SUSE-CU-2025:7618-1: Security update of suse/hpc/warewulf4-x86_64/sle-hpc-node

sle-container-updates at lists.suse.com sle-container-updates at lists.suse.com
Tue Oct 28 08:34:59 UTC 2025 

SUSE Container Update Advisory: suse/hpc/warewulf4-x86_64/sle-hpc-node
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7618-1
Container Tags        : suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6 , suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6.17.8.119 , suse/hpc/warewulf4-x86_64/sle-hpc-node:latest
Container Release     : 17.8.119
Severity              : important
Type                  : security
References            : 1241219 1249584 1251263 CVE-2025-3576 CVE-2025-59375 CVE-2025-9187
-----------------------------------------------------------------

The container suse/hpc/warewulf4-x86_64/sle-hpc-node was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3624-1
Released:    Thu Oct 16 21:59:19 2025
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1249584,CVE-2025-59375
This update for expat fixes the following issues:

- CVE-2025-59375: memory amplification vulnerability allows attackers to trigger excessive dynamic memory allocations
  by submitting crafted XML input (bsc#1249584).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3699-1
Released:    Tue Oct 21 12:07:47 2025
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1241219,CVE-2025-3576
This update for krb5 fixes the following issues:

- CVE-2025-3576: weakness in the MD5 checksum design allows for spoofing of GSSAPI-protected messages that are using
  RC4-HMAC-MD5 (bsc#1241219).

Krb5 as very old protocol supported quite a number of ciphers
that are not longer up to current cryptographic standards.

To avoid problems with those, SUSE has by default now disabled
those alorithms.

The following algorithms have been removed from valid krb5 enctypes:

- des3-cbc-sha1
- arcfour-hmac-md5

To reenable those algorithms, you can use allow options in krb5.conf:

[libdefaults]
allow_des3 = true
allow_rc4 = true

to reenable them.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3804-1
Released:    Mon Oct 27 12:35:04 2025
Summary:     Security update for mozilla-nss
Type:        security
Severity:    important
References:  1251263,CVE-2025-9187
This update for mozilla-nss fixes the following issues:

- Move NSS DB password hash away from SHA-1

Update to NSS 3.112.2:

  * Prevent leaks during pkcs12 decoding.
  * SEC_ASN1Decode* should ensure it has read as many bytes as each length field indicates

Update to NSS 3.112.1:

  * restore support for finding certificates by decoded serial number.


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3805-1
Released:    Mon Oct 27 12:36:40 2025
Summary:     Recommended udpate for container-suseconnect
Type:        recommended
Severity:    moderate
References:  

This update for container-suseconnect rebuilds it against the current go1.25 release.


The following package changes have been done:

- container-suseconnect-2.5.5-150000.4.73.1 updated
- krb5-1.20.1-150600.11.14.1 updated
- libexpat1-2.7.1-150400.3.31.1 updated
- libfreebl3-3.112.2-150400.3.60.1 updated
- libsoftokn3-3.112.2-150400.3.60.1 updated
- mozilla-nss-certs-3.112.2-150400.3.60.1 updated
- mozilla-nss-3.112.2-150400.3.60.1 updated

More information about the sle-container-updates mailing list