SUSE-CU-2025:3714-1: Security update of rancher/seedimage-builder
sle-container-updates at lists.suse.com
sle-container-updates at lists.suse.com
Tue May 27 07:05:55 UTC 2025
SUSE Container Update Advisory: rancher/seedimage-builder
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:3714-1
Container Tags : rancher/seedimage-builder:1.6.9 , rancher/seedimage-builder:1.6.9-8.1 , rancher/seedimage-builder:latest
Container Release : 8.1
Severity : critical
Type : security
References : 1010996 1035807 1036457 1079600 1198823 1198830 1198832 1199079
1219559 1219561 1221289 1227316 1229003 1229930 1229931 1229932
1232579 1232601 1234015 1234128 1234798 1236886 1238700 1239335
1239618 1239883 1240009 1240343 1241083 1241453 1241551 1242901
1243317 441356 867620 CVE-2013-0340 CVE-2014-2240 CVE-2014-2241
CVE-2017-8105 CVE-2017-8287 CVE-2019-15903 CVE-2022-27404 CVE-2022-27405
CVE-2022-27406 CVE-2023-52425 CVE-2023-52426 CVE-2024-28757 CVE-2024-45490
CVE-2024-45491 CVE-2024-45492 CVE-2024-50602 CVE-2024-56406 CVE-2024-8176
CVE-2025-22869 CVE-2025-22870 CVE-2025-32414 CVE-2025-32415 CVE-2025-4802
-----------------------------------------------------------------
The container rancher/seedimage-builder was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 299
Released: Wed Apr 23 16:13:01 2025
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1234015,1236886
This update for systemd fixes the following issues:
- Maintain the network device naming scheme used on SLE15 (jsc#PED-12317)
This shouldn't cause problems as predictable naming schemes are disabled on
SLMicro-6.1 (net.ifnames=0 is set on the kernel command line by default).
- allow/denylist for reading sysfs attributes when composing a NIC name (bsc#1234015)
-----------------------------------------------------------------
Advisory ID: 300
Released: Thu Apr 24 16:44:51 2025
Summary: Security update for freetype2
Type: security
Severity: important
References: 1035807,1036457,1079600,1198823,1198830,1198832,867620,CVE-2014-2240,CVE-2014-2241,CVE-2017-8105,CVE-2017-8287,CVE-2022-27404,CVE-2022-27405,CVE-2022-27406
This update for freetype2 fixes the following issues:
Update to 2.13.2:
* Some fields in the `FT_Outline` structure have been changed
from signed to unsigned type, which better reflects the actual
usage. It is also an additional means to protect against
malformed input.
* Rare double-free crashes in the cache subsystem have been fixed.
* Excessive stack allocation in the autohinter has been fixed.
* The B/W rasterizer has received a major upkeep that results in
large performance improvements. The rendering speed has
increased and even doubled for very complex glyphs.
-----------------------------------------------------------------
Advisory ID: 304
Released: Tue Apr 29 13:07:45 2025
Summary: Security update for expat
Type: security
Severity: important
References: 1219559,1219561,1221289,1229930,1229931,1229932,1232579,1232601,1239618,CVE-2013-0340,CVE-2019-15903,CVE-2023-52425,CVE-2023-52426,CVE-2024-28757,CVE-2024-45490,CVE-2024-45491,CVE-2024-45492,CVE-2024-50602,CVE-2024-8176
This update for expat fixes the following issues:
Version update to 2.7.1:
* Bug fixes:
* Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0);
affected API functions are:
- XML_GetCurrentByteCount
- XML_GetCurrentByteIndex
- XML_GetCurrentColumnNumber
- XML_GetCurrentLineNumber
- XML_GetInputContext
* Other changes:
#976 #977 Autotools: Integrate files 'fuzz/xml_lpm_fuzzer.{cpp,proto}'
with Automake that were missing from 2.7.0 release tarballs
#983 #984 Fix printf format specifiers for 32bit Emscripten
#992 docs: Promote OpenSSF Best Practices self-certification
#978 tests/benchmark: Resolve mistaken double close
#986 Address compiler warnings
#990 #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1)
to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/
for what these numbers do
Infrastructure:
#982 CI: Start running Perl XML::Parser integration tests
#987 CI: Enforce Clang Static Analyzer clean code
#991 CI: Re-enable warning clang-analyzer-valist.Uninitialized
for clang-tidy
#981 CI: Cover compilation with musl
#983 #984 CI: Cover compilation with 32bit Emscripten
#976 #977 CI: Protect against fuzzer files missing from future
release archives
Version update to 2.7.0 (CVE-2024-8176 [bsc#1239618])
* Security fixes:
* CVE-2024-8176 -- Fix crash from chaining a large number
of entities caused by stack overflow by resolving use of
recursion, for all three uses of entities:
- general entities in character data ('<e>&g1;</e>')
- general entities in attribute values ('<e k1='&g1;'/>')
- parameter entities ('%p1;')
Known impact is (reliable and easy) denial of service:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
(Base Score: 7.5, Temporal Score: 7.2)
Please note that a layer of compression around XML can
significantly reduce the minimum attack payload size.
