SUSE-IU-2025:729-1: Security update of suse/sle-micro/base-5.5
sle-container-updates at lists.suse.com
Wed Mar 12 08:04:45 UTC 2025
SUSE Image Update Advisory: suse/sle-micro/base-5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:729-1
Image Tags : suse/sle-micro/base-5.5:2.0.4 , suse/sle-micro/base-5.5:2.0.4-5.8.152 , suse/sle-micro/base-5.5:latest
Image Release : 5.8.152
Severity : important
Type : security
References : 1189788 1208995 1216091 1220946 1225742 1232472 1232919 1233701
1233749 1234154 1234650 1234853 1234891 1234963 1235054 1235061
1235073 1235111 1236133 1236289 1236481 1236576 1236661 1236677
1236757 1236758 1236760 1236761 1236777 1236951 1237025 1237028
1237044 1237139 1237316 1237693 1238033 CVE-2022-49080 CVE-2023-1192
CVE-2023-52572 CVE-2024-50115 CVE-2024-53135 CVE-2024-53173 CVE-2024-53226
CVE-2024-53239 CVE-2024-56539 CVE-2024-56548 CVE-2024-56605 CVE-2024-57948
CVE-2025-21647 CVE-2025-21690 CVE-2025-21692 CVE-2025-21699
-----------------------------------------------------------------
The container suse/sle-micro/base-5.5 was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:833-1
Released: Tue Mar 11 11:53:19 2025
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1208995,1220946,1225742,1232472,1232919,1233701,1233749,1234154,1234650,1234853,1234891,1234963,1235054,1235061,1235073,1235111,1236133,1236289,1236576,1236661,1236677,1236757,1236758,1236760,1236761,1236777,1236951,1237025,1237028,1237139,1237316,1237693,1238033,CVE-2022-49080,CVE-2023-1192,CVE-2023-52572,CVE-2024-50115,CVE-2024-53135,CVE-2024-53173,CVE-2024-53226,CVE-2024-53239,CVE-2024-56539,CVE-2024-56548,CVE-2024-56605,CVE-2024-57948,CVE-2025-21647,CVE-2025-21690,CVE-2025-21692,CVE-2025-21699
The SUSE Linux Enterprise 15 SP5 kernel was updated to receive various security bugfixes.
The following security bugs were fixed:
- CVE-2022-49080: mm/mempolicy: fix mpol_new leak in shared_policy_replace (bsc#1238033).
- CVE-2024-53135: KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN (bsc#1234154).
- CVE-2024-53226: RDMA/hns: Fix NULL pointer dereference in hns_roce_map_mr_sg() (bsc#1236576).
- CVE-2024-57948: mac802154: check local interfaces before deleting sdata list (bsc#1236677).
- CVE-2025-21647: sched: sch_cake: add bounds checks to host bulk flow fairness counts (bsc#1236133).
- CVE-2025-21690: scsi: storvsc: Ratelimit warning logs to prevent VM denial of service (bsc#1237025).
- CVE-2025-21692: net: sched: fix ets qdisc OOB Indexing (bsc#1237028).
- CVE-2025-21699: gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag (bsc#1237139).
The following non-security bugs were fixed:
- cpufreq/amd-pstate: Only print supported EPP values for performance governor (bsc#1236777).
- iavf: fix the waiting time for initial reset (bsc#1235111).
- ice: add ice_adapter for shared data across PFs on the same NIC (bsc#1235111).
- ice: avoid the PTP hardware semaphore in gettimex64 path (bsc#1235111).
- ice: fold ice_ptp_read_time into ice_ptp_gettimex64 (bsc#1235111).
- idpf: call set_real_num_queues in idpf_open (bsc#1236661 bsc#1237316).
- ipv4/tcp: do not use per netns ctl sockets (bsc#1237693).
- kabi: hide adding RCU head into struct netdev_name_node (bsc#1233749).
- net: Fix undefined behavior in netdev name allocation (bsc#1233749).
- net: avoid UAF on deleted altname (bsc#1233749).
- net: check for altname conflicts when changing netdev's netns (bsc#1233749).
- net: core: Use the bitmap API to allocate bitmaps (bsc#1233749).
- net: do not send a MOVE event when netdev changes netns (bsc#1233749).
- net: do not use input buffer of __dev_alloc_name() as a scratch space (bsc#1233749).
