SUSE-CU-2025:7773-1: Security update of suse/manager/5.0/x86_64/proxy-httpd
sle-container-updates at lists.suse.com
Thu Oct 30 14:05:21 UTC 2025
SUSE Container Update Advisory: suse/manager/5.0/x86_64/proxy-httpd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7773-1
Container Tags : suse/manager/5.0/x86_64/proxy-httpd:5.0.5.1 , suse/manager/5.0/x86_64/proxy-httpd:5.0.5.1.7.26.2 , suse/manager/5.0/x86_64/proxy-httpd:latest
Container Release : 7.26.2
Severity : important
Type : security
References : 1218459 1221107 1227577 1228260 1229655 1230262 1230267 1230267
1231150 1231157 1232234 1232526 1233012 1233012 1233012 1233012
1233012 1236589 1236931 1237442 1238491 1239012 1239119 1239543
1239566 1239817 1239938 1240058 1240132 1240788 1241219 1241463
1241549 1243226 1243273 1243279 1243397 1243457 1243486 1243706
1243767 1243887 1243901 1243933 1243991 1244032 1244042 1244050
1244056 1244059 1244060 1244061 1244079 1244105 1244401 1244509
1244553 1244705 1244710 1245220 1245220 1245309 1245310 1245311
1245314 1245452 1245496 1245573 1245672 1245936 1245985 1246038
1246149 1246169 1246197 1246197 1246221 1246277 1246296 1246302
1246303 1246305 1246306 1246307 1246421 1246439 1246466 1246477
1246570 1246597 1246697 1246835 1246912 1246965 1246974 1247054
1247144 1247148 1247249 1247690 1248085 1248252 1249191 1249191
1249348 1249348 1249367 1249367 1249375 1249584 1250232 1250232
1250343 1250911 831629 CVE-2016-9840 CVE-2024-10041 CVE-2024-12718
CVE-2024-2236 CVE-2024-42516 CVE-2024-43204 CVE-2024-47252 CVE-2024-6874
CVE-2025-0665 CVE-2025-10148 CVE-2025-10148 CVE-2025-23048 CVE-2025-30258
CVE-2025-3576 CVE-2025-40909 CVE-2025-4138 CVE-2025-4330 CVE-2025-4435
CVE-2025-4516 CVE-2025-4517 CVE-2025-4877 CVE-2025-4878 CVE-2025-4947
CVE-2025-49630 CVE-2025-49812 CVE-2025-5025 CVE-2025-5278 CVE-2025-53020
CVE-2025-5318 CVE-2025-53192 CVE-2025-5372 CVE-2025-53880 CVE-2025-53883
CVE-2025-5399 CVE-2025-59375 CVE-2025-6018 CVE-2025-6020 CVE-2025-6069
CVE-2025-6297 CVE-2025-6965 CVE-2025-7425 CVE-2025-8058 CVE-2025-8114
CVE-2025-8194 CVE-2025-8277 CVE-2025-9086 CVE-2025-9086 CVE-2025-9230
CVE-2025-9230
-----------------------------------------------------------------
The container suse/manager/5.0/x86_64/proxy-httpd was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2007-1
Released: Wed Jun 18 16:03:17 2025
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1239012,1239543,1240132,1241463,1243887,1243901,1244105
This update for libzypp, zypper fixes the following issues:
- Fix credential handling in HEAD requests (bsc#1244105)
- RepoInfo: use pathNameSetTrailingSlash
- Fix wrong userdata parameter type when running zypp with debug
verbosity (bsc#1239012)
- Do not warn about no mirrors if mirrorlist was switched on
automatically. (bsc#1243901)
- Relax permission of cached packages to 0644 & ~umask
(bsc#1243887)
- Add a note to service maintained .repo file entries
- Support using %{url} variable in a RIS service's repo section.
- Use a cookie file to validate mirrorlist cache.
This patch extends the mirrorlist code to use a cookie file to
validate the contents of the cache against the source URL, making
sure that we do not accidentally use an old cache when the
mirrorlist URL was changed, for example when migrating a system
from one release to the next where the same repo alias might just
have a different URL.
- Let Service define and update gpgkey, mirrorlist and metalink.
- Preserve a mirrorlist file in the raw cache during refresh.
- Enable curl2 backend and parallel package download by
default.
Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1>
can be used to turn the features on or off.
- Make gpgKeyUrl the default source for gpg keys.
When refreshing, zypp now primarily uses the gpgKeyUrl information
from the repo files and only falls back to an automatically
generated key URL if no gpgKeyUrl was specified.
- Introduce mirrors into the Media backends (bsc#1240132)
- Drop MediaMultiCurl backend.
- Throttle progress updates when preloading packages (bsc#1239543)
- Check if request is in valid state in CURL callbacks
- spec/CMake: add conditional build
'--with[out] classic_rpmtrans_as_default'.
classic_rpmtrans is the current builtin default for SUSE,
otherwise it's single_rpmtrans.
The `enable_preview_single_rpmtrans_as_default_for_zypper` switch
was removed from the spec file. Accordingly the CMake option
ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed.
- BuildRequires: libzypp-devel >= 17.37.0.
- Use libzypp improvements for preload and mirror handling.
- xmlout.rnc: Update repo-element (bsc#1241463)
Add the 'metalink' attribute and reflect that the 'url' elements
list may in fact be empty, if no baseurls are defined in the
.repo files.
- man: update --allow-unsigned-rpm description.
Explain how to achieve the same for packages provided by
repositories.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2013-1
Released: Wed Jun 18 20:05:07 2025
Summary: Security update for pam
Type: security
Severity: important
References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020
This update for pam fixes the following issues:
- CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226).
- CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2027-1
Released: Thu Jun 19 17:15:41 2025
Summary: Security update for perl
Type: security
Severity: moderate
References: 1244079,CVE-2025-40909
This update for perl fixes the following issues:
- CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2229-1
Released: Fri Jul 4 18:02:30 2025
Summary: Security update for libssh
Type: security
Severity: important
References: 1245309,1245310,1245311,1245314,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5372
This update for libssh fixes the following issues:
- CVE-2025-5318: Fixed likely read beyond bounds in sftp server handle management (bsc#1245311).
- CVE-2025-4877: Fixed write beyond bounds in binary to base64 conversion functions (bsc#1245309).
- CVE-2025-4878: Fixed use of uninitialized variable in privatekey_from_file() (bsc#1245310).
- CVE-2025-5372: Fixed cases where ssh_kdf() returns a success code on certain failures (bsc#1245314).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2237-1
Released: Mon Jul 7 14:59:13 2025
Summary: Recommended update for openssl-3
Type: recommended
Severity: moderate
References:
This update for openssl-3 fixes the following issues:
- Backport mdless cms signing support [jsc#PED-12895]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2259-1
Released: Wed Jul 9 17:18:02 2025
Summary: Recommended update for gpg2
Type: security
Severity: low
References: 1236931,1239119,1239817,CVE-2025-30258
This update for gpg2 fixes the following issues:
- CVE-2025-30258: Fixed DoS due to a malicious subkey in the keyring (bsc#1239119).
Other bugfixes:
- Do not install expired sks certificate (bsc#1243069).
- gpg hangs when importing a key (bsc#1236931).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2301-1
Released: Mon Jul 14 11:48:57 2025
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1229655
This update for cyrus-sasl fixes the following issues:
- Add Channel Binding support for GSSAPI/GSS-SPNEGO (bsc#1229655, jsc#PED-12097)
- Add support for setting max ssf 0 to GSS-SPNEGO (bsc#1229655, jsc#PED-12097).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2362-1
Released: Fri Jul 18 11:07:24 2025
Summary: Security update for coreutils
Type: security
Severity: moderate
References: 1243767,CVE-2025-5278
This update for coreutils fixes the following issues:
- CVE-2025-5278: Fixed a heap buffer under-read that may lead to a crash or leak sensitive data (bsc#1243767)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2447-1
Released: Mon Jul 21 16:45:25 2025
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1221107,CVE-2024-2236
This update for libgcrypt fixes the following issues:
- CVE-2024-2236: Fixed timing based side-channel in RSA implementation. (bsc#1221107)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2543-1
Released: Tue Jul 29 11:09:01 2025
Summary: Recommended update for python-PyYAML, python-bcrypt, python-gssapi, python-pyparsing, python-python-dateutil, python-pytz, python-requests, python-setuptools_scm, python-simplejson, python-urllib3
Type: recommended
Severity: moderate
References: 1233012
This update for python-PyYAML, python-bcrypt, python-gssapi, python-pyparsing, python-python-dateutil, python-pytz, python-requests, python-setuptools_scm, python-simplejson, python-urllib3 fixes the following issues:
- Add python36 provides/obsoletes to enable SLE-12 to SLE-15 migration (bsc#1233012)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2558-1
Released: Wed Jul 30 22:14:27 2025
Summary: Recommended update for libsolv
Type: recommended
Severity: moderate
References: 1230267,1243279,1243457,1243486,1244042,1244710,1245220,1245452,1245496,1245672
This update for libsolv fixes the following issues:
- Allow easy migration from SLE Micro 5.5 + SUMA to SL Micro 6.1+MLM
(bsc#1243457).
- implement color filtering when adding update targets.
- support orderwithrequires dependencies in susedata.xml.
- Fix SEGV in MediaDISK handler (bsc#1245452).
- Fix evaluation of libproxy results (bsc#1244710).
- Enhancements regarding mirror handling during repo refresh. Adapt to libzypp
API changes (bsc#1230267).
- Explicitly selecting DownloadAsNeeded also selects the
classic_rpmtrans backend.
- Enhancements with mirror handling during repo refresh, needs zypper 1.14.91.
- Fix autotestcase when ZYPP_FULLLOG=1 (bsc#1244042)
There was no testcase written for the very first solver run.
- zypper does not allow distinctions between install and upgrade in
%postinstall (bsc#1243279).
- Ignore DeltaRpm download errors, in case of a failure the full rpm is
downloaded (bsc#1245672).
- Improve fix for incorrect filesize handling and download data exceeded errors
on HTTP responses (bsc#1245220).
- sh: Reset solver options after command (bsc#1245496).
- BuildRequires: Now %{libsolv_devel_package} greater or equal to 0.7.34
is required (bsc#1243486).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2573-1
Released: Thu Jul 31 11:15:06 2025
Summary: Recommended update for python-Cython, python-attrs, python-boto3, python-botocore, python-cffi, python-decorator, python-packaging, python-s3transfer, python-six
Type: recommended
Severity: moderate
References: 1233012
This update for python-Cython, python-attrs, python-boto3, python-botocore, python-cffi, python-decorator, python-packaging, python-s3transfer, python-six fixes the following issues:
- Add python36 provides/obsoletes to enable SLE-12 to SLE-15 migration (bsc#1233012)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2574-1
Released: Thu Jul 31 11:19:37 2025
Summary: Recommended update for python3-PyNaCl, python3-atomicwrites, python3-cryptography, python3-cryptography-vectors, python3-more-itertools, python3-paramiko, python3-pip, python3-pyOpenSSL, python3-pytest, python3-setuptools
Type: recommended
Severity: moderate
References: 1233012
This update for python3-PyNaCl, python3-atomicwrites, python3-cryptography, python3-cryptography-vectors, python3-more-itertools, python3-paramiko, python3-pip, python3-pyOpenSSL, python3-pytest, python3-setuptools fixes the following issues:
- Add python36 provides/obsoletes to enable SLE-12 to SLE-15 migration (bsc#1233012)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2536-1
Released: Thu Jul 31 16:44:39 2025
Summary: Security update for boost
Type: security
Severity: important
References: 1245936,CVE-2016-9840
This update for boost fixes the following issues:
- CVE-2016-9840: Fixed out-of-bounds pointer arithmetic in zlib in beast (bsc#1245936)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2672-1
Released: Mon Aug 4 15:06:13 2025
Summary: Security update for sqlite3
Type: security
Severity: important
References: 1246597,CVE-2025-6965
This update for sqlite3 fixes the following issues:
- Update to version 3.50.2
- CVE-2025-6965: Fixed an integer truncation to avoid assertion faults. (bsc#1246597)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2684-1
Released: Mon Aug 4 17:07:20 2025
Summary: Security update for apache2
Type: security
Severity: important
References: 1246169,1246302,1246303,1246305,1246306,1246307,1246477,CVE-2024-42516,CVE-2024-43204,CVE-2024-47252,CVE-2025-23048,CVE-2025-49630,CVE-2025-49812,CVE-2025-53020
This update for apache2 fixes the following issues:
- CVE-2024-42516: Fixed HTTP response splitting. (bsc#1246477)
- CVE-2024-43204: Fixed a SSRF when mod_proxy is loaded that allows an attacker to send outbound proxy requests to a URL controlled by them. (bsc#1246305)
- CVE-2024-47252: Fixed insufficient escaping of user-supplied data in mod_ssl that allowed an untrusted SSL/TLS client to insert escape characters into log files. (bsc#1246303)
- CVE-2025-23048: Fixed access control bypass by trusted clients through TLS 1.3 session resumption in some mod_ssl configurations. (bsc#1246302)
- CVE-2025-49630: Fixed a denial of service that could be triggered by untrusted clients causing an assertion in mod_proxy_http2. (bsc#1246307)
- CVE-2025-49812: Fixed Opossum Attack Application Layer Desynchronization using Opportunistic TLS. (bsc#1246169)
- CVE-2025-53020: Fixed HTTP/2 denial of service due to late release of memory after effective lifetime. (bsc#1246306)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2714-1
Released: Wed Aug 6 11:36:56 2025
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References:
This update for systemd fixes the following issues:
- triggers.systemd: skip update of hwdb, journal-catalog if executed during
an offline update.
- systemd-repart is no more considered as experimental (jsc#PED-13213)
- Import commit 130293e510ceb4d121d11823e6ebd4b1e8332ea0 (merge of v254.27)
For a complete list of changes, visit:
https://github.com/openSUSE/systemd/compare/278fb676146e35a7b4057f52f34a7bbaf1b82369...130293e510ceb4d121d11823e6ebd4b1e8332ea0
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2720-1
Released: Thu Aug 7 05:38:44 2025
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References:
This update for crypto-policies fixes the following issues:
- Update the BSI policy (jsc#PED-12880)
* BSI: switch to 3072 minimum RSA key size
* BSI: Update BSI policy for new 2024 minimum
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2734-1
Released: Fri Aug 8 10:05:10 2025
Summary: Security update for dpkg
Type: security
Severity: moderate
References: 1245573,CVE-2025-6297
This update for dpkg fixes the following issues:
- CVE-2025-6297: Fixed an improper sanitization of directory permissions that could lead to DoS. (bsc#1245573)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2758-1
Released: Tue Aug 12 12:05:22 2025
Summary: Security update for libxml2
Type: security
Severity: important
References: 1246296,CVE-2025-7425
This update for libxml2 fixes the following issues:
- CVE-2025-7425: Fixed heap Use-After-Free in libxslt caused by atype corruption in xmlAttrPtr (bsc#1246296)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2761-1
Released: Tue Aug 12 14:17:29 2025
Summary: Recommended update for python-appdirs, python-asn1crypto, python-certifi, python-chardet, python-docutils, python-idna, python-iso8601, python-jmespath, python-ply, python-pretend, python-pyasn1, python-pyasn1-modules, python-pycparser, python-rsa
Type: recommended
Severity: moderate
References: 1233012
This update for python-appdirs, python-asn1crypto, python-certifi, python-chardet, python-docutils, python-idna, python-iso8601, python-jmespath, python-ply, python-pretend, python-pyasn1, python-pyasn1-modules, python-pycparser, python-rsa fixes the following issues:
- Add python36 provides/obsoletes to enable SLE-12 to SLE-15 migration (bsc#1233012)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2025:2763-1
Released: Tue Aug 12 14:45:40 2025
Summary: Optional update for libyaml
Type: optional
Severity: moderate
References: 1246570
This update for libyaml ships the missing libyaml-0-2 library package to
SUSE MicroOS 5.1 and 5.2.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2778-1
Released: Wed Aug 13 08:45:57 2025
Summary: Security update for python3
Type: security
Severity: important
References: 1233012,1243273,1244032,1244056,1244059,1244060,1244061,1244401,1244705,1247249,831629,CVE-2024-12718,CVE-2025-4138,CVE-2025-4330,CVE-2025-4435,CVE-2025-4516,CVE-2025-4517,CVE-2025-6069,CVE-2025-8194
This update for python3 fixes the following issues:
- CVE-2025-4516: use-after-free in the unicode-escape decoder when using the error handler (bsc#1243273).
- CVE-2024-12718: Fixed extraction filter bypass that allowed file metadata modification outside extraction directory (bsc#1244056)
- CVE-2025-4138: Fixed issue that might allow symlink targets to point outside the destination directory, and the modification of some file metadata (bsc#1244059)
- CVE-2025-4330: Fixed extraction filter bypass that allowed linking outside extraction directory (bsc#1244060)
- CVE-2025-4435: Fixed Tarfile extracts filtered members when errorlevel=0 (bsc#1244061)
- CVE-2025-4517: Fixed arbitrary filesystem writes outside the extraction directory during extraction with filter='data' (bsc#1244032)
- CVE-2025-6069: Fixed worst case quadratic complexity when processing certain crafted malformed inputs with HTMLParser (bsc#1244705)
- CVE-2025-8194: Fixed denial of service caused by tar archives with negative offsets (bsc#1247249)
Other fixes:
- Limit buffer size for IPv6 address parsing (bsc#1244401).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2780-1
Released: Wed Aug 13 10:28:27 2025
Summary: Recommended update for gcc14
Type: recommended
Severity: moderate
References: 1230262,1232526,1237442,1238491,1239566,1239938,1240788,1241549,1243991,1244050
This update for gcc14 fixes the following issues:
Update to GCC 14.3 release, bb24b4c804f3d95b0ba95b7496, git11799
- Fixed libqt6webengine build.
- Fix build on s390x [bsc#1241549]
- Make sure link editing is done against our own shared library
copy rather than the installed system runtime. [bsc#1240788]
- Allow GCC executables to be built PIE. [bsc#1239938]
- Backport -msplit-patch-nops required for user-space livepatching on powerpc.
- Also record -D_FORTIFY_SOURCE=2 in the DWARF debug info DW_AT_producer string. [bsc#1239566]
- Disable profiling during build when %want_reproducible_builds is set [bsc#1238491]
- Fixes reported ICE in [bsc#1237442]
- Add larchintrin.h, lasxintrin.h and lsxintrin.h
headers to gccXY main package in %files section
- libstdc++6 fix for parsing tzdata 2024b [gcc#116657]
- Fix ICE with LTO building openvino on aarch64 [bsc#1230262]
- Exclude shared objects present for link editing in the GCC specific
subdirectory from provides processing via __provides_exclude_from.
[bsc#1244050][bsc#1243991]
- Make cross-*-gcc14-bootstrap package conflict with the non-bootstrap
variant conflict with the unversioned cross-*-gcc package.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2841-1
Released: Mon Aug 18 13:01:25 2025
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: moderate
References: 1246697
This update for openssl-1_1 fixes the following issues:
- FIPS: Use the NID_X9_62_prime256v1 curve in ECDSA KAT test
instead of NID_secp256k1. [bsc#1246697]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2921-1
Released: Tue Aug 19 16:54:12 2025
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: important
References: 1218459,1245220,1245985,1246038,1246149,1246466,1247054,1247690
This update for libzypp, zypper fixes the following issues:
- Fix evaluation of libproxy results (bsc#1247690)
- Replace URL variables inside mirrorlist/metalink files
- Append RepoInfo::path() to the mirror URLs in Preloader (bsc#1247054)
- During installation indicate the backend being used (bsc#1246038)
If some package actually needs to know, it should test for
ZYPP_CLASSIC_RPMTRANS being set in the environment.
Otherwise the transaction is driven by librpm.
- Workaround 'rpm -vv' leaving scriptlets /var/tmp (bsc#1218459)
- Verbose log libproxy results if PX_DEBUG=1 is set.
- BuildRequires: cmake >= 3.17.
- Allow explicit request to probe an added repo's URL (bsc#1246466)
- Fix tests with -DISABLE_MEDIABACKEND_TESTS=1
- Add runtime check for a broken rpm-4.18.0 --runpostrans (bsc#1246149)
- Add regression test for (bsc#1245220) and some other filesize related tests.
- Fix addrepo to handle explicit --check and --no-check requests (bsc#1246466)
- Accept 'show' as alias for 'info' (bsc#1245985)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2956-1
Released: Fri Aug 22 08:57:48 2025
Summary: Recommended update for openssl-3
Type: recommended
Severity: moderate
References: 1247144,1247148
This update for openssl-3 fixes the following issues:
- Increased limit for CRL download (bsc#1247148, bsc#1247144)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2964-1
Released: Fri Aug 22 14:52:39 2025
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1240058,1246965,CVE-2025-8058
This update for glibc fixes the following issues:
- CVE-2025-8058: Fixed double-free after allocation failure in regcomp. (bsc#1246965)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2970-1
Released: Mon Aug 25 10:27:57 2025
Summary: Security update for pam
Type: security
Severity: moderate
References: 1232234,1246221,CVE-2024-10041
This update for pam fixes the following issues:
- Improve previous CVE-2024-10041 fix which led to CPU performance issues (bsc#1232234)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3066-1
Released: Thu Sep 4 08:37:17 2025
Summary: Recommended update for systemd-presets-branding-SLE
Type: recommended
Severity: moderate
References: 1244553,1246835
This update for systemd-presets-branding-SLE fixes the following issues:
- Enable sysstat_collect.timer and sysstat_summary.timer
(bsc#1244553, bsc#1246835).
- Modified default SLE presets.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3198-1
Released: Fri Sep 12 14:15:08 2025
Summary: Security update for curl
Type: security
Severity: important
References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086
This update for curl fixes the following issues:
Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056).
Security issues fixed:
- CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589).
- CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397).
- CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not
easily noticed (bsc#1243706).
- CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing
specially crafted packets (bsc#1243933).
- CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN
backend (bsc#1228260).
- CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer
(bsc#1249191).
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348).
Other issues fixed:
- Fix wrong return code when --retry is used (bsc#1249367).
* tool_operate: fix return code when --retry is used but not triggered [b42776b]
- Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197).
* tool_getparam: fix --ftp-pasv [5f805ee]
- Fixed with version 8.14.1:
* TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs.
* websocket: add option to disable auto-pong reply.
* huge number of bugfixes.
Please see https://curl.se/ch/ for full changelogs.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3268-1
Released: Thu Sep 18 13:08:10 2025
Summary: Security update for curl
Type: security
Severity: important
References: 1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer
(bsc#1249191).
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348).
Other issues fixed:
- Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197).
* tool_getparam: fix --ftp-pasv [5f805ee]
- Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056).
* TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs.
* websocket: add option to disable auto-pong reply.
* huge number of bugfixes.
Please see https://curl.se/ch/ for full changelogs.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3369-1
Released: Fri Sep 26 12:54:43 2025
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1246974,1249375,CVE-2025-8114,CVE-2025-8277
This update for libssh fixes the following issues:
- CVE-2025-8277: memory exhaustion leading to client-side DoS due to improper memory management when KEX process is
repeated with incorrect guesses (bsc#1249375).
- CVE-2025-8114: NULL pointer dereference when an allocation error happens during the calculation of the KEX session ID
(bsc#1246974).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3442-1
Released: Tue Sep 30 16:54:04 2025
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1250232,CVE-2025-9230
This update for openssl-3 fixes the following issues:
- CVE-2025-9230: incorrect check of key size can lead to out-of-bounds read and write in RFC 3211 KEK unwrap
(bsc#1250232).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3443-1
Released: Tue Sep 30 16:54:54 2025
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1250232,CVE-2025-9230
This update for openssl-1_1 fixes the following issues:
- CVE-2025-9230: incorrect check of key size can lead to out-of-bounds read and write in RFC 3211 KEK unwrap
(bsc#1250232).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3591-1
Released: Mon Oct 13 15:33:33 2025
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: important
References: 1230267,1246912,1250343
This update for libzypp, zypper fixes the following issues:
- runposttrans: strip root prefix from tmppath (bsc#1250343)
- fixup! Make ld.so ignore the subarch packages during install (bsc#1246912)
- Make ld.so ignore the subarch packages during install (bsc#1246912)
- Fixed `bash-completion`: `zypper refresh` now ignores repository priority lines.
- Changes to support building against restructured libzypp in stack build (bsc#1230267)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3624-1
Released: Thu Oct 16 21:59:19 2025
Summary: Security update for expat
Type: security
Severity: important
References: 1249584,CVE-2025-59375
This update for expat fixes the following issues:
- CVE-2025-59375: memory amplification vulnerability allows attackers to trigger excessive dynamic memory allocations
by submitting crafted XML input (bsc#1249584).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3699-1
Released: Tue Oct 21 12:07:47 2025
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1241219,CVE-2025-3576
This update for krb5 fixes the following issues:
- CVE-2025-3576: weakness in the MD5 checksum design allows for spoofing of GSSAPI-protected messages that are using
RC4-HMAC-MD5 (bsc#1241219).
Krb5, as a very old protocol, supported quite a number of ciphers
that are no longer up to current cryptographic standards.
To avoid problems with those, SUSE has now disabled
those algorithms by default.
The following algorithms have been removed from the valid krb5 enctypes:
- des3-cbc-sha1
- arcfour-hmac-md5
To re-enable those algorithms, you can use the allow options in krb5.conf:
[libdefaults]
allow_des3 = true
allow_rc4 = true
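As an added example (not part of the advisory or of the krb5 project), a small Python audit that parses the [libdefaults] section of a krb5.conf and reports whether the allow_des3 / allow_rc4 options, or an explicit enctype list, re-enable the enctypes the update removed. The two sample configs are constructed; the enctype aliases (rc4-hmac, des3-hmac-sha1, ...) are MIT krb5's documented names for the same enctypes.

```python
"""Audit a krb5.conf [libdefaults] section for re-enabled weak enctypes."""
import re
from typing import Dict, List

# MIT krb5 aliases for the two enctype families SUSE now disables by default.
WEAK_ENCTYPES = {
    "des3-cbc-sha1": {"des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd"},
    "arcfour-hmac-md5": {"arcfour-hmac-md5", "arcfour-hmac", "rc4-hmac"},
}
# [libdefaults] switches from the advisory and the enctype each one re-enables.
ALLOW_OPTIONS = {"allow_des3": "des3-cbc-sha1", "allow_rc4": "arcfour-hmac-md5"}
# Enctype lists that can also name a weak enctype explicitly.
ENCTYPE_LISTS = ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes")


def parse_libdefaults(text: str) -> Dict[str, str]:
    """Return key -> value pairs from the [libdefaults] section.

    Only the flat 'key = value' form is handled, which is all the allow_*
    and *_enctypes settings use; nested '{ ... }' blocks are skipped.
    Full-line comments start with '#' or ';' as in the MIT profile format.
    """
    values: Dict[str, str] = {}
    section = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        match = re.match(r"\[(\w+)\]$", line)
        if match:
            section, depth = match.group(1), 0
            continue
        if section != "libdefaults":
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth = max(depth - 1, 0)
            continue
        if depth or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip().lower()] = value.strip()
    return values


def _is_true(value: str) -> bool:
    # Boolean spellings accepted by the MIT krb5 profile library.
    return value.strip().lower() in {"y", "yes", "true", "t", "1", "on"}


def audit_krb5_conf(text: str) -> List[str]:
    """List every setting that re-enables des3-cbc-sha1 or arcfour-hmac-md5."""
    conf = parse_libdefaults(text)
    findings: List[str] = []
    for option, enctype in ALLOW_OPTIONS.items():
        if _is_true(conf.get(option, "false")):
            findings.append(f"{option} = true re-enables {enctype}")
    for list_key in ENCTYPE_LISTS:
        listed = {e.lower() for e in re.split(r"[\s,]+", conf.get(list_key, "")) if e}
        for enctype, aliases in WEAK_ENCTYPES.items():
            hits = sorted(listed & aliases)
            if hits:
                findings.append(f"{list_key} lists {', '.join(hits)} ({enctype})")
    return findings


# Constructed sample configs (not taken from any real system).
WEAK_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    # re-enables the enctypes the update removed by default
    allow_des3 = true
    allow_rc4 = true
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

HARDENED_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_krb5_conf(conf) or ['no weak enctypes enabled']}")
```

To audit a live system, pass the contents of /etc/krb5.conf to audit_krb5_conf(); files pulled in via includedir are not followed.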
-----------------------------------------------------------------
Advisory ID: SUSE-Manager-5.0-2025-3825
Released: Tue Oct 28 08:25:58 2025
Summary: Security update 5.0.5.1 for Multi-Linux Manager
Type: security
Severity: important
References: 1227577,1231150,1231157,1246277,1246421,1246439,1248085,1248252,1250911,CVE-2025-53192,CVE-2025-53880,CVE-2025-53883
Security update 5.0.5.1 for Multi-Linux Manager: Server, Proxy and Retail Branch Server
This is a codestream only update
The following package changes have been done:
- crypto-policies-20230920.570ea89-150600.3.12.1 updated
- libssh-config-0.9.8-150600.11.6.1 updated
- glibc-2.38-150600.14.37.1 updated
- libsasl2-3-2.1.28-150600.7.6.2 updated
- boost-license1_66_0-1.66.0-150200.12.7.1 updated
- libbrotlicommon1-1.0.7-150200.3.5.1 updated
- libbrotlidec1-1.0.7-150200.3.5.1 updated
- perl-base-5.26.1-150300.17.20.1 updated
- libxml2-2-2.10.3-150500.5.32.1 updated
- libsqlite3-0-3.50.2-150000.3.33.1 updated
- libgcc_s1-14.3.0+git11799-150000.1.11.1 updated
- libstdc++6-14.3.0+git11799-150000.1.11.1 updated
- libglib-2_0-0-2.78.6-150600.4.16.1 updated
- libudev1-254.27-150600.4.43.3 updated
- libopenssl3-3.1.4-150600.5.39.1 updated
- libgcrypt20-1.10.3-150600.3.9.1 updated
- libopenssl-3-fips-provider-3.1.4-150600.5.39.1 updated
- krb5-1.20.1-150600.11.14.1 updated
- libssh4-0.9.8-150600.11.6.1 updated
- libboost_system1_66_0-1.66.0-150200.12.7.1 updated
- libboost_thread1_66_0-1.66.0-150200.12.7.1 updated
- libcurl4-8.14.1-150600.4.28.1 updated
- coreutils-8.32-150400.9.9.1 updated
- gpg2-2.4.4-150600.3.9.1 updated
- pam-1.3.0-150000.6.86.1 updated
- libsolv-tools-base-0.7.34-150600.8.17.2 updated
- libzypp-17.37.18-150600.3.82.1 updated
- zypper-1.14.94-150600.10.52.1 updated
- curl-8.14.1-150600.4.28.1 updated
- libbrotlienc1-1.0.7-150200.3.5.1 updated
- libexpat1-2.7.1-150400.3.31.1 updated
- libopenssl1_1-1.1.1w-150600.5.18.1 updated
- libyaml-0-2-0.1.7-150000.3.4.1 updated
- release-notes-susemanager-proxy-5.0.5.1-150600.11.31.1 updated
- update-alternatives-1.19.0.4-150000.4.7.1 updated
- libsystemd0-254.27-150600.4.43.3 updated
- python3-base-3.6.15-150300.10.97.1 updated
- libpython3_6m1_0-3.6.15-150300.10.97.1 updated
- systemd-presets-branding-SLE-15.1-150600.35.3.1 updated
- apache2-prefork-2.4.58-150600.5.35.1 updated
- python3-3.6.15-150300.10.97.2 updated
- python3-six-1.14.0-150200.15.1 updated
- python3-pyparsing-2.4.7-150300.3.3.1 updated
- python3-pycparser-2.17-150000.3.5.1 updated
- python3-pyasn1-0.4.2-150000.3.8.1 updated
- python3-defusedxml-0.6.0-1.42 added
- python3-chardet-3.0.4-150000.5.6.1 updated
- python3-asn1crypto-0.24.0-150000.3.5.1 updated
- python3-appdirs-1.4.3-150000.3.3.1 updated
- python3-PyYAML-5.4.1-150300.3.6.1 updated
- systemd-254.27-150600.4.43.3 updated
- python3-packaging-21.3-150200.3.6.1 updated
- python3-cffi-1.13.2-150200.3.5.1 updated
- python3-libxml2-2.10.3-150500.5.32.1 updated
- python3-setuptools-44.1.1-150400.9.15.1 updated
- apache2-2.4.58-150600.5.35.1 updated
- python3-cryptography-3.3.2-150400.26.1 updated
- python3-pyOpenSSL-21.0.0-150400.10.1 updated
- python3-rhnlib-5.0.5-150600.4.6.4 updated
- spacewalk-backend-5.0.15-150600.4.20.9 updated
- susemanager-tftpsync-recv-5.0.3-150600.3.6.4 updated
- container:sles15-image-15.6.0-47.24.1 updated