SUSE-IU-2025:3709-1: Security update of suse/sl-micro/6.1/kvm-os-container
sle-container-updates at lists.suse.com
sle-container-updates at lists.suse.com
Thu Nov 20 08:17:24 UTC 2025
SUSE Image Update Advisory: suse/sl-micro/6.1/kvm-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:3709-1
Image Tags : suse/sl-micro/6.1/kvm-os-container:2.2.1 , suse/sl-micro/6.1/kvm-os-container:2.2.1-5.55 , suse/sl-micro/6.1/kvm-os-container:latest
Image Release : 5.55
Severity : important
Type : security
References : 1081723 1222834 1222834 1224113 1224113 1240750 1240752 1240754
1240756 1240757 1241162 1241164 1241214 1241222 1241223 1241226
1241238 1241252 1241263 1241686 1241688 1247519 1247520 1247522
CVE-2025-2784 CVE-2025-32050 CVE-2025-32051 CVE-2025-32052 CVE-2025-32053
CVE-2025-32906 CVE-2025-32907 CVE-2025-32908 CVE-2025-32909 CVE-2025-32910
CVE-2025-32911 CVE-2025-32912 CVE-2025-32913 CVE-2025-32914 CVE-2025-46420
CVE-2025-46421 CVE-2025-54349 CVE-2025-54350 CVE-2025-54351
-----------------------------------------------------------------
The container suse/sl-micro/6.1/kvm-os-container was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 269
Released: Fri Sep 19 09:54:22 2025
Summary: Security update for iperf
Type: security
Severity: important
References: 1222834,1224113,1247519,1247520,1247522,CVE-2025-54349,CVE-2025-54350,CVE-2025-54351
This update for iperf fixes the following issues:
- updated to 3.19.1:
* CVE-2025-54349: Fixed off-by-one error heap based buffer overflow in iperf_auth.c (bsc#1247519)
* CVE-2025-54350: Fixed Base64Decode assertion failure in iperf_auth.c (bsc#1247520)
* CVE-2025-54351: Fixed buffer overflow when --skip-rx-copy is used in net.c (bsc#1247522)
- updated to 3.19
* iperf3 now supports the use of Multi-Path TCP (MPTCPv1) on Linux
with the use of the `-m` or `--mptcp` flag. (PR #1661)
* iperf3 now supports a `--cntl-ka` option to enable TCP keepalives
on the control connection. (#812, #835, PR #1423)
* iperf3 now supports the `MSG_TRUNC` receive option, specified by
the `--skip-rx-copy`. This theoretically improves the rated
throughput of tests at high bitrates by not delivering network
payload data to userspace. (#1678, PR #1717)
* A bug that caused the bitrate setting to be ignored when bursts
are set, has been fixed. (#1773, #1820, PR #1821, PR #1848)
* The congestion control protocol setting, if used, is now
properly reset between tests. (PR #1812)
* iperf3 now exits with a non-error 0 exit code if exiting via a
`SIGTERM`, `SIGHUP`, or `SIGINT`. (#1009, PR# 1829)
* The current behavior of iperf3 with respect to the `-n` and `-k`
options is now documented as correct. (#1768, #1775, #596, PR #1800)
-----------------------------------------------------------------
Advisory ID: 340
Released: Wed Nov 19 15:42:27 2025
Summary: Recommended update for mozilla-nspr, mozilla-nss
Type: recommended
Severity: moderate
References: 1081723,1222834,1224113,1240750,1240752,1240754,1240756,1240757,1241162,1241164,1241214,1241222,1241223,1241226,1241238,1241252,1241263,1241686,1241688,CVE-2025-2784,CVE-2025-32050,CVE-2025-32051,CVE-2025-32052,CVE-2025-32053,CVE-2025-32906,CVE-2025-32907,CVE-2025-32908,CVE-2025-32909,CVE-2025-32910,CVE-2025-32911,CVE-2025-32912,CVE-2025-32913,CVE-2025-32914,CVE-2025-46420,CVE-2025-46421
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nspr was updated to version 4.36:
* various build, test and automation script fixes
* major parts of the source code were reformatted
mozilla-nss:
- Move NSS DB password hash away from SHA-1
Update to NSS 3.112.2
* Prevent leaks during pkcs12 decoding.
