SUSE-IU-2025:751-1: Security update of suse/sl-micro/6.1/base-os-container
sle-container-updates at lists.suse.com
sle-container-updates at lists.suse.com
Fri Mar 14 08:08:21 UTC 2025
SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:751-1
Image Tags : suse/sl-micro/6.1/base-os-container:2.2.0 , suse/sl-micro/6.1/base-os-container:2.2.0-4.10 , suse/sl-micro/6.1/base-os-container:latest
Image Release : 4.10
Severity : moderate
Type : security
References : 1221289 1229930 1229931 1229932 1230093 1232528 1234068 1236589
CVE-2024-11053 CVE-2024-28757 CVE-2024-45490 CVE-2024-45491 CVE-2024-45492
CVE-2024-8096 CVE-2024-9681 CVE-2025-0665
-----------------------------------------------------------------
The container suse/sl-micro/6.1/base-os-container was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 44
Released: Thu Mar 13 11:37:02 2025
Summary: Security update for curl
Type: security
Severity: moderate
References: 1221289,1229930,1229931,1229932,1230093,1232528,1234068,1236589,CVE-2024-11053,CVE-2024-28757,CVE-2024-45490,CVE-2024-45491,CVE-2024-45492,CVE-2024-8096,CVE-2024-9681,CVE-2025-0665
This update for curl fixes the following issues:
Update to 8.12.1:
* Bugfixes:
- asyn-thread: fix build with 'CURL_DISABLE_SOCKETPAIR'
- asyn-thread: fix HTTPS RR crash
- asyn-thread: fix the returned bitmask from Curl_resolver_getsock
- asyn-thread: survive a c-ares channel set to NULL
- cmake: always reference OpenSSL and ZLIB via imported targets
- cmake: respect 'GNUTLS_CFLAGS' when detected via 'pkg-config'
- cmake: respect 'GNUTLS_LIBRARY_DIRS' in 'libcurl.pc' and 'curl-config'
- content_encoding: #error on too old zlib
- imap: TLS upgrade fix
- ldap: drop support for legacy Novell LDAP SDK
- libssh2: comparison is always true because rc <= -1
- libssh2: raise lowest supported version to 1.2.8
- libssh: drop support for libssh older than 0.9.0
- openssl-quic: ignore ciphers for h3
- pop3: TLS upgrade fix
- runtests: fix the disabling of the memory tracking
- runtests: quote commands to support paths with spaces
- scache: add magic checks
- smb: silence '-Warray-bounds' with gcc 13+
- smtp: TLS upgrade fix
- tool_cfgable: sort struct fields by size, use bitfields for booleans
- tool_getparam: add 'TLS required' flag for each such option
- vtls: fix multissl-init
- wakeup_write: make sure the eventfd write sends eight bytes
Update to 8.12.0:
* Security fixes:
- [bsc#1234068, CVE-2024-11053] curl could leak the password used
for the first host to the followed-to host under certain circumstances.
