SUSE-CU-2025:4691-1: Security update of bci/kiwi

sle-container-updates at lists.suse.com
Tue Jun 24 07:17:14 UTC 2025


SUSE Container Update Advisory: bci/kiwi
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4691-1
Container Tags        : bci/kiwi:9 , bci/kiwi:9.24 , bci/kiwi:9.24.43 , bci/kiwi:9.24.43-16.12 , bci/kiwi:latest
Container Release     : 16.12
Severity              : important
Type                  : security
References            : 1236136 1236329 1236599 1240157 1243459 CVE-2024-12797 CVE-2024-13176
                        CVE-2025-27587 
-----------------------------------------------------------------

The container bci/kiwi was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2042-1
Released:    Fri Jun 20 12:38:43 2025
Summary:     Security update for openssl-3
Type:        security
Severity:    important
References:  1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587
This update for openssl-3 fixes the following issues:

- CVE-2025-27587: Timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459)
- CVE-2024-12797: Fixed RFC7250 handshakes with unauthenticated servers not aborting as expected (bsc#1236599)
- CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2063-1
Released:    Mon Jun 23 12:02:06 2025
Summary:     Recommended update for qemu
Type:        recommended
Severity:    moderate
References:  1236329,1240157
This update for qemu fixes the following issues:

- Fix the *-video-gpu-ccw package not being present in products:
  * [openSUSE] rpm/spec: go back to only Recommending -video-gpu-ccw for s390x
- Update to version 9.2.4:
  * target/hppa: Fix FPE exceptions
  * linux-user/hppa: Send proper si_code on SIGFPE exception
  * target/hppa: Copy instruction code into fr1 on FPU assist fault
  * migration: Allow caps to be set when preempt or multifd cap enabled
  * qapi/misc-target: Fix the doc to distinguish query-sgx and query-sgx-capabilities
  * hw/pci-host: Remove unused pci_host_data_be_ops
  * hw/pci-host/gt64120: Fix endianness handling
  * target/riscv/kvm: add kvm_csr_cfgs[]
  * target/riscv/kvm: turn kvm_riscv_reg_id_ulong() into a macro
  * target/riscv/kvm: turn u32/u64 reg functions into macros
  * target/riscv/kvm: fix leak in kvm_riscv_init_multiext_cfg()
  * target/riscv: Fix vslidedown with rvv_ta_all_1s
  * target/riscv: Fix the rvv reserved encoding of unmasked instructions
  * target/riscv: rvv: Apply vext_check_input_eew to vector indexed load/store instructions
  * target/riscv: rvv: Apply vext_check_input_eew to vector narrow/widen instructions
  * target/riscv: rvv: Apply vext_check_input_eew to vector integer extension instructions(OPMVV)
  * target/riscv: rvv: Apply vext_check_input_eew to vector slide instructions(OPIVI/OPIVX)
  * target/riscv: rvv: Apply vext_check_input_eew to OPIVV/OPFVV(vext_check_sss) instructions
  * target/riscv: rvv: Apply vext_check_input_eew to OPIVI/OPIVX/OPFVF(vext_check_ss) instructions
  * target/riscv: rvv: Apply vext_check_input_eew to vrgather instructions to check mismatched input EEWs encoding constraint
  * target/riscv: rvv: Add CHECK arg to GEN_OPFVF_WIDEN_TRANS
  * target/riscv: rvv: Source vector registers cannot overlap mask register
  * common-user/host/riscv: use tail pseudoinstruction for calling tail
  * target/riscv: fix endless translation loop on big endian systems
  * target/riscv: pmp: move Smepmp operation conversion into a function
  * virtio: Call set_features during reset
  * s390x: Fix leak in machine_set_loadparm
  * 9pfs: fix FD leak and reduce latency of v9fs_reclaim_fd()
  * 9pfs: fix concurrent v9fs_reclaim_fd() calls
- all glib2 versions are recent enough to use pcre2:
  * qemu-linux-user: drop pcre (by Andreas Stieger)
- Correct wrong bug mentioned in changelog (bsc#1236329)
- Update to latest stable release (9.2.3)
  Fixes: bsc#1236329
  * hw/intc/aspeed: Fix IRQ handler mask check
  * hw/misc/aspeed_hace: Fix buffer overflow in has_padding function
  * target/riscv: fix handling of nop for vstart >= vl in some vector instruction
  * target/riscv: refactor VSTART_CHECK_EARLY_EXIT() to accept vl as a parameter
  * Makefile: 'make dist' generates a .xz, not .bz2
  * target/ppc: Fix e200 duplicate SPRs
  * target/ppc: Fix facility interrupt checks for VSX
  * ppc/spapr: fix default cpu for pre-9.0 machines.
  * host/include/loongarch64: Fix inline assembly compatibility with Clang
  * linux-user/riscv: Fix handling of cpu mask in riscv_hwprobe syscall
  * target/riscv: fixes a bug against `ssamoswap` behavior in M-mode
  * target/riscv: fix access permission checks for CSR_SSP
  * docs/about/emulation: Fix broken link
  * vdpa: Allow vDPA to work on big-endian machine
  * vdpa: Fix endian bugs in shadow virtqueue
  * target/loongarch: Fix vldi inst
  * target/arm: Simplify pstate_sm check in sve_access_check
  * target/arm: Make DisasContext.{fp, sve}_access_checked tristate
  * util/cacheflush: Make first DSB unconditional on aarch64
  * docs: Rename default-configs to configs
  * block: Zero block driver state before reopening
  * hw/xen/hvm: Fix Aarch64 typo
  * hw/net/smc91c111: Don't allow data register access to overrun buffer
  * hw/net/smc91c111: Sanitize packet length on tx
  * hw/net/smc91c111: Sanitize packet numbers
  * ppc/pnv/occ: Fix common area sensor offsets
  * xen: No need to flush the mapcache for grants (bsc#1236329)
  * net: move backend cleanup to NIC cleanup
  * net: parameterize the removing client from nc list
  * util/qemu-timer.c: Don't warp timer from timerlist_rearm()
  * target/arm: Correct STRD atomicity
  * target/arm: Correct LDRD atomicity and fault behaviour
  * hw/arm: enable secure EL2 timers for sbsa machine
  * hw/arm: enable secure EL2 timers for virt machine
  * target/arm: Implement SEL2 physical and virtual timers
- [openSUSE][RPM] spec: Require ipxe and virtio-gpu packages for more arch-es (bsc#1240157)


The following package changes have been done:

- libopenssl3-3.2.3-150700.5.5.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated
- openssl-3-3.2.3-150700.5.5.1 updated
- qemu-vmsr-helper-9.2.4-150700.3.5.1 updated
- qemu-pr-helper-9.2.4-150700.3.5.1 updated
- qemu-img-9.2.4-150700.3.5.1 updated
- qemu-tools-9.2.4-150700.3.5.1 updated
- container:registry.suse.com-bci-bci-base-15.7-9e49fc567fe60172c3ff29129ca645c392f64fee9781980847b55586563791b0-0 updated