* Other changes:
* Document changes since the previous release
* Version info bumped from 11:0:10 (libexpat*.so.1.10.0)
to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/
for what these numbers do
Version update to 2.6.4:
* Security fixes: [bsc#1232601][bsc#1232579]
* CVE-2024-50602 -- Fix crash within function XML_ResumeParser
from a NULL pointer dereference by disallowing function
XML_StopParser to (stop or) suspend an unstarted parser.
A new error code XML_ERROR_NOT_STARTED was introduced to
properly communicate this situation. // CWE-476 CWE-754
* Other changes:
* Version info bumped from 10:3:9 (libexpat*.so.1.9.3)
to 11:0:10 (libexpat*.so.1.10.0); see https://verbump.de/
for what these numbers do
Update to 2.6.3:
* Security fixes:
- CVE-2024-45490, bsc#1229930 -- Calling function XML_ParseBuffer with
len < 0 without noticing and then calling XML_GetBuffer
will have XML_ParseBuffer fail to recognize the problem
and XML_GetBuffer corrupt memory.
With the fix, XML_ParseBuffer now complains with error
XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse
has been doing since Expat 2.2.1, and now documented.
Impact is denial of service to potentially artitrary code
execution.
- CVE-2024-45491, bsc#1229931 -- Internal function dtdCopy can have an
integer overflow for nDefaultAtts on 32-bit platforms
(where UINT_MAX equals SIZE_MAX).
Impact is denial of service to potentially artitrary code
execution.
- CVE-2024-45492, bsc#1229932 -- Internal function nextScaffoldPart can
have an integer overflow for m_groupSize on 32-bit
platforms (where UINT_MAX equals SIZE_MAX).
Impact is denial of service to potentially artitrary code
execution.
* Other changes:
- Version info bumped from 10:2:9 (libexpat*.so.1.9.2)
to 10:3:9 (libexpat*.so.1.9.3); see https://verbump.de/
for what these numbers do
Update to 2.6.2:
* CVE-2024-28757 -- Prevent billion laughs attacks with isolated
use of external parsers (bsc#1221289)
* Reject direct parameter entity recursion and avoid the related
undefined behavior
Update to 2.6.1:
* Expose billion laughs API with XML_DTD defined and XML_GE
undefined, regression from 2.6.0
* Make tests independent of CPU speed, and thus more robust
Update to 2.6.0:
* Security fixes:
- CVE-2023-52425 (bsc#1219559)
Fix quadratic runtime issues with big tokens
that can cause denial of service, in partial where
dealing with compressed XML input. Applications
that parsed a document in one go -- a single call to
functions XML_Parse or XML_ParseBuffer -- were not affected.
The smaller the chunks/buffers you use for parsing
previously, the bigger the problem prior to the fix.
Backporters should be careful to no omit parts of
pull request #789 and to include earlier pull request #771,
in order to not break the fix.