* SEC_ASN1Decode* should ensure it has read as many bytes as each length field indicates
Update to NSS 3.112.1:
* restore support for finding certificates by decoded serial number.
Update to NSS 3.112:
* Fix alias for mac workers on try
* ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault
* ABI/API break in ssl certificate processing
* remove unnecessary assertion in sec_asn1d_init_state_based_on_template
* update taskgraph to v14.2.1
* Workflow for automation of the release on GitHub when pushing a tag
* fix faulty assertions in SEC_ASN1DecoderUpdate
* Renegotiations should use a fresh ECH GREASE buffer
* update taskgraph to v14.1.1
* Partial fix for ACVP build CI job
* Initialize find in sftk_searchDatabase
* Add clang-18 to extra builds
* Fault tolerant git fetch for fuzzing
* Tolerate intermittent failures in ssl_policy_pkix_ocsp
* fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set
* fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls
* Remove Cryptofuzz CI version check
- update to NSS 3.111
* FIPS changes need to be upstreamed: force ems policy
* Turn off Websites Trust Bit from CAs
* Update nssckbi version following April 2025 Batch of Changes
* Disable SMIME ‘trust bit’ for GoDaddy CAs
* Replaced deprecated sprintf function with snprintf in dbtool.c
* Need up update NSS for PKCS 3.1
* avoid leaking localCert if it is already set in ssl3_FillInCachedSID
* Decrease ASAN quarantine size for Cryptofuzz in CI
* selfserv: Add support for zlib certificate compression
Update to NSS 3.110:
* FIPS changes need to be upstreamed: force ems policy
* Prevent excess allocations in sslBuffer_Grow
* Remove Crl templates from ASN1 fuzz target
* Remove CERT_CrlTemplate from ASN1 fuzz target
* Fix memory leak in NSS_CMSMessage_IsSigned
* NSS policy updates
* Improve locking in nssPKIObject_GetInstances
* Fix race in sdb_GetMetaData
* Fix member access within null pointer
* Increase smime fuzzer memory limit
* Enable resumption when using custom extensions
* change CN of server12 test certificate
* Part 2: Add missing check in
NSS_CMSDigestContext_FinishSingle
* Part 1: Fix smime UBSan errors
* FIPS changes need to be upstreamed: updated key checks
* Don't build libpkix in static builds
* handle `-p all` in try syntax
* fix opt-make builds to actually be opt
* fix opt-static builds to actually be opt
* Remove extraneous assert
Update to NSS 3.109:
* Call BL_Init before RNG_RNGInit() so that special
SHA instructions can be used if available
* NSS policy updates - fix inaccurate key policy issues
* SMIME fuzz target
* ASN1 decoder fuzz target
* Part 2: Revert “Extract testcases from ssl gtests
for fuzzingâ€
* Add fuzz/README.md
* Part 4: Fix tstclnt arguments script
* Extend pkcs7 fuzz target
* Extend certDN fuzz target
* revert changes to HACL* files from bug 1866841
* Part 3: Package frida corpus script
- update to NSS 3.108
* libclang-16 -> libclang-19
* Turn off Secure Email Trust Bit for Security
Communication ECC RootCA1
* Turn off Secure Email Trust Bit for BJCA Global Root
CA1 and BJCA Global Root CA2
* Remove SwissSign Silver CA – G2
* Add D-Trust 2023 TLS Roots to NSS
* fix fips test failure on windows
* change default sensitivity of KEM keys
* Part 1: Introduce frida hooks and script
* add missing arm_neon.h include to gcm.c
* ci: update windows workers to win2022
* strip trailing carriage returns in tools tests
