SUSE-CU-2025:4485-1: Security update of suse/sle15
sle-container-updates at lists.suse.com
Thu Jun 19 07:43:42 UTC 2025
SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4485-1
Container Tags : bci/bci-base:15.7 , bci/bci-base:15.7-5.8.3 , bci/bci-base:latest , suse/sle15:15.7 , suse/sle15:15.7-5.8.3 , suse/sle15:latest
Container Release : 5.8.3
Severity : important
Type : security
References : 1173375 1222044 1230267 1235598 1236177 1237172 1237496 1237587
1237949 1238315 1239012 1239543 1239809 1239909 1240132 1240529
1241020 1241078 1241189 1241463 1242060 1242938 1243259 1243317
1243360 1243887 1243901 1243960 1244105 CVE-2025-2588 CVE-2025-29087
CVE-2025-29088 CVE-2025-3277 CVE-2025-4802
-----------------------------------------------------------------
The container suse/sle15 was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1456-1
Released: Wed May 7 17:13:32 2025
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1241020,1241078,1241189,CVE-2025-29087,CVE-2025-29088,CVE-2025-3277
This update for sqlite3 fixes the following issues:
- CVE-2025-29087,CVE-2025-3277: Fixed integer overflow in sqlite concat function (bsc#1241020)
- CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078)
Other fixes:
- Updated to version 3.49.1 from Factory (jsc#SLE-16032)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1527-1
Released: Fri May 9 17:21:39 2025
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: important
References: 1222044,1230267,1235598,1237172,1237587,1237949,1238315,1239809,1240529
This update for libsolv, libzypp, zypper fixes the following issues:
- Support the apk package and repository format (both v2 and v3)
- New dataiterator_final_{repo,solvable} functions
- Provide a symbol specific for the ruby-version so yast does not break across updates (bsc#1235598)
- XmlReader: Fix detection of bad input streams
- rpm: Fix detection of %triggerscript starts (bsc#1222044)
- RepoindexFileReader: add more <repo> related attributes a service may set
- Drop workaround for broken rpm-4.18 in Code16 (bsc#1237172)
- Drop usage of SHA1 hash algorithm because it will become unavailable in FIPS mode (bsc#1240529)
- Fix zypp.conf dupAllowVendorChange to reflect the correct default (false)
- zypp.conf: Add `lock_timeout` ($ZYPP_LOCK_TIMEOUT) (bsc#1239809)
- Fix computation of RepStatus if Repo URLs change
- Fix lost double slash when appending to an absolute FTP url (bsc#1238315)
- Add a transaction package preloader
- Strip a mediahandler tag from baseUrl querystrings
- Updated translations (bsc#1230267)
- Do not double encode URL strings passed on the commandline (bsc#1237587)
- info,search: add option to search and list Enhances (bsc#1237949)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1534-1
Released: Mon May 12 18:00:59 2025
Summary: Security update for augeas
Type: security
Severity: low
References: 1239909,CVE-2025-2588
This update for augeas fixes the following issues:
- CVE-2025-2588: Check for NULL pointers when calling re_case_expand in function fa_expand_nocase. (bsc#1239909)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1577-1
Released: Mon May 19 10:24:04 2025
Summary: Recommended update for container-suseconnect
Type: recommended
Severity: moderate
References: 1173375
This update for container-suseconnect fixes the following issues:
- update to 2.5.1:
* Bump github.com/mssola/capture from 1.0.0 to 1.1.0
* Log everything to stderr
* Code formatting
* Bump github.com/stretchr/testify from 1.9.0 to 1.10.0
* Also allow optionally to pass down the system_token
* Various golangci-lint v2.1x warnings fixed
* Remove use of urfave/cli and replace it with flag
- remove unnecessary packaging buildrequires
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1702-1
Released: Sat May 24 11:50:53 2025
Summary: Security update for glibc
Type: security
Severity: important
References: 1243317,CVE-2025-4802
This update for glibc fixes the following issues:
- CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1714-1
Released: Tue May 27 13:23:20 2025
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References:
This update for ncurses fixes the following issues:
- Backport sclp terminfo description entry for s390 sclp terminal lines
- Add a further sclp entry for qemu s390 based systems
- Make use of dumb
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1733-1
Released: Wed May 28 17:59:52 2025
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1242060
This update for krb5 fixes the following issue:
- Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1736-1
Released: Thu May 29 11:34:51 2025
Summary: Recommended update for container-suseconnect
Type: recommended
Severity: moderate
References: 1243360
This update for container-suseconnect fixes the following issues:
- Version update v2.5.3 (bsc#1243360):
- only handle command line options for the default
- parse and ignore the previously removed log-credentials-errors
- Restore usage output on unhandled command line options
- Switch to go stable and update mod to 1.24.0
- Various golangci-lint v2.1x warnings fixed
- Also allow optionally to pass down the system_token
- Log everything to stderr
- Code formatting
- remove unnecessary packaging buildrequires
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1739-1
Released: Thu May 29 11:40:51 2025
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1236177,1237496,1242938,1243259
This update for systemd fixes the following issues:
- Add missing 'systemd-journal-remote' package to 15-SP7 (bsc#1243259)
- umount: do not move busy network mounts (bsc#1236177)
- Apply coredump sysctl settings on systemd-coredump updates/removals.
