SUSE-IU-2025:3707-1: Security update of suse/sl-micro/6.1/baremetal-os-container

sle-container-updates at lists.suse.com
Thu Nov 20 08:15:34 UTC 2025


SUSE Image Update Advisory: suse/sl-micro/6.1/baremetal-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:3707-1
Image Tags        : suse/sl-micro/6.1/baremetal-os-container:2.2.1 , suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.31 , suse/sl-micro/6.1/baremetal-os-container:latest
Image Release     : 7.31
Severity          : important
Type              : security
References        : 1081723 1218345 1222834 1224113 1231055 1240310 1240311 1240750
                        1240752 1240754 1240756 1240757 1240997 1241162 1241164 1241214
                        1241222 1241223 1241226 1241238 1241252 1241263 1241686 1241688
                        1247519 1247520 1247522 1252425 CVE-2025-2784 CVE-2025-32050
                        CVE-2025-32051 CVE-2025-32052 CVE-2025-32053 CVE-2025-32906 CVE-2025-32907
                        CVE-2025-32908 CVE-2025-32909 CVE-2025-32910 CVE-2025-32911 CVE-2025-32912
                        CVE-2025-32913 CVE-2025-32914 CVE-2025-46420 CVE-2025-46421 CVE-2025-54349
                        CVE-2025-54350 CVE-2025-54351
-----------------------------------------------------------------

The container suse/sl-micro/6.1/baremetal-os-container was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 269
Released:    Fri Sep 19 09:54:22 2025
Summary:     Security update for iperf
Type:        security
Severity:    important
References:  1222834,1224113,1247519,1247520,1247522,CVE-2025-54349,CVE-2025-54350,CVE-2025-54351
This update for iperf fixes the following issues:

- updated to 3.19.1:
  * CVE-2025-54349: Fixed an off-by-one heap-based buffer overflow in iperf_auth.c (bsc#1247519)
  * CVE-2025-54350: Fixed a Base64Decode assertion failure in iperf_auth.c (bsc#1247520)
  * CVE-2025-54351: Fixed a buffer overflow in net.c when --skip-rx-copy is used (bsc#1247522)

- updated to 3.19
  * iperf3 now supports the use of Multi-Path TCP (MPTCPv1) on Linux
    with the use of the `-m` or `--mptcp` flag. (PR #1661)
  * iperf3 now supports a `--cntl-ka` option to enable TCP keepalives
    on the control connection. (#812, #835, PR #1423)
  * iperf3 now supports the `MSG_TRUNC` receive option, enabled with
    the `--skip-rx-copy` option. This theoretically improves the rated
    throughput of tests at high bitrates by not delivering network
    payload data to userspace. (#1678, PR #1717)
  * A bug that caused the bitrate setting to be ignored when bursts
    are set, has been fixed. (#1773, #1820, PR #1821, PR #1848)
  * The congestion control protocol setting, if used, is now
    properly reset between tests. (PR #1812)
  * iperf3 now exits with a non-error 0 exit code if exiting via a
    `SIGTERM`, `SIGHUP`, or `SIGINT`. (#1009, PR #1829)
  * The current behavior of iperf3 with respect to the `-n` and `-k`
    options is now documented as correct. (#1768, #1775, #596, PR #1800)

-----------------------------------------------------------------
Advisory ID: 339
Released:    Wed Nov 19 10:44:59 2025
Summary:     Recommended update for gpgme
Type:        recommended
Severity:    important
References:  1218345,1231055,1240310,1240311,1240997,1252425
This update for gpgme fixes the following issues:

- Treat empty DISPLAY variable as unset (bsc#1252425, bsc#1231055).
    * To avoid gpgme constructing an invalid gpg command line when
      the DISPLAY variable is empty, it is treated as unset.
    * Reported upstream: dev.gnupg.org/T7919

-----------------------------------------------------------------
Advisory ID: 340
Released:    Wed Nov 19 15:42:27 2025
Summary:     Recommended update for mozilla-nspr, mozilla-nss
Type:        recommended
Severity:    moderate
References:  1081723,1222834,1224113,1240750,1240752,1240754,1240756,1240757,1241162,1241164,1241214,1241222,1241223,1241226,1241238,1241252,1241263,1241686,1241688,CVE-2025-2784,CVE-2025-32050,CVE-2025-32051,CVE-2025-32052,CVE-2025-32053,CVE-2025-32906,CVE-2025-32907,CVE-2025-32908,CVE-2025-32909,CVE-2025-32910,CVE-2025-32911,CVE-2025-32912,CVE-2025-32913,CVE-2025-32914,CVE-2025-46420,CVE-2025-46421
This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nspr was updated to version 4.36:

    * various build, test and automation script fixes
    * major parts of the source code were reformatted

mozilla-nss:

  - Move NSS DB password hash away from SHA-1

Update to NSS 3.112.2

    * Prevent leaks during pkcs12 decoding.
    * SEC_ASN1Decode* should ensure it has read as many bytes as each length field indicates

Update to NSS 3.112.1:

    * restore support for finding certificates by decoded serial number.

Update to NSS 3.112:
     * Fix alias for mac workers on try
     * ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault
     * ABI/API break in ssl certificate processing
     * remove unnecessary assertion in sec_asn1d_init_state_based_on_template
     * update taskgraph to v14.2.1
     * Workflow for automation of the release on GitHub when pushing a tag
     * fix faulty assertions in SEC_ASN1DecoderUpdate
     * Renegotiations should use a fresh ECH GREASE buffer
     * update taskgraph to v14.1.1
     * Partial fix for ACVP build CI job
     * Initialize find in sftk_searchDatabase
     * Add clang-18 to extra builds
     * Fault tolerant git fetch for fuzzing
     * Tolerate intermittent failures in ssl_policy_pkix_ocsp
     * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set
     * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls
     * Remove Cryptofuzz CI version check

  - update to NSS 3.111
    * FIPS changes need to be upstreamed: force ems policy
    * Turn off Websites Trust Bit from CAs
    * Update nssckbi version following April 2025 Batch of Changes
    * Disable SMIME ‘trust bit’ for GoDaddy CAs
    * Replaced deprecated sprintf function with snprintf in dbtool.c
    * Need to update NSS for PKCS 3.1
    * avoid leaking localCert if it is already set in ssl3_FillInCachedSID
    * Decrease ASAN quarantine size for Cryptofuzz in CI
    * selfserv: Add support for zlib certificate compression

Update to NSS 3.110:

    * FIPS changes need to be upstreamed: force ems policy
    * Prevent excess allocations in sslBuffer_Grow
    * Remove Crl templates from ASN1 fuzz target
    * Remove CERT_CrlTemplate from ASN1 fuzz target
    * Fix memory leak in NSS_CMSMessage_IsSigned
    * NSS policy updates
    * Improve locking in nssPKIObject_GetInstances
    * Fix race in sdb_GetMetaData
    * Fix member access within null pointer
    * Increase smime fuzzer memory limit
    * Enable resumption when using custom extensions
    * change CN of server12 test certificate
    * Part 2: Add missing check in
                    NSS_CMSDigestContext_FinishSingle
    * Part 1: Fix smime UBSan errors
    * FIPS changes need to be upstreamed: updated key checks
    * Don't build libpkix in static builds
    * handle `-p all` in try syntax
    * fix opt-make builds to actually be opt
    * fix opt-static builds to actually be opt
    * Remove extraneous assert

Update to NSS 3.109:

    * Call BL_Init before RNG_RNGInit() so that special
                    SHA instructions can be used if available
    * NSS policy updates - fix inaccurate key policy issues
    * SMIME fuzz target
    * ASN1 decoder fuzz target
    * Part 2: Revert “Extract testcases from ssl gtests
                    for fuzzing”
    * Add fuzz/README.md
    * Part 4: Fix tstclnt arguments script
    * Extend pkcs7 fuzz target
    * Extend certDN fuzz target
    * revert changes to HACL* files from bug 1866841
    * Part 3: Package frida corpus script

  - update to NSS 3.108
    * libclang-16 -> libclang-19
    * Turn off Secure Email Trust Bit for Security
                    Communication ECC RootCA1
    * Turn off Secure Email Trust Bit for BJCA Global Root
                    CA1 and BJCA Global Root CA2
    * Remove SwissSign Silver CA – G2
    * Add D-Trust 2023 TLS Roots to NSS
    * fix fips test failure on windows
    * change default sensitivity of KEM keys
    * Part 1: Introduce frida hooks and script
    * add missing arm_neon.h include to gcm.c
    * ci: update windows workers to win2022
    * strip trailing carriage returns in tools tests
    * work around unix/windows path translation issues
                    in cert test script
    * ci: let the windows setup script work without $m
    * detect msys
    * add a specialized CTR_Update variant for AES-GCM
    * NSS policy updates
    * FIPS changes need to be upstreamed: FIPS 140-3 RNG
    * FIPS changes need to be upstreamed: Add SafeZero
    * FIPS changes need to be upstreamed - updated POST
    * Segmentation fault in SECITEM_Hash during pkcs12 processing
    * Extending NSS with LoadModuleFromFunction functionality
    * Ensure zero-initialization of collectArgs.cert
    * pkcs7 fuzz target use CERT_DestroyCertificate
    * Fix actual underlying ODR violations issue
    * mozilla::pkix: allow reference ID labels to begin
                    and/or end with hyphens
    * don't look for secmod.db in nssutil_ReadSecmodDB if
                    NSS_DISABLE_DBM is set
    * Fix memory leak in pkcs7 fuzz target
    * Set -O2 for ASan builds in CI
    * Change branch of tlsfuzzer dependency
    * Run tests in CI for ASan builds with detect_odr_violation=1
    * Fix coverage failure in CI
    * Add fuzzing for delegated credentials, DTLS short
                    header and Tls13BackendEch
    * Add fuzzing for SSL_EnableTls13GreaseEch and
                    SSL_SetDtls13VersionWorkaround
    * Part 3: Restructure fuzz/
    * Extract testcases from ssl gtests for fuzzing
    * Force Cryptofuzz to use NSS in CI
    * Fix Cryptofuzz on 32 bit in CI
    * Update Cryptofuzz repository link
    * fix build error from 9505f79d
    * simplify error handling in get_token_objects_for_cache
    * nss doc: fix a warning
    * pkcs12 fixes from RHEL need to be picked up

Update to NSS 3.107:

    * Remove MPI fuzz targets.
    * Remove globals `lockStatus` and `locksEverDisabled`.
    * Enable PKCS8 fuzz target.
    * Integrate Cryptofuzz in CI.
    * Part 2: Set tls server target socket options in config class
    * Part 1: Set tls client target socket options in config class
    * Support building with thread sanitizer.
    * set nssckbi version number to 2.72.
    * remove Websites Trust Bit from Entrust Root
                    Certification Authority - G4.
    * remove Security Communication RootCA3 root cert.
    * remove SecureSign RootCA11 root cert.
    * Add distrust-after for TLS to Entrust Roots.
    * update expected error code in pk12util pbmac1 tests.
    * Use random tstclnt args with handshake collection script
    * Remove extraneous assert in ssl3gthr.c.
    * Adding missing release notes for NSS_3_105.
    * Enable the disabled mlkem tests for dtls.
    * NSS gtests filter cleans up the constructed buffer
                    before the use.
    * Make ssl_SetDefaultsFromEnvironment thread-safe.
    * Remove short circuit test from ssl_Init.

Update to NSS 3.106:

    * NSS 3.106 should be distributed with NSPR 4.36.
    * pk12util: improve error handling in p12U_ReadPKCS12File.
    * Correctly destroy bulkkey in error scenario.
    * PKCS7 fuzz target, r=djackson,nss-reviewers.
    * Extract certificates with handshake collection script.
    * Specify len_control for fuzz targets.
    * Fix memory leak in dumpCertificatePEM.
    * Fix UBSan errors for SECU_PrintCertificate and
                    SECU_PrintCertificateBasicInfo.
    * add new error codes to mozilla::pkix for Firefox to use.
    * allow null phKey in NSC_DeriveKey.
    * Only create seed corpus zip from existing corpus.
    * Use explicit allowlist for KDF PRFs.
    * Increase optimization level for fuzz builds.
    * Remove incorrect assert.
    * Use libFuzzer options from fuzz/options/\*.options in CI.
    * Polish corpus collection for automation.
    * Detect new and unfuzzed SSL options.
    * PKCS12 fuzzing target.

  - requires NSPR 4.36

Update to NSS 3.105:

    * Allow importing PKCS#8 private EC keys missing public key
    * UBSAN fix: applying zero offset to null pointer in sslsnce.c
    * set KRML_MUSTINLINE=inline in makefile builds
    * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys
    * override default definition of KRML_MUSTINLINE
    * libssl support for mlkem768x25519
    * support for ML-KEM-768 in softoken and pk11wrap
    * Add Libcrux implementation of ML-KEM 768 to FreeBL
    * Avoid misuse of ctype(3) functions
    * part 2: run clang-format
    * part 1: upgrade to clang-format 13
    * clang-format fuzz
    * DTLS client message buffer may not be empty on retransmit
    * Optionally print config for TLS client and server
                    fuzz target
    * Fix some simple documentation issues in NSS.
    * improve performance of NSC_FindObjectsInit when
                    template has CKA_TOKEN attr
    * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN


Update to NSS 3.104:

    * Copy original corpus to heap-allocated buffer
    * Fix min ssl version for DTLS client fuzzer
    * Remove OS2 support just like we did on NSPR
    * clang-format NSS improvements
    * Adding basicutil.h to use HexString2SECItem function
    * removing dirent.c from build
    * Allow handing in keymaterial to shlibsign to make
                    the output reproducible
    * remove nec4.3, sunos4, riscos and SNI references
    * remove other old OS (BSDI, old HP UX, NCR,
                    openunix, sco, unixware or reliantUnix)
    * remove mentions of WIN95
    * remove mentions of WIN16
    * More explicit directory naming
    * Add more options to TLS server fuzz target
    * Add more options to TLS client fuzz target
    * Use OSS-Fuzz corpus in NSS CI
    * set nssckbi version number to 2.70.
    * Remove Email Trust bit from ACCVRAIZ1 root cert.
    * Remove Email Trust bit from certSIGN ROOT CA.
    * Add Cybertrust Japan Roots to NSS.
    * Add Taiwan CA Roots to NSS.
    * remove search by decoded serial in
                    nssToken_FindCertificateByIssuerAndSerialNumber
    * Fix tstclnt CI build failure
    * vfyserv: ensure peer cert chain is in db for
                    CERT_VerifyCertificateNow
    * Enable all supported protocol versions for UDP
    * Actually use random PSK hash type
    * Initialize NSS DB once
    * Additional ECH cipher suites and PSK hash types
    * Automate corpus file generation for TLS client Fuzzer
    * Fix crash with UNSAFE_FUZZER_MODE
    * clang-format shlibsign.c

Update to NSS 3.103:

    * move list size check after lock acquisition in sftk_PutObjectToList.
    * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH,
    * Adjust libFuzzer size limits
    * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm,
                    SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk
    * Add fuzzing support for SSL_ENABLE_GREASE and
                    SSL_ENABLE_CH_EXTENSION_PERMUTATION
  - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).

Update to NSS 3.102.1:

    * ChaChaXor to return after the function

Update to NSS 3.102:

    * Add Valgrind annotations to freebl Chacha20-Poly1305.
    * missing sqlite header.
    * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
    * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling.
    * correct length of raw SPKI data before printing in pp utility.

  - Make NSS-build reproducible by using a static key from openssl (bsc#1081723)

  - FIPS: exclude the SHA-1 hash from SLI approval.
  - FIPS: do not pass in bad targetKeyLength parameters when checking
    for FIPS approval after keygen. This was causing false rejections.
  - FIPS: approve RSA signature verification mechanisms with PKCS padding and
    legacy moduli (bsc#1222834).
  - FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).



The following package changes have been done:

- SL-Micro-release-6.1-slfo.1.11.68 updated
- libfreebl3-3.112.2-slfo.1.1_1.1 updated
- mozilla-nspr-4.36-slfo.1.1_1.1 updated
- mozilla-nss-certs-3.112.2-slfo.1.1_1.1 updated
- mozilla-nss-3.112.2-slfo.1.1_1.1 updated
- libsoftokn3-3.112.2-slfo.1.1_1.1 updated
- libgpgme11-1.23.0-slfo.1.1_2.1 updated
- container:SL-Micro-base-container-2.2.1-5.52 updated
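
A practitioner receiving this advisory usually wants to confirm that a deployed image really carries the package versions listed above, rather than trusting the `latest` tag. The Python script below is an added example and is not part of the advisory or of any SUSE tooling. It re-implements rpm's version ordering (the rpmvercmp algorithm, including the `~` pre-release and `^` snapshot rules) so it runs without rpm on the host, parses the package list from this advisory, and reports each package as ok, outdated or missing against `rpm -qa` output. The embedded `rpm -qa` sample is constructed for the example; for a live check, pipe in the output of `podman run --rm "$IMAGE" rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'`, where `$IMAGE` is assumed to be the advisory image (for example the `2.2.1-7.31` tag) pulled from your registry. Epoch is ignored because the advisory lists none; for an authoritative comparison use `rpmdev-vercmp` from rpmdevtools.

```python
# Added example (not SUSE code): does an image carry at least the advisory's package versions?
import sys

ADVISORY_PACKAGE_CHANGES = """\
- SL-Micro-release-6.1-slfo.1.11.68 updated
- libfreebl3-3.112.2-slfo.1.1_1.1 updated
- mozilla-nspr-4.36-slfo.1.1_1.1 updated
- mozilla-nss-certs-3.112.2-slfo.1.1_1.1 updated
- mozilla-nss-3.112.2-slfo.1.1_1.1 updated
- libsoftokn3-3.112.2-slfo.1.1_1.1 updated
- libgpgme11-1.23.0-slfo.1.1_2.1 updated
- container:SL-Micro-base-container-2.2.1-5.52 updated
"""  # copied from the advisory's "package changes" section

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'` from a
# hypothetical stale image: mozilla-nss one version behind, libgpgme11 absent.
SAMPLE_RPM_QA = """\
SL-Micro-release 6.1 slfo.1.11.68
libfreebl3 3.112.2 slfo.1.1_1.1
mozilla-nspr 4.36 slfo.1.1_1.1
mozilla-nss-certs 3.112.2 slfo.1.1_1.1
mozilla-nss 3.112.1 slfo.1.1_1.1
libsoftokn3 3.112.2 slfo.1.1_1.1
"""

def rpmvercmp(a, b):
    """rpm's version ordering: -1 if a < b, 0 if equal, 1 if a > b. Digit runs compare
    numerically, letter runs lexically, numeric beats alphabetic, '~' < '' < '^'."""
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        while i < la and not (a[i].isalnum() or a[i] in "~^"):  # skip separators
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ta, tb = i < la and a[i] == "~", j < lb and b[j] == "~"
        if ta != tb:
            return 1 if tb else -1  # the side carrying '~' is the older one
        ca, cb = i < la and a[i] == "^", j < lb and b[j] == "^"
        if ca != cb:  # '^' beats end-of-string but loses to any other segment
            return (-1 if i >= la else 1) if cb else (1 if j >= lb else -1)
        if ta or ca:
            i, j = i + 1, j + 1
            continue
        if i >= la or j >= lb:
            break
        isnum = a[i].isdigit()
        pred = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while i < la and pred(a[i]):
            i += 1
        while j < lb and pred(b[j]):
            j += 1
        sa, sb = a[si:i], b[sj:j]
        if not sb:  # segment types differ: the numeric side is newer
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1  # whichever side still has characters wins

def parse_advisory(text):
    """name -> (version, release) from the advisory's '- NAME-VER-REL updated' lines."""
    req = {}
    for line in text.splitlines():
        if line.startswith("- ") and line.endswith(" updated"):
            nevr = line[2:-len(" updated")]
            if not nevr.startswith("container:"):  # base-image reference, not an RPM
                name, ver, rel = nevr.rsplit("-", 2)  # package names may contain '-'
                req[name] = (ver, rel)
    return req

def parse_rpm_qa(text):
    """name -> (version, release) from 'NAME VERSION RELEASE' lines (rpm -qa output)."""
    return {p[0]: (p[1], p[2]) for p in map(str.split, text.splitlines()) if len(p) == 3}

def check_image(advisory_text, rpm_qa_text):
    """{name: 'ok' | 'outdated' | 'missing'} per advisory package (epoch ignored: none listed)."""
    installed = parse_rpm_qa(rpm_qa_text)
    status = {}
    for name, (ver, rel) in parse_advisory(advisory_text).items():
        have = installed.get(name)
        if have is None:
            status[name] = "missing"
        else:  # version decides first, then release, as rpm itself orders them
            newer_or_equal = (rpmvercmp(have[0], ver) or rpmvercmp(have[1], rel)) >= 0
            status[name] = "ok" if newer_or_equal else "outdated"
    return status

if __name__ == "__main__":  # pipe real `rpm -qa` output in; without a pipe the sample is used
    qa = SAMPLE_RPM_QA if sys.stdin.isatty() else sys.stdin.read()
    for name, state in sorted(check_image(ADVISORY_PACKAGE_CHANGES, qa).items()):
        print(f"{state:8s} {name}")
```

Checking the package versions the image ships is a stronger signal than the tag alone: `latest` moves, while the `2.2.1-7.31` tag pins image release 7.31, which is what this advisory describes.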

