SUSE-CU-2025:7778-1: Security update of suse/manager/5.0/x86_64/server-attestation

sle-container-updates at lists.suse.com
Thu Oct 30 14:15:39 UTC 2025


SUSE Container Update Advisory: suse/manager/5.0/x86_64/server-attestation
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7778-1
Container Tags        : suse/manager/5.0/x86_64/server-attestation:5.0.5.1 , suse/manager/5.0/x86_64/server-attestation:5.0.5.1.6.30.2 , suse/manager/5.0/x86_64/server-attestation:latest
Container Release     : 6.30.2
Severity              : important
Type                  : security
References            : 1227577 1230262 1231150 1231157 1232526 1237442 1238491 1239566
                        1239938 1240058 1240788 1241549 1242601 1243869 1243991 1244050
                        1245573 1246197 1246277 1246421 1246439 1246575 1246580 1246584
                        1246595 1246597 1246598 1246965 1247144 1247148 1248085 1248252
                        1248252 1249191 1249348 1249367 1250232 1250911 1251263 CVE-2024-12224
                        CVE-2025-10148 CVE-2025-30749 CVE-2025-30754 CVE-2025-30761 CVE-2025-3416
                        CVE-2025-50059 CVE-2025-50106 CVE-2025-53192 CVE-2025-53192 CVE-2025-53880
                        CVE-2025-53883 CVE-2025-6297 CVE-2025-6965 CVE-2025-8058 CVE-2025-9086
                        CVE-2025-9187 CVE-2025-9230 
-----------------------------------------------------------------

The container suse/manager/5.0/x86_64/server-attestation was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2666-1
Released:    Mon Aug  4 14:35:30 2025
Summary:     Security update for java-11-openjdk
Type:        security
Severity:    important
References:  1246575,1246580,1246584,1246595,1246598,CVE-2025-30749,CVE-2025-30754,CVE-2025-30761,CVE-2025-50059,CVE-2025-50106
This update for java-11-openjdk fixes the following issues:

Upgrade to upstream tag jdk-11.0.28+6 (July 2025 CPU):

Security fixes:

- CVE-2025-30749: several scenarios can lead to heap corruption (bsc#1246595) 
- CVE-2025-30754: incomplete handshake may lead to weakening TLS protections (bsc#1246598) 
- CVE-2025-30761: Improve scripting supports (bsc#1246580) 
- CVE-2025-50059: Improve HTTP client header handling (bsc#1246575) 
- CVE-2025-50106: Glyph out-of-memory access and crash (bsc#1246584) 

Changelog:

    + JDK-8026976: ECParameters, Point does not match field size
    + JDK-8211400: nsk.share.gc.Memory::getArrayLength returns wrong
      value
    + JDK-8231058: VerifyOops crashes with assert(_offset >= 0)
      failed: offset for non comment?
    + JDK-8232625: HttpClient redirect policy should be more
      conservative
    + JDK-8258483: [TESTBUG] gtest
      CollectorPolicy.young_scaled_initial_ergo_vm fails if heap is
      too small
    + JDK-8293345: SunPKCS11 provider checks on PKCS11 Mechanism are
      problematic
    + JDK-8296631: NSS tests failing on OL9 linux-aarch64 hosts
    + JDK-8301753: AppendFile/WriteFile has differences between make
      3.81 and 4+
    + JDK-8303770: Remove Baltimore root certificate expiring in May
      2025
    + JDK-8315380: AsyncGetCallTrace crash in frame::safe_for_sender
    + JDK-8327476: Upgrade JLine to 3.26.1
    + JDK-8328957: Update PKCS11Test.java to not use hardcoded path
    + JDK-8331959: Update PKCS#11 Cryptographic Token Interface to
      v3.1
    + JDK-8339300: CollectorPolicy.young_scaled_initial_ergo_vm
      gtest fails on ppc64 based platforms
    + JDK-8339728: [Accessibility,Windows,JAWS] Bug in the
      getKeyChar method of the AccessBridge class
    + JDK-8345133: Test sun/security/tools/jarsigner/
      /TsacertOptionTest.java failed: Warning found in stdout
    + JDK-8345625: Better HTTP connections
    + JDK-8346887: DrawFocusRect() may cause an assertion failure
    + JDK-8347629: Test FailOverDirectExecutionControlTest.java
      fails with -Xcomp
    + JDK-8348110: Update LCMS to 2.17
    + JDK-8348596: Update FreeType to 2.13.3
    + JDK-8348598: Update Libpng to 1.6.47
    + JDK-8348989: Better Glyph drawing
    + JDK-8349111: Enhance Swing supports
    + JDK-8349594: Enhance TLS protocol support
    + JDK-8350469: [11u] Test AbsPathsInImage.java fails
      - JDK-8239429 public clone
    + JDK-8350498: Remove two Camerfirma root CA certificates
    + JDK-8350991: Improve HTTP client header handling
    + JDK-8351099: Bump update version of OpenJDK: 11.0.28
    + JDK-8351422: Improve scripting supports
    + JDK-8352302: Test sun/security/tools/jarsigner/
      /TimestampCheck.java is failing
    + JDK-8352716: (tz) Update Timezone Data to 2025b
    + JDK-8356096: ISO 4217 Amendment 179 Update
    + JDK-8356571: Re-enable -Wtype-limits for GCC in LCMS
    + JDK-8359170: Add 2 TLS and 2 CS Sectigo roots
    + JDK-8360147: Better Glyph drawing redux

