policy updates
* FIPS changes need to be upstreamed: FIPS 140-3 RNG
* FIPS changes need to be upstreamed: Add SafeZero
* FIPS changes need to be upstreamed Updated POST
* Segmentation fault in SECITEM_Hash during pkcs12 processing
* Extending NSS with LoadModuleFromFunction functionality
* Ensure zero-initialization of collectArgs.cert
* pkcs7 fuzz target use CERT_DestroyCertificate
* Fix actual underlying ODR violations issue
* mozilla::pkix: allow reference ID labels to begin
and/or end with hyphens
* don't look for secmod.db in nssutil_ReadSecmodDB if
NSS_DISABLE_DBM is set
* Fix memory leak in pkcs7 fuzz target
* Set -O2 for ASan builds in CI
* Change branch of tlsfuzzer dependency
* Run tests in CI for ASan builds with detect_odr_violation=1
* Fix coverage failure in CI
* Add fuzzing for delegated credentials, DTLS short
header and Tls13BackendEch
* Add fuzzing for SSL_EnableTls13GreaseEch and
SSL_SetDtls13VersionWorkaround
* Part 3: Restructure fuzz/
* Extract testcases from ssl gtests for fuzzing
* Force Cryptofuzz to use NSS in CI
* Fix Cryptofuzz on 32 bit in CI
* Update Cryptofuzz repository link
* fix build error from 9505f79d
* simplify error handling in get_token_objects_for_cache
* nss doc: fix a warning
* pkcs12 fixes from RHEL need to be picked up
Update to NSS 3.107:
* Remove MPI fuzz targets.
* Remove globals `lockStatus` and `locksEverDisabled`.
* Enable PKCS8 fuzz target.
* Integrate Cryptofuzz in CI.
* Part 2: Set tls server target socket options in config class
* Part 1: Set tls client target socket options in config class
* Support building with thread sanitizer.
* set nssckbi version number to 2.72.
* remove Websites Trust Bit from Entrust Root
Certification Authority - G4.
* remove Security Communication RootCA3 root cert.
* remove SecureSign RootCA11 root cert.
* Add distrust-after for TLS to Entrust Roots.
* bmo#1927096 Update expected error code in pk12util pbmac1 tests.
* Use random tstclnt args with handshake collection script
* Remove extraneous assert in ssl3gthr.c.
* Adding missing release notes for NSS_3_105.
* Enable the disabled mlkem tests for dtls.
* NSS gtests filter cleans up the constructed buffer before the use.
* Make ssl_SetDefaultsFromEnvironment thread-safe.
* Remove short circuit test from ssl_Init.
Update to NSS 3.106:
* NSS 3.106 should be distributed with NSPR 4.36.
* pk12util: improve error handling in p12U_ReadPKCS12File.
* Correctly destroy bulkkey in error scenario.
* PKCS7 fuzz target, r=djackson,nss-reviewers.
* Extract certificates with handshake collection script.
* Specify len_control for fuzz targets.
* Fix memory leak in dumpCertificatePEM.
* Fix UBSan errors for SECU_PrintCertificate and
SECU_PrintCertificateBasicInfo.
* add new error codes to mozilla::pkix for Firefox to use.
* allow null phKey in NSC_DeriveKey.
* Only create seed corpus zip from existing corpus.
* Use explicit allowlist for KDF PRFS.
* Increase optimization level for fuzz builds.
* Remove incorrect assert.
* Use libFuzzer options from fuzz/options/*.options in CI.
* Polish corpus collection for automation.
* Detect new and unfuzzed SSL options.
* PKCS12 fuzzing target.
Update to NSS 3.105:
* Allow importing PKCS#8 private EC keys missing public key
* UBSAN fix: applying zero offset to null pointer in sslsnce.c
* set KRML_MUSTINLINE=inline in makefile builds
* Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys
* override default definition of KRML_MUSTINLINE
* libssl support for mlkem768x25519
* support for ML-KEM-768 in softoken and pk11wrap
* Add Libcrux implementation of ML-KEM 768 to FreeBL
* Avoid misuse of ctype(3) functions
* part 2: run clang-format
* part 1: upgrade to clang-format 13
* clang-format fuzz
* DTLS client message buffer may not be empty on retransmit
* Optionally print config for TLS client and server
fuzz target
* Fix some simple documentation issues in NSS.