- [bsc#1232528, CVE-2024-9681] HSTS subdomain overwrites parent cache entry
- [bsc#1236589, CVE-2025-0665] eventfd double close
* Changes:
- curl: add byte range support to --variable reading from file
- curl: make --etag-save acknowledge --create-dirs
- getinfo: fix CURLINFO_QUEUE_TIME_T and add 'time_queue' var
- getinfo: provide info which auth was used for HTTP and proxy
- hyper: drop support
- openssl: add support to use keys and certificates from PKCS#11 provider
- QUIC: 0RTT for gnutls via CURLSSLOPT_EARLYDATA
- vtls: feature ssls-export for SSL session im-/export
* Bugfixes:
- altsvc: avoid integer overflow in expire calculation
- asyn-ares: acknowledge CURLOPT_DNS_SERVERS set to NULL
- asyn-ares: fix memory leak
- asyn-ares: initial HTTPS resolve support
- asyn-thread: use c-ares to resolve HTTPS RR
- async-thread: avoid closing eventfd twice
- cd2nroff: do not insist on quoted <> within backticks
- cd2nroff: support 'none' as a TLS backend
- conncache: count shutdowns against host and max limits
- content_encoding: drop support for zlib before 1.2.0.4
- content_encoding: namespace GZIP flag constants
- content_encoding: put the decomp buffers into the writer structs
- content_encoding: support use of custom libzstd memory functions
- cookie: cap expire times to 400 days
- cookie: parse only the exact expire date
- curl: return error if etag options are used with multiple URLs
- curl_multi_fdset: include the shutdown connections in the set
- curl_sha512_256: rename symbols to the curl namespace
- curl_url_set.md: adjust the added-in to 7.62.0
- doh: send HTTPS RR requests for all HTTP(S) transfers
- easy: allow connect-only handle reuse with easy_perform
- easy: make curl_easy_perform() return error if connection still there
- easy_lock: use Sleep(1) for thread yield on old Windows
- ECH: update APIs to those agreed with OpenSSL maintainers
- GnuTLS: fix 'time_appconnect' for early data
- HTTP/2: strip TE request header
- http2: fix data_pending check
- http2: fix value stored to 'result' is never read
- http: ignore invalid Retry-After times
- http_aws_sigv4: Fix invalid compare function handling zero-length pairs
- https-connect: start next immediately on failure
- lib: redirect handling by protocol handler
- multi: fix curl_multi_waitfds reporting of fd_count
- netrc: 'default' with no credentials is not a match
- netrc: fix password-only entries
- netrc: restore _netrc fallback logic
- ngtcp2: fix memory leak on connect failure
- openssl: define `HAVE_KEYLOG_CALLBACK` before use
- openssl: fix ECH logic
- osslq: use SSL_poll to determine writeability of QUIC streams
- sectransp: free certificate on error
- select: avoid a NULL deref in cwfds_add_sock
- src: omit hugehelp and ca-embed from libcurltool
- ssl session cache: change cache dimensions
- system.h: add 64-bit curl_off_t definitions for NonStop
- telnet: handle single-byte input option
- TLS: check connection for SSL use, not handler
- tool_formparse.c: make curlx_uztoso a static in here
- tool_formparse: accept digits in --form type= strings
- tool_getparam: ECH param parsing refix
- tool_getparam: fail --hostpubsha256 if libssh2 is not used
- tool_getparam: fix 'Ignored Return Value'
- tool_getparam: fix memory leak on error in parse_ech
- tool_getparam: fix the ECH parser
- tool_operate: make --etag-compare always accept a non-existing file
- transfer: fix CURLOPT_CURLU override logic
- urlapi: fix redirect to a new fragment or query (only)
- vquic: make vquic_send_packets not return without setting psent
- vtls: fix default SSL backend as a fallback
- vtls: only remember the expiry timestamp in session cache
- websocket: fix message send corruption
- x509asn1: add parse recursion limit
Update to 8.11.1:
* Security fixes:
- netrc and redirect credential leak [bsc#1234068, CVE-2024-11053]
* Bugfixes:
- build: fix ECH to always enable HTTPS RR
- cookie: treat cookie name case sensitively
- curl-rustls.m4: keep existing 'CPPFLAGS'/'LDFLAGS' when detected
- curl: use realtime in trace timestamps
- digest: produce a shorter cnonce in Digest headers
- docs: document default 'User-Agent'
- docs: suggest --ssl-reqd instead of --ftp-ssl
- duphandle: also init netrc
- hostip: don't use the resolver for FQDN localhost
- http_negotiate: allow for a one byte larger channel binding buffer
- krb5: fix socket/sockindex confusion, MSVC compiler warnings
- libssh: use libssh sftp_aio to upload file
- libssh: when using IPv6 numerical address, add brackets
- mime: fix reader stall on small read lengths
- mk-ca-bundle: remove CKA_NSS_SERVER_DISTRUST_AFTER conditions
- mprintf: fix the integer overflow checks
- multi: fix callback for 'CURLMOPT_TIMERFUNCTION' not being called again when...
