SUSE-CU-2025:4726-1: Security update of suse/manager/5.0/x86_64/server

sle-container-updates at lists.suse.com
Tue Jun 24 08:00:04 UTC 2025


SUSE Container Update Advisory: suse/manager/5.0/x86_64/server
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4726-1
Container Tags        : suse/manager/5.0/x86_64/server:5.0.4.1 , suse/manager/5.0/x86_64/server:5.0.4.1.7.27.2 , suse/manager/5.0/x86_64/server:latest
Container Release     : 7.27.2
Severity              : important
Type                  : security
References            : 1239012 1239543 1240132 1241463 1243226 1243887 1243901 1244039
                        1244079 1244105 1244509 CVE-2024-47081 CVE-2025-40909 CVE-2025-6018
                        CVE-2025-6020 
-----------------------------------------------------------------

The container suse/manager/5.0/x86_64/server was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1998-1
Released:    Wed Jun 18 10:42:20 2025
Summary:     Security update for python-requests
Type:        security
Severity:    moderate
References:  1244039,CVE-2024-47081
This update for python-requests fixes the following issues:

- CVE-2024-47081: fixed netrc credential leak (bsc#1244039).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2007-1
Released:    Wed Jun 18 16:03:17 2025
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1239012,1239543,1240132,1241463,1243887,1243901,1244105
This update for libzypp, zypper fixes the following issues:

- Fix credential handling in HEAD requests (bsc#1244105)
- RepoInfo: use pathNameSetTrailingSlash
- Fix wrong userdata parameter type when running zypp with debug
  verbosity (bsc#1239012)
- Do not warn about no mirrors if mirrorlist was switched on
  automatically. (bsc#1243901)
- Relax permission of cached packages to 0644 & ~umask
  (bsc#1243887)
- Add a note to service maintained .repo file entries
- Support using %{url} variable in a RIS service's repo section.
- Use a cookie file to validate mirrorlist cache.
  This patch extends the mirrorlist code to use a cookie file to
  validate the contents of the cache against the source URL, making
  sure that we do not accidentally use an old cache when the
  mirrorlist url was changed. For example when migrating a system
  from one release to the next where the same repo alias might just
  have a different URL.
- Let Service define and update gpgkey, mirrorlist and metalink.
- Preserve a mirrorlist file in the raw cache during refresh.
- Enable curl2 backend and parallel package download by
  default.
  Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1>
  can be used to turn the features on or off.
- Make gpgKeyUrl the default source for gpg keys.
  When refreshing, zypp now primarily uses gpgKeyUrl information
  from the repo files and only falls back to an automatically
  generated key URL if a gpgKeyUrl was not specified.
- Introduce mirrors into the Media backends (bsc#1240132)
- Drop MediaMultiCurl backend.
- Throttle progress updates when preloading packages (bsc#1239543)
- Check if request is in valid state in CURL callbacks
- spec/CMake: add conditional build
  '--with[out] classic_rpmtrans_as_default'.
  classic_rpmtrans is the current builtin default for SUSE,
  otherwise it's single_rpmtrans.
  The `enable_preview_single_rpmtrans_as_default_for_zypper` switch
  was removed from the spec file.  Accordingly the CMake option
  ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed.
- BuildRequires:  libzypp-devel >= 17.37.0.
- Use libzypp improvements for preload and mirror handling.
- xmlout.rnc: Update repo-element (bsc#1241463)
  Add the 'metalink' attribute and reflect that the 'url' elements
  list may in fact be empty, if no baseurls are defined in the
  .repo files.
- man: update --allow-unsigned-rpm description.
  Explain how to achieve the same for packages provided by
  repositories.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2013-1
Released:    Wed Jun 18 20:05:07 2025
Summary:     Security update for pam
Type:        security
Severity:    important
References:  1243226,1244509,CVE-2025-6018,CVE-2025-6020
This update for pam fixes the following issues:

- CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226).
- CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2027-1
Released:    Thu Jun 19 17:15:41 2025
Summary:     Security update for perl
Type:        security
Severity:    moderate
References:  1244079,CVE-2025-40909
This update for perl fixes the following issues:

- CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079).

-----------------------------------------------------------------
Advisory ID: SUSE-Manager-5.0-2025-2062
Released:    Mon Jun 23 11:26:16 2025
Summary:     Maintenance update for Multi-Linux Manager 5.0: Server, Proxy and Retail Branch Server
Type:        recommended
Severity:    moderate
References:  
Maintenance update for Multi-Linux Manager 5.0: Server, Proxy and Retail Branch Server

This is a codestream only update


The following package changes have been done:

- pam-1.3.0-150000.6.83.1 updated
- libzypp-17.37.5-150600.3.60.1 updated
- zypper-1.14.90-150600.10.34.3 updated
- perl-base-5.26.1-150300.17.20.1 updated
- perl-5.26.1-150300.17.20.1 updated
- spacewalk-base-minimal-5.0.20-150600.3.24.4 updated
- spacewalk-base-minimal-config-5.0.20-150600.3.24.4 updated
- python3-requests-2.25.1-150300.3.15.1 updated
- spacewalk-base-5.0.20-150600.3.24.4 updated
- spacewalk-html-5.0.20-150600.3.24.4 updated
- container:suse-manager-5.0-init-5.0.4.1-5.0.4.1-7.18.5 added
- container:suse-manager-5.0-init-5.0.4-5.0.4-7.15.5 removed