* improve performance of NSC_FindObjectsInit when
template has CKA_TOKEN attr
* define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN
Update to NSS 3.104:
* Copy original corpus to heap-allocated buffer
* Fix min ssl version for DTLS client fuzzer
* Remove OS2 support just like we did on NSPR
* clang-format NSS improvements
* Adding basicutil.h to use HexString2SECItem function
* removing dirent.c from build
* Allow handing in keymaterial to shlibsign to make
the output reproducible
* remove nec4.3, sunos4, riscos and SNI references
* remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix)
* remove mentions of WIN95
* remove mentions of WIN16
* More explicit directory naming
* Add more options to TLS server fuzz target
* Add more options to TLS client fuzz target
* Use OSS-Fuzz corpus in NSS CI
* set nssckbi version number to 2.70.
* Remove Email Trust bit from ACCVRAIZ1 root cert.
* Remove Email Trust bit from certSIGN ROOT CA.
* Add Cybertrust Japan Roots to NSS.
* Add Taiwan CA Roots to NSS.
* remove search by decoded serial in
nssToken_FindCertificateByIssuerAndSerialNumber
* Fix tstclnt CI build failure
* vfyserv: ensure peer cert chain is in db for
CERT_VerifyCertificateNow
* Enable all supported protocol versions for UDP
* Actually use random PSK hash type
* Initialize NSS DB once
* Additional ECH cipher suites and PSK hash types
* Automate corpus file generation for TLS client Fuzzer
* Fix crash with UNSAFE_FUZZER_MODE
* clang-format shlibsign.c
Update to NSS 3.103:
* move list size check after lock acquisition in sftk_PutObjectToList.
* Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH,
* Adjust libFuzzer size limits
* Add fuzzing support for SSL_SetCertificateCompressionAlgorithm,
SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk
* Add fuzzing support for SSL_ENABLE_GREASE and
SSL_ENABLE_CH_EXTENSION_PERMUTATION
- Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files)
- FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).
Update to NSS 3.102.1:
* ChaChaXor to return after the function
Update to NSS 3.102:
* Add Valgrind annotations to freebl Chacha20-Poly1305.
* missing sqlite header.
* GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
* improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling.
* correct length of raw SPKI data before printing in pp utility.
- Make NSS-build reproducible.
Use key from openssl (bsc#1081723)
- Exclude the SHA-1 hash from SLI approval.
mozilla-nspr was updated to version 4.36:
* renamed the prwin16.h header to prwin.h
* various build, test and automation script fixes
* major parts of the source code were reformatted
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2280-1
Released: Thu Jul 10 18:04:24 2025
Summary: Security update for tomcat
Type: security
Severity: important
References: 1242722,1243815,1244649,1244656,CVE-2025-46701,CVE-2025-48988,CVE-2025-49125
This update for tomcat fixes the following issues:
- CVE-2025-46701: Refactored the CGI servlet to access resources via WebResources (bsc#1243815).
- CVE-2025-48988: Limited the total number of parts in a multi-part request and the size of the headers provided with each part (bsc#1244656).
- CVE-2025-49125: Expanded the checks for webAppMount (bsc#1244649).
Other bugfixes:
- Made permissions more secure (bsc#1242722)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2301-1
Released: Mon Jul 14 11:48:57 2025
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1229655
This update for cyrus-sasl fixes the following issues:
- Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097)
- Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2311-1
Released: Tue Jul 15 11:15:48 2025
Summary: Security update for protobuf
Type: security
Severity: moderate
References: 1244663,CVE-2025-4565
This update for protobuf fixes the following issues:
- CVE-2025-4565: Fixed parsing of untrusted Protocol Buffers data containing an arbitrary number of recursive groups or messages, which could lead to a crash due to RecursionError (bsc#1244663).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2314-1
Released: Tue Jul 15 14:34:08 2025
Summary: Security update for libxml2
Type: security
Severity: important
References: 1244554,1244555,1244557,1244590,1244700,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170
This update for libxml2 fixes the following issues:
- CVE-2025-49794: Fixed a heap use after free which could lead to denial of service (bsc#1244554).
- CVE-2025-49796: Fixed a type confusion which could lead to denial of service (bsc#1244557).
- CVE-2025-49795: Fixed a null pointer dereference which could lead to denial of service (bsc#1244555).
- CVE-2025-6170: Fixed a stack buffer overflow which could lead to a crash (bsc#1244700).
