SUSE-CU-2025:4504-1: Security update of suse/sle-micro/5.3/toolbox
sle-container-updates at lists.suse.com
Fri Jun 20 07:15:55 UTC 2025
SUSE Container Update Advisory: suse/sle-micro/5.3/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4504-1
Container Tags : suse/sle-micro/5.3/toolbox:14.2 , suse/sle-micro/5.3/toolbox:14.2-6.11.144 , suse/sle-micro/5.3/toolbox:latest
Container Release : 6.11.144
Severity : moderate
Type : security
References : 1239012 1239543 1240132 1241463 1243887 1243901 1244079 1244105 CVE-2025-40909
-----------------------------------------------------------------
The container suse/sle-micro/5.3/toolbox was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2022-1
Released: Thu Jun 19 15:14:37 2025
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1239012,1239543,1240132,1241463,1243887,1243901,1244105
This update for libzypp, zypper fixes the following issues:
- Fix credential handling in HEAD requests (bsc#1244105)
- RepoInfo: use pathNameSetTrailingSlash
- Fix wrong userdata parameter type when running zypp with debug
  verbosity (bsc#1239012)
- Do not warn about no mirrors if mirrorlist was switched on
  automatically. (bsc#1243901)
- Relax permission of cached packages to 0644 & ~umask
  (bsc#1243887)
- Add a note to service maintained .repo file entries
- Support using %{url} variable in a RIS service's repo section.
- Use a cookie file to validate mirrorlist cache.
  This patch extends the mirrorlist code to use a cookie file to
  validate the contents of the cache against the source URL, making
  sure that we do not accidentally use an old cache when the
  mirrorlist URL was changed. For example, when migrating a system
  from one release to the next where the same repo alias might just
  have a different URL.
- Let Service define and update gpgkey, mirrorlist and metalink.
- Preserve a mirrorlist file in the raw cache during refresh.
- Enable curl2 backend and parallel package download by
  default.
  Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1>
  can be used to turn the features on or off.
- Make gpgKeyUrl the default source for gpg keys.
  When refreshing, zypp now primarily uses gpgKeyUrl information
  from the repo files and only falls back to an automatically
  generated key URL if a gpgKeyUrl was not specified.
- Introduce mirrors into the Media backends (bsc#1240132)
- Drop MediaMultiCurl backend.
- Throttle progress updates when preloading packages (bsc#1239543)
- Check if request is in valid state in CURL callbacks
- spec/CMake: add conditional build
  '--with[out] classic_rpmtrans_as_default'.
  classic_rpmtrans is the current builtin default for SUSE,
  otherwise it's single_rpmtrans.
  The `enable_preview_single_rpmtrans_as_default_for_zypper` switch
  was removed from the spec file. Accordingly the CMake option
  ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed.
- BuildRequires: libzypp-devel >= 17.37.0.
- Use libzypp improvements for preload and mirror handling.
- xmlout.rnc: Update repo-element (bsc#1241463)
  Add the 'metalink' attribute and reflect that the 'url' elements
  list may in fact be empty, if no baseurls are defined in the
  .repo files.
- man: update --allow-unsigned-rpm description.
  Explain how to achieve the same for packages provided by
  repositories.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2027-1
Released: Thu Jun 19 17:15:41 2025
Summary: Security update for perl
Type: security
Severity: moderate
References: 1244079,CVE-2025-40909
This update for perl fixes the following issues:
- CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079).
The following package changes have been done:
- libzypp-17.37.5-150400.3.126.1 updated
- perl-base-5.26.1-150300.17.20.1 updated
- perl-5.26.1-150300.17.20.1 updated
- zypper-1.14.90-150400.3.85.3 updated