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2672-1
Released:    Mon Aug  4 15:06:13 2025
Summary:     Security update for sqlite3
Type:        security
Severity:    important
References:  1246597,CVE-2025-6965
This update for sqlite3 fixes the following issues:

- Update to version 3.50.2
- CVE-2025-6965: Fixed an integer truncation to avoid assertion faults. (bsc#1246597)
    
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2714-1
Released:    Wed Aug  6 11:36:56 2025
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  
This update for systemd fixes the following issues:

- triggers.systemd: skip update of hwdb, journal-catalog if executed during
  an offline update.

- systemd-repart is no longer considered experimental (jsc#PED-13213)

- Import commit 130293e510ceb4d121d11823e6ebd4b1e8332ea0 (merge of v254.27)
  For a complete list of changes, visit:
  https://github.com/openSUSE/systemd/compare/278fb676146e35a7b4057f52f34a7bbaf1b82369...130293e510ceb4d121d11823e6ebd4b1e8332ea0

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2720-1
Released:    Thu Aug  7 05:38:44 2025
Summary:     Recommended update for crypto-policies
Type:        recommended
Severity:    moderate
References:  
This update for crypto-policies fixes the following issues:

- Update the BSI policy (jsc#PED-12880)
    * BSI: switch to 3072 minimum RSA key size
    * BSI: Update BSI policy for new 2024 minimum

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2734-1
Released:    Fri Aug  8 10:05:10 2025
Summary:     Security update for dpkg
Type:        security
Severity:    moderate
References:  1245573,CVE-2025-6297
This update for dpkg fixes the following issues:

- CVE-2025-6297: Fixed an improper sanitization of directory permissions that could lead to DoS. (bsc#1245573)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2780-1
Released:    Wed Aug 13 10:28:27 2025
Summary:     Recommended update for gcc14
Type:        recommended
Severity:    moderate
References:  1230262,1232526,1237442,1238491,1239566,1239938,1240788,1241549,1243991,1244050
This update for gcc14 fixes the following issues:

Update to GCC 14.3 release, bb24b4c804f3d95b0ba95b7496, git11799

- Fixed libqt6webengine build.
- Fix build on s390x [bsc#1241549]
- Make sure link editing is done against our own shared library
  copy rather than the installed system runtime.  [bsc#1240788]
- Allow GCC executables to be built PIE.  [bsc#1239938]
- Backport -msplit-patch-nops required for user-space livepatching on powerpc.
- Also record -D_FORTIFY_SOURCE=2 in the DWARF debug info DW_AT_producer string.  [bsc#1239566]
- Disable profiling during build when %want_reproducible_builds is set [bsc#1238491]
- Fixes reported ICE in [bsc#1237442]
- Add larchintrin.h, lasxintrin.h and lsxintrin.h
  headers to gccXY main package in %files section
- libstdc++6 fix for parsing tzdata 2024b [gcc#116657]
- Fix ICE with LTO building openvino on aarch64 [bsc#1230262]
- Exclude shared objects present for link editing in the GCC specific
  subdirectory from provides processing via __provides_exclude_from.
  [bsc#1244050][bsc#1243991]
- Make cross-*-gcc14-bootstrap package conflict with the non-bootstrap
  variant conflict with the unversioned cross-*-gcc package.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2956-1
Released:    Fri Aug 22 08:57:48 2025
Summary:     Recommended update for openssl-3
Type:        recommended
Severity:    moderate
References:  1247144,1247148
This update for openssl-3 fixes the following issues:

- Increased limit for CRL download (bsc#1247148, bsc#1247144)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2964-1
Released:    Fri Aug 22 14:52:39 2025
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1240058,1246965,CVE-2025-8058
This update for glibc fixes the following issues:

- CVE-2025-8058: Fixed double-free after allocation failure in regcomp. (bsc#1246965)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3268-1
Released:    Thu Sep 18 13:08:10 2025
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1246197,1249191,1249348,1249367,CVE-2025-10148,CVE-2025-9086
This update for curl fixes the following issues:

Security issues fixed:

- CVE-2025-9086: bug in path comparison logic when processing cookies can lead to out-of-bounds read in heap buffer
  (bsc#1249191).
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348).
    
Other issues fixed:
    
- Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197).
  * tool_getparam: fix --ftp-pasv [5f805ee]

- Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056).
  * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs.
  * websocket: add option to disable auto-pong reply.
  * huge number of bugfixes.

  Please see https://curl.se/ch/ for full changelogs.


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3285-1
Released:    Sun Sep 21 11:18:05 2025
Summary:     Security update for mybatis, ognl
Type:        security
Severity:    important
References:  1248252,CVE-2025-53192
This update for mybatis, ognl fixes the following issues:

Version update to 3.5.7:

  * Bug fixes:

    + Improved performance under JDK 8. #2223

Version update to 3.5.8:

  * List of changes:

    + Avoid NullPointerException when mapping an empty string to
      java.lang.Character. #2368
    + Fixed an incorrect argument when initializing static object.
      This resolves a compatibility issue with quarkus-mybatis.
      #2284
    + Performance improvements. #2297 #2335 #2340

Version update to 3.5.9:

  * List of changes:

    + Add nullable to <foreach />. If enabled, it skips the
      iteration when the collection is null instead of throwing an
      exception. To enable this feature globally, set
      nullableOnForEach=true in the config. #1883

Version update to 3.5.10:

  * Bug fixes:

    + Unexpected illegal reflective access warning (or
      InaccessibleObjectException on Java 16+) when calling method
      in OGNL expression. #2392
    + IllegalAccessException when auto-mapping Records (JEP-359)
      #2195
    + 'interrupted' status is not set when
       PooledConnection#getConnection() is interrupted. #2503

  * Enhancements:

    + A new option argNameBasedConstructorAutoMapping is added. If
      enabled, constructor argument names are used to look up
      columns when auto-mapping. #2192
    + Added a new property skipSetAutoCommitOnClose to
      JdbcTransactionFactory. Skipping setAutoCommit() call could
      improve performance with some drivers. #2426
    + <idArg /> can now be listed after <arg /> in <constructor />.
      #2541

Version update to 3.5.11:

  * Bug fixes:

    + OGNL could throw IllegalArgumentException when invoking
      inherited method. #2609
    + returnInstanceForEmptyRow is not applied to constructor
      auto-mapping. #2665

Version update to 3.5.12

  * User impactful changes

    + #2703 Referencing collection parameter by name fails fixing
      #2693
    + #2709 Fix a race condition caused by other threads calling
      mapper methods while mapped tables are being constructed
    + #2727 Enable ability to provide custom configuration to
      XMLConfigBuilder
    + #2731 Adding mapper could fail under JPMS
    + #2741 Add 'affectedData' attribute to @Select,
      @SelectProvider, and <select />
    + #2767 Resolve resultType by namespace and id when not
      provided resultType and resultMap
    + #2804 Search readable property when resolving constructor arg
      type by name
    + Minor correction: 'boolean' can never be null (primitive)
    + General library updates
    + Uses parameters option for compiler now (needed by spring boot
      3) (for reflection needs)

