SUSE-IU-2025:2147-1: Security update of suse/sl-micro/6.0/base-os-container

sle-container-updates at lists.suse.com
Wed Jul 30 07:06:22 UTC 2025


SUSE Image Update Advisory: suse/sl-micro/6.0/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:2147-1
Image Tags        : suse/sl-micro/6.0/base-os-container:2.1.3 , suse/sl-micro/6.0/base-os-container:2.1.3-7.30 , suse/sl-micro/6.0/base-os-container:latest
Image Release     : 7.30
Severity          : important
Type              : security
References        : 1229163 1229164 1233606 1233608 1233609 1233610 1233612 1233613
                        1233614 1233615 1233616 1233617 1234958 1236316 1236317 1237002
                        1237006 1237008 1237009 1237010 1237011 1237012 1237013 1237014
                        1239674 1242971 CVE-2024-45774 CVE-2024-45775 CVE-2024-45776
                        CVE-2024-45777 CVE-2024-45778 CVE-2024-45779 CVE-2024-45780 CVE-2024-45781
                        CVE-2024-45782 CVE-2024-45783 CVE-2024-49504 CVE-2024-56737 CVE-2025-0622
                        CVE-2025-0624 CVE-2025-0677 CVE-2025-0678 CVE-2025-0684 CVE-2025-0685
                        CVE-2025-0686 CVE-2025-0689 CVE-2025-0690 CVE-2025-1118 CVE-2025-1125
                        CVE-2025-4382 
-----------------------------------------------------------------

The container suse/sl-micro/6.0/base-os-container was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 399
Released:    Tue Jul 29 10:20:21 2025
Summary:     Security update for grub2
Type:        security
Severity:    important
References:  1229163,1229164,1233606,1233608,1233609,1233610,1233612,1233613,1233614,1233615,1233616,1233617,1234958,1236316,1236317,1237002,1237006,1237008,1237009,1237010,1237011,1237012,1237013,1237014,1239674,1242971,CVE-2024-45774,CVE-2024-45775,CVE-2024-45776,CVE-2024-45777,CVE-2024-45778,CVE-2024-45779,CVE-2024-45780,CVE-2024-45781,CVE-2024-45782,CVE-2024-45783,CVE-2024-49504,CVE-2024-56737,CVE-2025-0622,CVE-2025-0624,CVE-2025-0677,CVE-2025-0678,CVE-2025-0684,CVE-2025-0685,CVE-2025-0686,CVE-2025-0689,CVE-2025-0690,CVE-2025-1118,CVE-2025-1125,CVE-2025-4382
This update for grub2 fixes the following issues:

- CVE-2025-4382: Fixed TPM auto-decryption data exposure (bsc#1242971)

- Filter out the non-subvolume btrfs mount points when creating the
  relative path (bsc#1239674)

- CVE-2024-45781: Fixed ufs strcpy overflow (bsc#1233617)
- CVE-2024-56737: Fixed heap-based buffer overflow in fs/hfs.c via
  crafted sblock data in an HFS filesystem (bsc#1234958)
- CVE-2024-45782: Fixed hfs strcpy overflow (bsc#1233615)
- CVE-2024-45780: Fixed overflow in tar/cpio (bsc#1233614)
- CVE-2024-45783: Fixed hfsplus refcount overflow (bsc#1233616)
- CVE-2025-0624: Fixed out-of-bounds write in grub_net_search_config_file() (bsc#1236316)
- CVE-2024-45774: Fixed heap overflows in JPEG parser (bsc#1233609)
- CVE-2024-45775: Fixed missing NULL check in extcmd parser (bsc#1233610)
- CVE-2025-0622: Fixed command/gpg: Use-after-free due to hooks not being removed on module unload (bsc#1236317)
- CVE-2024-45776: Fixed overflow in .MO file (gettext) handling (bsc#1233612)
- CVE-2024-45777: Fixed integer overflow in gettext (bsc#1233613)
- CVE-2025-0690: Fixed integer overflow in read that may lead to out-of-bounds write (bsc#1237012)
- CVE-2025-1118: Fixed commands/dump: The dump command was not locked down when secure boot is enabled (bsc#1237013)
- CVE-2024-45778: Fixed bfs filesystem instability under fuzzing (bsc#1233606)
- CVE-2024-45779: Fixed bfs heap overflow (bsc#1233608)
- CVE-2025-0677: Fixed integer overflow that may lead to heap based
  out-of-bounds write when handling symlinks in ufs (bsc#1237002)
- CVE-2025-0684: Fixed reiserfs: Integer overflow when handling symlinks
  may lead to heap based out-of-bounds write when reading data (bsc#1237008)
- CVE-2025-0685: Fixed jfs: Integer overflow when handling symlinks may
  lead to heap based out-of-bounds write when reading data (bsc#1237009)
- CVE-2025-0686: Fixed romfs: Integer overflow when handling symlinks
  may lead to heap based out-of-bounds write when reading data (bsc#1237010)
- CVE-2025-0689: Fixed udf: Heap based buffer overflow in
  grub_udf_read_block() may lead to arbitrary code execution (bsc#1237011)
- CVE-2025-1125: Fixed fs/hfs: Integer overflow may lead to heap based out-of-bounds write (bsc#1237014)
- CVE-2025-0678: Fixed squash4: Integer overflow may lead to heap based out-of-bounds write when reading data (bsc#1237006)

- Bump upstream SBAT generation to 5 to block older grub2 versions.

- CVE-2024-49504: Fixed Bypassing TPM-bound disk encryption on SL(E)M encrypted Images (bsc#1229163) (bsc#1229164)

- Restrict CLI access if the encrypted root device is automatically unlocked by
  the TPM. LUKS password authentication is required for access to be granted
- Dropped the previous CLI restrictions as obsolete: CLI access is now locked,
  and once access has been granted it no longer requires them
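As an added illustration of the SBAT generation bump above (this is not SUSE's tooling and not part of the advisory): shim enforces SBAT by comparing the CSV in a binary's .sbat section against its revocation policy, so a grub binary that records a generation lower than the required one is refused. The shell functions below read such a CSV and answer whether a binary would be refused once the required grub generation is 5. The CSV embedded here is a constructed sample; on a real image you would extract it from the grub EFI binary with objcopy, as the comment shows. The upstream component name `grub` is real, the vendor line `grub.suse` and its values are assumptions.

```shell
#!/bin/sh
# Added example (not SUSE's code): check the SBAT generation recorded in a
# grub EFI binary against the generation the advisory says now blocks older
# builds (grub generation 5).
#
# On a real image, extract the CSV from the binary first (binutils objcopy):
#   objcopy -O binary --only-section=.sbat grubx64.efi /tmp/sbat.csv
# The text below is a CONSTRUCTED sample standing in for that extraction;
# it describes a pre-fix binary still at grub generation 4.  The grub.suse
# vendor line and its values are assumptions, not taken from the advisory.
SAMPLE_SBAT='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.12~rc1,https://www.gnu.org/software/grub/
grub.suse,1,SUSE,grub2,2.12~rc1-6.1,https://www.suse.com/'

# sbat_generation COMPONENT   (reads SBAT CSV on stdin)
# Prints the generation number recorded for COMPONENT; prints nothing if the
# component has no entry.  Fields are: component,generation,vendor,...
sbat_generation() {
    awk -F, -v comp="$1" '$1 == comp { print $2; exit }'
}

# sbat_revoked COMPONENT MIN_GENERATION   (reads SBAT CSV on stdin)
# Returns 0 (true) when the binary's generation for COMPONENT is below
# MIN_GENERATION, i.e. a policy requiring MIN_GENERATION would refuse it.
# A binary with no entry for the component is treated as revoked too.
sbat_revoked() {
    gen=$(sbat_generation "$1")
    if [ -z "$gen" ]; then
        return 0
    fi
    [ "$gen" -lt "$2" ]
}

# Stand-alone usage: report the sample binary against the advisory's threshold.
if printf '%s\n' "$SAMPLE_SBAT" | sbat_revoked grub 5; then
    echo "grub generation $(printf '%s\n' "$SAMPLE_SBAT" | sbat_generation grub): would be refused by a policy requiring 5"
else
    echo "grub generation meets the required generation 5"
fi
```

Run the same two functions over the CSV pulled from the grub binary shipped in the updated image; a binary built from the patched package should record generation 5 or higher for `grub`, and any older binary left on an EFI system partition will stop booting as soon as shim's policy is raised to 5.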



The following package changes have been done:

- grub2-2.12~rc1-6.1 updated
- grub2-i386-pc-2.12~rc1-6.1 updated
- grub2-x86_64-efi-2.12~rc1-6.1 updated