- CVE-2023-52426 (bsc#1219561)
Fix billion laughs attacks for users
compiling *without* XML_DTD defined (which is not common).
Users with XML_DTD defined have been protected since
Expat >=2.4.0 (and that was CVE-2013-0340 back then).
* Bug fixes:
- Fix parse-size-dependent 'invalid token' error for
external entities that start with a byte order mark
- Fix NULL pointer dereference in setContext via
XML_ExternalEntityParserCreate for compilation with
XML_DTD undefined
- Protect against closing entities out of order
* Other changes:
- Improve support for arc4random/arc4random_buf
- Improve buffer growth in XML_GetBuffer and XML_Parse
- xmlwf: Support --help and --version
- xmlwf: Support custom buffer size for XML_GetBuffer and read
- xmlwf: Improve language and URL clickability in help output
- examples: Add new example 'element_declarations.c'
- Be stricter about macro XML_CONTEXT_BYTES at build time
- Make inclusion to expat_config.h consistent
- Autotools: configure.ac: Support --disable-maintainer-mode
- Autotools: Sync CMake templates with CMake 3.26
- Autotools: Make installation of shipped man page doc/xmlwf.1
independent of docbook2man availability
- Autotools|CMake: Add missing -DXML_STATIC to pkg-config file
section 'Cflags.private' in order to fix compilation
against static libexpat using pkg-config on Windows
- Autotools|CMake: Require a C99 compiler
(a de-facto requirement already since Expat 2.2.2 of 2017)
- Autotools|CMake: Fix PACKAGE_BUGREPORT variable
- Autotools|CMake: Make test suite require a C++11 compiler
- CMake: Require CMake >=3.5.0
- CMake: Lowercase off_t and size_t to help a bug in Meson
- CMake: Sort xmlwf sources alphabetically
- CMake|Windows: Fix generation of DLL file version info
- CMake: Build tests/benchmark/benchmark.c as well for
a build with -DEXPAT_BUILD_TESTS=ON
- docs: Document the importance of isFinal + adjust tests
accordingly
- docs: Improve use of 'NULL' and 'null'
- docs: Be specific about version of XML (XML 1.0r4)
and version of C (C99); (XML 1.0r5 will need a sponsor.)
- docs: reference.html: Promote function XML_ParseBuffer more
- docs: reference.html: Add HTML anchors to XML_* macros
- docs: reference.html: Upgrade to OK.css 1.2.0
- docs: Fix typos
- docs|CI: Use HTTPS URLs instead of HTTP at various places
- Address compiler warnings
- Address clang-tidy warnings
- Version info bumped from 9:10:8 (libexpat*.so.1.8.10)
to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/
for what these numbers do
-----------------------------------------------------------------
Advisory ID: 305
Released: Tue Apr 29 13:13:15 2025
Summary: Security update for elemental-toolkit
Type: security
Severity: important
References: 1238700,1239335,CVE-2025-22869,CVE-2025-22870
This update for elemental-toolkit fixes the following issues:
- Updated to version 2.1.3:
* Simplify podman calls in CI steup
* Switched GHA runners to Ubuntu 24.04
* Updated year in headers
* Updated to go1.23, required by the new x/crypto module
* CVE-2025-22870: Fixed proxy bypass using IPv6 zone IDs (bsc#1238700)
* CVE-2025-22869: golang.org/x/crypto/ssh: Fixed Denial of Service in the Key Exchange (bsc#1239335)
-----------------------------------------------------------------
Advisory ID: 311
Released: Wed May 7 08:55:18 2025
Summary: Recommended update for gettext-runtime
Type: recommended
Severity: moderate
References: 1227316
This update for gettext-runtime fixes the following issues:
- Fixed handling of po files with malformed header (bsc#1227316)
-----------------------------------------------------------------
Advisory ID: 324
Released: Fri May 16 11:41:30 2025
Summary: Recommended update for elemental-operator
Type: recommended
Severity: moderate
References: 1242901