- netrc: address several netrc parser flaws
- netrc: support large file, longer lines, longer tokens
- nghttp2: use custom memory functions
- OpenSSL: improvde error message on expired certificate
- openssl: remove three 'Useless Assignments'
- openssl: stop using SSL_CTX_ function prefix for our functions
- pytest: add test for use of CURLMOPT_MAX_HOST_CONNECTIONS
- rtsp: check EOS in the RTSP receive and return an error code
- schannel: remove TLS 1.3 ciphersuite-list support
- setopt: fix CURLOPT_HTTP_CONTENT_DECODING
- setopt: fix missing options for builds without HTTP & MQTT
- socket: handle binding to 'host!<ip>'
- socketpair: fix enabling 'USE_EVENTFD'
- strtok: use namespaced 'strtok_r' macro instead of redefining it
Update to 8.11.0:
* Security fixes: [bsc#1232528, CVE-2024-9681]
- curl: HSTS subdomain overwrites parent cache entry
* Changes:
- curl: --create-dirs works for --dump-header as well
- gtls: Add P12 format support
- ipfs: add options to disable
- TLS: TLSv1.3 earlydata support for curl
- WebSockets: make support official (non-experimental)
* Bugfixes:
- build: clarify CA embed is for curl tool, mark default, improve summary
- build: show if CA bundle to embed was found
- build: tidy up and improve versioned-symbols options
- cmake/FindNGTCP2: use library path as hint for finding crypto module
- cmake: disable default OpenSSL if BearSSL, GnuTLS or Rustls is enabled
- cmake: rename LDAP dependency config variables to match Find modules
- cmake: replace 'check_include_file_concat()' for LDAP and GSS detection
- cmake: use OpenSSL for LDAP detection only if available
- curl: add build options for safe/no CA bundle search (Windows)
- curl: detect ECH support dynamically, not at build time
- curl_addrinfo: support operating systems with only getaddrinfo(3)
- ftp: fix 0-length last write on upload from stdin
- gnutls: use session cache for QUIC
- hsts: improve subdomain handling
- hsts: support 'implied LWS' properly around max-age
- http2: auto reset stream on server eos
- json.md: cli-option '--json' is an alias of '--data-binary'
- lib: move curl_path.[ch] into vssh/
- lib: remove function pointer typecasts for hmac/sha256/md5
- libssh.c: handle EGAINS during proto-connect correctly
- libssh2: use the filename buffer when getting the homedir
- multi.c: warn/assert on stall only without timer
- negotiate: conditional check around GSS & SSL specific code
- netrc: cache the netrc file in memory
- ngtcp2: do not loop on recv
- ngtcp2: set max window size to 10x of initial (128KB)
- openssl quic: populate x509 store before handshake
- openssl: extend the OpenSSL error messages
- openssl: improve retries on shutdown
- quic: use send/recvmmsg when available
- schannel: fix TLS cert verification by IP SAN
- schannel: ignore error on recv beyond close notify
- select: use poll() if existing, avoid poll() with no sockets
- sendf: add condition to max-filesize check
- server/mqttd: fix two memory leaks
- setopt: return error for bad input to CURLOPT_RTSP_REQUEST
- setopt_cptr: make overflow check only done when needed
- tls: avoid abusing CURLE_SSL_ENGINE_INITFAILED
- tool: support --show-headers AND --remote-header-name
- tool_operate: make --skip-existing work for --parallel
- url: connection reuse on h3 connections
- url: use same credentials on redirect
- urlapi: normalize the IPv6 address
- version: say quictls in MSH3 builds
- vquic: fix compiler warning with gcc + MUSL
- vquic: recv_mmsg, use fewer, but larger buffers
- vtls: convert Curl_pin_peer_pubkey to use dynbuf
- vtls: convert pubkey_pem_to_der to use dynbuf
Update to 8.10.1:
* Bugfixes:
- autotools: fix `--with-ca-embed` build rule
- cmake: ensure `CURL_USE_OPENSSL`/`USE_OPENSSL_QUIC` are set in sync
- cmake: fix MSH3 to appear on the feature list
