SUSE-CU-2025:4448-1: Security update of suse/sle15
sle-container-updates at lists.suse.com
Thu Jun 19 07:29:51 UTC 2025
SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4448-1
Container Tags : bci/bci-base:15.6 , bci/bci-base:15.6.47.23.4 , suse/sle15:15.6 , suse/sle15:15.6.47.23.4
Container Release : 47.23.4
Severity : important
Type : security
References : 1239012 1239543 1240132 1241463 1243226 1243887 1243901 1244105
1244509 CVE-2025-6018 CVE-2025-6020
-----------------------------------------------------------------
The container suse/sle15 was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2007-1
Released: Wed Jun 18 16:03:17 2025
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1239012,1239543,1240132,1241463,1243887,1243901,1244105
This update for libzypp, zypper fixes the following issues:
- Fix credential handling in HEAD requests (bsc#1244105)
- RepoInfo: use pathNameSetTrailingSlash
- Fix wrong userdata parameter type when running zypp with debug
verbosity (bsc#1239012)
- Do not warn about no mirrors if mirrorlist was switched on
automatically. (bsc#1243901)
- Relax permission of cached packages to 0644 & ~umask
(bsc#1243887)
- Add a note to service maintained .repo file entries
- Support using %{url} variable in a RIS service's repo section.
- Use a cookie file to validate mirrorlist cache.
This patch extends the mirrorlist code to use a cookie file to
validate the contents of the cache against the source URL, making
sure that we do not accidentally use an old cache when the
mirrorlist URL was changed. For example when migrating a system
from one release to the next where the same repo alias might just
have a different URL.
- Let Service define and update gpgkey, mirrorlist and metalink.
- Preserve a mirrorlist file in the raw cache during refresh.
- Enable curl2 backend and parallel package download by
default.
Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1>
can be used to turn the features on or off.
- Make gpgKeyUrl the default source for gpg keys.
When refreshing, zypp now primarily uses gpgKeyUrl information
from the repo files and only falls back to an automatically
generated key URL if a gpgKeyUrl was not specified.
- Introduce mirrors into the Media backends (bsc#1240132)
- Drop MediaMultiCurl backend.
- Throttle progress updates when preloading packages (bsc#1239543)
- Check if request is in valid state in CURL callbacks
- spec/CMake: add conditional build
'--with[out] classic_rpmtrans_as_default'.
classic_rpmtrans is the current builtin default for SUSE,
otherwise it's single_rpmtrans.
The `enable_preview_single_rpmtrans_as_default_for_zypper` switch
was removed from the spec file. Accordingly the CMake option
ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed.
- BuildRequires: libzypp-devel >= 17.37.0.
- Use libzypp improvements for preload and mirror handling.
- xmlout.rnc: Update repo-element (bsc#1241463)
Add the 'metalink' attribute and reflect that the 'url' elements
list may in fact be empty, if no baseurls are defined in the
.repo files.
- man: update --allow-unsigned-rpm description.
Explain how to achieve the same for packages provided by
repositories.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2013-1
Released: Wed Jun 18 20:05:07 2025
Summary: Security update for pam
Type: security
Severity: important
References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020
This update for pam fixes the following issues:
- CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226).
- CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509).
The following package changes have been done:
- libzypp-17.37.5-150600.3.60.1 updated
- pam-1.3.0-150000.6.83.1 updated
- zypper-1.14.90-150600.10.34.3 updated
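The CVE-2025-6018 fix above only changes the pam_env default, so a PAM stack that passes user_readenv=1 explicitly keeps reading the user's .pam_environment file after the update. The following audit sketch is an added example, not part of the advisory or of SUSE's tooling; the sample PAM lines and the function names are constructed for illustration.

```python
import re

# Constructed sample in /etc/pam.d/ file syntax (not taken from the advisory).
SAMPLE = """\
# session stack
session required pam_limits.so
session optional pam_env.so user_readenv=1 \\
        envfile=/etc/environment
auth    required pam_env.so    # inherits the built-in default
session [success=ok default=ignore] /lib64/security/pam_env.so user_readenv=0
"""

# Matches a pam_env.so module token (bare or with a path) and captures its arguments.
PAM_ENV = re.compile(r"(?:^|\s)(?:\S*/)?pam_env\.so(?:\s+(?P<args>.*))?$")

def logical_lines(text):
    """Yield (first_line_no, text): continuations joined, comments removed."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        line = (buf + raw).split("#", 1)[0].strip()
        if line:
            yield start, line
        buf, start = "", None

def audit_pam_env(text):
    """Return [(line_no, state)] for every pam_env.so entry.

    state: 'enabled'  - user_readenv explicitly on; the new default does not apply
           'disabled' - user_readenv=0
           'default'  - option absent; behaviour follows the installed pam build
    """
    findings = []
    for no, line in logical_lines(text):
        m = PAM_ENV.search(line)
        if not m:
            continue
        state = "default"
        for arg in (m.group("args") or "").split():
            if arg.startswith("user_readenv="):
                # Any value other than 0 is reported as enabled so it gets reviewed.
                state = "disabled" if arg.split("=", 1)[1] == "0" else "enabled"
        findings.append((no, state))
    return findings

if __name__ == "__main__":
    for no, state in audit_pam_env(SAMPLE):
        print(f"line {no}: pam_env user_readenv {state}")
```

Entries reported as 'default' are covered by the changed default only once the updated pam package listed above is installed in the image.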