This update for elemental-operator fixes the following issues:
- Fix questions.yaml default tag
- operator: update RBAC for upgrade plans (bsc#1242901)
-----------------------------------------------------------------
Advisory ID: 328
Released: Wed May 21 13:04:20 2025
Summary: Security update for glibc
Type: security
Severity: critical
References: 1234128,1239883,1243317,CVE-2025-4802
This update for glibc fixes the following issues:
- CVE-2025-4802: Fixed local root exploits when using static built setuid root applications. (elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for static) (bsc#1243317)
- pthreads NPTL: lost wakeup fix 2 (bsc#1234128, BZ #25847)
- Mark functions in libc_nonshared.a as hidden (bsc#1239883)
-----------------------------------------------------------------
Advisory ID: 329
Released: Wed May 21 13:23:02 2025
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1241453,1241551,CVE-2025-32414,CVE-2025-32415
This update for libxml2 fixes the following issues:
- CVE-2025-32414: Fixed out-of-bounds read when parsing text via the Python API (bsc#1241551)
- CVE-2025-32415: Fixed a crafted XML document may lead to a heap-based buffer under-read (bsc#1241453)
-----------------------------------------------------------------
Advisory ID: 330
Released: Wed May 21 17:37:32 2025
Summary: Security update for perl
Type: security
Severity: important
References: 1241083,CVE-2024-56406
This update for perl fixes the following issues:
- CVE-2024-56406: Fixed heap buffer overflow with tr// [bsc#1241083]
-----------------------------------------------------------------
Advisory ID: 331
Released: Wed May 21 17:40:23 2025
Summary: Security update for ca-certificates-mozilla
Type: security
Severity: moderate
References: 1010996,1199079,1229003,1234798,1240009,1240343,441356
This update for ca-certificates-mozilla fixes the following issues:
- test for a concretely missing certificate rather than
just the directory, as the latter is now also provided by
openssl-3
- Re-create java-cacerts with SOURCE_DATE_EPOCH set
for reproducible builds (bsc#1229003)
- explicit remove distrusted certs, as the distrust does not get exported
correctly and the SSL certs are still trusted. (bsc#1240343)
- Entrust.net Premium 2048 Secure Server CA
- Entrust Root Certification Authority
- AffirmTrust Commercial
- AffirmTrust Networking
- AffirmTrust Premium
- AffirmTrust Premium ECC
- Entrust Root Certification Authority - G2
- Entrust Root Certification Authority - EC1
- GlobalSign Root E46
- GLOBALTRUST 2020
- pass file argument to awk (bsc#1240009)
- update to 2.74 state of Mozilla SSL root CAs:
Removed:
* SwissSign Silver CA - G2
Added:
* D-TRUST BR Root CA 2 2023
* D-TRUST EV Root CA 2 2023
- remove extensive signature printing in comments of the cert
bundle
- Define two macros to break a build cycle with p11-kit.
- Updated to 2.72 state of Mozilla SSL root CAs (bsc#1234798)
Removed:
- SecureSign RootCA11
- Security Communication RootCA3
Added:
- TWCA CYBER Root CA
- TWCA Global Root CA G2
- SecureSign Root CA12
- SecureSign Root CA14
- SecureSign Root CA15
The following package changes have been done:
- elemental-httpfy-1.6.9-1.1 updated
- elemental-seedimage-hooks-1.6.9-1.1 updated
- glibc-2.38-9.1 updated
- libtextstyle0-0.21.1-6.1 updated
- libexpat1-2.7.1-1.1 updated
- libxml2-2-2.11.6-8.1 updated
- perl-base-5.38.2-2.1 updated
- libudev1-254.24-1.1 updated
- libsystemd0-254.24-1.1 updated
- libfreetype6-2.13.3-1.1 updated
- gettext-runtime-0.21.1-6.1 updated
- glibc-locale-base-2.38-9.1 updated
- ca-certificates-mozilla-2.74-1.1 updated
- systemd-254.24-1.1 updated
- udev-254.24-1.1 updated
- elemental-toolkit-2.1.3-1.1 updated
- container:suse-toolbox-image-1.0.0-8.7 updated
More information about the sle-container-updates
mailing list