- connect: store connection info when really done
- FTP: partly revert eeb7c1280742f5c8fa48a4340fc1e1a1a2c7075a
- http2: when uploading data from stdin, fix eos forwarding
- http: make max-filesize check not count ignored bodies
- lib: fix AF_INET6 use outside of USE_IPV6
- multi: check that the multi handle is valid in curl_multi_assign
- QUIC: on connect, keep on trying on draining server
- request: correctly reset the eos_sent flag
- setopt: remove superfluous use of ternary expressions
- singleuse: drop `Curl_memrchr()` for no-HTTP builds
- tool_cb_wrt: use 'curl_response' if no file name in URL
- transfer: fix sendrecv() without interim poll
- vtls: fix `Curl_ssl_conn_config_match` doc param
Update to version 8.10.0:
* Security fixes:
- [bsc#1230093, CVE-2024-8096] curl: OCSP stapling bypass with GnuTLS
* Changes:
- curl: make --rate accept 'number of units'
- curl: make --show-headers the same as --include
- curl: support --dump-header % to direct to stderr
- curl: support embedding a CA bundle and --dump-ca-embed
- curl: support repeated use of the verbose option; -vv etc
- curl: use libuv for parallel transfers with --test-event
- vtls: stop offering alpn http/1.1 for http2-prior-knowledge
* Bugfixes:
- curl: allow 500MB data URL encode strings
- curl: warn on unsupported SSL options
- Curl_rand_bytes to control env override
- curl_sha512_256: fix symbol collisions with nettle library
- dist: fix reproducible build from release tarball
- http2: fix GOAWAY message sent to server
- http2: improve rate limiting of downloads
- INSTALL.md: MultiSSL and QUIC are mutually exclusive
- lib: add eos flag to send methods
- lib: make SSPI global symbols use Curl_ prefix
- lib: prefer `CURL_SHA256_DIGEST_LENGTH` over the unprefixed name
- lib: remove the final strncpy() calls
- lib: remove use of RANDOM_FILE
- Makefile.mk: fixup enabling libidn2
- max-filesize.md: mention zero disables the limit
- mime: avoid inifite loop in client reader
- ngtcp2: use NGHTTP3 prefix instead of NGTCP2 for errors in h3 callbacks
- openssl quic: fix memory leak
- openssl: certinfo errors now fail correctly
- openssl: fix the data race when sharing an SSL session between threads
- openssl: improve shutdown handling
- POP3: fix multi-line responses
- pop3: use the protocol handler ->write_resp
- progress: ratelimit/progress tweaks
- rand: only provide weak random when needed
- sectransp: fix setting tls version
- setopt: make CURLOPT_TFTP_BLKSIZE accept bad values
- sha256: fix symbol collision between nettle (GnuTLS) and OpenSSL
- sigpipe: init the struct so that first apply ignores
- smb: convert superflous assign into assert
- smtp: add tracing feature
- spnego_gssapi: implement TLS channel bindings for openssl
- src: delete `curlx_m*printf()` aliases
- ssh: deduplicate SSH backend includes (and fix libssh cmake unity build)
- tool_operhlp: fix 'potentially uninitialized local variable 'pc' used'
- tool_paramhlp: bump maximum post data size in memory to 16GB
- transfer: skip EOS read when download done
- url: fix connection reuse for HTTP/2 upgrades
- urlapi: verify URL *decoded* hostname when set
- urldata: introduce `data->mid`, a unique identifier inside a multi
- vtls: add SSLSUPP_CIPHER_LIST
- vtls: fix static function name collisions between TLS backends
- vtls: init ssl peer only once
- websocket: introduce blocking sends
- ws: flags to opcodes should ignore CURLWS_CONT flag
- x509asn1: raise size limit for x509 certification information
The following package changes have been done:
- SL-Micro-release-6.1-slfo.1.11.11 updated
- libcurl4-8.12.1-slfo.1.1_1.1 updated
- curl-8.12.1-slfo.1.1_1.1 updated
- container:suse-toolbox-image-1.0.0-4.10 updated
More information about the sle-container-updates
mailing list