* work around unix/windows path translation issues
in cert test script
* ci: let the windows setup script work without $m
* detect msys
* add a specialized CTR_Update variant for AES-GCM
* NSS policy updates
* FIPS changes need to be upstreamed: FIPS 140-3 RNG
* FIPS changes need to be upstreamed: Add SafeZero
* FIPS changes need to be upstreamed - updated POST
* Segmentation fault in SECITEM_Hash during pkcs12 processing
* Extending NSS with LoadModuleFromFunction functionality
* Ensure zero-initialization of collectArgs.cert
* pkcs7 fuzz target use CERT_DestroyCertificate
* Fix actual underlying ODR violations issue
* mozilla::pkix: allow reference ID labels to begin
and/or end with hyphens
* don't look for secmod.db in nssutil_ReadSecmodDB if
NSS_DISABLE_DBM is set
* Fix memory leak in pkcs7 fuzz target
* Set -O2 for ASan builds in CI
* Change branch of tlsfuzzer dependency
* Run tests in CI for ASan builds with detect_odr_violation=1
* Fix coverage failure in CI
* Add fuzzing for delegated credentials, DTLS short
header and Tls13BackendEch
* Add fuzzing for SSL_EnableTls13GreaseEch and
SSL_SetDtls13VersionWorkaround
* Part 3: Restructure fuzz/
* Extract testcases from ssl gtests for fuzzing
* Force Cryptofuzz to use NSS in CI
* Fix Cryptofuzz on 32 bit in CI
* Update Cryptofuzz repository link
* fix build error from 9505f79d
* simplify error handling in get_token_objects_for_cache
* nss doc: fix a warning
* pkcs12 fixes from RHEL need to be picked up
Update to NSS 3.107:
* Remove MPI fuzz targets.
* Remove globals `lockStatus` and `locksEverDisabled`.
* Enable PKCS8 fuzz target.
* Integrate Cryptofuzz in CI.
* Part 2: Set tls server target socket options in config class
* Part 1: Set tls client target socket options in config class
* Support building with thread sanitizer.
* set nssckbi version number to 2.72.
* remove Websites Trust Bit from Entrust Root
Certification Authority - G4.
* remove Security Communication RootCA3 root cert.
* remove SecureSign RootCA11 root cert.
* Add distrust-after for TLS to Entrust Roots.
* update expected error code in pk12util pbmac1 tests.
* Use random tstclnt args with handshake collection script
* Remove extraneous assert in ssl3gthr.c.
* Adding missing release notes for NSS_3_105.
* Enable the disabled mlkem tests for dtls.
* NSS gtests filter cleans up the constucted buffer
before the use.
* Make ssl_SetDefaultsFromEnvironment thread-safe.
* Remove short circuit test from ssl_Init.
Update to NSS 3.106:
* NSS 3.106 should be distributed with NSPR 4.36.
* pk12util: improve error handling in p12U_ReadPKCS12File.
* Correctly destroy bulkkey in error scenario.
* PKCS7 fuzz target, r=djackson,nss-reviewers.
* Extract certificates with handshake collection script.
* Specify len_control for fuzz targets.
* Fix memory leak in dumpCertificatePEM.
* Fix UBSan errors for SECU_PrintCertificate and
SECU_PrintCertificateBasicInfo.
* add new error codes to mozilla::pkix for Firefox to use.
* allow null phKey in NSC_DeriveKey.
* Only create seed corpus zip from existing corpus.
* Use explicit allowlist for for KDF PRFS.
* Increase optimization level for fuzz builds.
* Remove incorrect assert.
* Use libFuzzer options from fuzz/options/\*.options in CI.
* Polish corpus collection for automation.
* Detect new and unfuzzed SSL options.
* PKCS12 fuzzing target.