- Fix the issue with journalctl not working for users in Container UID range (bsc#1242938)
Don't write messages sent from users with UID falling into the container UID
range to the system journal. Daemons in the container don't talk to the
outside journald as they talk to the inner one directly, which does its
journal splitting based on shifted uids.
- man/pstore.conf: pstore.conf template is not always installed in /etc
- man: coredump.conf template is not always installed in /etc (bsc#1237496)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1943-1
Released: Fri Jun 13 10:33:55 2025
Summary: Recommended update for container-suseconnect
Type: recommended
Severity: moderate
References: 1243960
This update for container-suseconnect fixes the following issues:
- Fix the issue with retrieving the repository index file for service 'container-suseconnect-zypp' (bsc#1243960)
- Switch to sha256 from md5
- use go's native fips module on tumbleweed
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2007-1
Released: Wed Jun 18 16:03:17 2025
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1239012,1239543,1240132,1241463,1243887,1243901,1244105
This update for libzypp, zypper fixes the following issues:
- Fix credential handling in HEAD requests (bsc#1244105)
- RepoInfo: use pathNameSetTrailingSlash
- Fix wrong userdata parameter type when running zypp with debug
verbosity (bsc#1239012)
- Do not warn about no mirrors if mirrorlist was switched on
automatically. (bsc#1243901)
- Relax permission of cached packages to 0644 & ~umask
(bsc#1243887)
- Add a note to service maintained .repo file entries
- Support using %{url} variable in a RIS service's repo section.
- Use a cookie file to validate mirrorlist cache.
This patch extends the mirrorlist code to use a cookie file to
validate the contents of the cache against the source URL, making
sure that we do not accidentally use an old cache when the
mirrorlist url was changed. For example when migrating a system
from one release to the next where the same repo alias might just
have a different URL.
- Let Service define and update gpgkey, mirrorlist and metalink.
- Preserve a mirrorlist file in the raw cache during refresh.
- Enable curl2 backend and parallel package download by
default.
Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1>
can be used to turn the features on or off.
- Make gpgKeyUrl the default source for gpg keys.
When refreshing, zypp now primarily uses gpgKeyUrl information
from the repo files and only falls back to an automatically
generated key Url if a gpgKeyUrl was not specified.
- Introduce mirrors into the Media backends (bsc#1240132)
- Drop MediaMultiCurl backend.
- Throttle progress updates when preloading packages (bsc#1239543)
- Check if request is in valid state in CURL callbacks
- spec/CMake: add conditional build
'--with[out] classic_rpmtrans_as_default'.
classic_rpmtrans is the current builtin default for SUSE,
otherwise it's single_rpmtrans.
The `enable_preview_single_rpmtrans_as_default_for_zypper` switch
was removed from the spec file. Accordingly the CMake option
ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed.
- BuildRequires: libzypp-devel >= 17.37.0.
- Use libzypp improvements for preload and mirror handling.
- xmlout.rnc: Update repo-element (bsc#1241463)
Add the 'metalink' attribute and reflect that the 'url' elements
list may in fact be empty, if no baseurls are defined in the
.repo files.
- man: update --allow-unsigned-rpm description.
Explain how to achieve the same for packages provided by
repositories.
The following package changes have been done:
- container-suseconnect-2.5.4-150000.4.64.1 updated
- glibc-2.38-150600.14.32.1 updated
- krb5-1.20.1-150600.11.11.2 updated
- libaugeas0-1.14.1-150600.3.3.1 updated
- libfa1-1.14.1-150600.3.3.1 updated
- libncurses6-6.1-150000.5.30.1 updated
- libsolv-tools-base-0.7.32-150600.8.10.1 updated
- libsqlite3-0-3.49.1-150000.3.27.1 updated
- libudev1-254.24-150600.4.33.1 updated
- libzypp-17.37.5-150600.3.60.1 updated
- ncurses-utils-6.1-150000.5.30.1 updated
- terminfo-base-6.1-150000.5.30.1 updated
- zypper-1.14.90-150600.10.34.3 updated