- CVE-2025-6021: Fixed an integer overflow in xmlBuildQName() which could lead to a stack buffer overflow (bsc#1244590).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2323-1
Released: Wed Jul 16 04:07:18 2025
Summary: Recommended update for mozilla-nspr, mozilla-nss
Type: recommended
Severity: moderate
References: 1081723,1224113
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.112:
* Fix alias for mac workers on try
* ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault
* ABI/API break in ssl certificate processing
* remove unnecessary assertion in sec_asn1d_init_state_based_on_template
* update taskgraph to v14.2.1
* Workflow for automation of the release on GitHub when pushing a tag
* fix faulty assertions in SEC_ASN1DecoderUpdate
* Renegotiations should use a fresh ECH GREASE buffer
* update taskgraph to v14.1.1
* Partial fix for ACVP build CI job
* Initialize find in sftk_searchDatabase
* Add clang-18 to extra builds
* Fault tolerant git fetch for fuzzing
* Tolerate intermittent failures in ssl_policy_pkix_ocsp
* fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set
* fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls
* Remove Cryptofuzz CI version check
Update to NSS 3.111:
* FIPS changes need to be upstreamed: force ems policy
* Turn off Websites Trust Bit from CAs
* Update nssckbi version following April 2025 Batch of Changes
* Disable SMIME "trust bit" for GoDaddy CAs
* Replaced deprecated sprintf function with snprintf in dbtool.c
* Need to update NSS for PKCS 3.1
* avoid leaking localCert if it is already set in ssl3_FillInCachedSID
* Decrease ASAN quarantine size for Cryptofuzz in CI
* selfserv: Add support for zlib certificate compression
Update to NSS 3.110:
* FIPS changes need to be upstreamed: force ems policy
* Prevent excess allocations in sslBuffer_Grow
* Remove Crl templates from ASN1 fuzz target
* Remove CERT_CrlTemplate from ASN1 fuzz target
* Fix memory leak in NSS_CMSMessage_IsSigned
* NSS policy updates
* Improve locking in nssPKIObject_GetInstances
* Fix race in sdb_GetMetaData
* Fix member access within null pointer
* Increase smime fuzzer memory limit
* Enable resumption when using custom extensions
* change CN of server12 test certificate
* Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle
* Part 1: Fix smime UBSan errors
* FIPS changes need to be upstreamed: updated key checks
* Don't build libpkix in static builds
* handle `-p all` in try syntax
* fix opt-make builds to actually be opt
* fix opt-static builds to actually be opt
* Remove extraneous assert
Update to NSS 3.109:
* Call BL_Init before RNG_RNGInit() so that special
SHA instructions can be used if available
* NSS policy updates - fix inaccurate key policy issues
* SMIME fuzz target
* ASN1 decoder fuzz target
* Part 2: Revert "Extract testcases from ssl gtests for fuzzing"
* Add fuzz/README.md
* Part 4: Fix tstclnt arguments script
* Extend pkcs7 fuzz target
* Extend certDN fuzz target
* revert changes to HACL* files from bug 1866841
* Part 3: Package frida corpus script
Update to NSS 3.108:
* libclang-16 -> libclang-19
* Turn off Secure Email Trust Bit for Security
Communication ECC RootCA1
* Turn off Secure Email Trust Bit for BJCA Global Root
CA1 and BJCA Global Root CA2
* Remove SwissSign Silver CA - G2
* Add D-Trust 2023 TLS Roots to NSS
* fix fips test failure on windows
* change default sensitivity of KEM keys
* Part 1: Introduce frida hooks and script
* add missing arm_neon.h include to gcm.c
* ci: update windows workers to win2022
* strip trailing carriage returns in tools tests
* work around unix/windows path translation issues
in cert test script
* ci: let the windows setup script work without $m
* detect msys
* add a specialized CTR_Update variant for AES-GCM
* NSS policy updates
* FIPS changes need to be upstreamed: FIPS 140-3 RNG
* FIPS changes need to be upstreamed: Add SafeZero
* FIPS changes need to be upstreamed - updated POST
* Segmentation fault in SECITEM_Hash during pkcs12 processing
* Extending NSS with LoadModuleFromFunction functionality
* Ensure zero-initialization of collectArgs.cert
* pkcs7 fuzz target use CERT_DestroyCertificate
* Fix actual underlying ODR violations issue
* mozilla::pkix: allow reference ID labels to begin
and/or end with hyphens
* don't look for secmod.db in nssutil_ReadSecmodDB if
NSS_DISABLE_DBM is set
* Fix memory leak in pkcs7 fuzz target
* Set -O2 for ASan builds in CI
* Change branch of tlsfuzzer dependency
* Run tests in CI for ASan builds with detect_odr_violation=1
* Fix coverage failure in CI
* Add fuzzing for delegated credentials, DTLS short
header and Tls13BackendEch
* Add fuzzing for SSL_EnableTls13GreaseEch and
SSL_SetDtls13VersionWorkaround
* Part 3: Restructure fuzz/
* Extract testcases from ssl gtests for fuzzing
* Force Cryptofuzz to use NSS in CI
* Fix Cryptofuzz on 32 bit in CI
* Update Cryptofuzz repository link
* fix build error from 9505f79d
* simplify error handling in get_token_objects_for_cache
* nss doc: fix a warning
* pkcs12 fixes from RHEL need to be picked up
Update to NSS 3.107:
* Remove MPI fuzz targets.
