SUSE-CU-2025:7572-1: Security update of suse/389-ds

sle-container-updates at lists.suse.com
Sat Oct 25 07:34:57 UTC 2025


SUSE Container Update Advisory: suse/389-ds
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7572-1
Container Tags        : suse/389-ds:2.5 , suse/389-ds:2.5.3 , suse/389-ds:2.5.3-64.4 , suse/389-ds:latest
Container Release     : 64.4
Severity              : important
Type                  : security
References            : 1241219 1249033 1250232 CVE-2025-3576 CVE-2025-9230 
-----------------------------------------------------------------

The container suse/389-ds was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3635-1
Released:    Fri Oct 17 16:33:06 2025
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1250232,CVE-2025-9230
This update for openssl-1_1 fixes the following issues:

- CVE-2025-9230: fixed out of bounds read and write in RFC 3211 KEK unwrap (bsc#1250232)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3692-1
Released:    Tue Oct 21 07:46:57 2025
Summary:     Recommended update for 389-ds
Type:        recommended
Severity:    important
References:  1249033
This update for 389-ds fixes the following issues:

- prevent segfault on extremely large queries (bsc#1249033).
- do not delete referrals on chain_on_update backend
- prevent stack depth being hit
- The parentId attribute is indexed with improper matching rule
- When deferred memberof update is enabled after the server crashed it should not launch memberof fixup task by default
- memberOf - ignored deferred updates with LMDB
- Compilation failure with rust-1.89 on Fedora ELN
- UI - Replace deprecated Select components with new TypeaheadSelect
- UI - Fix typeahead Select fields losing values on Enter keypress
- UI - Show error message when trying to use unavailable ports
- More UI fixes
- Revise time skew check in healthcheck tool and add option to exclude checks
- UI - update Radio handlers and LDAP entries last modified time
- dsconf monitor server fails with ldapi:// due to absent server ID
- Make user/subtree policy creation idempotent
- AddressSanitizer: leak in agmt_update_init_status
- AddressSanitizer: leak in do_search
- AddressSanitizer: memory leak in mdb_init
- Memory leak in roles_cache_create_object_from_entry part 2
- Memory leak in roles_cache_create_object_from_entry
- RFE - Allow system to manage uid/gid at startup
- Adjust xfail marks
- ns-slapd crashes when a referral is added
- CLI - Fix default error log level
- Fix disk monitoring test failures and improve test maintainability
- Mask password hashes in audit logs
- Add test for numSubordinates replication consistency with tombstones
- Add test for entryUSN overflow on failed add operations
- Crash if repl keep alive entry can not be created
- Log user that is updated during password modify extended operation
- dsconf - Replicas with the 'consumer' role allow for viewing and modification of their changelog.
- instance read-only mode is broken
- Prevent repeated disconnect logs during shutdown
- compressed log rotation creates files with world readable permission
- str2filter is not fully applying matching rules
- UI - schema attribute table expansion break after moving to a new page
- CLI, UI - Properly handle disabled NDN cache
- uiduniq: allow specifying match rules in the filter

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3699-1
Released:    Tue Oct 21 12:07:47 2025
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1241219,CVE-2025-3576
This update for krb5 fixes the following issues:

- CVE-2025-3576: weakness in the MD5 checksum design allows for spoofing of GSSAPI-protected messages that are using
  RC4-HMAC-MD5 (bsc#1241219).

Kerberos 5 is a very old protocol and supports a number of ciphers
that no longer meet current cryptographic standards.

To avoid problems with those, SUSE now disables these algorithms
by default.

The following algorithms have been removed from the valid krb5 enctypes:

- des3-cbc-sha1
- arcfour-hmac-md5

To re-enable them, use the allow options in the [libdefaults] section
of krb5.conf:

[libdefaults]
allow_des3 = true
allow_rc4 = true
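As an added check that is not part of this advisory or of SUSE's tooling: a small Python audit that parses the [libdefaults] section of a krb5.conf (a constructed sample is embedded) and reports whether the allow_des3/allow_rc4 options, or the permitted/default enctype lists, re-enable the two algorithm families removed above. The enctype alias names are MIT krb5's; the realm in the sample is a placeholder.

```python
"""Audit a krb5.conf for re-enabled weak enctypes (des3-cbc-sha1, arcfour-hmac-md5).

Constructed example for this advisory, not SUSE or MIT tooling.
Only the [libdefaults] section is inspected.
"""
import re

# MIT krb5 enctype names and aliases for the two families SUSE disables by default.
WEAK_ENCTYPES = {
    "des3": {"des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd"},
    "rc4": {"arcfour-hmac-md5", "arcfour-hmac", "rc4-hmac"},
}
# libdefaults keys whose values are enctype lists.
ENCTYPE_LISTS = ("permitted_enctypes", "default_tgs_enctypes", "default_tkt_enctypes")
# Values the krb5 profile parser treats as boolean true.
TRUE_VALUES = {"1", "t", "true", "y", "yes", "on"}


def parse_libdefaults(text):
    """Return {key: value} for the [libdefaults] section of krb5.conf text."""
    values, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # full-line comments
            continue
        if line.startswith("["):
            in_section = line.lower() == "[libdefaults]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def audit_krb5_conf(text):
    """Return findings (strings) for every way the config re-enables weak enctypes."""
    cfg = parse_libdefaults(text)
    findings = []
    for family in ("des3", "rc4"):
        if cfg.get(f"allow_{family}", "").lower() in TRUE_VALUES:
            findings.append(f"allow_{family} = true re-enables {family} enctypes")
    for key in ENCTYPE_LISTS:
        for name in re.split(r"[\s,]+", cfg.get(key, "").lower()):
            for family, aliases in WEAK_ENCTYPES.items():
                if name in aliases:
                    findings.append(f"{key} lists weak {family} enctype {name}")
    return findings


# Constructed sample: RC4 was re-enabled for an old application server.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_rc4 = true
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
"""

if __name__ == "__main__":
    for finding in audit_krb5_conf(SAMPLE_KRB5_CONF):
        print("WARNING:", finding)
```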


The following package changes have been done:

- krb5-1.20.1-150600.11.14.1 updated
- krb5-client-1.20.1-150600.11.14.1 updated
- libopenssl1_1-1.1.1w-150700.11.6.1 updated
- libsvrcore0-2.5.3~git144.95b15d57c-150700.3.6.1 updated
- python3-ldap-3.4.0-150400.3.3.1 updated
- lib389-2.5.3~git144.95b15d57c-150700.3.6.1 updated
- 389-ds-2.5.3~git144.95b15d57c-150700.3.6.1 updated
- container:registry.suse.com-bci-bci-base-15.7-231a93ad62347ed0484baa9242d06c7c7fc48241452613423a9c25e30102fb8f-0 updated