- requires NSPR 4.36
Update to NSS 3.105:
* Allow importing PKCS#8 private EC keys missing public key
* UBSAN fix: applying zero offset to null pointer in sslsnce.c
* set KRML_MUSTINLINE=inline in makefile builds
* Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys
* override default definition of KRML_MUSTINLINE
* libssl support for mlkem768x25519
* support for ML-KEM-768 in softoken and pk11wrap
* Add Libcrux implementation of ML-KEM 768 to FreeBL
* Avoid misuse of ctype(3) functions
* part 2: run clang-format
* part 1: upgrade to clang-format 13
* clang-format fuzz
* DTLS client message buffer may not empty be on retransmit
* Optionally print config for TLS client and server
fuzz target
* Fix some simple documentation issues in NSS.
* improve performance of NSC_FindObjectsInit when
template has CKA_TOKEN attr
* define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN
Update to NSS 3.104:
* Copy original corpus to heap-allocated buffer
* Fix min ssl version for DTLS client fuzzer
* Remove OS2 support just like we did on NSPR
* clang-format NSS improvements
* Adding basicutil.h to use HexString2SECItem function
* removing dirent.c from build
* Allow handing in keymaterial to shlibsign to make
the output reproducible
* remove nec4.3, sunos4, riscos and SNI references
* remove other old OS (BSDI, old HP UX, NCR,
openunix, sco, unixware or reliantUnix
* remove mentions of WIN95
* remove mentions of WIN16
* More explicit directory naming
* Add more options to TLS server fuzz target
* Add more options to TLS client fuzz target
* Use OSS-Fuzz corpus in NSS CI
* set nssckbi version number to 2.70.
* Remove Email Trust bit from ACCVRAIZ1 root cert.
* Remove Email Trust bit from certSIGN ROOT CA.
* Add Cybertrust Japan Roots to NSS.
* Add Taiwan CA Roots to NSS.
* remove search by decoded serial in
nssToken_FindCertificateByIssuerAndSerialNumber
* Fix tstclnt CI build failure
* vfyserv: ensure peer cert chain is in db for
CERT_VerifyCertificateNow
* Enable all supported protocol versions for UDP
* Actually use random PSK hash type
* Initialize NSS DB once
* Additional ECH cipher suites and PSK hash types
* Automate corpus file generation for TLS client Fuzzer
* Fix crash with UNSAFE_FUZZER_MODE
* clang-format shlibsign.c
Update to NSS 3.103:
* move list size check after lock acquisition in sftk_PutObjectToList.
* Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH,
* Adjust libFuzzer size limits
* Add fuzzing support for SSL_SetCertificateCompressionAlgorithm,
SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk
* Add fuzzing support for SSL_ENABLE_GREASE and
SSL_ENABLE_CH_EXTENSION_PERMUTATION
- FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).
Update to NSS 3.102.1:
* ChaChaXor to return after the function
Update to NSS 3.102:
* Add Valgrind annotations to freebl Chacha20-Poly1305.
* missing sqlite header.
* GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
* improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling.
* correct length of raw SPKI data before printing in pp utility.
- Make NSS-build reproducible by using a static key from openssl (bsc#1081723)
- FIPS: exclude the SHA-1 hash from SLI approval.
- FIPS: do not pass in bad targetKeyLength parameters when checking
for FIPS approval after keygen. This was causing false rejections.
- FIPS: approve RSA signature verification mechanisms with PKCS padding and
legacy moduli (bsc#1222834).
- FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).
The following package changes have been done:
- SL-Micro-release-6.1-slfo.1.11.68 updated
- libfreebl3-3.112.2-slfo.1.1_1.1 updated
- mozilla-nspr-4.36-slfo.1.1_1.1 updated
- mozilla-nss-certs-3.112.2-slfo.1.1_1.1 updated
- mozilla-nss-3.112.2-slfo.1.1_1.1 updated
- libsoftokn3-3.112.2-slfo.1.1_1.1 updated
- container:SL-Micro-base-container-2.2.1-5.52 updated
More information about the sle-container-updates
mailing list