* Remove globals `lockStatus` and `locksEverDisabled`.
* Enable PKCS8 fuzz target.
* Integrate Cryptofuzz in CI.
* Part 2: Set tls server target socket options in config class
* Part 1: Set tls client target socket options in config class
* Support building with thread sanitizer.
* set nssckbi version number to 2.72.
* remove Websites Trust Bit from Entrust Root
Certification Authority - G4.
* remove Security Communication RootCA3 root cert.
* remove SecureSign RootCA11 root cert.
* Add distrust-after for TLS to Entrust Roots.
* update expected error code in pk12util pbmac1 tests.
* Use random tstclnt args with handshake collection script
* Remove extraneous assert in ssl3gthr.c.
* Adding missing release notes for NSS_3_105.
* Enable the disabled mlkem tests for dtls.
* NSS gtests filter cleans up the constructed buffer before the use.
* Make ssl_SetDefaultsFromEnvironment thread-safe.
* Remove short circuit test from ssl_Init.
Update to NSS 3.106:
* NSS 3.106 should be distributed with NSPR 4.36.
* pk12util: improve error handling in p12U_ReadPKCS12File.
* Correctly destroy bulkkey in error scenario.
* PKCS7 fuzz target, r=djackson,nss-reviewers.
* Extract certificates with handshake collection script.
* Specify len_control for fuzz targets.
* Fix memory leak in dumpCertificatePEM.
* Fix UBSan errors for SECU_PrintCertificate and
SECU_PrintCertificateBasicInfo.
* add new error codes to mozilla::pkix for Firefox to use.
* allow null phKey in NSC_DeriveKey.
* Only create seed corpus zip from existing corpus.
* Use explicit allowlist for KDF PRFS.
* Increase optimization level for fuzz builds.
* Remove incorrect assert.
* Use libFuzzer options from fuzz/options/*.options in CI.
* Polish corpus collection for automation.
* Detect new and unfuzzed SSL options.
* PKCS12 fuzzing target.
Update to NSS 3.105:
* Allow importing PKCS#8 private EC keys missing public key
* UBSAN fix: applying zero offset to null pointer in sslsnce.c
* set KRML_MUSTINLINE=inline in makefile builds
* Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys
* override default definition of KRML_MUSTINLINE
* libssl support for mlkem768x25519
* support for ML-KEM-768 in softoken and pk11wrap
* Add Libcrux implementation of ML-KEM 768 to FreeBL
* Avoid misuse of ctype(3) functions
* part 2: run clang-format
* part 1: upgrade to clang-format 13
* clang-format fuzz
* DTLS client message buffer may not be empty on retransmit
* Optionally print config for TLS client and server
fuzz target
* Fix some simple documentation issues in NSS.
* improve performance of NSC_FindObjectsInit when
template has CKA_TOKEN attr
* define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN
Update to NSS 3.104:
* Copy original corpus to heap-allocated buffer
* Fix min ssl version for DTLS client fuzzer
* Remove OS2 support just like we did on NSPR
* clang-format NSS improvements
* Adding basicutil.h to use HexString2SECItem function
* removing dirent.c from build
* Allow handing in keymaterial to shlibsign to make
the output reproducible
* remove nec4.3, sunos4, riscos and SNI references
* remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix)
* remove mentions of WIN95
* remove mentions of WIN16
* More explicit directory naming
* Add more options to TLS server fuzz target
* Add more options to TLS client fuzz target
* Use OSS-Fuzz corpus in NSS CI
* set nssckbi version number to 2.70.