  * Code cleanup

    + #2816 Use open rewrite to partially cleanup java code
    + #2817 Add private constructors per open rewrite
    + #2819 Add final where appropriate per open rewrite
    + #2825 Cleanup if statement breaks / return logic
    + #2826 Eclipse based cleanup

  * Build

    + #2820 Remove test ci group profile in favor of more direct
      usage on GH-Actions and update deprecated surefire along in
      overview in README.md
    + Adjustments to build so shaded ognl and javassist no longer
      throw warnings
    + Build with jdk 21-ea as well now
    + Various test cleanup, updates, and additions
    + Turn on auto formatting of all java code including note to
      contributors on readme to skip formatting when necessary in
      code blocks
    + Tests may use jdk 11 now while retaining jdk 8 runtime
    + Pom cleanup / better clarification on parameters

  * Documentation

    + Various documentation updates

Version update to 3.5.13:

  * Bug fix:

    + Unable to resolve result type when the target property has
      a getter with different return type #2834

Version update to 3.5.14:

  * Bug fixes:

    + Registered type handler is not used for anonymous enums #2956
    + Discriminator does not work in constructor mapping #2913

Version update to 3.5.15:

  * Changes

    + XNode#toString() should output all child nodes. See #3001 and
      associated tickets on this issue
    + Fix performance of mappedColumnNames.contains by using 'set'
      rather than 'list'. See #3023
    + Fix osgi issue with javassist. See #3031
    + Updated shaded OGNL to 3.4.2. See #3035
    + Add support method for generating dynamic sql on SQL class.
      See #2887
    + General library updates
    + General document updates

  * Build

    + We now show builds from java 11, 17, 21, and 22 on Github
      Actions. Code is still java 8 compatible at this time.
    + Update vulnerable hsqldb to 2.7.2, fixing our tests, which now
      work due to newer support. Note: users were never affected by
      this, but at least one user attempted to open a pull request
      for it, in addition to both renovate and dependabot and
      various reporting on it.
    + Now using more properties to define versions in pom to lower
      the frequency of pull requests from renovate

Version update to 3.5.16:

  * Security:

    + Prevent Invocation from being used by vulnerable applications.
      #3115

  * Bugs:

    + When database ID resolution fails, an invalid bound statement
      is used. #3040

  * Enhancements:

    + It is now possible to write a custom map wrapper to customize
      how to map column name with dots or brackets. #13 #3062

  * Performance:

    + Improved compatibility with Virtual Threads introduced by
      Loom.
    + Reduced memory footprint when performing the default (i.e.
      order based) constructor auto-mapping. #3113

  * Build:

    + Include the shaded libraries (OGNL and Javassist) in the
      sources.jar.

Version update to 3.5.17:

  * Bugs:

    + VendorDatabaseIdProvider#getDatabaseId() should return product
      name when properties is empty #3297
    + Update NClobTypeHandler to use methods for national character
      set #3298

  * Enhancements:

    + Allow DefaultSqlSessionFactory to provide a custom
      SqlSession #3128

Version update to 3.5.18:

  * Regressions

    + Fixed issue in 3.5.17 #3334

  * New

    + Ignore empty xnode per #3349
    + Share expression validator #3339
    + Throw helpful error instead of IndexOutOfBoundsException
      (automapping) #3327
    + Optimize mapper builder #3252

  * Tests

    + Add TransactionFactory, Transaction test cases #3277

  * Build

    + Reworked pom to match current java 17 build usage
    + Moved all tests to newer java standards
    + Cleaned up github actions
    + Run 'site' branch only on release commits

Version update to 3.5.19:

  * Revert Regression introduced by #3349.

