SUSE-CU-2025:7789-1: Security update of suse/multi-linux-manager/5.1/x86_64/proxy-squid
sle-container-updates at lists.suse.com
Thu Oct 30 14:24:09 UTC 2025
SUSE Container Update Advisory: suse/multi-linux-manager/5.1/x86_64/proxy-squid
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7789-1
Container Tags : suse/multi-linux-manager/5.1/x86_64/proxy-squid:5.1.1 , suse/multi-linux-manager/5.1/x86_64/proxy-squid:5.1.1.8.7.1 , suse/multi-linux-manager/5.1/x86_64/proxy-squid:latest
Container Release : 8.7.1
Severity : important
Type : security
References : 1230262 1230959 1231748 1232234 1232326 1232526 1237442 1238491
1239566 1239938 1240058 1240788 1241219 1241549 1243991 1244050
1246221 1246296 1246428 1246597 1246965 1247144 1247148 1250232
CVE-2024-10041 CVE-2025-3576 CVE-2025-6965 CVE-2025-7425 CVE-2025-8058
CVE-2025-9230
-----------------------------------------------------------------
The container suse/multi-linux-manager/5.1/x86_64/proxy-squid was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2599-1
Released: Fri Aug 1 17:35:01 2025
Summary: Recommended update for openssl-3
Type: recommended
Severity: important
References: 1230959,1231748,1232326,1246428
This update for openssl-3 fixes the following issues:
- FIPS: Fix EMS in crypto-policies FIPS:NO-ENFORCE-EMS (bsc#1230959, bsc#1232326, bsc#1231748, bsc#1246428)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2617-1
Released: Mon Aug 4 09:04:59 2025
Summary: Security update for libxml2
Type: security
Severity: important
References: 1246296,CVE-2025-7425
This update for libxml2 fixes the following issues:
- CVE-2025-7425: Fixed heap Use-After-Free in libxslt caused by atype corruption in xmlAttrPtr (bsc#1246296)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2672-1
Released: Mon Aug 4 15:06:13 2025
Summary: Security update for sqlite3
Type: security
Severity: important
References: 1246597,CVE-2025-6965
This update for sqlite3 fixes the following issues:
- Update to version 3.50.2
- CVE-2025-6965: Fixed an integer truncation to avoid assertion faults. (bsc#1246597)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2720-1
Released: Thu Aug 7 05:38:44 2025
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References:
This update for crypto-policies fixes the following issues:
- Update the BSI policy (jsc#PED-12880)
* BSI: switch to 3072 minimum RSA key size
* BSI: Update BSI policy for new 2024 minimum
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2780-1
Released: Wed Aug 13 10:28:27 2025
Summary: Recommended update for gcc14
Type: recommended
Severity: moderate
References: 1230262,1232526,1237442,1238491,1239566,1239938,1240788,1241549,1243991,1244050
This update for gcc14 fixes the following issues:
Update to GCC 14.3 release, bb24b4c804f3d95b0ba95b7496, git11799
- Fixed libqt6webengine build.
- Fix build on s390x [bsc#1241549]
- Make sure link editing is done against our own shared library
copy rather than the installed system runtime. [bsc#1240788]
- Allow GCC executables to be built PIE. [bsc#1239938]
- Backport -msplit-patch-nops required for user-space livepatching on powerpc.
- Also record -D_FORTIFY_SOURCE=2 in the DWARF debug info DW_AT_producer string. [bsc#1239566]
- Disable profiling during build when %want_reproducible_builds is set [bsc#1238491]
- Fixes reported ICE in [bsc#1237442]
- Add larchintrin.h, lasxintrin.h and lsxintrin.h
headers to gccXY main package in %files section
- libstdc++6 fix for parsing tzdata 2024b [gcc#116657]
- Fix ICE with LTO building openvino on aarch64 [bsc#1230262]
- Exclude shared objects present for link editing in the GCC specific
subdirectory from provides processing via __provides_exclude_from.
[bsc#1244050][bsc#1243991]
- Make cross-*-gcc14-bootstrap package conflict with the non-bootstrap
variant conflict with the unversioned cross-*-gcc package.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2874-1
Released: Tue Aug 19 06:07:47 2025
Summary: Recommended update for openssl-3
Type: recommended
Severity: important
References: 1247144,1247148
This update for openssl-3 fixes the following issues:
- Increase limit for CRL download (bsc#1247148, bsc#1247144)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2964-1
Released: Fri Aug 22 14:52:39 2025
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1240058,1246965,CVE-2025-8058
This update for glibc fixes the following issues:
- CVE-2025-8058: Fixed double-free after allocation failure in regcomp. (bsc#1246965)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2970-1
Released: Mon Aug 25 10:27:57 2025
Summary: Security update for pam
Type: security
Severity: moderate
References: 1232234,1246221,CVE-2024-10041
This update for pam fixes the following issues:
- Improve previous CVE-2024-10041 fix which led to CPU performance issues (bsc#1232234)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3546-1
Released: Sat Oct 11 03:21:33 2025
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1250232,CVE-2025-9230
This update for openssl-3 fixes the following issues:
- CVE-2025-9230: Fixed out-of-bounds read & write in RFC 3211 KEK unwrap (bsc#1250232).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3699-1
Released: Tue Oct 21 12:07:47 2025
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1241219,CVE-2025-3576
This update for krb5 fixes the following issues:
- CVE-2025-3576: weakness in the MD5 checksum design allows for spoofing of GSSAPI-protected messages that are using RC4-HMAC-MD5 (bsc#1241219).
Krb5, as a very old protocol, supported quite a number of ciphers
that are no longer up to current cryptographic standards.
To avoid problems with those, SUSE has now disabled
those algorithms by default.
The following algorithms have been removed from valid krb5 enctypes:
- des3-cbc-sha1
- arcfour-hmac-md5
To re-enable those algorithms, you can use the allow options in krb5.conf:
[libdefaults]
allow_des3 = true
allow_rc4 = true
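As an added example (not part of the SUSE advisory), the following Python check flags a krb5.conf that turns the removed enctypes back on, either through the allow options named above or by listing them explicitly. The enctype-list option names checked, the function name and the sample file are assumptions chosen for this illustration.

```python
import re

# Enctypes this update removes from the valid set (names from the advisory).
REMOVED = {"des3-cbc-sha1", "arcfour-hmac-md5"}
# Options from the advisory that switch them back on.
REENABLE = {"allow_des3": "des3-cbc-sha1", "allow_rc4": "arcfour-hmac-md5"}
# Standard krb5.conf enctype-list options (assumption: the ones worth checking).
ENCTYPE_LISTS = {"permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes"}
# Strings krb5 treats as boolean true.
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}

def audit_krb5_conf(text):
    """Return (line number, option, enctype) for each weak setting in [libdefaults]."""
    findings = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        # Only [libdefaults] is inspected; other sections are skipped.
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key in REENABLE and value.lower() in TRUE_VALUES:
            findings.append((lineno, key, REENABLE[key]))
        elif key in ENCTYPE_LISTS:
            for tok in re.split(r"[\s,]+", value):
                if tok.lower() in REMOVED:  # "-name" removals do not match
                    findings.append((lineno, key, tok.lower()))
    return findings

# Constructed sample configuration, not taken from any real host.
SAMPLE = """\
# constructed sample
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_des3 = false
    allow_rc4 = true
    permitted_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac-md5
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

if __name__ == "__main__":
    for lineno, option, enctype in audit_krb5_conf(SAMPLE):
        print(f"line {lineno}: {option} permits {enctype}")
```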
The following package changes have been done:
- crypto-policies-20230920.570ea89-150600.3.12.1 updated
- glibc-2.38-150600.14.37.1 updated
- libsqlite3-0-3.50.2-150000.3.33.1 updated
- libgcc_s1-14.3.0+git11799-150000.1.11.1 updated
- libstdc++6-14.3.0+git11799-150000.1.11.1 updated
- libxml2-2-2.12.10-150700.4.6.1 updated
- libopenssl3-3.2.3-150700.5.21.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.21.1 updated
- krb5-1.20.1-150600.11.14.1 updated
- pam-1.3.0-150000.6.86.1 updated
- container:bci-bci-base-15.7-231a93ad62347ed0484baa9242d06c7c7fc48241452613423a9c25e30102fb8f-0 updated