* Remove Email Trust bit from ACCVRAIZ1 root cert.
* Remove Email Trust bit from certSIGN ROOT CA.
* Add Cybertrust Japan Roots to NSS.
* Add Taiwan CA Roots to NSS.
* remove search by decoded serial in
nssToken_FindCertificateByIssuerAndSerialNumber
* Fix tstclnt CI build failure
* vfyserv: ensure peer cert chain is in db for
CERT_VerifyCertificateNow
* Enable all supported protocol versions for UDP
* Actually use random PSK hash type
* Initialize NSS DB once
* Additional ECH cipher suites and PSK hash types
* Automate corpus file generation for TLS client Fuzzer
* Fix crash with UNSAFE_FUZZER_MODE
* clang-format shlibsign.c
Update to NSS 3.103:
* move list size check after lock acquisition in sftk_PutObjectToList.
* Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH,
* Follow-up to fix test for presence of file nspr.patch.
* Adjust libFuzzer size limits
* Add fuzzing support for SSL_SetCertificateCompressionAlgorithm,
SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk
* Add fuzzing support for SSL_ENABLE_GREASE and
SSL_ENABLE_CH_EXTENSION_PERMUTATION
- Make the rpms reproducible, by using a hardcoded, static key to generate the checksums (*.chk-files)
- FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).
Update to NSS 3.102.1:
* ChaChaXor to return after the function
Update to NSS 3.102:
* Add Valgrind annotations to freebl Chacha20-Poly1305.
* missing sqlite header.
* GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
* improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling.
* correct length of raw SPKI data before printing in pp utility.
- Make the NSS build reproducible by using the key from openssl (bsc#1081723)
- FIPS: exclude the SHA-1 hash from SLI approval.
mozilla-nspr was updated to version 4.36:
* renamed the prwin16.h header to prwin.h
* configure was updated from 2.69 to 2.71
* various build, test and automation script fixes
* major parts of the source code were reformatted
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2344-1
Released: Thu Jul 17 13:09:02 2025
Summary: Recommended update for samba
Type: recommended
Severity: moderate
References: 1246431
This update for samba fixes the following issues:
- Windows security hardening locks out schannel'ed netlogon dc
calls like netr_DsRGetDCName (bsc#1246431).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278
This update for coreutils fixes the following issues:
- CVE-2025-5278: Fixed a heap buffer under-read that may lead to a crash or leak sensitive data (bsc#1243767).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2430-1
Released: Mon Jul 21 13:23:17 2025
Summary: Security update for iputils
Type: security
Severity: moderate
References: 1243772,CVE-2025-48964
This update for iputils fixes the following issues:
- CVE-2025-48964: Fixed an integer overflow in ping statistics via a zero timestamp (bsc#1243772).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2447-1
Released: Mon Jul 21 16:45:25 2025
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1221107,CVE-2024-2236
This update for libgcrypt fixes the following issues:
- CVE-2024-2236: Fixed a timing-based side-channel in the RSA implementation (bsc#1221107).
-----------------------------------------------------------------
Advisory ID: SUSE-Manager-5.0-2025-2478
Released: Wed Jul 23 14:39:10 2025
Summary: Security update for Multi-Linux Manager 5.0: Server, Proxy and Retail Server
Type: security
Severity: critical
References: 1157520,1229825,1230282,1230403,1230908,1233371,1234608,1235847,1236565,1236621,1236779,1236877,1236910,1237294,1237710,1237770,1237938,1238173,1238320,1238514,1238827,1238922,1239154,1239558,1239559,1239604,1239621,1239743,1239744,1239747,1239801,1239826,1239868,1239903,1239907,1240010,1240023,1240038,1240050,1240076,1240124,1240131,1240160,1240386,1240604,1240635,1240666,1240901,1240984,1241034,1241094,1241239,1241286,1241455,1241490,1241880,1242004,1242010,1242030,1242135,1242148,1242561,1242916,1243239,1243241,1243268,1243292,1243375,1243460,1243724,1243765,1243821,1243825,1244561,1244564,1244565,1244566,1244567,1244568,1244570,1244571,1244572,1244574,1244575,1245005,1245222,1245368,1246119,CVE-2024-38822,CVE-2024-38823,CVE-2024-38824,CVE-2024-38825,CVE-2025-22236,CVE-2025-22237,CVE-2025-22238,CVE-2025-22239,CVE-2025-22240,CVE-2025-22241,CVE-2025-22242,CVE-2025-23392,CVE-2025-23393,CVE-2025-46809,CVE-2025-46811,CVE-2025-47287
Security update for Multi-Linux Manager 5.0: Server, Proxy and Retail Branch Server:
This is a codestream-only update.