- Initial packaging with version 3.4.7

ognl replaces the EOLed apache-commons-ognl that has an unpatched
  security bug (bsc#1248252, CVE-2025-53192)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3442-1
Released:    Tue Sep 30 16:54:04 2025
Summary:     Security update for openssl-3
Type:        security
Severity:    important
References:  1250232,CVE-2025-9230
This update for openssl-3 fixes the following issues:

- CVE-2025-9230: incorrect check of key size can lead to out-of-bounds read and write in RFC 3211 KEK unwrap
  (bsc#1250232).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3445-1
Released:    Wed Oct  1 15:09:57 2025
Summary:     Security update for snpguest
Type:        security
Severity:    moderate
References:  1242601,1243869,CVE-2024-12224,CVE-2025-3416
This update for snpguest fixes the following issues:

- CVE-2024-12224: idna: acceptance of Punycode labels that do not produce any non-ASCII output may lead to incorrect
  hostname comparisons and incorrect URL parsing (bsc#1243869).
- CVE-2025-3416: openssl: use-after-free in `Md::fetch` and `Cipher::fetch` when `Some(...)` value is passed to the
  `properties` argument (bsc#1242601).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3804-1
Released:    Mon Oct 27 12:35:04 2025
Summary:     Security update for mozilla-nss
Type:        security
Severity:    important
References:  1251263,CVE-2025-9187
This update for mozilla-nss fixes the following issues:

- Move NSS DB password hash away from SHA-1

Update to NSS 3.112.2:

  * Prevent leaks during pkcs12 decoding.
  * SEC_ASN1Decode* should ensure it has read as many bytes as each length field indicates

Update to NSS 3.112.1:

  * restore support for finding certificates by decoded serial number.


-----------------------------------------------------------------
Advisory ID: SUSE-Manager-5.0-2025-3825
Released:    Tue Oct 28 08:25:58 2025
Summary:     Security update 5.0.5.1 for Multi-Linux Manager
Type:        security
Severity:    important
References:  1227577,1231150,1231157,1246277,1246421,1246439,1248085,1248252,1250911,CVE-2025-53192,CVE-2025-53880,CVE-2025-53883
Security update 5.0.5.1 for Multi-Linux Manager: Server, Proxy and Retail Branch Server

This is a codestream only update


The following package changes have been done:

- crypto-policies-20230920.570ea89-150600.3.12.1 updated
- glibc-2.38-150600.14.37.1 updated
- libbrotlicommon1-1.0.7-150200.3.5.1 updated
- libbrotlidec1-1.0.7-150200.3.5.1 updated
- libsqlite3-0-3.50.2-150000.3.33.1 updated
- libgcc_s1-14.3.0+git11799-150000.1.11.1 updated
- libstdc++6-14.3.0+git11799-150000.1.11.1 updated
- libopenssl3-3.1.4-150600.5.39.1 updated
- libopenssl-3-fips-provider-3.1.4-150600.5.39.1 updated
- openssl-3-3.1.4-150600.5.39.1 updated
- libfreebl3-3.112.2-150400.3.60.1 updated
- snpguest-0.3.2-150600.3.6.1 updated
- update-alternatives-1.19.0.4-150000.4.7.1 updated
- libsystemd0-254.27-150600.4.43.3 updated
- mozilla-nss-certs-3.112.2-150400.3.60.1 updated
- mozilla-nss-3.112.2-150400.3.60.1 updated
- libsoftokn3-3.112.2-150400.3.60.1 updated
- java-11-openjdk-headless-11.0.28.0-150000.3.129.2 updated
- ognl-3.4.7-150200.5.3.1 added
- mybatis-3.5.19-150200.5.9.1 updated
- uyuni-java-common-5.0.7-150600.3.9.2 updated
- uyuni-coco-attestation-core-5.0.7-150600.3.9.2 updated
- uyuni-coco-attestation-module-snpguest-5.0.7-150600.3.9.2 updated
- uyuni-coco-attestation-module-secureboot-5.0.7-150600.3.9.2 updated
- container:sles15-image-15.6.0-47.24.1 updated
- apache-commons-ognl-4.0~20191021git51cf8f4-150200.5.7.6 removed

