SUSE-CU-2025:8346-1: Security update of bci/golang

sle-container-updates at lists.suse.com sle-container-updates at lists.suse.com
Sat Nov 15 08:28:24 UTC 2025 

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:8346-1
Container Tags        : bci/golang:1.25-openssl , bci/golang:1.25.1-openssl , bci/golang:1.25.1-openssl-79.3 , bci/golang:latest , bci/golang:stable-openssl , bci/golang:stable-openssl-79.3
Container Release     : 79.3
Severity              : important
Type                  : security
References            : 1040589 1236632 1236976 1236977 1236978 1236999 1237000 1237001
                        1237003 1237005 1237018 1237019 1237020 1237021 1237042 1240870
                        1241916 1243756 1243760 1246481 1246486 1247105 1247114 1247117
                        1250632 1251275 1251276 1251277 1251794 1251795 CVE-2025-0840
                        CVE-2025-11083 CVE-2025-11412 CVE-2025-11413 CVE-2025-11414 CVE-2025-1147
                        CVE-2025-1148 CVE-2025-1149 CVE-2025-11494 CVE-2025-11495 CVE-2025-1150
                        CVE-2025-1151 CVE-2025-1152 CVE-2025-1153 CVE-2025-1176 CVE-2025-1178
                        CVE-2025-1179 CVE-2025-1180 CVE-2025-1181 CVE-2025-1182 CVE-2025-3198
                        CVE-2025-5244 CVE-2025-5245 CVE-2025-7545 CVE-2025-7546 CVE-2025-8224
                        CVE-2025-8225 
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:4096-1
Released:    Fri Nov 14 09:07:37 2025
Summary:     Security update for binutils
Type:        security
Severity:    important
References:  1040589,1236632,1236976,1236977,1236978,1236999,1237000,1237001,1237003,1237005,1237018,1237019,1237020,1237021,1237042,1240870,1241916,1243756,1243760,1246481,1246486,1247105,1247114,1247117,1250632,1251275,1251276,1251277,1251794,1251795,CVE-2025-0840,CVE-2025-11083,CVE-2025-11412,CVE-2025-11413,CVE-2025-11414,CVE-2025-1147,CVE-2025-1148,CVE-2025-1149,CVE-2025-11494,CVE-2025-11495,CVE-2025-1150,CVE-2025-1151,CVE-2025-1152,CVE-2025-1153,CVE-2025-1176,CVE-2025-1178,CVE-2025-1179,CVE-2025-1180,CVE-2025-1181,CVE-2025-1182,CVE-2025-3198,CVE-2025-5244,CVE-2025-5245,CVE-2025-7545,CVE-2025-7546,CVE-2025-8224,CVE-2025-8225
This update for binutils fixes the following issues:

- Do not enable '-z gcs=implicit' on aarch64 for old codestreams.

Update to version 2.45:

  * New versioned release of libsframe.so.2
  * s390: tools now support SFrame format 2; recognize 'z17' as CPU
    name [bsc#1247105, jsc#IBM-1485]
  * sframe sections are now of ELF section type SHT_GNU_SFRAME.
  * sframe secions generated by the assembler have
    SFRAME_F_FDE_FUNC_START_PCREL set.
  * riscv: Support more extensions: standard: Zicfiss v1.0, Zicfilp v1.0,
    Zcmp v1.0, Zcmt v1.0, Smrnmi v1.0, S[sm]dbltrp v1.0, S[sm]ctr v1.0,
    ssqosid v1.0, ssnpm v1.0, smnpm v1.0, smmpm v1.0, sspm v1.0, supm v1.0,
    sha v1.0, zce v1.0, smcdeleg v1.0, ssccfg v1.0, svvptc v1.0, zilsd v1.0,
    zclsd v1.0, smrnmi v1.0;
    vendor: CORE-V, xcvbitmanip v1.0 and xcvsimd v1.0;
    SiFive, xsfvqmaccdod v1.0, xsfvqmaccqoqv1.0 and xsfvfnrclipxfqf v1.0;
    T-Head: xtheadvdot v1.0;
    MIPS: xmipscbop v1.0, xmipscmov v1.0, xmipsexectl v1.0, xmipslsp v1.0.
  * Support RISC-V privileged version 1.13, profiles 20/22/23, and
    .bfloat16 directive.
  * x86: Add support for these ISAs: Intel Diamond Rapids AMX, MOVRS,
    AVX10.2 (including SM4), MSR_IMM; Zhaoxin PadLock PHE2, RNG2, GMI, XMODX.
    Drop support for  AVX10.2 256 bit rounding.
  * arm: Add support for most of Armv9.6, enabled by -march=armv9.6-a and
    extensions '+cmpbr', '+f8f16mm', '+f8f32mm', '+fprcvt', '+lsfe', '+lsui',
    '+occmo', '+pops', '+sme2p2', '+ssve-aes', '+sve-aes', '+sve-aes2',
    '+sve-bfscale', '+sve-f16f32mm' and '+sve2p2'.
  * Predefined symbols 'GAS(version)' and, on non-release builds, 'GAS(date)'
    are now being made available.
  * Add .errif and .warnif directives.
  * linker:
    - Add --image-base=<ADDR> option to the ELF linker to behave the same
      as -Ttext-segment for compatibility with LLD.
    - Add support for mixed LTO and non-LTO codes in relocatable output.
    - s390: linker generates .eh_frame and/or .sframe for linker
      generated .plt sections by default (can be disabled
      by --no-ld-generated-unwind-info).
    - riscv: add new PLT formats, and GNU property merge rules for zicfiss
      and zicfilp extensions.
- gold is no longer included
- Contains fixes for these non-CVEs (not security bugs per upstreams SECURITY.md):

  * bsc#1236632 aka CVE-2025-0840 aka PR32650
  * bsc#1236977 aka CVE-2025-1149 aka PR32576
  * bsc#1236978 aka CVE-2025-1148 aka PR32576
  * bsc#1236999 aka CVE-2025-1176 aka PR32636
  * bsc#1237000 aka CVE-2025-1153 aka PR32603
  * bsc#1237001 aka CVE-2025-1152 aka PR32576
  * bsc#1237003 aka CVE-2025-1151 aka PR32576
  * bsc#1237005 aka CVE-2025-1150 aka PR32576
  * bsc#1237018 aka CVE-2025-1178 aka PR32638
  * bsc#1237019 aka CVE-2025-1181 aka PR32643
  * bsc#1237020 aka CVE-2025-1180 aka PR32642
  * bsc#1237021 aka CVE-2025-1179 aka PR32640
  * bsc#1237042 aka CVE-2025-1182 aka PR32644
  * bsc#1240870 aka CVE-2025-3198 aka PR32716
  * bsc#1243756 aka CVE-2025-5244 aka PR32858
  * bsc#1243760 aka CVE-2025-5245 aka PR32829
  * bsc#1246481 aka CVE-2025-7545 aka PR33049
  * bsc#1246486 aka CVE-2025-7546 aka PR33050
  * bsc#1247114 aka CVE-2025-8224 aka PR32109
  * bsc#1247117 aka CVE-2025-8225 no PR
- Add these backport patches:
  * bsc#1236976 aka CVE-2025-1147 aka PR32556
  * bsc#1250632 aka CVE-2025-11083 aka PR33457
  * bsc#1251275 aka CVE-2025-11412 aka PR33452
  * bsc#1251276 aka CVE-2025-11413 aka PR33456
  * bsc#1251277 aka CVE-2025-11414 aka PR33450
  * bsc#1251794 aka CVE-2025-11494 aka PR33499
  * bsc#1251795 aka CVE-2025-11495 aka PR33502

- Skip PGO with %want_reproducible_builds (bsc#1040589)
- Fix crash in assembler with -gdwarf-5
- aarch64-common-pagesize.patch, aarch64 no longer uses 64K page size
- Add -std=gnu17 to move gcc15 forward, as temporary measure until
  the binutils version can be updated [bsc#1241916].


The following package changes have been done:

- libctf-nobfd0-2.45-150100.7.57.1 updated
- libctf0-2.45-150100.7.57.1 updated
- binutils-2.45-150100.7.57.1 updated
- container:registry.suse.com-bci-bci-base-15.7-266903891f60344ede43d81d2d366622f7ac266afb3e57c61a5b796feacf1fa4-0 updated

More information about the sle-container-updates mailing list