The following package changes have been done:
- libssh-config-0.9.8-150600.11.3.1 updated
- libglib-2_0-0-2.78.6-150600.4.16.1 updated
- libudev1-254.25-150600.4.40.1 updated
- libopenssl3-3.1.4-150600.5.33.1 updated
- libxml2-2-2.10.3-150500.5.29.1 updated
- libopenssl-3-fips-provider-3.1.4-150600.5.33.1 updated
- libssh4-0.9.8-150600.11.3.1 updated
- libgcrypt20-1.10.3-150600.3.9.1 updated
- gpg2-2.4.4-150600.3.9.1 updated
- libsasl2-3-2.1.28-150600.7.6.2 updated
- openssl-3-3.1.4-150600.5.33.1 updated
- pam-config-1.1-150600.16.8.1 updated
- libsystemd0-254.25-150600.4.40.1 updated
- systemd-254.25-150600.4.40.1 updated
- coreutils-8.32-150400.9.9.1 updated
- grafana-formula-5.0.0-150600.3.6.2 updated
- iputils-20221126-150500.3.14.1 updated
- libbpf1-1.2.2-150600.3.6.2 updated
- libfreebl3-3.112-150400.3.57.1 updated
- libgmodule-2_0-0-2.78.6-150600.4.16.1 updated
- libgobject-2_0-0-2.78.6-150600.4.16.1 updated
- libicu65_1-ledata-65.1-150200.4.15.1 updated
- libipa_hbac0-2.9.3-150600.3.25.1 updated
- libsss_idmap0-2.9.3-150600.3.25.1 updated
- libsss_nss_idmap0-2.9.3-150600.3.25.1 updated
- libxml2-tools-2.10.3-150500.5.29.1 updated
- mozilla-nspr-4.36-150000.3.32.1 updated
- openssh-common-9.6p1-150600.6.29.2 updated
- release-notes-susemanager-5.0.5-150600.11.39.1 updated
- sudo-1.9.15p5-150600.3.9.1 updated
- susemanager-schema-utility-5.0.15-150600.3.15.2 updated
- uyuni-config-modules-5.0.14-150600.3.15.2 updated
- vim-data-common-9.1.1406-150500.20.27.1 updated
- cyrus-sasl-2.1.28-150600.7.6.2 updated
- libicu-suse65_1-65.1-150200.4.15.1 updated
- libsss_certmap0-2.9.3-150600.3.25.1 updated
- mozilla-nss-certs-3.112-150400.3.57.1 updated
- openssh-fips-9.6p1-150600.6.29.2 updated
- susemanager-docs_en-5.0.4-150600.11.15.2 updated
- libgio-2_0-0-2.78.6-150600.4.16.1 updated
- glib2-tools-2.78.6-150600.4.16.1 updated
- spacewalk-java-lib-5.0.27-150600.3.33.1 updated
- vim-9.1.1406-150500.20.27.1 updated
- cyrus-sasl-gssapi-2.1.28-150600.7.6.2 updated
- cyrus-sasl-digestmd5-2.1.28-150600.7.6.2 updated
- openssh-server-9.6p1-150600.6.29.2 updated
- openssh-clients-9.6p1-150600.6.29.2 updated
- python3-uyuni-common-libs-5.0.7-150600.2.9.2 updated
- mozilla-nss-3.112-150400.3.57.1 updated
- libsoftokn3-3.112-150400.3.57.1 updated
- susemanager-docs_en-pdf-5.0.4-150600.11.15.2 updated
- susemanager-schema-5.0.15-150600.3.15.2 updated
- susemanager-sync-data-5.0.13-150600.3.22.2 updated
- openssh-9.6p1-150600.6.29.2 updated
- python3-libxml2-2.10.3-150500.5.29.1 updated
- sssd-ldap-2.9.3-150600.3.25.1 updated
- sssd-2.9.3-150600.3.25.1 updated
- sssd-krb5-common-2.9.3-150600.3.25.1 updated
- samba-client-libs-4.19.8+git.430.a10fe64854c-150600.3.18.2 updated
- susemanager-build-keys-15.5.3-150600.5.9.3 updated
- inter-server-sync-0.3.7-150600.3.6.2 updated