- net: fix ifname in netlink ntf during netns move (bsc#1233749).
- net: fix removing a namespace with conflicting altnames (bsc#1233749).
- net: free altname using an RCU callback (bsc#1233749).
- net: introduce a function to check if a netdev name is in use (bsc#1233749).
- net: make dev_alloc_name() call dev_prep_valid_name() (bsc#1233749).
- net: mana: Add get_link and get_link_ksettings in ethtool (bsc#1236761).
- net: mana: Cleanup 'mana' debugfs dir after cleanup of all children (bsc#1236760).
- net: mana: Enable debugfs files for MANA device (bsc#1236758).
- net: minor __dev_alloc_name() optimization (bsc#1233749).
- net: move altnames together with the netdevice (bsc#1233749).
- net: netvsc: Update default VMBus channels (bsc#1236757).
- net: reduce indentation of __dev_alloc_name() (bsc#1233749).
- net: remove dev_valid_name() check from __dev_alloc_name() (bsc#1233749).
- net: remove else after return in dev_prep_valid_name() (bsc#1233749).
- net: trust the bitmap in __dev_alloc_name() (bsc#1233749).
- nfsd: use explicit lock/unlock for directory ops (bsc#1234650 bsc#1233701 bsc#1232472).
- rcu: Remove rcu_is_idle_cpu() (bsc#1236289).
- scsi: storvsc: Set correct data length for sending SCSI command without payload (git-fixes).
- x86/aperfmperf: Dont wake idle CPUs in arch_freq_get_on_cpu() (bsc#1236289).
- x86/aperfmperf: Integrate the fallback code from show_cpuinfo() (bsc#1236289).
- x86/aperfmperf: Make parts of the frequency invariance code unconditional (bsc#1236289).
- x86/aperfmperf: Put frequency invariance aperf/mperf data into a struct (bsc#1236289).
- x86/aperfmperf: Replace aperfmperf_get_khz() (bsc#1236289).
- x86/aperfmperf: Replace arch_freq_get_on_cpu() (bsc#1236289).
- x86/aperfmperf: Restructure arch_scale_freq_tick() (bsc#1236289).
- x86/aperfmperf: Separate AP/BP frequency invariance init (bsc#1236289).
- x86/aperfmperf: Store aperf/mperf data for cpu frequency reads (bsc#1236289).
- x86/aperfmperf: Untangle Intel and AMD frequency invariance init (bsc#1236289).
- x86/aperfperf: Make it correct on 32bit and UP kernels (bsc#1236289).
- x86/smp: Move APERF/MPERF code where it belongs (bsc#1236289).
- x86/smp: Remove unnecessary assignment to local var freq_scale (bsc#1236289).
- x86/xen: add FRAME_END to xen_hypercall_hvm() (git-fixes).
- x86/xen: allow larger contiguous memory regions in PV guests (bsc#1236951).
- x86/xen: fix xen_hypercall_hvm() to not clobber %rbx (git-fixes).
- xen/swiotlb: relax alignment requirements (bsc#1236951).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:838-1
Released: Tue Mar 11 13:11:21 2025
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: important
References: 1189788,1216091,1236481,1237044
This update for libzypp, zypper fixes the following issues:
- Disable zypp.conf:download.use_deltarpm by default.
  Measurements show that you don't benefit from using deltarpms
  unless your network connection is very slow. That's why most
  distributions even stop offering deltarpms. The default remains
  unchanged on SUSE-15.6 and older.
- Make sure repo variables are evaluated in the right context
  (bsc#1237044)
- Introducing MediaCurl2, an alternative HTTP backend.
  This patch adds MediaCurl2 as a testbed for experimenting with a
  simpler way to download files. Set ZYPP_CURL2=1 in the
  environment to use it.
- Filesystem usrmerge must not be done in singletrans mode
  (bsc#1236481, bsc#1189788)
- Commit will amend the backend in case the transaction would
  perform a filesystem usrmerge.
- Workaround bsc#1216091 on Code16.
- Announce --root in commands not launching a Target
  (bsc#1237044)
The following package changes have been done:
- kernel-default-5.14.21-150500.55.97.1 updated
- libzypp-17.36.3-150500.6.42.1 updated
- zypper-1.14.85-150500.6.26.1 updated