- spacecmd-5.0.13-150600.4.15.2 updated
- spacewalk-backend-sql-postgresql-5.0.14-150600.4.17.1 updated
- sssd-krb5-2.9.3-150600.3.25.1 updated
- sssd-dbus-2.9.3-150600.3.25.1 updated
- python3-sssd-config-2.9.3-150600.3.25.1 updated
- sssd-ad-2.9.3-150600.3.25.1 updated
- tomcat-servlet-4_0-api-9.0.106-150200.86.1 updated
- tomcat-el-3_0-api-9.0.106-150200.86.1 updated
- spacewalk-base-minimal-5.0.21-150600.3.27.7 updated
- susemanager-build-keys-web-15.5.3-150600.5.9.3 updated
- spacewalk-config-5.0.7-150600.3.12.2 updated
- sssd-tools-2.9.3-150600.3.25.1 updated
- sssd-ipa-2.9.3-150600.3.25.1 updated
- tomcat-jsp-2_3-api-9.0.106-150200.86.1 updated
- apache-commons-fileupload-1.6.0-150200.3.12.1 updated
- python3-firewall-2.0.1-150600.3.9.1 updated
- spacewalk-base-minimal-config-5.0.21-150600.3.27.7 updated
- tomcat-lib-9.0.106-150200.86.1 updated
- protobuf-java-25.1-150600.16.13.1 updated
- firewalld-2.0.1-150600.3.9.1 updated
- spacewalk-backend-5.0.14-150600.4.17.1 updated
- python3-spacewalk-client-tools-5.0.10-150600.4.12.4 updated
- spacewalk-client-tools-5.0.10-150600.4.12.4 updated
- spacewalk-base-5.0.21-150600.3.27.7 updated
- spacewalk-search-5.0.4-150600.3.6.2 updated
- subscription-matcher-0.40-150600.3.6.2 updated
- salt-3006.0-150600.8.5.4 updated
- python3-salt-3006.0-150600.8.5.4 updated
- spacewalk-backend-sql-5.0.14-150600.4.17.1 updated
- python3-spacewalk-certs-tools-5.0.10-150600.3.12.2 updated
- spacewalk-certs-tools-5.0.10-150600.3.12.2 updated
- spacewalk-admin-5.0.11-150600.3.11.2 updated
- tomcat-9.0.106-150200.86.1 updated
- salt-master-3006.0-150600.8.5.4 updated
- cobbler-3.3.3-150600.5.14.4 updated
- spacewalk-backend-server-5.0.14-150600.4.17.1 updated
- susemanager-sls-5.0.14-150600.3.15.2 updated
- spacewalk-java-postgresql-5.0.27-150600.3.33.1 updated
- spacewalk-java-config-5.0.27-150600.3.33.1 updated
- salt-api-3006.0-150600.8.5.4 updated
- spacewalk-backend-xmlrpc-5.0.14-150600.4.17.1 updated
- spacewalk-backend-xml-export-libs-5.0.14-150600.4.17.1 updated
- spacewalk-backend-package-push-server-5.0.14-150600.4.17.1 updated
- spacewalk-backend-iss-5.0.14-150600.4.17.1 updated
- spacewalk-backend-app-5.0.14-150600.4.17.1 updated
- saltboot-formula-0.1.1750679229.f368550-150600.3.6.2 updated
- spacewalk-reports-5.0.3-150600.3.3.2 updated
- spacewalk-html-5.0.21-150600.3.27.7 updated
- spacewalk-taskomatic-5.0.27-150600.3.33.1 updated
- spacewalk-java-5.0.27-150600.3.33.1 updated
- spacewalk-backend-iss-export-5.0.14-150600.4.17.1 updated
- susemanager-tools-5.0.13-150600.3.15.2 updated
- spacewalk-backend-tools-5.0.14-150600.4.17.1 updated
- spacewalk-utils-5.0.7-150600.3.9.2 updated
- susemanager-5.0.13-150600.3.15.2 updated
- container:suse-manager-5.0-init-5.0.5-5.0.5-7.21.12 added
- container:suse-manager-5.0-init-5.0.4.1-5.0.4.1-7.18.5 removed